Transcript Active Defenses to Cyber Attacks

Active Defenses to
Cyber Attacks
UW Information School/Agora
Workshop
09/12/03
Supported by a research grant from Cisco
Systems Critical Infrastructure Assurance Group
Agenda
• Three floating moderators
• “Three hour tour” format
•
•
•
•
Background (~45 minutes)
Open discussion of issues (~1 hour)
Attack Scenario (~20 minutes)
9 potential AD actions (~2 hours)
• ~10-15 minutes each
Desired outcome
• Get feedback on current outline of Active
Defense
• Get ideas on pros/cons of AD actions
• Identify avenues of legal/ethical/technical
research
• Identify alternatives and possible changes in
laws, public/private CompSec policies
• Have a fun time!
Background
• Topic discussed in Pre-Agora meeting June
8, 2001 and again in Q1 2003
•
•
•
•
Current USG interest
Ongoing private sector interest
Lack of common definitions
Potential impact on national & international
debate
Senate debate
"If we can find some way to do this without
destroying their machines, we'd be interested in
hearing about that. If that's the only way, then
I'm all for destroying their machines. If you
have a few hundred thousand of those, I think
people would realize [the seriousness of their
actions.] There's no excuse for anyone
violating copyright laws.”
Utah Senator Orrin Hatch
Information Assurance
• Information Assurance (IA) concerns information
operations that protect and defend information and
information systems by ensuring availability,
integrity, authentication, confidentiality, and nonrepudiation.
• This includes providing for restoration of
information systems by incorporating protection,
detection, and reaction capabilities.
Source: National Security Telecommunications and Information
Systems Security Instruction (NSTISSI) No. 4009, January 1999
Attacks (Strategic level)
• Denial of Service
• Theft/alteration of data
• Web page defacement
• Industrial espionage
• Theft of services/resources
• “Stepping stones”/anonymity
• Caching data/malware
• Violation of copyright (“warez”)
Attacks (Tactical level)
•
•
•
•
•
•
•
•
•
Remote service exploitation
Log alteration/"rootkits"
Sniffers
Covert channel comms
Stepping stones
Encryption
Address forgery/hijacking
Distributed attacks
Reflected attacks
Attack Specifics (example)
Denial of Service
• Resource consumption
• Host
 Processor
 Memory
 Network services
• Network
 Bandwidth
 Router Resources (see Host above)
• Crashing
• Redirection
You are here…
Defenses (Strategic level)
• Firewalls
• IDS
• Logging/monitoring
• Host (e.g., accounts, processes, services)
• Network (flows, connections, data)
• Honeypots/Honeynets
• Augment FW/IDS
• Deception
Defenses (Tactical level)
•
•
•
•
•
•
•
•
Topological/Access control changes
Sniffing/keystroke logging
Scanning
Traffic redirection
Traffic analysis
Honeypots/Honeynets
Remote exploitation
Denial of Service
Big loss over time
Warbucks’ lost commissions on stock trades
800
700
600
500
400
300
200
100
0
1st hour 2nd hour 3rd hour 4th hour
Losses (*
$1000)
Small loss over time
Individual selling used books on Amazon
250
200
150
Losses (* $1)
100
50
0
Day 1
Day 2
Day 3
Day 4
Stages of Response
•
•
•
•
•
0 - Unconscious
1 - Involved
2 - Interactive
3 - Cooperative Response
4 - Non-cooperative (AD) Response
“Unconscious”
• Stage 0: “Right out-of-the-box”
• “The firm/system owner/operator takes no active
role, either directly or through proxy, to modify,
improve, enhance, or alter defensive capabilities
inherent in the hardware, firmware, and/or
software as delivered from the manufacturer or
installer.”
“Involved”
• Stage 1: “Doing Business”
• “The firm/system owner/operator establishes
(either directly or via proxy) a baseline, tailored,
day-to-day defensive posture involving only
resources directly owned or operated by that
owner/operator. The posture is maintained / kept
current.”
“Interactive”
• Stage 2: “We’ve Got a Problem”
• “The firm/system owner/operator applies
measures, in response to warning or evidence of
malfeasance, to resources directly owned or
operated by them. The measures are beyond the
baseline because they cause some loss of
flexibility, capability, or ease of use and the
owner/operator does not want/intend them to
become routine business practice.”
“Cooperative Response”
• Stage 3: “Reach out …”
• “The firm/system owner/operator engages other
organizations/firms/systems to take measures
intended to attribute, mitigate, or eliminate the
threat through cooperative efforts beyond the
ability of the owner/operator to effect but within
the lawful authority of the cooperating other party
or parties.”
“Non-cooperative Response”
• Stage 4: “... and Touch Someone.”
• “The firm/system owner/operator takes measures,
with or without cooperative support from other
parties, to attribute, mitigate, or eliminate the
threat by acting against an uncooperative
perpetrator or against an organization/firm/system
that could (if cooperative) attribute, mitigate, or
eliminate the threat.”
Active Defense
• Agora workshop on June 8, 2001 defined
“Active Defense” to be activity at Stage 4
• Stage 4 has levels, though
• Less intrusive to more intrusive
• Less risky to more risky
• Less disruptive to more disruptive
• Justification for and defense of your actions
may depend on how well you progress
through all 4 stages
Levels of Active Defense
• 4.1 - Non-cooperative ‘intelligence’
collection
• External services (finger, netstat, nbtstat)
• Back doors/remote exploit to access internal
services
• 4.2 - Non-cooperative ‘cease & desist’
• 4.3 - Retribution or counter-strike
• 4.4 - Preemptive defense
What Do We Need to Know?
• Are your losses and the potential risk to you
at least equal to the benefit gained if you are
successful?
• Who is it? Or “Attribution; the $64,000
question.”
• What are you contemplating doing?
• What effect do you intend to achieve?
• What ‘blow back’ could occur?
What Do We Need to Know?
• What are your personal and organizational
risks?
• Who can help?
• Who are you going to call if you do this?
• Who/what is the target? How do you know?
• Who defines what active defense is for you?
• Was there another way? Or “Creative
Response versus Active Defense”
Best Practice is to Think Ahead
• Risk Mitigation Strategy: Early, early, early
• Pre-arranged ‘moves’ with your ISP
• Business interruption insurance
• Before-the-fact discussions with the Law
• Pre-arranged responses within
• Time things out
• Range of response options for the CEO
• Who provides the oversight of this decision?
Other Points
• If this hurts your head, be glad you’re not in
Congress
• Dark Noise: It’s there and it’s useful
• People with the power of nation states
• Roles of government
• Can it provide recourse?
• Can it ever get fast enough?
• Agora as mentor
Unintended consequences
• Xerox PARC, 1978
• Researchers use worms to automate tasks
on Alto network
• Innocuous code corrupted
• >200 systems crash, reboot, crash…
• Morris worm in 1988 also buggy
• Even Nachi isn’t perfect
Oudot’s reaction to Blaster
• Used “honeyd” to pretend to be vulnerable
Windows box
• Opened fake worm port (4444/tcp)
• Captured worm payload using tftp
• Provided prototype cleanup code (that
worked!)
SysAdmins at UW polled: 76 respondents
#1 - Do you think it is ethical to take active defense measures like these in a random way (i.e.,
a worm) like nachi?
NO, W/ EXPLANATION
11%
DON'T KNOW
1%
EQUI-VOCAL
4%
YES
1%
YES, W/ EXPLANATION
3%
NO
80%
YES
YES, W/ EXPLANATION
NO
NO, W/ EXPLANATION
DON'T KNOW
EQUI-VOCAL
#2 - Do you think it is ethical to do this in a random way against systems within a network your
organization owns (e.g., a corporate network, a university network)?
YES
8%
EQUI-VOCAL
16%
DON'T KNOW
1%
YES, W/ EXPLANATION
20%
NO, W/ EXPLANATION
9%
NO
46%
YES
YES, W/ EXPLANATION
NO
NO, W/ EXPLANATION
DON'T KNOW
EQUI-VOCAL
#3 - Do you think it is ethical to do this in a targeted way (like outdot did) against systems within a
network your organization owns?
YES
21%
EQUI-VOCAL
32%
YES, W/ EXPLANATION
20%
DON'T KNOW
1%
NO, W/ EXPLANATION
4%
NO
22%
YES
YES, W/ EXPLANATION
NO
NO, W/ EXPLANATION
DON'T KNOW
EQUI-VOCAL
#4 - Do you think it is always unethical to alter files in any system you yourself do not own?
EQUI-VOCAL
19%
DON'T KNOW
0%
YES
40%
NO, W/ EXPLANATION
10%
NO
14%
YES, W/ EXPLANATION
17%
YES
YES, W/ EXPLANATION
NO
NO, W/ EXPLANATION
DON'T KNOW
EQUI-VOCAL
Open Discussion
Attack Scenario
• Players
• Warbucks Financial Services
• Target Medical Center at the University of Hard
Knocks
• Francis X. Hackerman
• C_prime
Warbucks Financial Services
•
•
•
•
•
•
Boutique stock services for high $$$ clients
Real-time quotes from their web site
CRM system used in-house
Voice over IP comms
Laptops for ul/dl data and email
All systems tightly integrated for speed,
flexibility, customized service
Hard Knocks U
• Large State U w/four campuses
• Combined Academic/Clinical Med Center
(Target Medical Center)
• TMC has Computerized Physician Order
Entry (CPOE) system connected to
Electronic Medical Record (EMR) system
• TMC used as DDoS agents
• HKU used as stepping stone, cache and
DDoS handler (on different campuses)
Francis X. Hackerman
• CISO of Warbucks
• Recent graduate of HKU School of
Information Management
• Was notorious hacker in High School
• Considers himself a highly skilled “hired
gun” when it comes to computer networks
C_prime
• Security Engineer at Hard Knocks
University
• Senior member of incident response team
• Represents HKU on Higher Ed ISAC
• Her background includes mathematics,
programming, system administration
Attack
• Attacker owns 2000-3000 hosts world-wide
(stepping stones, DDoS agents)
• Attacker choses to take out all services at Warbucks
via massive rolling DDoS attack (100-300 hosts at
a time)
• Warbucks’ network is inoperative - difficulty
tracing attack sources, but notes some at TMC,
HKU, many other .edus, etc.
• HKU IRT was already investigating intrusions to
hosts on their net (have isolated malware)
• Possible consequence of a disruptive AD action
towards TMC’s network is death of a patient
Response
• Hackerman and C_prime both go through
Stages 1 to 3
• DDoS traffic cannot be entirely blocked by
their upstream network provider
• DDoS network too large/dynamic to contact
all sites involved
• Explore options at Stage 4…
Action A
• C_prime finds a sniffer log on a
compromised TMC system. This log
exposes an account and password on a host
in Canada (used as a cache and stepping
stone by the attacker). She has the ability to
enter the Canadian system with root
privilege, and could periodically run
operating system commands to monitor use
and/or copy files off the system.
Action B
• Using this same password, she could also
shut this host down temporarily or semipermanently, requiring administrator
intervention. This could disable some/all of
the DDoS network (can’t be sure…)
• Consequence: Host goes down
Action C
• C_prime identifies means of controlling
(even disabling) DDoS agents on other
hosts. This knowledge could be used to
shut down just the DDoS agents on all
affected hosts at once during a DDoS attack.
• Consequence: DDoS agents stopped
Action D
• Hackerman scans the entire network at
TMC, identifying all nodes (IP address,
operating system type, all services enabled,
versions of services.) Sends results to TMC
network contact. Gets no reply.
Action E
• Hackerman’s scan finds a router vulnerable
to a one or more remote DoS attacks. Has
the option of using exploits to disable this
router.
• Consquence: Outage would affect all hosts
on TMC’s network that share this router.
(Possible result: Patient dies)
Action F
• Hackerman scans just the identified DDoS agents
at HKU & TMC (identifying operating system
type, all services enabled, versions of services).
Finds they are vulnerable to a remote exploit.
Could use this means to enter and disable network
access to these hosts.
• Similar to what RIAA/MPAA were proposing for
copyright violators
• Consequence: Host losses network access (Similar
to E)
Action G
• Hackerman’s scan shows a large number of
Windows desktops vulnerable to various
DCOM flaws. Could modify publicly
available exploits/worms to affect only
systems on the HKU, TMC networks,
shutting them down.
• Consequence: Many hosts go down (Similar
to E)
Action H
• Another alternative for Hackerman could be
to use DCOM exploits to take over control
of one or more systems on TMC’s network,
using them to sniff traffic of the intruder as
stepping stones are used. This could
identify the intruder, or at least get one hop
closer…
• Consequence: None?
Action I
• Hackerman is contacted by C_prime, who
knows Warbucks is victim of massive
DDoS. Provides Hackerman with
information about suspected DDoS
handlers, perhaps even attacker’s other
stepping stones. Hackerman could attack
these sites to try to pre-empt another round
of attacks on Warbucks’ network.
• Consequence: ???
Action J
Action K
Action L