Cyber TA Threat Operations Center

Slide 1
Cyber - Threat Analytics
Threat Operations Center
Washington, D.C.
Marcus H. Sachs, P.E.
www.cyber-ta.org
SRI International
marcus.sachs@sri.com
703-247-8717
Not approved for public release
Slide 2
Agenda
• Internet Threats, 2006
• New Attack Methods
• The Need for a New Approach
• The CyberTA Threat Operations Center
Slide 3
In the Beginning
• ARPANET was “born” in 1969 as a DoD experiment
• A culture of sharing and openness
– Government funded, academic focus
– Documentation based on Requests for Comments
• User communities
– Largely government/military/academia
– Virtually no talk of commercial or industrial use
– Security through obscurity was king
• Home users and hobbyists connected via dial-up bulletin board systems, not the ARPANET
Slide 4
And Then There Were Packets
• Infrastructure technologies
– Interface Message Processors
– Packet switching with gateways between networks
– Hosts.txt file updated a few times per month
• End point technologies
– Timesharing mainframes
– No personal computers, wireless, or hand-held devices
• Data exchange technologies and protocols
– FTP, telnet, SMTP, rlogin in use since mid-1970s
– Domain Name System introduced in 1980s
– Hypertext and World Wide Web proposed in late 1980s
Slide 5
Most Early Protocols Had Known Security Issues
• Sniffing clear-text passwords (ftp, telnet, smtp/pop, http)
• Spoofing (tcp and udp packet sources)
• Denial of service (echo vs chargen ports)
• Flooding attacks (SYN and RST)
• DNS cache poisoning (unvalidated dns responses)
• Mapping (traceroute using TTL and ICMP)
Slide 6
Others Created New Problems We Deal With Today
• Tunneling (data fields in packet headers)
• Sensor evasion (fragmentation reassembly)
• Fingerprinting (analysis of responses to crafted packets)
• Unsolicited bulk email (forged smtp headers)
• Phishing (unvalidated http transactions)
• Identity theft (open databases of personal information)
Slide 7
Threat Groups and Actors
• Espionage
– State-sponsored or corporate electronic spying
– Typically “open source” data collection
• Terrorist groups
– Covert communications channels
• Criminal activity
– Credit card theft, child pornography, copyright infringement
– Spyware and other unauthorized cyber tracking software
– Phishing emails and fake websites
– Encrypting files followed by extortion to decrypt them
• Insiders
– Unauthorized disclosure of intellectual property
• Hackers
– Worms, viruses, malicious software, website defacements, and adolescent pranks
Slide 8
Where are all the Worms?
• We thought that the Internet would get wormier
– But in fact it has not!
• The trend was clear:
– 2001: Li0n, Code Red, Nimda
– 2002: Slapper, Klez
– 2003: SQL Slammer, Blaster, SoBig
– 2004: Sober, MyDoom, Witty, Sasser
• Since 2004 there have been no new major worm outbreaks. WHY?
– Where is the MS06-040 or -042 worm?
Slide 9
The Rise of the Bots
• Bot = Robot, or autonomous software
– Sometimes called zombies or slaves
• The latest wave of malicious software introduced to the Internet
– Highly complex
– Evolving
– In many cases hard to detect or remove
• Original bots were IRC-based
• New vulnerabilities lead to new bots, not new worms
Slide 10
New Frontier: “Zero-Day” Attacks
• Find a vulnerability in a common software package or application
– Do not notify the software company
– Develop a working exploit that takes advantage of the vulnerability and keep the exploit a secret
• Subvert a target organization by flooding the victim with zero-day attachments or pointers to infected web sites
• Microsoft products are a favorite choice
– Internet Explorer in August 2005, April, Aug, and Sept 2006
– Windows Meta File (.wmf) in December 2005
– Microsoft PowerPoint in July and August 2006
– Microsoft Word in May and August 2006
Slide 11
So Who is Attacking Me?
• 1970s: virtually no attacks
– Heck, the networks were hard enough to run, why attack them?
• 1980s: academic attacks
– Brain virus, Morris worm
• 1990s: script kiddies take charge
– Web site defacements, parlor tricks with Trojan horses, email viruses, worms
• 2000s: value-oriented attacks, espionage, and terrorists
– Bots, root kits and zero-day vulnerabilities
Slide 12
Technical Terrorists and 4G Warfare
• Most terrorist groups are thought of as low-tech, not capable of cyber destruction
• But the next attack may not be directed against the Internet itself
– It might very well be directed towards our way of life
– Goal might be to disrupt our economy
– One way to achieve that goal would be to cause disruptions and havoc in our networks, grids, and communications systems
• 4th Generation Warfare is here
– “Non-state actors” with private funding, training, and goals
– Information operations is central to 4G warfare
Slide 13
Recruiting
• Most terrorist groups recruit for multiple skill sets
– Physical strength and endurance
– Intelligence
– Business and financial capabilities
– Technical skills
• Many al-Qaeda members have college degrees and advanced training in technical fields
• Terrorist groups understand the power of information control and will use it as a weapon
Slide 14
Indications and Warnings
• Disruption of the Afghanistan center of al-Qaeda in 2001-2002 resulted in a different C2 structure
• Internet is a perfect place for new operations
– No centralized control
– No “legitimacy of the state”
• Sympathizers in other countries can “help” via online activity
– Particularly idealistic youthful hackers
• Airplane attacks in 2001 were predicted by intelligence analysts
– Is a future terrorist cyber attack also predictable?
Slide 15
International Espionage
• China is our number one threat
– University students on academic visas
– “Professional” hacking clubs in China
– Titan Rain intrusion set
• Source code to Microsoft Windows and Office is available in China
• Most of the recent zero-day attacks against Microsoft Office products came from China
Slide 16
Hostile Word File From China
Slide 17
Organized Crime and Fraud
• Dangerous combination of
– Spammers
– Hackers
– Professional criminals
• US Secret Service, FBI, RCMP, Scotland Yard, and others currently investigating fraud cases totaling in the hundreds of millions of dollars
• International crime rings
• Use zero-day vulnerabilities in browsers
• New attacks involve mirroring a victim’s clipboard in addition to keylogging
Slide 18
The Criminal’s Playground
• The Internet is a “perfect” place for crime
– No taxes, therefore no tax evasion
– Value in everything online
– Anonymous access to vast resources
– Criminal tools look and act like lawful tools
– No national or political boundaries
– Laws and law enforcement are limited
– Numerous opportunities for money laundering (PayPal, etc.)
– Millions of clueless victims
Slide 19
A Criminal’s Tool Box
• “Script kiddies” are frustrated by the complexity of attack tools
• Need to bring order to the chaos of exploit development
– Too many vulnerabilities
– Too many payloads (actions on the target host)
• Software developers have common tools and shared libraries
– Why not build a framework that pulls it all together for exploit developers?
– And make that framework open source – i.e., FREE!
Slide 20
The Ultimate Weapon
• The best weapons are the simplest
• New wave of hacking tools are updated as new exploits are found
• Lethal when combined with a scanner
• Interface is a GUI
– Windows/Linux application or web application
• Metasploit is most popular
– Contains dozens of canned exploits
– Makes hacking as easy as a mouse click
– No understanding of computer science needed
– Gaining in popularity with both attackers and defenders
Slide 21
Pure Evil: Metasploit
• 153 Exploits
• 75 Payloads
• Multiple targets
– BSD
– IRIX
– Linux
– Mac
– Microsoft
– Solaris
• Point-n-Click Interface
• Version 3.0 is latest
http://metasploit.com/projects/Framework/downloads.html
Slide 22
The Future of Network Attacks
• DDoS attacks will decrease
– New mitigation tools are working
– “Real Hackers” don’t DoS
– Bot Armies will be used for distributed computing rather than DDoS
• Fraud will increase while worms decrease
– Too many juicy targets, including critical infrastructures and control systems
– Too much value in the Internet to ignore
– Watch for VOIP and streaming video fraud
– Online gaming community is a valuable target too
• Network components will become targets of opportunity
• Voice Over IP, Video Over IP: all are potential future targets
• In nearly all cases, future attacks will leverage historically insecure protocols and technologies!
Slide 23
The Future of Computer Security Research
• As attack tools get more complex, research funding and efforts must increase
• Cyber security funding will always compete with the physical threat mitigation community
– Chemical, Radiological, Nuclear, Biological are hot
– Cyber threats are “invisible” and hard to quantify
• Governments, private companies, universities, and citizens must look toward the future
– Our economic survival is at stake
• Research collaboration must mirror attack community collaboration levels
Slide 24
Our Challenge
• Current tools to detect attacks and defend our networks are based on 1990s threat models
– Anti-virus
– Worm detection
– DDoS prevention
– Scans, probes, and other flow-based tools
• New tools and analysis techniques need to be developed to detect and mitigate the new attack methods
Slide 25
We Need To:
• Create a centralized threat coordination and Internet monitoring center
– Including research and operational partners
• Distribute sensor data repositories across the consortium partnership
• Develop methods of sharing meta data while ensuring privacy and anonymity
• Develop new ways to visualize emerging threats and to understand their meanings
Slide 26
Next-Gen Threat Analysis Centers
• Must support highly automated threat diagnosis and prioritization
• Must scale to alert volumes and data sources covering millions of IP addresses
• Must be able to rapidly distribute actionable information back to user communities
• Must be able to fuse data from multiple sources, most of which are not related
• Must also be sensitive to data privacy and anonymity concerns
Slide 27
Cyber-TA Project Directions
• Internet-scale collaborative sharing of sensitive information to support analysis and correlation
• Real-time malware focused alert correlation analysis
• Rapid threat warning dissemination that leverages new collaborative data analysis capabilities
• Open-source software releases, capability demonstrations, and commercial integration
Slide 28
Cyber-TA Research Directions
• Some existing repositories collect millions of data elements per day
– Latency could be an hour or more
– Little or no client-side correlation
• Cyber-TA seeks to
– Reduce detection and correlation latency
– Produce client-side meta data that will supplement local sensor alert data
– Discover new analysis methods to assist in identifying new malware and threat tools
Slide 29
Ops Center Analytical Capabilities
• Current threat operations centers primarily focus on reactive measures such as
– IP blacklists
– Port statistics and analysis
– Historical trends
• New threat operations centers need to adopt innovative techniques such as
– Sensor meta-data sharing and analysis
– Publishing consensus-based signatures
– Sharing honeynet and malware collections
– Sharing botnet command and control data
– Dynamic updates to firewalls and IPSs
– Detecting changes to DNS, BGP, and other mechanisms
– Using application crash analysis tools for early detection of zero-day attacks
Slide 30
Ops Center Usage Scenarios
• Where the degree of trust between organizations is unknown
• Consensus-based release of sensor data and analysis facilitated by
– Out-of-band trust relationships
– Exchange of encryption keys
– Secure multi-party computation schemes
• Data distribution between “natural competitors” or non-sharing parties
– Can enemies share technical data anonymously?
Slide 31
CTA Threat Operations Center
• Alert repository database service
• Analysis and data coordination center
• Programmable interfaces for data feeds
• Public and private web portal
• Data visualization
• Host technology demonstrations and briefings
• Capable of supporting limited real-world operations with a few hours notice
Slide 32
High Level Deployment Scenario
• Immediate priority is to improve protection of DoD deployed networks
– Secondary are CONUS and OCONUS WANs such as NIPRNET and SIPRNET
– Later: domestic ad-hoc networks in support of emergency response scenarios
• Recommend deployment of a prototype CTA system in a mature AOR within six months of successful demonstration in CONUS
Slide 33
Roadmap for Deployment: Sensors
• Use devices already in place as sensors
– Firewalls
– Intrusion detection systems
– Routers and switches
– Host-based intrusion prevention systems
• Deploy a script that “scrapes” the needed data from the local sensor logs
– Extractions become part of CTA system
• Advantage: no new hardware devices or “bumps in the wire”
• Disadvantage: no control over signatures or configuration
• Cyber-TA will use both old and new sensor systems
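One way the “scrape” step on this slide could look, as an added example that is not code from the original presentation or from the Cyber-TA project: it parses constructed iptables-style firewall log lines, keeps the external source address, and replaces the internal destination address with a keyed hash so the site can contribute records while meeting the privacy and anonymity goals of Slides 25 and 30. The log format, regex, field names and site key are all assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines in an iptables-style syslog format (assumption:
# real sensor logs vary by device, so LINE_RE would be adapted per sensor).
SAMPLE_LOG = """\
Oct 12 03:14:07 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.1.2.3 PROTO=TCP SPT=4431 DPT=445
Oct 12 03:14:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.1.2.4 PROTO=TCP SPT=4432 DPT=445
Oct 12 03:14:11 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=UDP SPT=53 DPT=1434
Oct 12 03:14:15 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.9 DST=10.1.2.10 PROTO=TCP SPT=51000 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def pseudonymize(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so the same internal host maps to the same
    token across submissions from this site, without revealing the address
    to other consortium members. The key never leaves the site."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def scrape(log_text: str, site_key: bytes) -> list[dict]:
    """Extract the meta data the center needs from raw sensor log lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognized format: skip rather than guess
        records.append({
            "ts": m["ts"],
            "action": m["action"],
            "src": m["src"],                            # external IP: shared as-is
            "dst": pseudonymize(m["dst"], site_key),    # internal target hidden
            "proto": m["proto"],
            "dport": int(m["dpt"]),
        })
    return records


def top_dropped_ports(records: list[dict]) -> list[tuple[int, int]]:
    """Port statistics over dropped traffic, one of the feeds the center consumes."""
    return Counter(r["dport"] for r in records if r["action"] == "DROP").most_common()


if __name__ == "__main__":
    recs = scrape(SAMPLE_LOG, b"site-secret-key")  # constructed key for the demo
    for r in recs:
        print(r)
    print(top_dropped_ports(recs))
```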
Slide 34
Roadmap for Deployment: C2
• Initial C2 will be internal to SRI
– SRI researchers in Menlo Park
– Research partners in other USA locations
– Prototype operations center and analysis in Washington, D.C.
• Later we plan to leverage existing DoD C2 relationships
– JTF-GNO
– RCERTs, ACERT, AFCERT, NAVCIRC, MARCERT, NSIRC
• Long term goal is to transition technologies and lessons learned to the JTF-GNO and components
Slide 35
Operations Center Personnel
• SRI Staff (Washington, D.C.)
– Site Director
– Deputy Director and Project Coordinator
– Web Site Administrator
– Database Administrator
– Network Administrator
• Consultants (Outside of Washington)
– DShield
• Graduate Students (Local University)
– Two or three CompSci/InfoSec students
Slide 36
Equipment Block Diagram
[Equipment block diagram. Components shown: Sensors, Mixnet, CTA Firewall, SRI Router, E-net Switch, KVM, Database 1, Database 2, Web Server, Other servers, Video Switch, LCD Monitors, Analyst. Locations shown: Server Room, Demo Room, SRI-WDC Frame Room.]
Slide 37
Web Site
It’s not pretty, but stay tuned.....
Slide 38
Contact Information
Marcus H. Sachs, P.E.
1100 Wilson Blvd, Ste 2800
Arlington, VA 22209
marcus.sachs@sri.com
703-247-8717
http://www.cyber-ta.org
http://cyberta.dshield.org