Slide 1: Cyber-Threat Analytics Threat Operations Center
Washington, D.C.
Marcus H. Sachs, P.E., SRI International
www.cyber-ta.org
marcus.sachs@sri.com
703-247-8717
Not approved for public release

Slide 2: Agenda
• Internet Threats, 2006
• New Attack Methods
• The Need for a New Approach
• The CyberTA Threat Operations Center

Slide 3: In the Beginning
• ARPANET was “born” in 1969 as a DoD experiment
• A culture of sharing and openness
  – Government funded, academic focus
  – Documentation based on Requests for Comments
• User communities
  – Largely government/military/academia
  – Virtually no talk of commercial or industrial use
  – Security through obscurity was king
• Home users and hobbyists connected via dial-up bulletin board systems, not the ARPANET

Slide 4: And Then There Were Packets
• Infrastructure technologies
  – Interface Message Processors
  – Packet switching with gateways between networks
  – Hosts.txt file updated a few times per month
• End point technologies
  – Timesharing mainframes
  – No personal computers, wireless, or hand-held devices
• Data exchange technologies and protocols
  – FTP, telnet, SMTP, rlogin in use since mid-1970s
  – Domain Name System introduced in 1980s
  – Hypertext and World Wide Web proposed in late 1980s

Slide 5: Most Early Protocols Had Known Security Issues
• Sniffing clear-text passwords (ftp, telnet, smtp/pop, http)
• Spoofing (tcp and udp packet sources)
• Denial of service (echo vs chargen ports)
• Flooding attacks (SYN and RST)
• DNS cache poisoning (unvalidated dns responses)
• Mapping (traceroute using TTL and ICMP)

Slide 6: Others Created New Problems We Deal With Today
• Tunneling (data fields in packet headers)
• Sensor evasion (fragmentation reassembly)
• Fingerprinting (analysis of responses to crafted packets)
• Unsolicited bulk email (forged smtp headers)
• Phishing (unvalidated http transactions)
• Identity theft (open databases of personal information)

Slide 7: Threat Groups and Actors
• Espionage
  – State-sponsored or corporate electronic spying
  – Typically “open source” data collection
• Terrorist groups
  – Covert communications channels
• Criminal activity
  – Credit card theft, child pornography, copyright infringement
  – Spyware and other unauthorized cyber tracking software
  – Phishing emails and fake websites
  – Encrypting files, followed by extortion to decrypt them
• Insiders
  – Unauthorized disclosure of intellectual property
• Hackers
  – Worms, viruses, malicious software, website defacements, and adolescent pranks

Slide 8: Where Are All the Worms?
• We thought that the Internet would get wormier
  – But in fact it has not!
• The trend was clear:
  – 2001: Li0n, Code Red, Nimda
  – 2002: Slapper, Klez
  – 2003: SQL Slammer, Blaster, SoBig
  – 2004: Sober, MyDoom, Witty, Sasser
• Since 2004 there have been no new major worm outbreaks. WHY?
  – Where is the MS06-040 or -042 worm?
Slide 9: The Rise of the Bots
• Bot = Robot, or autonomous software
  – Sometimes called zombies or slaves
• The latest wave of malicious software introduced to the Internet
  – Highly complex
  – Evolving
  – In many cases hard to detect or remove
• Original bots were IRC-based
• New vulnerabilities lead to new bots, not new worms

Slide 10: New Frontier: “Zero-Day” Attacks
• Find a vulnerability in a common software package or application
  – Do not notify the software company
  – Develop a working exploit that takes advantage of the vulnerability and keep the exploit a secret
• Subvert a target organization by flooding the victim with zero-day attachments or pointers to infected web sites
• Microsoft products are a favorite choice
  – Internet Explorer in August 2005, April, Aug, and Sept 2006
  – Windows Meta File (.wmf) in December 2005
  – Microsoft PowerPoint in July and August 2006
  – Microsoft Word in May and August 2006

Slide 11: So Who Is Attacking Me?
• 1970s: virtually no attacks
  – Heck, the networks were hard enough to run, why attack them?
• 1980s: academic attacks
  – Brain virus, Morris worm
• 1990s: script kiddies take charge
  – Web site defacements, parlor tricks with Trojan horses, email viruses, worms
• 2000s: value-oriented attacks, espionage, and terrorists
  – Bots, rootkits, and zero-day vulnerabilities

Slide 12: Technical Terrorists and 4G Warfare
• Most terrorist groups are thought of as low-tech, not capable of cyber destruction
• But the next attack may not be directed against the Internet itself
  – It might very well be directed towards our way of life
  – Goal might be to disrupt our economy
  – One way to achieve that goal would be to cause disruptions and havoc in our networks, grids, and communications systems
• 4th Generation Warfare is here
  – “Non-state actors” with private funding, training, and goals
  – Information operations is central to 4G warfare

Slide 13: Recruiting
• Most terrorist groups recruit for multiple skill sets
  – Physical strength and endurance
  – Intelligence
  – Business and financial capabilities
  – Technical skills
• Many al-Qaeda members have college degrees and advanced training in technical fields
• Terrorist groups understand the power of information control and will use it as a weapon

Slide 14: Indications and Warnings
• Disruption of the Afghanistan center of al-Qaeda in 2001-2002 resulted in a different C2 structure
• Internet is a perfect place for new operations
  – No centralized control
  – No “legitimacy of the state”
• Sympathizers in other countries can “help” via online activity
  – Particularly idealistic youthful hackers
• Airplane attacks in 2001 were predicted by intelligence analysts
  – Is a future terrorist cyber attack also predictable?
Slide 15: International Espionage
• China is our number one threat
  – University students on academic visas
  – “Professional” hacking clubs in China
  – Titan Rain intrusion set
• Source code to Microsoft Windows and Office is available in China
• Most of the recent zero-day attacks against Microsoft Office products came from China

Slide 16: Hostile Word File From China

Slide 17: Organized Crime and Fraud
• Dangerous combination of
  – Spammers
  – Hackers
  – Professional criminals
• US Secret Service, FBI, RCMP, Scotland Yard, and others currently investigating fraud cases totaling in the hundreds of millions of dollars
• International crime rings
• Use zero-day vulnerabilities in browsers
• New attacks involve mirroring a victim’s clipboard in addition to keylogging

Slide 18: The Criminal’s Playground
• The Internet is a “perfect” place for crime
  – No taxes, therefore no tax evasion
  – Value in everything online
  – Anonymous access to vast resources
  – Criminal tools look and act like lawful tools
  – No national or political boundaries
  – Laws and law enforcement are limited
  – Numerous opportunities for money laundering (PayPal, etc.)
  – Millions of clueless victims

Slide 19: A Criminal’s Tool Box
• “Script kiddies” are frustrated by the complexity of attack tools
• Need to bring order to the chaos of exploit development
  – Too many vulnerabilities
  – Too many payloads (actions on the target host)
• Software developers have common tools and shared libraries
  – Why not build a framework that pulls it all together for exploit developers?
  – And make that framework open source, i.e., FREE!
Slide 20: The Ultimate Weapon
• The best weapons are the simplest
• New wave of hacking tools are updated as new exploits are found
• Lethal when combined with a scanner
• Interface is a GUI
  – Windows/Linux application or web application
• Metasploit is most popular
  – Contains dozens of canned exploits
  – Makes hacking as easy as a mouse click
  – No understanding of computer science needed
  – Gaining in popularity with both attackers and defenders

Slide 21: Pure Evil: Metasploit
• 153 Exploits
• 75 Payloads
• Multiple targets
  – BSD
  – IRIX
  – Linux
  – Mac
  – Microsoft
  – Solaris
• Point-n-Click Interface
• Version 3.0 is latest
• http://metasploit.com/projects/Framework/downloads.html

Slide 22: The Future of Network Attacks
• DDoS attacks will decrease
  – New mitigation tools are working
  – “Real Hackers” don’t DoS
  – Bot Armies will be used for distributed computing rather than DDoS
• Fraud will increase while worms decrease
  – Too many juicy targets, including critical infrastructures and control systems
  – Too much value in the Internet to ignore
  – Watch for VOIP and streaming video fraud
  – Online gaming community is a valuable target too
• Network components will become targets of opportunity
• Voice Over IP, Video Over IP: all are potential future targets
• In nearly all cases, future attacks will leverage historically insecure protocols and technologies!
Slide 23: The Future of Computer Security Research
• As attack tools get more complex, research funding and efforts must increase
• Cyber security funding will always compete with the physical threat mitigation community
  – Chemical, Radiological, Nuclear, Biological are hot
  – Cyber threats are “invisible” and hard to quantify
• Governments, private companies, universities, and citizens must look toward the future
  – Our economic survival is at stake
• Research collaboration must mirror attack community collaboration levels

Slide 24: Our Challenge
• Current tools to detect attacks and defend our networks are based on 1990s threat models
  – Anti-virus
  – Worm detection
  – DDoS prevention
  – Scans, probes, and other flow-based tools
• New tools and analysis techniques need to be developed to detect and mitigate the new attack methods

Slide 25: We Need To:
• Create a centralized threat coordination and Internet monitoring center
  – Including research and operational partners
• Distribute sensor data repositories across the consortium partnership
• Develop methods of sharing metadata while ensuring privacy and anonymity
• Develop new ways to visualize emerging threats and to understand their meanings

Slide 26: Next-Gen Threat Analysis Centers
• Must support highly automated threat diagnosis and prioritization
• Must scale to alert volumes and data sources covering millions of IP addresses
• Must be able to rapidly distribute actionable information back to user communities
• Must be able to fuse data from multiple sources, most of which are not related
• Must also be sensitive to data privacy and anonymity concerns

Slide 27: Cyber-TA Project Directions
• Internet-scale collaborative sharing of sensitive information to support analysis and correlation
• Real-time malware-focused alert correlation analysis
• Rapid threat warning dissemination that leverages new collaborative data analysis capabilities
• Open-source software releases, capability demonstrations, and commercial integration

Slide 28: Cyber-TA Research Directions
• Some existing repositories collect millions of data elements per day
  – Latency could be an hour or more
  – Little or no client-side correlation
• Cyber-TA seeks to
  – Reduce detection and correlation latency
  – Produce client-side metadata that will supplement local sensor alert data
  – Discover new analysis methods to assist in identifying new malware and threat tools

Slide 29: Ops Center Analytical Capabilities
• Current threat operations centers primarily focus on reactive measures such as
  – IP blacklists
  – Port statistics and analysis
  – Historical trends
• New threat operations centers need to adopt innovative techniques such as
  – Sensor metadata sharing and analysis
  – Publishing consensus-based signatures
  – Sharing honeynet and malware collections
  – Sharing botnet command and control data
  – Dynamic updates to firewalls and IPSs
  – Detecting changes to DNS, BGP, and other mechanisms
  – Using application crash analysis tools for early detection of zero-day attacks

Slide 30: Ops Center Usage Scenarios
• Where the degree of trust between organizations is unknown
• Consensus-based release of sensor data and analysis facilitated by
  – Out-of-band trust relationships
  – Exchange of encryption keys
  – Secure multi-party computation schemes
• Data distribution between “natural competitors” or non-sharing parties
  – Can enemies share technical data anonymously?
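One concrete answer to the anonymous-sharing question above, combined with the deck's idea of scraping logs from sensors already in place: an added example (not Cyber-TA or DShield code) that parses constructed iptables-style firewall log lines, keeps the external source address as-is, and replaces the contributor's own addresses with keyed HMAC pseudonyms before records leave the site. The log format, field names, and the per-contributor key are assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample of iptables-style firewall log lines (not real sensor data).
SAMPLE_LOG = """\
Oct 12 03:14:07 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN
Oct 12 03:14:09 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=445 SYN
Oct 12 03:14:12 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=1434
Oct 12 03:14:15 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4001 DPT=139 SYN
"""

# Assumed line layout: syslog timestamp, host, "kernel:", then KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def pseudonymize(ip: str, key: bytes) -> str:
    """Keyed pseudonym for a contributor-internal address.

    The same host maps to the same token across all of one contributor's
    records, so the center can still correlate, but without the key the
    token cannot be reversed to the real address.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def scrape(log_text: str, key: bytes) -> list:
    """Extract shareable records from raw firewall log text."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the scraper does not understand are dropped, not guessed
        records.append({
            "ts": m["ts"],
            "src": m["src"],                   # external address: shared as observed
            "dst": pseudonymize(m["dst"], key),  # own address: pseudonymized
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return records


def port_summary(records: list) -> Counter:
    """Per-(protocol, destination port) counts, the kind of statistic a center publishes."""
    return Counter((r["proto"], r["dpt"]) for r in records)
```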
Slide 31: CTA Threat Operations Center
• Alert repository database service
• Analysis and data coordination center
• Programmable interfaces for data feeds
• Public and private web portal
• Data visualization
• Host technology demonstrations and briefings
• Capable of supporting limited real-world operations with a few hours’ notice

Slide 32: High Level Deployment Scenario
• Immediate priority is to improve protection of DoD deployed networks
  – Secondary are CONUS and OCONUS WANs such as NIPRNET and SIPRNET
  – Later: domestic ad-hoc networks in support of emergency response scenarios
• Recommend deployment of a prototype CTA system in a mature AOR within six months of successful demonstration in CONUS

Slide 33: Roadmap for Deployment: Sensors
• Use devices already in place as sensors
  – Firewalls
  – Intrusion detection systems
  – Routers and switches
  – Host-based intrusion prevention systems
• Deploy a script that “scrapes” the needed data from the local sensor logs
  – Extractions become part of CTA system
• Advantage: no new hardware devices or “bumps in the wire”
• Disadvantage: no control over signatures or configuration
• Cyber-TA will use both old and new sensor systems

Slide 34: Roadmap for Deployment: C2
• Initial C2 will be internal to SRI
  – SRI researchers in Menlo Park
  – Research partners in other USA locations
  – Prototype operations center and analysis in Washington, D.C.
• Later we plan to leverage existing DoD C2 relationships
  – JTF-GNO
  – RCERTs, ACERT, AFCERT, NAVCIRC, MARCERT, NSIRC
• Long term goal is to transition technologies and lessons learned to the JTF-GNO and components

Slide 35: Operations Center Personnel
• SRI Staff (Washington, D.C.)
  – Site Director
  – Deputy Director and Project Coordinator
  – Web Site Administrator
  – Database Administrator
  – Network Administrator
• Consultants (Outside of Washington)
  – DShield
• Graduate Students (Local University)
  – Two or three CompSci/InfoSec students

Slide 36: Equipment Block Diagram
[Block diagram; labeled components: Sensors, Mixnet, CTA Firewall, SRI Router, E-net Switch, KVM, Database 1, Database 2, Web Server, Other servers, LCD Monitors, Video Switch, Analyst; rooms: Demo Room, Server Room, SRI-WDC Frame Room]

Slide 37: Web Site
It’s not pretty, but stay tuned...

Slide 38: Contact Information
Marcus H. Sachs, P.E.
1100 Wilson Blvd, Ste 2800
Arlington, VA 22209
marcus.sachs@sri.com
703-247-8717
http://www.cyber-ta.org
http://cyberta.dshield.org