Intrusion Tolerance
advertisement
Minimizing Losses from Zero Days – A New Layer of
Defense (SCIT)
Game-Change Concepts:
Moving Target + Exposure Management
Next Generation Server Security Technology
Arun Sood Ph. D.
Dept of Computer Science & International Cyber Center, SCIT Labs Inc
http://cs.gmu.edu/~asood/scit
http://www.scitlabs.com
+1703.347.4494
SCIT
Multi-National Security Breach
• http://news.bbc.co.uk/2/hi/technology/7118452.stm
• “A huge campaign to poison web searches and trick people into visiting
malicious websites has been thwarted.”
• If a user searched Google for terms such as
– "hospice", "cotton gin and its effect on slavery", "infinity" and many more
– The first result pointed to a website from which malicious software was
downloaded and embedded on user system.
• Criminals in country A created domains that were mostly bought by
companies in country B and hosted in country C. Tens of thousands of
domains were used.
• These domains tricked the indexing strategy of Google to believe that
these web pages were good and reliable source of information.
Our focus: targeted and organized attacks.
SCIT
Anatomy of an Hack
Analyze publicly
available info. Set
scope of attack and
identify key targets
Check for
vulnerabilities on
each target
Exploitation
Buffer Overflow
Spoofing
Password
DOS
Attack targets using
library of tools and
techniques
Automated Scanning
Machines
Ports
Applications
•
Identify Target
•
Install Malicious Code
•
Hack Other Machines
•
Take over Domain Controller
Deliver Payload
Custom Trojan
Rootkit
Attack targets using
installed software
Damage
“Owning” IP Theft,
Blackmail, Graffiti,
Espoinage
Destruction
Damage
“Owning” IP Theft,
Blackmail, Graffiti,
Espoinage
Destruction
Richard Stiennon, May 2006,
http://blogs.zdnet.com/threatchaos/?p=330
SCIT
Automated Approach
Foot print analysis
Who is
NSLookup
Search Engines
Enumeration
Scanning
Machines
Ports
Applications
Manual Approach
Foot print analysis
Who is
NSLookup
Search Engines
Enumeration
Attacking a Multi-tier Architecture
Web-App-DB-Domain Controller
•
Step 1: Identify Target
•
Step 2: Initial Compromise
•
Step 3: Elevate Privileges
•
Step 4: Hacking Other Machines
•
Step 5: Take over Domain Controller
–
–
–
–
–
–
–
–
–
–
Network address ranges
Host names
Exposed hosts
Applications exposed on those hosts
Operating system and application version information
Patch state of both the host and of the applications
Structure of the applications and back-end severs
Web pages are always exposed – opportunity for ingress
Become a privilege user – like internal user on the target system
Own the network.
Jesper Johansson and Steve Riley , Protect Your Windows Network: From Perimeter to Data, Addison-Wesley Professional, 2005.
SCIT
The Problem
• Verizon Business (DBIR2009): 285 M records compromised for 90
sites. Customized malware hard to detect. Intrusion persists for
days, weeks, months.
– Network Solutions, Wyndham Hotels.
• Symantec produced 920,000 malicious signatures in 2009.
• 50% of all vulnerabilities in web apps.
• Half of disclosed vulnerabilities had no fixes.
• Recovery from a breach is costly: $6.3M [Ponemon Inst]
• Focus on targeted and organized attacks.
Current reactive approaches are inadequate.
We introduce intrusion tolerance – a new paradigm.
SCIT
Verizon (DBIR2010): Time Frame
SCIT
The SCIT Solution
SCIT provides Intrusion Tolerance for servers…
…using virtualization to restore the OS and
application to a pristine state after attack!
SCIT Virtual Partition
Enterprise
Server
SCIT
Virtual
Server
Firewall
Hacker
(Actual Photo)
Every minute SCIT software cleans and restores the virtual server to its
pristine state
3/22/2016
SCIT
7
Cross Sector Cyber Threats
Strategy
Defense in Depth Approach to Security
• Multi layered Approach to Security: Best if layers operate
independently
• Firewalls depend on inspection of incoming packets
• IDS/IPS depend on inspection of incoming and outgoing packets
– With increasing bandwidth and more matching requirements, the cycles
devoted to packet inspection will keep increasing
• Threat independent approaches are needed for protection against
zero-days
• Other approaches should be included in the mix, including
approaches that do not rely on packet inspection and have potential
for threat independent performance:
– White list of software
– Time-dependent recovery-based intrusion tolerance
SCIT
Cross Sector Cyber Threats
The SCIT Solution
Strategy
• Static Servers Converted to Dynamic Environment
– Facilitates Incorporation of Diversity
• Threat Independent
• Rapid Recovery: Work Through an Attack
• Mission Resilience
• Emphasize Temporal Dimension
• Virtualization as a New Framework for Server
Security
SCIT
How Does SCIT Provide Additional
Security?
•
SCIT servers
•
SCIT DNS servers
•
SCIT Web servers
– Regularly restored to a known state and remove malicious software installed by attackers.
– Provide protection while manufacturer is developing a patch, i.e. SCIT servers are
protected in the time period between vulnerability detection and patch distribution.
– Gives data center managers an additional level of freedom in developing a systematic plan
for patch management.
– Domain name / IP address mapping is protected from malicious alteration, thus avoiding
improper redirection of the traffic.
– Protect the corporate crown jewels, front ends for sensitive information, e.g. customer or
employee data sets, IP, and informational web sites.
– Regularly restores the sites to known states, and makes it difficult for intruders to
undertake harmful acts such as deleting files.
– Avoid long term defacements.
– Reduces the risk of large scale data ex-filtration.
SCIT
Key Intrusion Tolerance Approaches
OASIS (DARPA)
MAFTIA (EU)
Fault Tolerance Based: Intrusion Detection First
SCIT (GMU)
Recovery Based
Structure Based
Structure Based
Time Dependent
Packet Inspection
Yes
Yes
No
Voting Algorithm
Yes
Yes
No
Deterministic
No
No
Yes
Performance Impact
Yes
Yes
Yes
Diversity
Required
Required
Optional. Diversity will make
scheme more robust
Recovery
Performed upon
detecting intrusion.
Performed upon
detecting intrusion.
Built in automatic periodic
recovery.
See IEEE Security andSCIT
Privacy paper for details
Comparison of IDS, IPS, SCIT
Issue
Firewall, IDS, IPS
Intrusion tolerance
Risk management.
Reactive.
Proactive.
A priori information
required.
Attack models. Software
vulnerabilities. Reaction
rules.
Exposure time selection.
Length of longest
transaction.
Protection approach.
Prevent all intrusions.
Impossible to achieve.
Limit losses.
System Administrator
workload.
High. Manage reaction
rules. Manage false alarms.
Less. No false alarms
generated.
Design metric.
Unspecified.
Exposure time:
Deterministic.
Packet/Data stream
monitoring.
Required.
Not required.
Higher traffic volume
requires.
More computations.
Computation volume
unchanged.
Applying patches.
Must be applied
immediately.
Can be planned.
3/22/2016
SCIT
12
Server Rotations
Example: 5 online and 3 offline servers
Servers
-Virtual
-Physical
Server
Rotation
Online
servers;
potentially
compromised
Offline
servers; in
self-cleansing
3/22/2016
SCIT
13
Server Rotations
Example: 5 online and 3 offline servers
Servers
-Virtual
-Physical
Server
Rotation
Online
servers;
potentially
compromised
Offline
servers; in
self-cleansing
3/22/2016
SCIT
14
Server Rotations
Example: 5 online and 3 offline servers
Servers
-Virtual
-Physical
Server
Rotation
Online
servers;
potentially
compromised
Offline
servers; in
self-cleansing
3/22/2016
SCIT
15
Server State Transitions
Current
Additional States Planned for Analysis and Archiving
3/22/2016
SCIT
16
SCIT Supports Session Persistence
• SCIT does not require changing the application server or
application code
• SCIT servers support session persistence but do not
migrate state
• Session data is stored in shared memory or shared by
multicasting among the virtual servers
• Session info is data and not executable
3/22/2016
SCIT
17
SCIT - Intrusion Tolerance Approach
•
Increase security by reducing exposure window
•
Decreasing available time for intrusion, reduces potential losses
•
No packet inspection; No signatures; No detection
•
SCIT does not eliminate vulnerabilities or prevent intrusions,
but makes it difficult to exploit the vulnerability
•
Additional layer of defense
– Exposure window is the time a server is online between rotations
– Optimizes application-specific exposure windows to servers
Loss
Loss Curve
T
Intruder Residence Time
•
Reduce managed services cost
•
Adaptive SCIT
•
Increase availability – reduce down time for upgrades – fewer
reboots
Cost
– Integrated system: prevention, detection, tolerance
T
3/22/2016
SCIT
18
Transaction Length in Multi-tier
Architecture
Layer
Implementation
Transaction Length
Client Layer
Web site, DNS service
Short
Middle Layer
Authentication, Single Sign On
Short
VPN, Streaming Media
Long
Transaction Processing
Short
File Access
Mixed
Complex Database Queries
Long
Back End Layer
SCIT
Exposure Time Reductions
Application
Current Server
SCIT Server
Websites – Windows Server
1 day to 3 month
60 seconds
Websites – UNIX Server
1 month to 6 months
60 seconds
DNS services – Linux Server
3 months to 1 year
30 seconds
In the following slides we show that:
Reducing Exposure Time Significantly Reduces
Expected Loss
SCIT
Security Risk Assessment
Threat Level
Threat Probability
(Threat Probability x Risk Factor)
Criticality Factor
Risk Factor
(Criticality/Effort)
Exposure Factor (EF)
Effort Required
(Threat Level x Impact)
x Asset Value (AV)
Single Loss Expectancy
(SLE)
x Annual Rate of Occurrence (ARO)
Vulnerability Factor
Annual Loss Expectancy
(ALE)
Impact (Loss Factor)
Asset Priotiy
Follows SecurityFocus.com (Symantec), Microsoft
SCIT
Risk Shaping by Exposure Time
SCIT
Multi Tier Example
Un-trusted
domain
Corporate
Trusted domain
Private
domain
High Risk
Medium Risk
Low Risk
Zone 3
Workstation
Zone 2
Content Management
Server
Zone 1
Database
Server
SCIT
SCIT vs Traditional Cumm Single Loss
Expectancy
$80,000
$30,000
$20,000
SCIT Exposure Time
C
ur
r
C en
um t A
m pp
As ro
se ach
tV
al
ue
60
50
40
30
$10,000
$0
10
Web server
DNS server
Content Manager
Database server
$50,000
$40,000
20
Multi Tier
Architecture
$70,000
$60,000
Reducing Exposure Time Significantly Reduces Expected Loss
SCIT
Avoidance is Better Than Cleaning
•
You cannot clean a compromised system by
•
You cannot trust
•
The only proper way to clean a compromised system is to flatten and rebuild.
•
CLEANING COMPROMISED SYSTEMS IS DIFFICULT. IT IS BETTER TO AVOID
HACKING.
–
–
–
–
–
–
–
–
patching it.
removing the back doors.
using some vulnerability remover.
using a virus scanner.
reinstalling the operating system over the existing installation.
any data copied from a compromised system.
the event logs on a compromised system.
your latest backup.
SCIT
Case Study: Payment Card
Industry
•
Cost per exposed accounts (legal and professional fees, customer contact, post
event clean up and improvements)
–
–
•
More than 1M accounts compromised: $50 per account
Few (1500) accounts compromised: $1500 per account
Cost for protecting data – 100,000 customers
Method
$ per customer
Year 1
Comments
Recurring
Encrypt data at rest
$5
$1
Application Changes
Host IDS
$6
$2
False Alarm management
Continuous security audits
$3 - $4
$3 - $4
Vulnerability scanning
•
Bottom Line: Cost of exposed accounts >> Cost of protection
•
Reducing Exposure Time provides additional layer of defense - makes it
more difficult to exploit vulnerabilities
steal data.
Source: Rapidand
7 – Vulnerability
Management Trends. Also Gartner Group
SCIT
Sample Requirements Met by
SCIT Servers
• Web site should not be defaced longer than 1 minute
• DNS tables should be restored within 1 minute
• System should reduce data ex-filtration – when combined with IDS
the volume of data that can be maliciously retrieved can be
computed
• To ensure clean servers, remove malware every minute
• Change the face of the website every minute
SCIT
Randomized Defensive Strategies
•
Current servers are static and overexposed -almost sitting ducks
•
Randomly change the exposed face of the target
– Hide, obscure, alter, move target
•
Develop approaches that are effective in server farms and at the point of
the spear
•
Issues to address:
– Impact on system administration
– Scalability
SCIT
Comparing 4 Architectures
IDS
SCIT
NIDS + HIDS
NIDS + SCIT
SCIT
Results of Simulation
Parameters used in the simulation
Simulation Metrics
Value (units)
Number of queries
used
50,000
Intruder Residence
Time (IRT)
0 minutes to 2 months
Mean IRT – Pareto
distribution
48 hours
Exposure Time – 2
cases
1.
2.
Data Ex-filtration rate
675 records/breach
4 hrs
4 mins
Results of the simulation
Case
NIDS
Total
damage
(records)
245,962
(100%)
SCIT: ET 4hrs
55,364
SCIT: ET 4
(23%)
mins
1,015 (0.4%)
NIDS + HIDS
210,578
(86%)
NIDS + SCIT 20,931 (9%)
(ET 4 hrs)
NIDS + SCIT 383 (0.16%)
(ET 4 mins)
SCIT
No. of
breaches
192
Mean
Damage
(records/
breach)
1,281
508
508
109
2
164
1,284
191
110
191
2
Long
Transaction Length
Short
Target Applications
• E-Commerce payments –
long session of multiple
short transactions
• Streaming media
• Web servers
• DNS services
• Single Sign On
• Firewalls
• Authentication (LDAP)
• Transaction Processors
• VPN
• Complex Database Queries
• Back end processing
• File Transfer (size dependent)
Low
High
Value for Exposure Window Management
SCIT
Collaboration with Systems Integrators
• Lockheed Martin
– Testing and validation of SCIT servers.
– Funded SCIT research
• Northrop Grumman
– Testing and validation of SCIT servers.
– Matching partner – Virginia CTRF project
• Raytheon
– Collaborated on SBIR proposal
3/22/2016
SCIT
32
Testing by Northrop Grumman
Component
Test Objectives
Findings
Basic Web Server with
Session persistence
Defacement (recovery)
System Compromise (limit effects)
Data Corruption (recovery)
Data ex-filtration (limit effects)
The resilience of the underlying VM architecture
proved effective at thwarting any long term or
permanent damage to the platform as a result of
malicious activity.
E-Commerce Application
Defacement (recovery time)
System Compromise (limit effects)
Data Corruption (recovery)
Data ex-filtration (limit effects)
Shopping Cart Price manipulation
The findings were the same as the basic web
server and the shopping cart was not subject to
manipulation
Single Sign-On
SQL injection
System Compromise
Unauthorized access
Due to effective firewall and authentication
input filtering the SSO architecture proved
immune to O/S Corruption and Database
Exploitation attack vectors.
The underlying rotation of SSO Virtual Machine
instances proved transparent throughout the
entire course of testing.
Overall
The SCIT platform does reduce exposure time and confuses attacker efforts.
There is a slight performance degradation as exposure time is reduced.
SCIT
Lockheed Testing
•
The overall security features of the SCIT system performed as advertised. This
tool is very effective in ensuring application availability and the integrity of the
web server itself. It provides a stable platform on which an enterprise can host
web applications.
•
“…The evaluators found that the first step, port scanning, was successfully
accomplished. However, the Nessus software just hung when establishing
sessions with the open ports it found. This was probably because the rotation of
the servers deleted the session information that Nessus left on the servers. “
•
Recovery from DoS attack
•
Resiliency
•
SCIT does not fix app/OS vulnerabilities; does not protect against the integrity,
and confidentiality of the user’s session and sensitive data; these properties are
the same as that of the application.
•
Current SCIT implementations do not change the application code.
–
–
–
Verify that the system will automatically recover from a website defacement attack.
Verify that the system will automatically recover if the service is made unavailable.
Verify that if the vulnerabilities were executed they would not seriously impact the overall system
SCIT
Quick Review + Road Map
SCIT: Why? How? Scope. Independent
Validation.
Performance.
DOD Network. Specific Server: SCIT – DNS.
Scalability.
Plans.
Demo
SCIT
Performance & Functionality Stress Tests
•
Workload: number of user sessions/minute (50,100,125)
•
User session:
–
Series of request and response from server
– Select item from drop down list and add it to persistent storage
•
OpenSTA is used to generate workload
–
•
3 runs per case.
Duration of run = 3 * Exposure time for the run
–
each VM is tested at least once
•
Workload consists of N requests every 10 secs.
•
Exposure times of 2,3 and 4 minutes, No Rotation
•
Stand alone web server for Non-SCIT test.
3/22/2016
SCIT
36
Performance Test Results
Exp Time (minutes)
User Sessions
Avg. Response Time
(secs)
STD Dev
2m
50
6.16
0.07
2m
100
6.24
0.01
2m
125
6.27
0.02
3m
50
6.10
0.04
3m
100
6.15
0.02
3m
125
6.31
0.05
4m
50
6.08
0.04
4m
100
6.15
0.02
4m
125
6.14
0.02
No Rotation
50
6.03
0.01
No Rotation
100
6.03
0.00
No Rotation
125
6.04
0.00
3/22/2016
SCIT
SCIT Server Environment
• Entry Level DELL
System
•Dual processor – 4
cores each
•Memory: 4 GB
• Slackware OS
• Apache, Tomcat,
Shopping Cart (Java)
37
SCIT and DoD Networks
Network
Relative Size
Frequency of
Change
Security Support Staff
Sustaining
Network
Many servers.
Worldwide.
Slowly changing.
Large & talented support
Tactical
Network
Fewer servers.
Smaller region.
Potential for rapid
change.
Limited support. Frequent
staff rotations.
• Sustaining Networks
• SCIT provides additional layer of defense.
• Tactical Networks
• SCIT provides continuity of operations, automatic
recovery.
3/22/2016
SCIT
38
Standards and Compliance Requirements
• DODI 8500.2
Enclave and Computing Environment
Integrity
ECID-1 Host Based IDS
Host-based intrusion detection systems are deployed for
major applications and for network management assets,
such as routers, switches, and domain name servers
(DNS).
• Payment Card Industry Data Security Standard
Consumer Data Protection Requirement
Compensating Control
3/22/2016
SCIT
39
Potential Target Audience
•
•
•
•
•
Web site/ Ecommerce
• Commercial Data Centers
• Government Critical Infrastructure sites
(e.g. Emergency preparedness)
Database server protection
DNS servers
SSO servers
Cloud Computing Services
3/22/2016
SCIT
40
DNS & DNSSEC & SCIT-DNS
• DNS is an essential part of Internet.
– Used where names are used – web, email, web services, etc
– DNS was designed for trusted environment.
• DNSSEC adds end-to-end security to DNS.
– OMB has mandated DNSSEC.
– “.. represents an infinitesimal presence .”
(http://dns.measurement-factory.com/surveys/200910.html)
– Particularly challenging in some environments, like tactical.
• SCIT – DNS
– DNSSEC is the preferred solution.
– SCIT-DNS provides near DNSSEC trust with DNS convenience
– Focus of Army SBIR
3/22/2016
SCIT
41
SCIT – DNS
Trust Degradation With Time
DNS
SCIT-DNS
DNSSEC
1.2
1
Trust
0.8
0.6
0.4
0.2
0
0
1
2
3
4
5
6
7
Time
3/22/2016
SCIT
42
SCIT in Server Farms
Scalability Issues
• Can SCIT be incorporated in
Enterprise environments?
Version 1 Objectives
• System Admin Function
– Many apps and servers
– Monitoring of the system state
– Diagnostics
– Many servers
– Many applications
• Can SCIT work in a multiple
apps per server environment?
• Deployment of VMs
– App related VMs are assigned to the
servers
• Distribute after testing at a staging
server
• System captures VM map to
facilitate deployment
• Can SCIT VMs be distributed
across the server farm?
• Can SCIT effectively exploit
multi-core architectures?
3/22/2016
• Distributing the sever load
– Prelim simulation model
– Resource Allocation model
SCIT
43
SCIT Configuration & Construction
Library
Select OS
Select SCIT
App
Select 3rd Party
Apps
Staging
Server
GUI
• Controller IP
• Dispatcher
IP
• # of VMs
Controller VM
Pristine Image
VM
Staging Server
Dispatcher VM
Manual
Tuning
Cloned
Pristine
Cloned
ImagePristine
VM 01
Cloned
ImagePristine
VM 01
Cloned
ImagePristine
VM 01
Cloned
ImagePristine
VM 01
Image VM 01
Pristine
Image VM
3/22/2016
SCIT
44
Current Status
•
Validated the scalability of SCIT: Developed SCIT Infrastructure System
(SIS)
–
–
–
–
Monitor server farm from a single point
Diagnostics from a single location
Automate the staging, testing and deployment of SCIT apps
• Pristine images, clones, dispatcher, controller
• Specified the key management requirements
• Configuration
Simulation of SCITized multiple application server farm
•
Independent validation at Lockheed units
•
Independent validation at Northrop Grumman Triad Labs - Colorado
•
Moving target defense
•
SCIT DNS
•
SCIT SSO – SAML compatibility
•
Community of interest: pubs, invited presentations and workshops
•
Parallel Effort: Development, Quantitative, Simulation
–
–
Testing at Gaithersburg, Omaha, Rockville
Capture new use cases: upload and download of files taking 3 to 4 minutes: Share Point
3/22/2016
SCIT
45
Way Ahead
• Further Validation and Certification
– Seeking Pilot project opportunities
• Examine long duration applications
– Up to 5 minute uploads
• SCIT improvements
– Dispatcher is static; can this be rotated; what about apps distributed across
server boxes
– Dynamism enables diversity in deployment: OS, App, Memory Image
– Multi-level rotations: apps, OS, hardware
• SCIT reconnaissance
• SCIT in cloud computing, Virtualized Desk Top Infrastructure
• Multiple apps per server
• Adaptive SCIT; Memory image based IDS; Hardware Enabled SCIT
3/22/2016
SCIT
46
IP Protection and Recognition
Issued Patents:
•
" Self-Cleaning System“, US 7549167. Issued 6/16/2009. Inventors: Yih Huang and Arun Sood
•
"SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", US
7680955. Issued 03/16/2010. Inventors: David Arsenault, Yih Huang and Arun Sood.
•
“Single Use Server System", US 7725531. Issued May 25, 2010 Inventors: David Arsenault, Yih
Huang and Arun Sood.
Pending Patents
•
"Data Alteration Prevention System", Utility Patent Application No.: 11/419,832, 5/23/2006,
Docket No.: GMU-05-037U. Inventors: David Arsenault, Yih Huang, and Arun Sood.
•
Two additional patents applied in 2010.
Research Support:
• Army (TATRC), NIST/CIPP, SUN, CTRF/Northrop Grumman, Lockheed Martin
Awards:
•
•
Winner Security Technologies for Tomorrow – GSC and CNI-Expo competition 2 June 2010.
2nd place GSC Cyber Security Challenge 13 Novermber2009. GSC=Global Security Challenge,
associated with London Business School.
SBIR:
• Army – SCIT DNS with focus on tactical environment.
3/22/2016
SCIT
47
Benefits of SCIT
• SCIT removes malware every minute without detection
– “.. 85 percent of the 285 million records breached in the year were harvested by
custom-created malware.” Verizon.
• SCIT reduces data ex-filtration
– Data ex-filtration is slow gradual process to avoid IDS detection & SCIT
interrupts the flow every minute
• SCIT does not rely on signatures and is threat independent
– IPS / IDS depend on signature matching and focus on known threats. SCIT
relies on exposure time control.
• SCIT automatically recovers from defacement or software deletion
attacks: mission resilient
• SCIT reduces intrusion response (alerts) management cost
– SCIT provides an additional dimension to separate false alarms.
3/22/2016
SCIT
48
SCIT: Additional Capability
• Apply hot patches
– Operating Systems
– Applications
• Potential for fast recovery from bad patches
• Technology that converts a static system
(“sitting duck”) into dynamic system
– Different types of diversity: admin cost – security trade off
• Explicit use of time in secure system design
SCIT
SCIT Publications + Contact Info
• SCIT technical publications
• Links to media reports
• Links to demo videos
http://cs.gmu.edu/~asood/scit
http://www.scitlabs.com
Questions?
Arun Sood
{asood@scitlabs.com, asood@gmu.edu}
+1703.347.4494
3/22/2016
SCIT
50
