
The Technicalities of Active Response

Sergio Caltagirone, April 26, 2005, CS 523 – Net Sec.


Presentation Transcript


  1. The Technicalities of Active Response
  Sergio Caltagirone, April 26, 2005, CS 523 – Net Sec

  2. What Is Active Response?
  Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set.

  3. Taxonomy of Actions
  • 8 Types:
    • No Action
    • Internal Notification
    • Internal Response
    • External Cooperative Response
    • Non-cooperative Intelligence Gathering
    • Non-cooperative ‘Cease and Desist’
    • Counter-Strike
    • Preemptive Defense

  4. No Action
  • Under attack, conscious decision to take no action

  5. Internal Notification
  • Contact Administrators
  • Contact CTO, CEO, CISO
  • Contact Users

  6. Internal Response
  • Write Firewall Rules (firewall signaling)
    • Block IP, range of IPs, block specific ports
  • Strategic Segmentation/Disconnection
    • NAT, change subnets, re-address, remove port
  • Drop Connections
    • TCP RST packet to client AND server
    • Use ICMP (port, host, network unreachable) – UDP
      • Unreliable, must come in sequence
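One way to turn detections into the "write firewall rules / block IP and port" response on this slide, as an added example that is not from the presentation. It assumes a simple alert-line format (constructed below) and an allowlist of networks that an automated responder must never block, because an attacker who spoofs a trusted source address in traffic that triggers alerts could otherwise use the responder to cut off legitimate hosts.

```python
import ipaddress
import re

# Constructed sample IDS alert lines (not from the slides); the format is assumed.
ALERTS = """\
2005-04-26T10:01:02 ALERT src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2005-04-26T10:01:05 ALERT src=203.0.113.7 dst=192.0.2.10 dport=22 sig=ssh-bruteforce
2005-04-26T10:02:11 ALERT src=192.0.2.5 dst=192.0.2.10 dport=445 sig=smb-scan
2005-04-26T10:02:14 ALERT src=192.0.2.5 dst=192.0.2.10 dport=445 sig=smb-scan
2005-04-26T10:03:40 ALERT src=198.51.100.99 dst=192.0.2.11 dport=80 sig=sqli
"""

# Assumed allowlist: our own network plus an upstream resolver. Blocking any
# of these automatically would be a self-inflicted outage, so the responder
# reports them for a human instead of emitting a rule.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("8.8.8.8/32"),
]

ALERT_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) sig=(\S+)")


def plan_blocks(alert_text, threshold=2):
    """Return (rules, skipped).

    rules   -- iptables commands blocking each (source, port) pair that
               alerted at least `threshold` times
    skipped -- sources that met the threshold but fall in NEVER_BLOCK
    Requiring several alerts before acting limits how much a single
    spoofed packet can achieve.
    """
    counts = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore lines that are not alerts
        src, _dst, dport, _sig = m.groups()
        key = (src, int(dport))
        counts[key] = counts.get(key, 0) + 1

    rules, skipped = [], []
    for (src, dport), n in sorted(counts.items()):
        if n < threshold:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            skipped.append(src)
            continue
        # Per-port DROP rule; in practice pair it with an expiry so blocks age out.
        rules.append(f"iptables -I INPUT -s {src} -p tcp --dport {dport} -j DROP")
    return rules, skipped
```

Run `plan_blocks(ALERTS)` to see one DROP rule for 203.0.113.7 port 22 and 192.0.2.5 reported as skipped; the single `sqli` alert stays below the threshold.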

  7. External Cooperative Response
  • Contact CERT, FBI, Secret Service, Local Police, upstream ISPs
  • Dshield
  • Symantec (UI)

  8. Non-Cooperative Intelligence Gathering
  • Direct attacker to honeynet/honeypot
  • Use tools to determine identity of attacker
    • Ping, finger, traceroute, LSRR packets

  9. Non-Cooperative ‘Cease and Desist’
  • Use tools to disable harmful services without affecting usability
  • University scenario
  • Zombie Zapper by BindView

  10. Active Counter-Strike
  • Active Counter-Strike (direct action)
    • Worm focusing only on attacker IP or to trace back the attack and report
    • Straight hack-back
    • DoS back

  11. Passive Counter-Strike (Cyber Aikido)
  • Footprinting Strike-Back (DNS)
    • Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests
  • Network Recon Strike-Back
    • Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)
  • Exploit Strike-Back
    • Send attack code back to terminal
    • Set titlebar, read titlebar to command line <CR>

  12. Preemptive Defense
  • Conexion vs. E-Hippies
    • Email bomb
  • DoD vs. Zapatista
    • Killer applet

  13. Conclusions
  • Many ways to defend your systems during an attack
  • Active response goes far beyond strike-back
  • Questions?
