370 likes | 503 Views
Active Response. Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke. A Little Background…. Clifford Stoll v. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM , vol 31, 1998, pp. 484-497.
E N D
Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke
A Little Background… • Clifford Stoll v. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497. • DoD v. Electronic Disturbance Theater (1998) http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/ • Conxion v. E-Hippies (2000) http://www.nwfusion.com/research/2000/0529feat2.html • FBI v. Russian Hackers (2001) a.k.a. ‘Invita’ Case http://www.wired.com/news/politics/0,1283,47650,00.htm
Why? • Response is not a choice… • Insufficient Protection on Imperfect Systems • A Policy Is Necessary (even if not utilized) • Vulnerable Systems • Air Traffic Control • http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/ • SCADA Systems • http://www.securityfocus.com/news/6767
Research Question Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?
Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation
Elements of a Definition • Time Bound • Before an attack is not active response, after an attack is forensics • Self-defense • Necessity/Imminent, Proportionality • Technologically Independent • Humans and Computers can respond • Purposeful • Not for retribution or revenge, but to return to a previous secure state
Definition of Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. • Active does not modify response, but rather describes the state of the attack
Taxonomy of Actions • 8 Types • No Action • Internal Notification • Internal Response • External Cooperative Response • Non-cooperative Intelligence Gathering • Non-cooperative ‘Cease and Desist’ • Counter-Strike • Preemptive Defense
No Action • Under attack, conscious decision to take no action
Internal Notification • Contact Administrators • Contact CTO, CEO, CISO • Contact Users
Internal Response • Write Firewall Rules (firewall signaling) • Block IP, range of IPs, block specific ports • Strategic Segmentation/Disconnection • Nat, change subnets, re-address, remove port • Drop Connections • TCP RST packet to client AND server • Use ICMP (port, host, network unreachable) – UDP • Unreliable, must come in sequence
External Cooperative Response • Contact CERT, FBI, Secret Service, Local Police, upstream ISPs • Dshield • Symantec
Non-Cooperative Intelligence Gathering • Direct attacker to honeynet/honeypot • Use tools to determine identity of attacker • Ping, finger, traceroute, lsrr packets
Non-Cooperative ‘Cease and Desist’ • Use tools to disable harmful services without affecting usability • University scenario • Zombie Zapper by BindView
Counter-Strike • Active Counter-Strike (direct action) • Worm focusing only on attacker IP or to trace back the attack and report • Straight hack-back • Passive Counter-Strike (cyber aikido) • Footprinting Strike-Back (DNS) • Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests • Network Recon Strike Back • Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)
Preemptive Defense • Conexion vs. E-Hippies • Traffic Redirection • DoD vs. Electronic Disturbance Theater • Killer applet
Challenges of Active Response • Legal • Civil, Criminal, Domestic, International • Ethical • Teleological, Deontological • Technical • Traceback, Reliable IDS, Confidence Value, Real Time • Risk Analysis • Measure ethical, legal risk effectively? • Unintended Consequences • Attacker Action, Collateral Damage, Own Resources
Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation
Goals of ADAM • Provide a generalizable, extendable model for any organization • Completely model the risk of the threat and AD actions • Find appropriate active defense solution for the threat – maximize benefit, minimize risk • Allow for automation • Provide legal (and ethical) due diligence
Decision Model Escalation Ladder AR Policy Scoring Chart Asset Evaluation Action Evaluation Decision Set Asset Identification Goal Identification Threat Identification Action Identification Utility Modifier Risk Identification Risk Identification Success Ordering
Algorithm • A pragmatic and implementable description of the process and decision model • Illustrates the use of the decision model within the process of response
Solutions Provided by ADAM • Ethicalness • Incorporates Teleological and Deontological ethical concerns • Legal • No precedent: minimal force, proportional force, immediate threat • Unintended Consequences • Statistical measure of confidence in action performing as expected (if confidence values provided by IDS) • Risk Valuation • Provides statistical bounds for potential risk (if confidence values provided by IDS)
Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation
Evolutionary Model • Competitive Co-Evolution • Genetic Algorithm • Uses biologically equivalent operators (crossover, mutation, gene, chromosome, populations) • Determines global maxima or minima • Fitness Function / Value • Two competing populations, co-evolving • Attackers / Defenders • Game Based • Fitness: risk assumed by defenders
Evolutionary Model (Defender) DEFENSE ACTION DEFENSE POSITION 0 1 2 3 4 5 6 7 Null Action 58 58 57 48 57 53 50 52 Contact Administrator 8 2 5 6 6 10 5 5 Contact Chief Technology Officer 3 2 2 6 9 5 7 9 Shutdown port at firewall 0 0 0 0 0 0 0 0 Filter IP at firewall 0 1 1 2 2 1 0 2 Shutdown Server 0 0 0 0 0 0 0 0 Send TCP RST Packet 3 4 6 5 6 5 7 5 Ask ISP to Shut-off Attack 7 15 7 10 9 7 18 11 Contact FBI 4 2 5 4 1 5 3 7 Use Traceback 17 16 17 19 10 14 10 9 Send Virus Against IP 0 0 0 0 0 0 0 0 Initiate DoS Against IP 0 0 0 0 0 0 0 0 Attempt to Hack Attacker 0 0 0 0 0 0 0 0
Evolutionary Model (Attacker) ATTACK ACTION ATTACK POSITION 0 1 2 3 4 5 6 7 Null Action 54 51 56 48 56 43 46 49 Spoof IP Address 39 24 19 7 4 2 0 3 Port Scan the Server 0 4 6 7 6 5 6 1 Ping the Server 0 1 0 2 3 2 5 1 DoS the Server 0 0 0 0 0 2 2 4 DDoS the Server w/ Zombies 0 1 0 2 2 6 6 5 Poison DNS 7 12 8 17 10 12 8 11 Hack Server, Install Backdoor 0 1 2 2 1 7 4 3 Hack Server, Download Records 0 0 1 0 2 4 2 4 Hack Server, Change Records 0 2 7 8 10 10 13 12 Send Virus Against Server 0 4 1 7 6 7 8 7
Results of Evolutionary Model • Population finesses show that model was correct W.R.T evolutionary techniques • IT IS POSSIBLE! • Proof-Of-Concept that reasonable active response strategies can be developed using the rational behind ADAM • Competitive Co-Evolution is a potential model for computer security relationships • First implementation applying concept to a computer security scenario
Conclusions & Contributions • The First Definition of Active Response • Taxonomy of Actions • Illustrates active response is more than strike-back methodology • Summary of Challenges • Ethical, Legal, Risk Analysis, Technical, Unintended Consq. • Response Process Model • Decision Model • Max Benefit, Min Risk, Incorporates Legal & Ethical • Active Defense Algorithm • Implementable version of process and decision model • Evolutionary Active Response Model • Provides proof-of-concept
Future Work • Simulate and Validate Model (Currently Ongoing – Medical/Univ/Financial) – R. Blue • Further define taxonomy • More work on applying evolutionary techniques – R. Blue, S. Gotshall • Clearly define legal risks – A. Hubbard • Generate More Discussion / Educate
Publications • Sergio Caltagirone, Deborah Frincke, "The Response Continuum," presented at 6th IEEE Information Assurance Workshop, West Point, NY, USA, June 2005. • Sergio Caltagirone, Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311. • Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005. • Sergio Caltagirone, "Active Defense Decision and Escalation Model," 20th Annual Computer Security Applications Conference, Works In Progress. Tucson, AZ, USA, December 2004. • Sergio Caltagirone, "An Active Defense Decision Model," presented at the Agora Workshop, University of Seattle, Seattle, WA. December, 2003.
Thank You http://www.activeresponse.org