Download
1 / 48
480 likes | 643 Views
Mitigation Strategies. Hervey Allen Chris Evans Phil Regnauld. September 3 – 4, 2009 Santiago, Chile. Overview. Where Did We Start? Where We are Now… Survey of Additional Strategies. Where Did We Start?. We Were “Blind”!. We started with a fairly simple, non-resilient network
E N D
Mitigation Strategies Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile
Overview Where Did We Start? Where We are Now… Survey of Additional Strategies
Where Did We Start? We Were “Blind”! • We started with a fairly simple, non-resilient network • One Gateway Router • No ACLs or Monitoring • One Nameserver • One Non-Functional NOC
We Are Here! We Can See! • We now have a fairly simple network that offers us some resiliency to cyber attacks • One Gateway Router • With ACLS & Monitoring • One Nameserver • Some Configuration Changes • One Functional NOC • Monitoring & Detection
We Are Here! Tip of the Iceberg! • The Things We Discussed: • Have a Plan BEFORE Attacks Occur • Various Monitoring Tools • Configuration Control • Secure Application Configurations
It’s a BIG World… But – Let’s Discuss! “By The Way – Not Everything Is a Technical Solution!” • There are things that we didn’t demonstrate due to time or have the ability to add: • Anycasting • Additional Infrastructure • In-Line Monitoring • Active Defenses
Mitigation Strategies • Build a Contingency Plan • Compare costs of disruption vs. recovery • Establish plan of action for what you expect to be your highest risks • Concentrate on your business objectives & risk • Risk is NOT threat – its an understanding of what’s important to you, threats, vulnerabilities, controls, and impact • Prioritize security implementations based on risk • You probably don’t have the time or resources to implement everything • Good security is about multiple layers of protection
Mitigation Strategies • Robust Architectures • Anycasting • Geographically Separated Name Servers • NS on Both Sides of Satellite Links • Diversity in hardware & software • Over-provision where possible • Bandwidth, servers, people!
Mitigation Strategies 199.7.83.0/24 AS20144 199.7.83.42 NS1 NS2 199.7.83.42 199.7.83.0/24 AS20144 Anycasting “Anycast is a network addressing and routing scheme whereby data is routed to the "nearest" or "best" destination as viewed by the routing topology.” – Wikipedia
Mitigation Strategies • Anycasting • Increased Capacity, Resiliency to Attack • Outsourcing • Instant Gratification, Perhaps Loss of Control • What are you really getting? Ask Questions! • Doing it In House • Requires Expertise & Resources to Set it Up
Mitigation Strategies • Real Time Monitoring • Stratify your alerts (info, low, med, high, uh oh!) • E-Mail, SMS, Pager notifications of priority alerts • Select tools that work for you! • Intrusion Detection • Install & Monitor an IDS (e.g. SNORT) • Where to install it? Inside or Outside? • Feeling adventurous – put it in active mode!
SNORT MySQL BASE 1.1.1.1 1.1.1.2 1.1.1.3 A Brief Aside - SNORT View Alerts SNIFF Network Alerts Canx Alerts • SNORT monitors traffic seen by the box’s network card in promiscuous mode • SNORT compares this traffic to a set of static rules (signatures) • Any matches to the signatures produce an alert • These alerts can be displayed through SYSLOG or through several other front-ends (like BASE). • Alerts can be stored in a database for later analysis • An operator can view these alerts and take appropriate action • Note the one-way paths here – for security purposes… • BUT – these could all be on the same box if you wanted…
SNORT MySQL BASE 1.1.1.1 1.1.1.2 1.1.1.3 A Brief Aside - SNORT View Alerts SNIFF Network Alerts Canx Alerts • The key to SNORT are its rules • There are two kinds of rules • Official Ruleset • Paying users get them as they are released • Registered users get them 5 days after release • Unregistered users get them with SNORT releases • Community Rules • Publicly Available • Rules are text based files that contain a signature (what to alert on) and an action (how to alert)
A Brief Aside - SNORT Alert tcp any any -> $HOME_NET any (flags:S; msg:”SYN packet”;) • The key to SNORT are its rules • There are two kinds of rules • Official Ruleset • Paying users get them as they are released • Registered users get them 5 days after release • Unregistered users get them with SNORT releases • Community Rules • Publicly Available • Rules are text based files that contain a signature (what to alert on) and an action (how to alert)
A Brief Aside - SNORT View Alerts By Protocol
A Brief Aside - SNORT View Recent Alerts By Protocol
A Brief Aside - SNORT View Recent Alerts By IP
A Brief Aside - SNORT View Recent Alerts By Port
A Brief Aside - SNORT View Portscans
A Brief Aside - SNORT A Single Alert
A Brief Aside - SNORT Alert Title Links to Alert Information
A Brief Aside - SNORT • Click for IP Analysis – • alerts SOURCED from this IP • alerts DESTINED for this IP
Mitigation Strategies • Vulnerability Scanning • Regularly scheduled scans – using an updated engine! • Web application, operating system, third party application scanners are all available… • Patching Systems • This is NOT a silver bullet – but keeps riff-raff out • Use automatic updates where available • Vulnerability scanning can tell you what’s missing – don’t assume that because you “installed” it, it actually took • Don’t forget 3rd party application updates (adobe, flash, firefox, etc)
Mitigation Strategies • Forensic Data Capture • Capture the last say, 12 hours, of traffic to enable you to do forensic analysis on what happened after the fact • Technical Configuration Guides • Understand how your systems are configured and be able to easily reproduce / rebuild them • Most already exist, find them BEFORE you need them in a hurry
Mitigation Strategies • Data Escrow • Keeping a copy of your zone and customer data in a safe place • Mutual Aid Agreements • Other ccTLDs, Universities, Governments • Secondary Hosts, Data Escrow, Tech Assistance • Temporary Manpower & Resources • Do you (would you) share data of an attack with other ccTLDs?
C Mitigation Strategies A B D • Cold, Warm, Hot & Mirrored Sites • Secondary locations that can be stood up in case of physical or cyber difficulties
Mitigation Strategies • Bubba Net (Bubba = Friend, Net = Network) • Establish your professional networks so you know who to call when you need assistance • Develop Professional Network of Stakeholders • Governments, ISPs, Registrars, etc • Awareness Briefings to Stakeholders • Establish yourself as “critical infrastructure”
Mitigation Strategies • End User / Customer Education • Reduce Risk from Your Customers (e.g. phishing) • Media / Public Relations • Invite media in to discuss best methods of dealing with them • Build a communication plan so you know how to respond for a given situation
Mitigation Strategies • Internal Training & Awareness • Train your administrators in defensive actions • Forces you to establish procedures & policies! • Exercise Defensive Actions • You will only know your defensive capacity by testing it! • Simple walkthroughs to elaborate, hands-on, multi-agency exercises
Mitigation Strategies • Test Your Processes • Two-factor authentication for customer interaction • Out of band communication (phone, fax, walk-in) for customer validation
Notional ccTLD Architecture Putting It All Together NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Registrant – Requests Assignment, Updates, Removal
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Authentication for Registrant Requests
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Authorization for Internal Registry Changes
Notional ccTLD Architecture Offsite Backup for Entire Registry NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture Registry – Publishes and Maintains Assignments NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Alternate Registry Server and Database
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Country Localized DNS Servers
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Country Localized User
Notional ccTLD Architecture Firewall NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture Primary Global DNS NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture Primary External Gateway NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Secondary Global DNS Server Anycasting with Geographic Separation
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Secondary External Gateway
Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User International User
References • Internet Society Workshop Resource Center http://www.ccnog.org/ • ccTLD Best Practices http://www.nsrc.org/netadmin/wenzel-cctld-bcp-02.html • ICANN Country Code Name Support Org http://ccnso.icann.org/ • ICANN Security & Stability Advisory Committee http://www.icann.org/committees/security/ • DNS Security Reading Room http://www.dnssec.net/dns-threats DNS Installation & Configuration Training
Do you have any questions about … • Mitigation Strategies Questions? ?
