The Technicalities of Active Response
Sergio Caltagirone
April 26, 2005
CS 523 – Net Sec

What Is Active Response?
Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set.
Taxonomy of Actions
• 8 Types:
  • No Action
  • Internal Notification
  • Internal Response
  • External Cooperative Response
  • Non-cooperative Intelligence Gathering
  • Non-cooperative ‘Cease and Desist’
  • Counter-Strike
  • Preemptive Defense

No Action
• Under attack, conscious decision to take no action

Internal Notification
• Contact Administrators
• Contact CTO, CEO, CISO
• Contact Users
Internal Response
• Write Firewall Rules (firewall signaling)
  • Block IP, range of IPs, block specific ports
• Strategic Segmentation/Disconnection
  • NAT, change subnets, re-address, remove port
• Drop Connections
  • TCP RST packet to client AND server
  • Use ICMP (port, host, network unreachable) for UDP
  • Unreliable; the RST must arrive in sequence
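Added example, not from the slides: the "Write Firewall Rules" action above, automated as a small responder that turns IDS alert lines into time-limited block rules. It shows two things the slide leaves implicit: blocks should expire rather than accumulate, and an allowlist is needed because an attacker can spoof alert sources to make the responder block its own infrastructure. The alert format, the sample alerts, the allowlist and the rule strings are all constructed for this example; iptables syntax is used for the commands, but they are only returned as strings, never executed.

```python
"""Constructed example of an automated 'Internal Response' step.

Alert lines (constructed format): "<ISO time> <severity> <source IP> <signature>"
Commands are returned as strings so the logic can be inspected and tested offline.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Alert = Tuple[datetime, int, IPAddr, str]

# Hosts/networks the responder must never block (constructed values).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.0.2.10/32")]
BLOCK_TTL = timedelta(minutes=30)   # a permanent block on a spoofed source is self-inflicted damage
MIN_SEVERITY = 2                    # 1 = low, 2 = medium, 3 = high

# Constructed alert lines; the third line is an allowlisted (possibly spoofed) source.
SAMPLE_ALERTS = """\
2005-04-26T10:00:00 3 203.0.113.7 SCAN SYN scan
2005-04-26T10:00:05 1 203.0.113.8 INFO ICMP echo request
2005-04-26T10:00:07 3 10.1.2.3 SCAN SYN scan
2005-04-26T10:00:09 3 203.0.113.7 SCAN SYN scan
2005-04-26T10:00:30 2 198.51.100.4 POLICY suspicious user-agent
"""


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; malformed input yields None rather than an action."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), int(parts[1]),
                ipaddress.ip_address(parts[2]), parts[3])
    except ValueError:
        return None


def is_allowlisted(ip: IPAddr) -> bool:
    return any(ip in net for net in ALLOWLIST)


class BlockList:
    """Active blocks keyed by source IP, each with an expiry time."""

    def __init__(self) -> None:
        self.expiry: Dict[str, datetime] = {}

    def consider(self, alert: Alert) -> Tuple[Optional[str], str]:
        """Return (firewall command or None, reason) for one parsed alert."""
        ts, severity, ip, _signature = alert
        if severity < MIN_SEVERITY:
            return None, "below severity threshold"
        if is_allowlisted(ip):
            return None, "allowlisted source (possible spoof, notify instead)"
        key = str(ip)
        if key in self.expiry:
            self.expiry[key] = ts + BLOCK_TTL      # refresh; don't insert a duplicate rule
            return None, "already blocked, expiry refreshed"
        self.expiry[key] = ts + BLOCK_TTL
        return f"iptables -I INPUT -s {key} -j DROP", "new block"

    def expire(self, now: datetime) -> List[str]:
        """Drop blocks whose TTL has passed and return the undo commands."""
        done = [ip for ip, until in self.expiry.items() if until <= now]
        for ip in done:
            del self.expiry[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in done]


def respond(alert_text: str) -> Tuple[BlockList, List[str], List[str]]:
    """Run every alert line through a fresh block list.

    Returns (block list state, commands to apply, reasons for alerts not acted on).
    """
    state, commands, skipped = BlockList(), [], []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped.append("malformed: " + line)
            continue
        cmd, reason = state.consider(alert)
        if cmd:
            commands.append(cmd)
        else:
            skipped.append(f"{alert[2]}: {reason}")
    return state, commands, skipped


if __name__ == "__main__":
    bl, cmds, why = respond(SAMPLE_ALERTS)
    print("\n".join(cmds))
    print("\n".join(why))
    print("\n".join(bl.expire(datetime.fromisoformat("2005-04-26T10:30:20"))))
```

On the sample input the responder blocks 203.0.113.7 and 198.51.100.4 only: the low-severity alert is ignored, the allowlisted 10.1.2.3 is reported instead of blocked, and the repeat alert for 203.0.113.7 refreshes the existing block rather than adding a second rule. The allowlisted case is exactly where the response should fall back to Internal Notification.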
External Cooperative Response
• Contact CERT, FBI, Secret Service, Local Police, upstream ISPs
• DShield
• Symantec (UI)

Non-Cooperative Intelligence Gathering
• Direct attacker to honeynet/honeypot
• Use tools to determine identity of attacker
  • Ping, finger, traceroute, LSRR packets
Non-Cooperative ‘Cease and Desist’
• Use tools to disable harmful services without affecting usability
  • University scenario
  • Zombie Zapper by BindView

Active Counter-Strike
• Active Counter-Strike (direct action)
  • Worm focusing only on attacker IP or to trace back the attack and report
  • Straight hack-back
  • DoS back
Passive Counter-Strike (Cyber Aikido)
• Footprinting Strike-Back (DNS)
  • Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests
• Network Recon Strike-Back
  • Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)
• Exploit Strike-Back
  • Send attack code back to terminal
  • Set titlebar, read titlebar to command line <CR>
Preemptive Defense
• Conexion vs. E-Hippies
  • Email bomb
• DoD vs. Zapatista
  • Killer applet

Conclusions
• Many ways to defend your systems during an attack
• Active response goes far beyond strike-back
• Questions?