1 / 55

CSCE 727 Cyber Attacks and Risk Management

This article explores the relationship between attack sophistication and the intruder's technical knowledge in cyber attacks and risk management. It also discusses different types of attacks and their phases, as well as passive attacks and protection against them.

rbowen
Download Presentation

CSCE 727 Cyber Attacks and Risk Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSCE 727Cyber Attacks and Risk Management

  2. Attack Sophistication vs.Intruder’s Technical Knowledge From: http://people.ubuntu.com/~duanedesign/SurvivabilityandInformationAssuranceCurriculum/01survive/01survive.html

  3. Reading Required: • Denning Chapter 8, 9, 14 • Hutchins et al, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, White paper,http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf Interesting Reading: • DHS repairing internal security operations, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/seworld20140409-dhs-repairing-internal-security-operations • Student develops new way to detect hackers, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-student-develops-new-way-to-detect-hackers • Measuring smartphone malware infection rates, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-measuring-smartphone-malware-infection-rates

  4. Attack Internet Engineering Task Force: RFC 2828: “ An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system.”

  5. Normal Flow Information source Information destination

  6. Interruption Information source Information destination Asset is destroyed of becomes unavailable - Availability Example: destruction of hardware, cutting communication line, disabling file management system, etc.

  7. Interception Information source Information destination Unauthorized party gains access to the asset – Confidentiality Example: wiretapping, unauthorized copying of files

  8. Modification Information source Information destination Unauthorized party tampers with the asset – Integrity Example: changing values of data, altering programs, modify content of a message, etc.

  9. Fabrication Information source Information destination Unauthorized party insets counterfeit object into the system – Authenticity Example: insertion of offending messages, addition of records to a file, etc.

  10. Phases of Attack • Improve detection by examining which “phase” an intruder’s behavior is identified • Attack phases: • Intelligence gathering: attacker observes the system to determine vulnerabilities • Planning: attacker decide what resource to attack (usually least defended component) • Attack: attacker carries out the plan • Inside the system: • Hiding: attacker covers tracks of attack • Future attacks: attacker installs backdoors for future entry points

  11. Passive Attack “Attempts to learn or make use of information from the system but does not affect system resources” (RFC 2828) Sniffer

  12. Sniffers • All machines on a network can “hear” ongoing traffic • A machine will respond only to data addressed specifically to it • Network interface: “promiscuous mode” – able to capture all frames transmitted on the local area network segment

  13. Risks of Sniffers • Serious security threat • Capture confidential information • Authentication information • Private data • Capture network traffic information

  14. Network Sniffing Tools Used for network analysis and troubleshooting SecTools.Org: Top 125 Network Security Tools, http://sectools.org/tag/sniffers/ Free, open source sniffers Multiplatform support (user needs superuser privilege, education: drop privilege) #1: Wireshark: GUI interface #9: tcpdump: command line

  15. Wireshark • Examines data from a live network or from a capture file on disk • GUI interface for editing and visualization • Green: TCP traffic, dark blue: DNS traffic, light blue: UDP traffic, black: TCP packets with problems • Has remotely exploitable security holes • How to Use Wireshark to Capture, Filter and Inspect Packets, http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

  16. Passive attacks Interception (confidentiality) Disclosure of message contents Traffic analysis

  17. Disclosure of message content • Intruder is able to interpret and extractinformation being transmitted • Highest risk:authentication information • Can be used to compromise additional system resources

  18. Traffic Analysis • Intruder is not able to interpret and extract the transmitted information • Intruder is able to derive (infer) information from the traffic characteristics

  19. Protection Against Passive Attacks • Shield confidential data from sniffers: cryptography • Disturb traffic pattern: • Traffic padding • Onion routing • Detect and eliminate sniffers

  20. Detection of Sniffer Tools • Difficult to detect: passive programs • Tools: • Promisc – Linux • cmp – SunOS 4.x: detects promiscuous mode • AntiSniff (L0pht Heavy Industries, Inc. ): remotely detects computers that are packet sniffing, regardless of the OS

  21. Tor Online anonymity Free software and an open network Platforms: Windows, Mac, Linux/Unix, and Android Defend against traffic analysis Download site: https://www.torproject.org/

  22. Tor Tor network: a group of volunteer-operated servers Privacy: user connections through a series of virtual tunnels  using the Tor network Censorship circumvention tool: allowing users to reach otherwise blocked destinations or content

  23. How Tor works? Source: https://www.torproject.org/about/overview.html.en Cryptographically hide connection between communicating partners

  24. Source: The Tor Project, https://www.torproject.org/

  25. Source: The Tor Project, https://www.torproject.org/

  26. Source: The Tor Project, https://www.torproject.org/

  27. Risk of Tor? • False sense of privacy • Legal risk of Tor relay operators? • Bad guys use Tor, too! • Interesting reading: • EFF: 7 Things You Should Know About Tor, 2014, https://www.eff.org/deeplinks/2014/07/7-things-you-should-know-about-tor • B. Schneier: Has Tor Been Compromised?, 2013, https://www.schneier.com/blog/archives/2013/08/has_tor_been_co.html

  28. Active attacks “Attempts to alter system resources of affect their operation” (Internet Enginering Task Force, RFC 2828)

  29. Active attacks Interruption Modification Fabrication DOS, DDOS (integrity) (integrity) (availability) Replay Masquarade (Authentication) (Authentication)

  30. Protection against DoS, DDoS • Hard to provide full protection • Some of the attacks can be prevented • Filter out incoming traffic with local IP address as source • Avoid established state until confirmation of client’s identity • Internet trace back: determine the source of an attack

  31. Degradation of Service • Do not completely block service just reduce the quality of service

  32. Intrusion Control It is better to prevent something than to plan for loss. Problem: Misuse happens!

  33. Need: • Intrusion Prevention: protect system resources • Intrusion Detection: (second line of defense) identify misuse • Intrusion Recovery: cost effective recovery models

  34. Intrusion Prevention • First line of defense • Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc. • Not good enough (prevention, reconstructions)

  35. Intrusion Detection System (IDS) • Looks for specific patterns (attack signatures or abnormal usage) that indicate malicious or suspicious intent • Second line of defense against both internal and external threats • See recommended reading!

  36. Intrusion Detection Systems • Deter intruders • Catch intruders • Prevent threats to fully occur (real-time IDS) • Improve prevention techniques • IDS deployment, customisation and management is generally not trivial • See required reading!

  37. Audit-Based Intrusion Detection Profiles, Rules, etc. Audit Data Intrusion Detection System Need: • Audit data • Ability to characterize behavior Decision

  38. Audit Data • Format, granularity and completeness depend on the collecting tool • Examples • System tools collect data (login, mail) • Additional collection of low system level • “Sniffers” as network probes • Application auditing • Honey Net • Needed for • Establishing guilt of attackers • Detecting suspicious user activities

  39. Audit Data Accuracy • Collection method • System architecture and collection point • Software and hardware used for collection • Storage method • Protection of audit data • Sharing • Transmission protection and correctness • Availability

  40. IDS Categories • Time of data analysis • Real-time v.s. off-the-line IDS • Location where audit data was gathered • Host-based v.s. network-based v.s. hybrid • Technique used for analysis • Rule-based v.s. statistic-based • Location of analysis • Centralized, distributed, network-based • Pattern IDS looking for • Misuse v.s. anomaly-based v.s. hybrid

  41. Intrusion Recovery • Actions to avoid further loss from intrusion • Terminate intrusion and protect against reoccurrence • Law enforcement • Enhance defensive security • Reconstructive methods based on: • Time period of intrusion • Changes made by legitimate users during the effected period • Regular backups, audit trail based detection of effected components, semantic based recovery, minimal roll-back for recovery.

  42. What is “Survivability”? To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

  43. Threats RISK Vulnerabilities Consequences Risk Assessment

  44. Real Cost of Cyber Attack • Damage of the target may not reflect the real amount of damage • Services may rely on the attacked service, causing a cascading and escalating damage • Need: support for decision makers to • Evaluate risk and consequences of cyber attacks • Support methods to prevent, deter, and mitigate consequences of attacks

  45. Carry Out Fixes and Validate Identify Business and Technical Risks Define Risk Mitigation Strategy Synthesize and Rank Risks Measurement and Reporting Risk Management Framework (Business Context) Understand Business Context

  46. Understand the Business Context • “Who cares?” • Identify business goals, priorities and circumstances, e.g., • Increasing revenue • Meeting service-level agreements • Reducing development cost • Generating high return investment • Identify software risk to consider

  47. Identify Business and Technical Risks • “Why should business care?” • Business risk • Direct threat • Indirect threat • Consequences • Financial loss • Loss of reputation • Violation of customer or regulatory constraints • Liability • Tying technical risks to the business context in a meaningful way

  48. Synthesize and Rank the Risks • “What should be done first?” • Prioritization of identified risks based on business goals • Allocating resources • Risk metrics: • Risk likelihood • Risk impact • Risk severity • Number of emerging risks

  49. Define the Risk Mitigation Strategy • “How to mitigate risks?” • Available technology and resources • Constrained by the business context: what can the organization afford, integrate, and understand • Need validation techniques

  50. Carry Out Fixes and Validate • Perform actions defined in the previous stage • Measure “completeness” against the risk mitigation strategy • Progress against risk • Remaining risks • Assurance of mechanisms • Testing

More Related