1 / 48

Mitigation Strategies

Mitigation Strategies. Hervey Allen Chris Evans Phil Regnauld. September 3 – 4, 2009 Santiago, Chile. Overview. Where Did We Start? Where We are Now… Survey of Additional Strategies. Where Did We Start?. We Were “Blind”!. We started with a fairly simple, non-resilient network

halen
Download Presentation

Mitigation Strategies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mitigation Strategies Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

  2. Overview Where Did We Start? Where We are Now… Survey of Additional Strategies

  3. Where Did We Start? We Were “Blind”! • We started with a fairly simple, non-resilient network • One Gateway Router • No ACLs or Monitoring • One Nameserver • One Non-Functional NOC

  4. We Are Here! We Can See! • We now have a fairly simple network that offers us some resiliency to cyber attacks • One Gateway Router • With ACLS & Monitoring • One Nameserver • Some Configuration Changes • One Functional NOC • Monitoring & Detection

  5. We Are Here! Tip of the Iceberg! • The Things We Discussed: • Have a Plan BEFORE Attacks Occur • Various Monitoring Tools • Configuration Control • Secure Application Configurations

  6. It’s a BIG World… But – Let’s Discuss! “By The Way – Not Everything Is a Technical Solution!” • There are things that we didn’t demonstrate due to time or have the ability to add: • Anycasting • Additional Infrastructure • In-Line Monitoring • Active Defenses

  7. Mitigation Strategies • Build a Contingency Plan • Compare costs of disruption vs. recovery • Establish plan of action for what you expect to be your highest risks • Concentrate on your business objectives & risk • Risk is NOT threat – its an understanding of what’s important to you, threats, vulnerabilities, controls, and impact • Prioritize security implementations based on risk • You probably don’t have the time or resources to implement everything • Good security is about multiple layers of protection

  8. Mitigation Strategies • Robust Architectures • Anycasting • Geographically Separated Name Servers • NS on Both Sides of Satellite Links • Diversity in hardware & software • Over-provision where possible • Bandwidth, servers, people!

  9. Mitigation Strategies 199.7.83.0/24 AS20144 199.7.83.42 NS1 NS2 199.7.83.42 199.7.83.0/24 AS20144 Anycasting “Anycast is a network addressing and routing scheme whereby data is routed to the "nearest" or "best" destination as viewed by the routing topology.” – Wikipedia

  10. Mitigation Strategies • Anycasting • Increased Capacity, Resiliency to Attack • Outsourcing • Instant Gratification, Perhaps Loss of Control • What are you really getting? Ask Questions! • Doing it In House • Requires Expertise & Resources to Set it Up

  11. Mitigation Strategies • Real Time Monitoring • Stratify your alerts (info, low, med, high, uh oh!) • E-Mail, SMS, Pager notifications of priority alerts • Select tools that work for you! • Intrusion Detection • Install & Monitor an IDS (e.g. SNORT) • Where to install it? Inside or Outside? • Feeling adventurous – put it in active mode!

  12. SNORT MySQL BASE 1.1.1.1 1.1.1.2 1.1.1.3 A Brief Aside - SNORT View Alerts SNIFF Network Alerts Canx Alerts • SNORT monitors traffic seen by the box’s network card in promiscuous mode • SNORT compares this traffic to a set of static rules (signatures) • Any matches to the signatures produce an alert • These alerts can be displayed through SYSLOG or through several other front-ends (like BASE). • Alerts can be stored in a database for later analysis • An operator can view these alerts and take appropriate action • Note the one-way paths here – for security purposes… • BUT – these could all be on the same box if you wanted…

  13. SNORT MySQL BASE 1.1.1.1 1.1.1.2 1.1.1.3 A Brief Aside - SNORT View Alerts SNIFF Network Alerts Canx Alerts • The key to SNORT are its rules • There are two kinds of rules • Official Ruleset • Paying users get them as they are released • Registered users get them 5 days after release • Unregistered users get them with SNORT releases • Community Rules • Publicly Available • Rules are text based files that contain a signature (what to alert on) and an action (how to alert)

  14. A Brief Aside - SNORT Alert tcp any any -> $HOME_NET any (flags:S; msg:”SYN packet”;) • The key to SNORT are its rules • There are two kinds of rules • Official Ruleset • Paying users get them as they are released • Registered users get them 5 days after release • Unregistered users get them with SNORT releases • Community Rules • Publicly Available • Rules are text based files that contain a signature (what to alert on) and an action (how to alert)

  15. A Brief Aside - SNORT View Alerts By Protocol

  16. A Brief Aside - SNORT View Recent Alerts By Protocol

  17. A Brief Aside - SNORT View Recent Alerts By IP

  18. A Brief Aside - SNORT View Recent Alerts By Port

  19. A Brief Aside - SNORT View Portscans

  20. A Brief Aside - SNORT A Single Alert

  21. A Brief Aside - SNORT Alert Title Links to Alert Information

  22. A Brief Aside - SNORT • Click for IP Analysis – • alerts SOURCED from this IP • alerts DESTINED for this IP

  23. Mitigation Strategies • Vulnerability Scanning • Regularly scheduled scans – using an updated engine! • Web application, operating system, third party application scanners are all available… • Patching Systems • This is NOT a silver bullet – but keeps riff-raff out • Use automatic updates where available • Vulnerability scanning can tell you what’s missing – don’t assume that because you “installed” it, it actually took • Don’t forget 3rd party application updates (adobe, flash, firefox, etc)

  24. Mitigation Strategies • Forensic Data Capture • Capture the last say, 12 hours, of traffic to enable you to do forensic analysis on what happened after the fact • Technical Configuration Guides • Understand how your systems are configured and be able to easily reproduce / rebuild them • Most already exist, find them BEFORE you need them in a hurry

  25. Mitigation Strategies • Data Escrow • Keeping a copy of your zone and customer data in a safe place • Mutual Aid Agreements • Other ccTLDs, Universities, Governments • Secondary Hosts, Data Escrow, Tech Assistance • Temporary Manpower & Resources • Do you (would you) share data of an attack with other ccTLDs?

  26. C Mitigation Strategies A B D • Cold, Warm, Hot & Mirrored Sites • Secondary locations that can be stood up in case of physical or cyber difficulties

  27. Mitigation Strategies • Bubba Net (Bubba = Friend, Net = Network) • Establish your professional networks so you know who to call when you need assistance • Develop Professional Network of Stakeholders • Governments, ISPs, Registrars, etc • Awareness Briefings to Stakeholders • Establish yourself as “critical infrastructure”

  28. Mitigation Strategies • End User / Customer Education • Reduce Risk from Your Customers (e.g. phishing) • Media / Public Relations • Invite media in to discuss best methods of dealing with them • Build a communication plan so you know how to respond for a given situation

  29. Mitigation Strategies • Internal Training & Awareness • Train your administrators in defensive actions • Forces you to establish procedures & policies! • Exercise Defensive Actions • You will only know your defensive capacity by testing it! • Simple walkthroughs to elaborate, hands-on, multi-agency exercises

  30. Mitigation Strategies • Test Your Processes • Two-factor authentication for customer interaction • Out of band communication (phone, fax, walk-in) for customer validation

  31. Notional ccTLD Architecture Putting It All Together NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  32. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Registrant – Requests Assignment, Updates, Removal

  33. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Authentication for Registrant Requests

  34. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Authorization for Internal Registry Changes

  35. Notional ccTLD Architecture Offsite Backup for Entire Registry NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  36. Notional ccTLD Architecture Registry – Publishes and Maintains Assignments NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  37. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Alternate Registry Server and Database

  38. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Country Localized DNS Servers

  39. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Country Localized User

  40. Notional ccTLD Architecture Firewall NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  41. Notional ccTLD Architecture Primary Global DNS NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  42. Notional ccTLD Architecture Primary External Gateway NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User

  43. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Secondary Global DNS Server Anycasting with Geographic Separation

  44. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User Secondary External Gateway

  45. Notional ccTLD Architecture NS1 NS3 External Internal International User Registrant NS2 NS4 External Internal User International User

  46. Recommendations

  47. References • Internet Society Workshop Resource Center http://www.ccnog.org/ • ccTLD Best Practices http://www.nsrc.org/netadmin/wenzel-cctld-bcp-02.html • ICANN Country Code Name Support Org http://ccnso.icann.org/ • ICANN Security & Stability Advisory Committee http://www.icann.org/committees/security/ • DNS Security Reading Room http://www.dnssec.net/dns-threats DNS Installation & Configuration Training

  48. Do you have any questions about … • Mitigation Strategies Questions? ?

More Related