
Active Response


Presentation Transcript


  1. Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke

  2. A Little Background… • Clifford Stoll v. German Hackers (1986) C. Stoll, “Stalking the Wily Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497. • DoD v. Electronic Disturbance Theater (1998) http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/ • Conxion v. E-Hippies (2000) http://www.nwfusion.com/research/2000/0529feat2.html • FBI v. Russian Hackers (2001) a.k.a. ‘Invita’ Case http://www.wired.com/news/politics/0,1283,47650,00.htm

  3. Where We’re At…

  4. Where We Want To Be…

  5. Why? • Response is not a choice… • Insufficient Protection on Imperfect Systems • A Policy Is Necessary (even if not utilized) • Vulnerable Systems • Air Traffic Control • http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/ • SCADA Systems • http://www.securityfocus.com/news/6767

  6. Research Question Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?

  7. Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation

  8. Elements of a Definition • Time Bound • Before an attack is not active response, after an attack is forensics • Self-defense • Necessity/Imminent, Proportionality • Technologically Independent • Humans and Computers can respond • Purposeful • Not for retribution or revenge, but to return to a previous secure state

  9. Definition of Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. • Active does not modify response, but rather describes the state of the attack

  10. Taxonomy of Actions • 8 Types • No Action • Internal Notification • Internal Response • External Cooperative Response • Non-cooperative Intelligence Gathering • Non-cooperative ‘Cease and Desist’ • Counter-Strike • Preemptive Defense

  11. No Action • Under attack, conscious decision to take no action

  12. Internal Notification • Contact Administrators • Contact CTO, CEO, CISO • Contact Users

  13. Internal Response • Write Firewall Rules (firewall signaling) • Block IP, range of IPs, block specific ports • Strategic Segmentation/Disconnection • NAT, change subnets, re-address, remove port • Drop Connections • TCP RST packet to client AND server • Use ICMP (port, host, network unreachable) – UDP • Unreliable, must come in sequence

  14. External Cooperative Response • Contact CERT, FBI, Secret Service, Local Police, upstream ISPs • DShield • Symantec

  15. Non-Cooperative Intelligence Gathering • Direct attacker to honeynet/honeypot • Use tools to determine identity of attacker • Ping, finger, traceroute, LSRR packets

  16. Non-Cooperative ‘Cease and Desist’ • Use tools to disable harmful services without affecting usability • University scenario • Zombie Zapper by BindView

  17. Counter-Strike • Active Counter-Strike (direct action) • Worm focusing only on attacker IP or to trace back the attack and report • Straight hack-back • Passive Counter-Strike (cyber aikido) • Footprinting Strike-Back (DNS) • Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests • Network Recon Strike Back • Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)

  18. Preemptive Defense • Conxion vs. E-Hippies • Traffic Redirection • DoD vs. Electronic Disturbance Theater • Killer applet

  19. Challenges of Active Response • Legal • Civil, Criminal, Domestic, International • Ethical • Teleological, Deontological • Technical • Traceback, Reliable IDS, Confidence Value, Real Time • Risk Analysis • Measure ethical, legal risk effectively? • Unintended Consequences • Attacker Action, Collateral Damage, Own Resources

  20. Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation

  21. Goals of ADAM • Provide a generalizable, extendable model for any organization • Completely model the risk of the threat and AD actions • Find appropriate active defense solution for the threat – maximize benefit, minimize risk • Allow for automation • Provide legal (and ethical) due diligence

  22. Response Process Model

  23. Decision Model (diagram; recovered box labels) • Escalation Ladder • AR Policy • Scoring Chart • Asset Evaluation • Action Evaluation • Decision Set • Asset Identification • Goal Identification • Threat Identification • Action Identification • Utility Modifier • Risk Identification • Risk Identification • Success Ordering

  24. Algorithm • A pragmatic and implementable description of the process and decision model • Illustrates the use of the decision model within the process of response

  25. Solutions Provided by ADAM • Ethicalness • Incorporates Teleological and Deontological ethical concerns • Legal • No precedent: minimal force, proportional force, immediate threat • Unintended Consequences • Statistical measure of confidence in action performing as expected (if confidence values provided by IDS) • Risk Valuation • Provides statistical bounds for potential risk (if confidence values provided by IDS)
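The escalation ladder of slide 23, the IDS confidence values slide 25 relies on, and the collateral-damage check slide 19 asks for can be tied together in a small policy-driven responder. The following is an added example written for this transcript; it is not ADAM's decision model and not code from the thesis. The alert fields, the four-rung ladder with its confidence thresholds, the asset-value escalation rule and the protected address ranges are all constructed assumptions, and the rung names come from the taxonomy on slide 10.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    """Constructed IDS alert; the field names are assumptions, not a real IDS format."""
    src_ip: str
    dst_port: int
    signature: str
    confidence: float  # 0.0-1.0, the confidence value slide 25 assumes the IDS supplies
    asset_value: int   # 1 (low) .. 5 (critical), from the asset evaluation step


# Constructed AR policy: rungs of the escalation ladder, least to most intrusive,
# each with the minimum IDS confidence required to climb to it.
LADDER = [
    ("No Action", 0.0),
    ("Internal Notification", 0.3),
    ("Internal Response", 0.7),
    ("External Cooperative Response", 0.9),
]

# Addresses this organisation must never filter: own resolvers, upstream ISP,
# partners.  Blocking one of these is the "collateral damage" / "own resources"
# failure slide 19 lists.  Documentation ranges, constructed for the example.
PROTECTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.53/32")]


def choose_rung(alert):
    """Highest rung the alert's confidence reaches; once at least a notification
    is warranted, a critical asset (value >= 4) is escalated one extra rung,
    never past the top."""
    rung = max(i for i, (_, threshold) in enumerate(LADDER)
               if alert.confidence >= threshold)
    if alert.asset_value >= 4 and rung > 0:
        rung = min(rung + 1, len(LADDER) - 1)
    return LADDER[rung][0]


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def respond(alert):
    """Return (rung, actions).  Each action is a notification line or the
    nftables command that implements the internal response.  The filter is
    refused, and handed to a human, when it would hit a protected address."""
    rung = choose_rung(alert)
    actions = []
    if rung == "No Action":
        return rung, actions
    actions.append(f"notify administrators: {alert.signature} from {alert.src_ip}")
    if rung in ("Internal Response", "External Cooperative Response"):
        if is_protected(alert.src_ip):
            actions.append(f"refuse filter: {alert.src_ip} is protected; escalate to a human")
        else:
            # Narrowest rule first (one source, one port): proportional force.
            actions.append(f"nft add rule inet filter input ip saddr {alert.src_ip} "
                           f"tcp dport {alert.dst_port} drop")
    if rung == "External Cooperative Response":
        actions.append(f"report to upstream ISP / CERT: {alert.signature} from {alert.src_ip}")
    return rung, actions


if __name__ == "__main__":
    for a in (Alert("203.0.113.5", 443, "sqli-attempt", 0.75, 2),
              Alert("203.0.113.9", 22, "ssh-bruteforce", 0.2, 3),
              Alert("198.51.100.7", 53, "dns-flood", 0.95, 5)):
        print(respond(a))
```

The rung is chosen from confidence first and asset value second, so a noisy IDS cannot push the responder past notification on its own; the protected-range check sits in front of every filtering action because a spoofed source address (slide 30's "Spoof IP Address") is exactly the case where an automatic block does the attacker's work for them.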

  26. Research Goals • Framework for Discussion • Definition • Taxonomy • Summary of Challenges • ADAM • Response Model • Decision Model • Algorithm • Example • Evolutionary Implementation

  27. Evolutionary Model • Competitive Co-Evolution • Genetic Algorithm • Uses biologically equivalent operators (crossover, mutation, gene, chromosome, populations) • Determines global maxima or minima • Fitness Function / Value • Two competing populations, co-evolving • Attackers / Defenders • Game Based • Fitness: risk assumed by defenders

  28. Evolutionary Model

  29. Evolutionary Model (Defender)
                                          DEFENSE POSITION
  DEFENSE ACTION                      0   1   2   3   4   5   6   7
  Null Action                        58  58  57  48  57  53  50  52
  Contact Administrator               8   2   5   6   6  10   5   5
  Contact Chief Technology Officer    3   2   2   6   9   5   7   9
  Shutdown port at firewall           0   0   0   0   0   0   0   0
  Filter IP at firewall               0   1   1   2   2   1   0   2
  Shutdown Server                     0   0   0   0   0   0   0   0
  Send TCP RST Packet                 3   4   6   5   6   5   7   5
  Ask ISP to Shut-off Attack          7  15   7  10   9   7  18  11
  Contact FBI                         4   2   5   4   1   5   3   7
  Use Traceback                      17  16  17  19  10  14  10   9
  Send Virus Against IP               0   0   0   0   0   0   0   0
  Initiate DoS Against IP             0   0   0   0   0   0   0   0
  Attempt to Hack Attacker            0   0   0   0   0   0   0   0

  30. Evolutionary Model (Attacker)
                                          ATTACK POSITION
  ATTACK ACTION                       0   1   2   3   4   5   6   7
  Null Action                        54  51  56  48  56  43  46  49
  Spoof IP Address                   39  24  19   7   4   2   0   3
  Port Scan the Server                0   4   6   7   6   5   6   1
  Ping the Server                     0   1   0   2   3   2   5   1
  DoS the Server                      0   0   0   0   0   2   2   4
  DDoS the Server w/ Zombies          0   1   0   2   2   6   6   5
  Poison DNS                          7  12   8  17  10  12   8  11
  Hack Server, Install Backdoor       0   1   2   2   1   7   4   3
  Hack Server, Download Records       0   0   1   0   2   4   2   4
  Hack Server, Change Records         0   2   7   8  10  10  13  12
  Send Virus Against Server           0   4   1   7   6   7   8   7
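Slide 27 describes the evolutionary model (two co-evolving populations, crossover and mutation, fitness as the risk assumed by defenders) and slides 29 and 30 show what its populations settle on. The following is an added example, not the thesis's implementation: a compact competitive co-evolution in Python over a subset of the two action lists. Every number in the payoff matrix and the per-action cost vector is constructed for illustration, the selection scheme (elitism plus truncation selection from the better half) is an assumption, and the `action_distribution` function reproduces the layout of the two tables so the output can be read the same way.

```python
import random

# Subsets of the defender and attacker action sets from slides 29 and 30.
DEFENSES = ["Null Action", "Contact Administrator", "Filter IP at firewall",
            "Send TCP RST Packet", "Ask ISP to Shut-off Attack", "Use Traceback",
            "Attempt to Hack Attacker"]
ATTACKS = ["Null Action", "Spoof IP Address", "Port Scan the Server",
           "DoS the Server", "Poison DNS", "Hack Server, Change Records"]
POSITIONS = 8  # positions 0-7, as in the slide tables

# Constructed payoff: residual risk to the defender (0 none .. 9 severe) when the
# attack in the row meets the defense in the column.  Illustrative values only.
RESIDUAL = [
    # Null Admin Filter RST ISP Trace Hack-back
    [0, 0, 0, 0, 0, 0, 0],  # Null Action
    [1, 1, 2, 1, 1, 2, 1],  # Spoof IP Address: filtering the spoofed IP hits the wrong host
    [2, 2, 1, 1, 1, 2, 2],  # Port Scan the Server
    [8, 7, 4, 6, 2, 7, 7],  # DoS the Server: only the upstream ISP really helps
    [6, 5, 5, 6, 4, 5, 6],  # Poison DNS
    [9, 6, 5, 4, 5, 7, 8],  # Hack Server, Change Records
]
# Constructed: risk the defense itself creates (legal exposure, collateral damage,
# own resources), paid whatever the attacker does.  Hack-back is priced as the
# legally riskiest option, which is why evolution drives it to zero.
DEFENSE_COST = [0, 1, 1, 1, 2, 2, 9]


def risk(defender, attacker):
    """Risk assumed by the defender when the two chromosomes meet position by position."""
    return sum(RESIDUAL[a][d] + DEFENSE_COST[d] for a, d in zip(attacker, defender))


def defender_fitness(defender, attackers):
    """Mean risk against the whole attacker population (the defender minimises this)."""
    return sum(risk(defender, a) for a in attackers) / len(attackers)


def attacker_fitness(attacker, defenders):
    """Mean risk inflicted on the defender population (the attacker maximises this)."""
    return sum(risk(d, attacker) for d in defenders) / len(defenders)


def crossover(p1, p2, rng):
    cut = rng.randrange(1, POSITIONS)  # one-point crossover
    return p1[:cut] + p2[cut:]


def mutate(chrom, n_actions, rate, rng):
    return [rng.randrange(n_actions) if rng.random() < rate else g for g in chrom]


def next_generation(pop, scores, lower_is_better, n_actions, rng, elite=2, rate=0.05):
    """Elitism plus truncation selection from the better half, then crossover and mutation."""
    ranked = [c for c, _ in sorted(zip(pop, scores), key=lambda cs: cs[1],
                                   reverse=not lower_is_better)]
    new = [list(c) for c in ranked[:elite]]
    parents = ranked[:max(2, len(ranked) // 2)]
    while len(new) < len(pop):
        p1, p2 = rng.sample(parents, 2)
        new.append(mutate(crossover(p1, p2, rng), n_actions, rate, rng))
    return new


def coevolve(generations=60, pop_size=40, seed=1):
    """Competitive co-evolution: each population's fitness is measured against the other."""
    rng = random.Random(seed)
    defenders = [[rng.randrange(len(DEFENSES)) for _ in range(POSITIONS)] for _ in range(pop_size)]
    attackers = [[rng.randrange(len(ATTACKS)) for _ in range(POSITIONS)] for _ in range(pop_size)]
    for _ in range(generations):
        d_scores = [defender_fitness(d, attackers) for d in defenders]
        a_scores = [attacker_fitness(a, defenders) for a in attackers]
        defenders = next_generation(defenders, d_scores, True, len(DEFENSES), rng)
        attackers = next_generation(attackers, a_scores, False, len(ATTACKS), rng)
    return defenders, attackers


def action_distribution(pop, names):
    """Percentage of a population choosing each action at each position, the
    layout of the tables on slides 29 and 30."""
    return {name: [round(100 * sum(1 for c in pop if c[pos] == i) / len(pop))
                   for pos in range(POSITIONS)]
            for i, name in enumerate(names)}


if __name__ == "__main__":
    defenders, attackers = coevolve()
    best = min(defenders, key=lambda d: defender_fitness(d, attackers))
    print("best defender:", [DEFENSES[g] for g in best],
          "risk", round(defender_fitness(best, attackers), 2))
    for name, row in action_distribution(defenders, DEFENSES).items():
        print(f"{name:27s}" + "".join(f"{v:4d}" for v in row))
```

Because fitness is risk rather than damage to the attacker, the defender population is rewarded for proportional, low-cost actions and penalised for counter-strike even when counter-strike would blunt the attack, which is the "maximize benefit, minimize risk" goal of slide 21 expressed as a fitness function. The attacker side is scored against the defender population at the same time, so neither side optimises against a fixed opponent.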

  31. Results of Evolutionary Model • Population fitnesses show that the model was correct w.r.t. evolutionary techniques • IT IS POSSIBLE! • Proof-of-concept that reasonable active response strategies can be developed using the rationale behind ADAM • Competitive Co-Evolution is a potential model for computer security relationships • First implementation applying the concept to a computer security scenario

  32. Conclusions & Contributions • The First Definition of Active Response • Taxonomy of Actions • Illustrates active response is more than strike-back methodology • Summary of Challenges • Ethical, Legal, Risk Analysis, Technical, Unintended Consq. • Response Process Model • Decision Model • Max Benefit, Min Risk, Incorporates Legal & Ethical • Active Defense Algorithm • Implementable version of process and decision model • Evolutionary Active Response Model • Provides proof-of-concept

  33. Future Work • Simulate and Validate Model (Currently Ongoing – Medical/Univ/Financial) – R. Blue • Further define taxonomy • More work on applying evolutionary techniques – R. Blue, S. Gotshall • Clearly define legal risks – A. Hubbard • Generate More Discussion / Educate

  34. Publications • Sergio Caltagirone, Deborah Frincke, "The Response Continuum," presented at 6th IEEE Information Assurance Workshop, West Point, NY, USA, June 2005. • Sergio Caltagirone, Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311. • Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005. • Sergio Caltagirone, "Active Defense Decision and Escalation Model," 20th Annual Computer Security Applications Conference, Works In Progress. Tucson, AZ, USA, December 2004. • Sergio Caltagirone, "An Active Defense Decision Model," presented at the Agora Workshop, University of Seattle, Seattle, WA. December, 2003.

  35. Thank You http://www.activeresponse.org
