Active Defense



  1. Active Defense
  Team BAM!: Scott Amack, Everett Bloch, and Maxine Major

  2. Overview
  • Definition of “active defense”
  • Risks & legal issues
  • Active defense tools
  • Demo
  • Conclusions

  3. What is Active Defense?
  A.K.A. (as distinct from passive defense):
  • Hacking back
  • Striking back
  • Retributive counterstriking
  • Mitigative counterstriking
  • Active threat neutralization

  4. What is Active Defense?
  • “synchronized, real time capability to discover, detect, analyze and mitigate threats and capabilities.” – DOD
  • “Active defenses consist of electronic countermeasures that attack an aggressive computer system, immobilizing that system and thus halting the cyber attack.” (jnslp.com)
  • “electronic counter-measures designed to strike attacking computer systems and shut down cyberattacks midstream.”
  • “to have true active defense, you’ve got to be able to meet the threat wherever it occurs.” (off-the-record comment by a military official)

  5. What is Active Defense?
  Active defense includes:
  • local intelligence gathering
  • remote intelligence gathering
  • actively tracing the attacker
  • actively attacking the attacker

  6. What is Active Defense?
  Active defense includes:
  • local intelligence gathering (LEGAL)
  • remote intelligence gathering (CAUTION)
  • actively tracing the attacker (CAUTION)
  • actively attacking the attacker (CAUTION)

  7. In the News
  Facebook vs. Koobface (2008 - 2012) (also MySpace, hi5, Bebo, Friendster, Twitter, and Sophos vs. Koobface)
  Koobface: malware that spread via social networking sites (Facebook) and built a botnet. Sophos found (and Facebook released) information on the creators of the Koobface botnet using only publicly available information:
  • Full daily backup of the command & control software, found during a Webalizer search (last.tar.bz2)
  • PHP script to send texts to Russian phone numbers
  • The same phone numbers were used to sell kittens and a BMW
  • The email address was used to register multiple domains, including koobface
  • The email prefix was used as the handle for multiple social networking accounts

  8. Active Defense - International
  • The anonymity of attacks makes them hard to prosecute.
  • A cyber attack can be considered comparable to a physical attack causing a similar effect. Example: shutting down a power grid vs. bombing a power grid.
  • By the same reasoning, active cyber defense can be considered comparable to active physical defense.

  9. Active Defense - RISKS
  • Collateral damage. Actively defending against an unmapped system could accidentally affect innocent systems.
  • Trespassing. Actively accessing any computer in excess of authorization is illegal. Note: the attacking system may not be owned by the criminal; it may itself be a compromised third-party host.

  10. Active Defense – LESS RISKY
  • Honeypots: a trap set to detect and possibly prevent unauthorized access to computing systems, and to legally collect information about attackers
  • Beacons: information captured by the attacker reports back to you
  • Disinformation campaigns: data obfuscation and disinformation (corrupt packets, decoy documents, fake intelligence, etc.)
  Theoretically, these are implemented on your own systems and are not “attacks”… BUT there may still be legal implications.
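The beacon and decoy-document idea from slide 10, as an added worked example (it is not code from the presentation or from any tool it names). A decoy document embeds a remote image whose URL carries an HMAC-tagged token; if whoever took the document opens it in a client that fetches remote resources, the request lands on a host we control and the access log shows which decoy fired and from which address. The secret, the hostname, the document ID and the log lines are all assumed or constructed here. Everything runs on infrastructure we own, which is what keeps this on the "less risky" side the slide describes.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumed values (not from the presentation): a per-deployment secret and a
# hostname we control, where the "image" is served and every request is logged.
BEACON_SECRET = b"replace-me-with-a-long-random-secret"
BEACON_HOST = "beacon.example.org"
TAG_LEN = 16  # hex chars of HMAC-SHA256 kept in the URL


def beacon_token(secret: bytes, doc_id: str) -> str:
    """doc_id plus a keyed tag, so a hit cannot be forged for another document."""
    tag = hmac.new(secret, doc_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{doc_id}-{tag}"


def beacon_url(secret: bytes, doc_id: str) -> str:
    return f"https://{BEACON_HOST}/b/{beacon_token(secret, doc_id)}.png"


def decoy_html(secret: bytes, doc_id: str, title: str) -> str:
    """A minimal decoy document embedding the beacon as a 1x1 remote image."""
    return (
        f"<html><head><title>{title}</title></head><body><h1>{title}</h1>"
        "<p>CONFIDENTIAL - internal distribution only.</p>"
        f'<img src="{beacon_url(secret, doc_id)}" width="1" height="1">'
        "</body></html>"
    )


def verify_token(secret: bytes, token: str):
    """Return doc_id if the token's tag is valid for this secret, else None."""
    doc_id, sep, tag = token.rpartition("-")
    if not sep or not doc_id:
        return None
    expected = hmac.new(secret, doc_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return doc_id if hmac.compare_digest(tag, expected) else None


# Common Log Format as written by Apache/nginx: client, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')
TOKEN_RE = re.compile(r"^/b/([^/]+)\.png$")


def beacon_hits(secret: bytes, log_lines):
    """Scan access-log lines; return [(client_ip, timestamp, doc_id)] for every
    request whose token verifies. Guessed or mangled tokens are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, _status = m.groups()
        pm = TOKEN_RE.match(urlparse(path).path)
        if pm and (doc_id := verify_token(secret, pm.group(1))) is not None:
            hits.append((ip, ts, doc_id))
    return hits


# Constructed sample log (not a real capture): one genuine hit on the decoy
# "q3-forecast", one guessed token, one unrelated request.
_REAL_PATH = urlparse(beacon_url(BEACON_SECRET, "q3-forecast")).path
SAMPLE_ACCESS_LOG = [
    f'203.0.113.7 - - [10/Mar/2013:04:12:09 +0000] "GET {_REAL_PATH} HTTP/1.1" 200 68',
    '203.0.113.7 - - [10/Mar/2013:04:12:10 +0000] "GET /b/q3-forecast-0000000000000000.png HTTP/1.1" 404 0',
    '198.51.100.2 - - [10/Mar/2013:04:13:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(decoy_html(BEACON_SECRET, "q3-forecast", "Q3 Forecast"))
    for ip, ts, doc in beacon_hits(BEACON_SECRET, SAMPLE_ACCESS_LOG):
        print(f"beacon fired: decoy {doc!r} opened from {ip} at {ts}")
```

Two caveats a practitioner will want: many document viewers and mail clients now block remote content by default, so the beacon only fires when the document is opened in something that fetches it, and a valid token proves only that the decoy's URL was requested. The source address is whatever client made the fetch, so a hit is a lead to investigate and not attribution.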

  11. Active Defense - Honeypots
  Types of honeypot:
  • Production: placed on production systems to help protect the network. May bring unwanted attention to your network, and if not secured properly will itself become an attack vector.
  • Research: typically set up in a standalone environment to research new malware. Not placed on a critical network, so if compromised little damage can be done.

  12. Active Defense - Honeypots
  Project Honey Pot
  • A distributed network of websites carrying decoy web pages, used to detect new malicious scanners and crawlers.
  • Requires a unique page installed on each participant's website, and shares information about new threats with all members.
  • Sign up at www.projecthoneypot.org. It is free.

  13. Active Defense - ShadowNet
  ShadowNet
  • An infrastructure for insider cyber attack prevention
  • A tiered server system that can dynamically redirect dangerous/suspicious network traffic away from production servers

  14. Active Defense - ShadowNet
  How it works:
  • Suspicious network traffic is redirected to a quarantined clone server
  • The clone creates the impression that the attacks performed are successful
  • Malicious activity on the quarantined server is not reflected on the production server
  • Existing connections, such as SSH, are not interrupted
  • The redirection is transparent to both the attacker and normal users
  • Actions performed on the quarantined server are recorded

  15. Active Defense - ShadowNet
  4 key parts:
  • ShadowNet Client
  • ShadowNet Server
  • ShadowNet Bridge
  • IDS Fusion System

  16. Active Defense - ShadowNet: ShadowNet Architecture (diagram)

  17. Active Defense - ShadowNet: ShadowNet Architecture (diagram, continued)

  18. Active Defense Demo
  The Active Defense Harbinger Distribution (ADHD): a Linux install with active defense tools, http://sourceforge.net/projects/adhd/
  We will demo the following tools:
  • Artillery
  • WebLabyrinth

  19. Active Defense Demo
  Artillery
  • Honeypot: blacklists port scanners (anything that connects to its decoy ports)
  • File monitoring and integrity checking: if a file hash changes → email alert
  • Brute force login prevention: more than 4 attempts → blacklisted
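The three Artillery behaviours on slide 19, as an added example in Python (my illustration, not Artillery's own code, which lives at the svn.secmaniac.com link in the references). Assumed: the decoy port and allowlist values, an OpenSSH-style auth log, and an alert callback standing in for Artillery's e-mail; the sample log lines are constructed.

```python
import hashlib
import os
import re
import socket
from collections import defaultdict

MAX_FAILURES = 4  # per the slide: more than 4 failed attempts -> blacklisted


# --- 1. honeypot ports: nothing legitimate listens here, so any connection is a probe
def honeypot_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind a decoy TCP port (port 0 lets the OS pick one, handy for testing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def honeypot_accept_once(listener: socket.socket, blacklist: set,
                         allowlist=frozenset(), alert=print) -> str:
    """Accept one connection, blacklist the peer, close without sending a byte
    (a banner would only hand the scanner information). Returns the peer IP."""
    conn, (ip, _port) = listener.accept()
    conn.close()
    if ip not in allowlist:
        blacklist.add(ip)
        alert(f"honeypot: {ip} probed decoy port {listener.getsockname()[1]}")
    return ip


# --- 2. file integrity: SHA-256 baseline, re-checked on a schedule
def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    return {p: sha256_file(p) for p in paths}


def check_integrity(baseline: dict) -> list:
    """Return [(path, reason)] for files that changed or disappeared."""
    findings = []
    for path, old_hash in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != old_hash:
            findings.append((path, "hash changed"))
    return findings


# --- 3. brute-force lockout: count failed SSH logins per source IP
# Matches OpenSSH's "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def brute_force_offenders(log_lines, max_failures: int = MAX_FAILURES) -> set:
    """IPs with more than max_failures failed logins in the lines given."""
    counts = defaultdict(int)
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip for ip, n in counts.items() if n > max_failures}


# Constructed sample auth log (not a real capture): one scanner hammering root,
# one legitimate user who mistyped a password once.
SAMPLE_AUTH_LOG = [
    f"Mar 10 04:12:{i:02d} host sshd[12{i}]: Failed password for root from 203.0.113.7 port 4444 ssh2"
    for i in range(5)
] + [
    "Mar 10 04:15:01 host sshd[130]: Failed password for alice from 198.51.100.2 port 50000 ssh2",
    "Mar 10 04:15:05 host sshd[131]: Accepted password for alice from 198.51.100.2 port 50001 ssh2",
]

if __name__ == "__main__":
    print("brute-force offenders:", brute_force_offenders(SAMPLE_AUTH_LOG))
    baseline = build_baseline([__file__])
    print("integrity findings:", check_integrity(baseline))
```

Note that the blacklist is only useful once something enforces it (Artillery writes firewall rules); a lockout that fires on any source address with no allowlist will happily block your own jump host, which is why the honeypot accept takes an allowlist and the brute-force counter keys on the source IP rather than the username.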

  20. Active Defense Demo
  WebLabyrinth
  • A maze of web pages designed to delay and occupy malicious web scanners.
  • Displays a 404 error to legitimate web crawlers.
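A WebLabyrinth-style link maze, as an added example in Python (WebLabyrinth itself is PHP; this is my illustration, not its code). Every maze URL returns a page of links to further maze URLs, derived from the path with a keyed hash so that a re-fetch of the same URL yields the same page without server-side state. Polite crawlers are kept out two ways: robots.txt disallows the maze, and known crawler User-Agents get the 404 the slide describes. The /labyrinth/ prefix, the key and the crawler strings are assumptions.

```python
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAZE_PREFIX = "/labyrinth/"          # assumed mount point for the maze
LINKS_PER_PAGE = 6
# Assumed crawler User-Agent substrings; extend the tuple from your own logs.
GOOD_CRAWLERS = ("Googlebot", "Bingbot", "DuckDuckBot", "Slurp", "Baiduspider")
# Assumed per-deployment key; changing it reshuffles every page of the maze.
MAZE_KEY = b"replace-with-a-random-key"


def is_good_crawler(user_agent: str) -> bool:
    return any(tag in (user_agent or "") for tag in GOOD_CRAWLERS)


def maze_links(path: str, key: bytes = MAZE_KEY, n: int = LINKS_PER_PAGE) -> list:
    """Child links for `path`, derived with HMAC so the same URL always yields
    the same page without any server-side state."""
    links = []
    for i in range(n):
        digest = hmac.new(key, f"{path}|{i}".encode(), hashlib.sha256).hexdigest()
        links.append(f"{MAZE_PREFIX}{digest[:10]}.html")
    return links


def labyrinth_response(path: str, user_agent: str):
    """Decide (status, content_type, body) for a request. Pure function, so the
    policy can be unit-tested without a server."""
    if path == "/robots.txt":
        return 200, "text/plain", f"User-agent: *\nDisallow: {MAZE_PREFIX}\n"
    if not path.startswith(MAZE_PREFIX):
        return 404, "text/plain", "Not Found\n"
    if is_good_crawler(user_agent):
        # Polite crawlers get a 404 (what the slide describes) and move on.
        return 404, "text/plain", "Not Found\n"
    items = "".join(
        f'<li><a href="{link}">{link.rsplit("/", 1)[1]}</a></li>'
        for link in maze_links(path)
    )
    body = f"<html><body><h1>Index of {path}</h1><ul>{items}</ul></body></html>\n"
    return 200, "text/html", body


class LabyrinthHandler(BaseHTTPRequestHandler):
    DELAY_SECONDS = 0.5  # a scanner thread waits here; our thread costs little

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        status, ctype, body = labyrinth_response(self.path, ua)
        if status == 200 and self.path.startswith(MAZE_PREFIX):
            time.sleep(self.DELAY_SECONDS)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Log maze visitors only: they are the scanners worth investigating.
        if self.path.startswith(MAZE_PREFIX):
            print(f"maze visitor {self.client_address[0]} {self.path}")


if __name__ == "__main__":
    # ThreadingHTTPServer so one delayed scanner does not block other clients.
    ThreadingHTTPServer(("127.0.0.1", 8080), LabyrinthHandler).serve_forever()
```

The User-Agent check is deliberately the lenient failure mode: a scanner that claims to be Googlebot escapes the maze, which is preferable to trapping a real search engine. If you need a stronger test, verify crawler identity by reverse DNS of the client address before serving them the 404; the policy function is the only place that changes.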

  21. Active Defense Demo: Demonstration

  22. Active Defense
  The best “active defense”:
  • Trace the IP
  • Report it. Debatably the most legal thing you can do.

  23. Active Defense – Conclusions
  The best “active defense”: “Get a good lawyer. Get them involved early and often.” - Robert Clark, operations lawyer for U.S. Army Cyber Command

  24. For More Information… http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf

  25. Active Defense - Parting Thoughts
  • “Not only do we put out the fire, but we also look for the arsonist.” - Shawn Henry, former head of cybercrime investigations at the FBI
  • “Anything we do in active defense will automatically legitimize that technique for other regimes.” - Michael Hayden, former director of the NSA

  26. Active Defense - Recap
  • Several definitions of “Active Defense”
  • Legal & international implications
  • Tools: Honeypot, ShadowNet, ADHD, Artillery, WebLabyrinth
  • Report (& stay legal)

  27. Active Defense: Questions?

  28. Active Defense - References
  • http://bgr.com/2012/06/18/anti-hacker-retaliation-new-policies/
  • http://cda.ornl.gov/publications_2012/Publication_30528.pdf
  • http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html
  • http://en.wikipedia.org/wiki/Koobface
  • http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf
  • http://jnslp.com/wp-content/uploads/2010/08/07_Graham.pdf
  • http://jolt.law.harvard.edu/articles/pdf/v25/25HarvJLTech415.pdf
  • http://sourceforge.net/projects/adhd/
  • http://svn.secmaniac.com/artillery
  • http://threatpost.com/en_us/blogs/debate-over-active-defense-and-hacking-back-crops-rsa-022812
  • http://weblabyrinth.googlecode.com/files/weblabyrinth-0.3.2.tar.gz
  • http://weblabyrinthserverip/labyrinth/index.php (demo URL; substitute the WebLabyrinth server's IP)
  • http://www.alston.com/Files/Publication/c638c36f-0293-45fa-ba20-ee50b12e00fe/Presentation/PublicationAttachment/4a6feb1e-c091-4352-977c-d45bcd114d3c/Cyber-Alert-legal-issues-with-emerging-active-defense-security-technologies-1-11-13.pdf
  • http://www.darkreading.com/risk-management/167901115/security/security-management/240012675/companies-should-think-about-hacking-back-legally-attorney-says.html
  • http://www.defense.gov/news/d20110714cyber.pdf
  • http://www.forbes.com/sites/jodywestby/2012/11/29/caution-active-response-to-cyber-attacks-has-high-risk/
  • http://www.hbgary.com/active-defense
  • http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf
  • http://www.lokisec.com/?p=164
  • www.projecthoneypot.org
  • http://www.washingtonpost.com/blogs/checkpoint-washington/post/active-defense-at-center-of-debate-on-cyberattacks/2012/02/27/gIQACFoKeR_blog.html
  • http://www.webtorials.com/discussions/2012/07/tracking-hackers-down---then-striking-back.html
