Presentation on theme: "Beyond Reactive Management of Network Intrusions Professor Sushil Jajodia Professor Sushil Jajodia Center for Secure Information Systems"— Presentation transcript:
Beyond Reactive Management of Network Intrusions Professor Sushil Jajodia Professor Sushil Jajodia Center for Secure Information Systems
Outline Problem Approach Benefits Challenges
The Perfect Storm Network configurations are ever more sophisticated Vulnerabilities are becoming more complex Remediation resources are sparse A total solution is a combination of technology and services I will describe the technology component I will describe the technology component
Limitations of Vulnerability Scanners Generate overwhelming amount of data Example Nessus scan –Elapsed time: 00:48:07 –Total security holes found: 255 –High severity: 40 –Low severity: 117 –Informational: 98 No indication of how vulnerabilities can be combined Can an outside attacker obtain access to the Crown Jewels? Where does a security administrator start?
Limitations of IDSs Generate overwhelming number of alerts Many false alerts – normal traffic or failed attacks Alerts are isolated No indication of how alerts can be combined Incomplete alert information Where does a security administrator start? Is the attacker trying to obtain access to Crown Jewels? Require extensive human intervention
Summary Current security measures largely independent Little synergy among tools Vulnerabilities considered in isolation may seem acceptable risks, but attackers can combine them to produce devastating results
What is lacking? “A distributed system is one in which the failure of computer you didn’t even know existed can render your own computer unusable” – Leslie Lamport Context for total network security How outsiders penetrate firewalls and launch attacks from compromised hosts Insider attacks
9 The reality – security concerns are highly interdependent. Simply Listing Problems Misses the Big Picture!
Penetration Testing Few experts available Red teams can be expensive Tedious Error-prone Impractical for large networks No formal claims
Attack Graphs An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits Chain is called an attack path Set of all possible attack paths form an attack graph Generate attack graphs to mission critical resources Report only those vulnerabilities associated with the attack graphs
Related Work Phillips and Swiler NSPW 1998 Templeton and Levitt NSPW 2000 Ritchey and Ammann S&P 2000 Wing, Jha et al. CSFW 2002 Ammann et al CCS 2002 Ou et al. CCS 2006 Sawilla and Ou ESORICS 2008
Firewall Attacker Web ServerMail Server Hub NT4.0 IIS Linux attack tools Linux wu_ftpd
Reference Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, John Williams, "Cauldron: Mission-centric cyber situational awareness with defence in depth," Proc. MILCOM Conf., Baltimore, MD, November 7-10, 2011.
Minimal-Cost Network Hardening
Reference Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approch to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable and Networks (DSN), Boston, Mass, June 25-28, 2012.
25 Attack Graph Visualization Problem Even small networks can yield complex attack graphs!
2/21/ Attack Target External Attacker
Alert Correlation Correlate alerts to build attack scenarios For efficient response, this must be done in real time
Related Work Based on a priori knowledge, such as the prepare- for relationship (Cuppens et al S&P’02, Ning et al CCS’02 CCS’03, etc.) Based on statistical analysis, such as temporal similarity between alert sequences (Lee et al RAID’03, Dacier et al KDD’02, Valdes et al RAID’01, etc.) Hybrid approaches (Ning et al ACSAC’04, Lee et al ESORICS’04, Morin et al RAID’02, etc.)
Attack Graph Approach Provides context for alarms Can help with forensic analysis, attack response, attack prediction
Hypothesizing and Predicting Alerts Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs - Reassembling a broken attack scenario is expensive and error- prone By reasoning about the inconsistency between the knowledge (encoded in attack graph) and the facts (represented by received alerts), missing alerts can be hypothesized By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted
Reference Lingyu Wang, Anyi Liu, Sushil Jajodia, "An efficient and unified approach to correlating, hypothesizing, and predicting network intrusion alerts," Proc. 10th European Symposium on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 3679, September 2005, pages
Two Sides of Security Just what is “predictive? Common Operating Picture Situational Awareness I have 700 vulnerabilities – now what?!? Monitoring/Management Predictive Plus more than 60 other vendors 3 vendors “Put my problems/my risks in context”
Our Approach Network Capture –builds a model of the network –represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications Vulnerability Database –a comprehensive repository of reported vulnerabilities Graph Engine –simulates multi-step attacks through the network, for a given user-defined Attack Scenario –analyzes vulnerability dependencies, matching exploit preconditions and post-conditions –generates all possible paths through the network (for a given attack scenario) Aggregate / Correlate / Visualize
Benefit from Synergies Common Operating Picture Situational Awareness Patching servers vs changing firewalls Combined vulnerabilities are real Firewalls Vulnerability Scans Patch Mgmt/ Asset Mgmt Other Where do I need to focus my resources?! to focus my resources?!
Unconstrained Start/Goal 39
Attack Start Constrained Start 40
Attack Start Attack Goal Constrained Start and Goal 41
Attack Start Attack Goal Attack Start Direct Paths 42
Harden First-Layer Recommendation 43
Harden Last-Layer Recommendation 44
Harden Minimum-Effort Recommendation 45
2/21/ Security Metrics Alarm Correlation And Attack Response Sensor Placement Network Hardening CAULDRON has Numerous Applications
Summary of CAULDRON Automated analysis of all possible attack paths through a network –Resulting attack “roadmap” provides context for optimal defenses –Transforms volumes of isolated facts into manageable, actionable results Integrates with existing tools for capturing network configuration Your network is provably secure, with minimum effort A useful tool for making informed decisions about network security
Zero-day Attacks Lingyu Wang, Sushil Jajodia, Anoop Singhal, Steven Noel, "k-Zero day safety: Measuring the security risk of networks against unknown attacks," Proc. 15th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6345, 2010, pages
Cyber Situation Awareness An ever increasing number of critical applications and services rely on Information Technology infrastructures –Increased risk of cyber attacks –Increased negative impact of cyber attacks Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems –Manual analysis is labor-intensive and error-prone –Vulnerabilities are often interdependent, making traditional point- wise vulnerability analysis ineffective –Services and machines on a network are interdependent Need for tools that provide analysts with a “big picture” of the cyber situation 49
CSA Capabilities: Enterprise Network 50 Internet Web Server (A) Mobile App Server (C) Catalog Server (E) Order Processing Server (F) DB Server (G) Local DB Server (D) Local DB Server (B) Current situation. Is there any ongoing attack? If yes, where is the attacker? Impact. How is the attack impacting the enterprise or mission? Can we asses the damage? Evolution. How is the situation evolving? Can we track all the steps of an attack? Behavior. How are the attackers expected to behave? What are their strategies? Forensics. How did the attacker create the current situation? What was he trying to achieve? Information. What information sources can we rely upon? Can we assess their quality? Prediction. Can we predict plausible futures of the current situation? Scalability. How can we ensure that solutions scale well for large networks?
Situation Knowledge Reference Model Index & Data Structures Index & Data Structures Topological Vulnerability Analysis CSA Framework Architecture 51 Monitored Network Analyst Alerts/Sensory Data Cauldron Switchwall Vulnerability Databases NVDOSVD CVE Stochastic Attack Models Generalized Dependency Graphs Generalized Dependency Graphs Graph Processing and Indexing Dependency Analysis NSDMine r Scenario Analysis & Visualization Network Hardening Unexplained Activities Model Adversarial modeling Heavy Iron
Reference Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, eds., Cyber Situational Awareness: Issues and Research, ISBN: , Springer International Series on Advances in Information Security, 2009, 252 pages. Arun Natrajan, Peng Ning, Yao Liu, Sushil Jajodia, Steve E. Hutchinson, "NSDMine: Automated discovery of network service dependencies," Proc. 31st Annual Int'l. Conf. on Computer Communications (INFOCOM), Orlando, FL, March 25-30, 2012, pages Massimiliano Albanese, Sushil Jajodia, Andrea Pugliese, V. S. Subrahmanian, "Scalable analysis of attack scenarios," Proc. 16th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6879, V. Atluri and C. Diaz, eds., Leuven, Belgium, September 12-14, 2011, pages