Computer Network Defense

 Computer Network Defense (CND): actions taken through the use of computer networks to protect, monitor, analyze, detect, and respond to unauthorized activity within information systems and computer networks.
 Information Assurance (IA): measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.
 CND and IA are not the same
 Mutually supporting
(Definitions from Joint Publication doctrine.)

 All authorized use is allowed
 All unauthorized use is denied
 Pretty simple, right?

 The advantage lies with the offense
   Near-impossible to fully achieve both goals
 The most secure system is the one not connected to the network
   It may still be vulnerable, and what does disconnection do to system availability?
 Cannot defend against every attack: zero-day exploits
 Some defensive measures block legitimate traffic
   Must balance system usability and security
 Goal: minimize the risk of operating in a networked environment
   Requires robust CND and IA strategies
   Defend what we can
   Recover from attack / intrusion quickly
 Limited resources
   Can't protect everything
   Maximize return on investment (ROI)

 "Give users and programs the privileges they need, and no more."
 If your network only needs to provide web and name-resolution services to users/hosts outside your network, then employ a firewall that blocks inbound connections to ports other than 80 (and 443 if the site serves HTTPS) and 53 (DNS uses both UDP and TCP), and that denies everything else by default.
 If a file or collection of files is only needed by a specific user or by a particular network service, then those files should be accessible only to that user, or only to the server processes that need them.
 Operating-system file permissions limit access in this way, but the principle should also guide decisions on what information goes onto network drives and shared drives.

 Multiple layers of defense are placed throughout an information system
 Addresses security vulnerabilities in personnel, technology, and operations
 Each protection mechanism covers the weaknesses / vulnerabilities of the other mechanisms in use
 Delays the success of an attack
 Provides time to detect and respond

 Along with the "Least Privilege" and "Defense in Depth" principles, a vigilant system administrator may well recognize an intrusion and be able to kick the attackers off the system before they reach the asset they were really after.
 Administrators need to keep their eyes on log files in order to recognize that they're under attack. Programs called intrusion detection systems help this effort by automatically combing log files for unusual activity and alerting administrators when it is found.

 Defense requires knowing the nature of the threat
 What is the intent of the attack?
   Exploitation
   Disruption
   Destruction
 Who is the actor?
   State-sponsored
   Cyber criminals
   Terrorist groups / sympathizers
   Disgruntled employees

 What is the threat vector?
   Remote access
   Close access
     Ex: WiFi sniffing / injection
   Local access
 Insider threat
   Target users of the network (social engineering)
   We are our own worst enemy
   Intentional actions by insiders
     Ex: PVT Manning, Terry Childs
 Supply chain
   Design phase
   Ordering / delivery
   Disposal

 CND hinges on detecting malicious activity
   How can we respond if we don't know we're being attacked?
   How do we know our defenses work?
 Detection applies to all attack phases
   Pre-attack
     Indications of a pending attack may allow it to be prevented
   During the attack
     Stop the attack in progress and limit its impact
   Post-attack
     Forensics
       Determine the scope of the attack
       Collect evidence
       Identify new malware or techniques
       Develop detection techniques
     Clean up / recovery: what was affected?
     Measure return on investment: why are we spending money on security?

 Management & monitoring
 Network Access Control (NAC)
 Firewalls
 Demilitarized Zone (DMZ)
 Intrusion Detection Systems (IDS)
 Intrusion Prevention Systems (IPS)
 Proxy servers
 Sandboxing
 Virtual Private Networks (VPN)

 Configuration management
   Know what's on your network
   Similar systems (workstations, servers, etc.) share a similar configuration
   Remove unnecessary accounts and services
   Changes to the baseline require approval
   All changes tracked
 Use standardized protocols and centralized systems for management
   SNMP, software and anti-virus management servers
 Centralized logging
   Logs from multiple systems collected in a single place
   Allows centralized monitoring and response
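A baseline check is the concrete form of "know what's on your network" and "changes to the baseline require approval". The following is an added example (not a tool from the slides): the per-role baseline, the host inventories and the change-ticket register are constructed; on a real network the inventory would come from an agent or a configuration-management database. Anything present on a host but absent from its role's baseline is reported, and it is only acceptable if a ticket approves that exact host/item pair.

```python
"""Configuration baseline drift check (added example; constructed data)."""

# Approved build standard per role: the only local services and accounts
# a host of that role should have. (Constructed.)
BASELINE = {
    "workstation": {"services": {"sshd", "cups"},
                    "accounts": {"root", "svc-backup"}},
    "webserver":   {"services": {"sshd", "nginx"},
                    "accounts": {"root", "www-data"}},
}

# Change-control register: (host, kind, item) -> ticket that approved it.
# A ticket applies to one host only; the same extra on another host is drift.
APPROVED = {
    ("web01", "service", "node_exporter"): "CHG-1042",
}

# What the inventory agent reported for each host. (Constructed.)
INVENTORY = {
    "ws17":  {"role": "workstation",
              "services": {"sshd", "cups", "telnetd"},
              "accounts": {"root", "svc-backup", "alice"}},
    "web01": {"role": "webserver",
              "services": {"sshd", "nginx", "node_exporter"},
              "accounts": {"root", "www-data"}},
    "web02": {"role": "webserver",
              "services": {"nginx"},                       # sshd missing
              "accounts": {"root", "www-data", "tmpadmin"}},
}


def drift(host, inv, baseline=BASELINE, approved=APPROVED):
    """Findings for one host as (host, kind, item, status) tuples.

    status is 'unapproved-extra' (present, no ticket), 'approved-extra (<id>)'
    (present, covered by a ticket) or 'missing' (required by the role but gone,
    e.g. a management agent someone disabled)."""
    role = baseline[inv["role"]]
    findings = []
    for kind, key in (("service", "services"), ("account", "accounts")):
        for item in sorted(inv[key] - role[key]):
            ticket = approved.get((host, kind, item))
            status = f"approved-extra ({ticket})" if ticket else "unapproved-extra"
            findings.append((host, kind, item, status))
        for item in sorted(role[key] - inv[key]):
            findings.append((host, kind, item, "missing"))
    return findings


def audit(inventory=INVENTORY, baseline=BASELINE, approved=APPROVED):
    """Drift across the whole estate, hosts in name order."""
    return [f for host, inv in sorted(inventory.items())
            for f in drift(host, inv, baseline, approved)]


def unapproved(inventory=INVENTORY, baseline=BASELINE, approved=APPROVED):
    """Only the findings that need a human: drift with no ticket, or loss of a
    required component."""
    return [f for f in audit(inventory, baseline, approved)
            if f[3] in ("unapproved-extra", "missing")]


if __name__ == "__main__":
    for host, kind, item, status in audit():
        print(f"{host:6} {kind:8} {item:14} {status}")
```

Run unattended, the unapproved list is what should be raised as an incident or a change request; an approved extra is merely noted so the baseline can eventually be updated to include it.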

 Systems that control network access based on defined policies
 Permit, deny, or limit access based on
   User identity
     Control access based on who's logged into the system
   Required operating-system / application updates installed
   Anti-malware installed / up to date
   Malware detected on the system
   System meets security policies
 Can deny access if an authorized system violates policies
 Usually provide a mechanism for remediation
 May rely on agent software installed on the system
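The policy decision a NAC server makes from these inputs, as an added example (not from the slides or any product): the posture record is what a hypothetical endpoint agent would report at connect time, and the group names, VLAN names and freshness thresholds are constructed policy. The point the code makes explicit is the three-way outcome: identity failures and active infections are hard denials, while fixable posture problems put the host on a remediation VLAN rather than shutting it out.

```python
"""NAC posture evaluation (added example; constructed policy and postures)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Posture:
    user: str
    groups: frozenset
    os_patch_level: date      # date of the newest installed OS update
    av_installed: bool
    av_signatures: date       # date of the anti-malware signature set
    malware_detected: bool
    disk_encrypted: bool


@dataclass
class Policy:
    today: date
    # which network each permitted group lands on (constructed names)
    vlan_for_group: dict = field(
        default_factory=lambda: {"staff": "corp", "contractors": "guest"})
    max_patch_age_days: int = 30
    max_av_age_days: int = 7
    remediation_vlan: str = "quarantine"   # reaches only update/AV servers


def evaluate(p: Posture, pol: Policy) -> dict:
    """Return {'decision': permit|quarantine|deny, 'vlan': ..., 'reasons': [...]}."""
    # Hard failures: nothing the user can remediate at the port.
    eligible = [pol.vlan_for_group[g] for g in sorted(p.groups)
                if g in pol.vlan_for_group]
    if not eligible:
        return {"decision": "deny", "vlan": None,
                "reasons": [f"user {p.user} is in no permitted group"]}
    if p.malware_detected:
        return {"decision": "deny", "vlan": None,
                "reasons": ["anti-malware reports an active infection"]}
    # Soft failures: host is fixable, so route it to remediation instead.
    reasons = []
    if (pol.today - p.os_patch_level).days > pol.max_patch_age_days:
        reasons.append("OS updates older than policy allows")
    if not p.av_installed:
        reasons.append("anti-malware not installed")
    elif (pol.today - p.av_signatures).days > pol.max_av_age_days:
        reasons.append("anti-malware signatures out of date")
    if not p.disk_encrypted:
        reasons.append("disk encryption disabled")
    if reasons:
        return {"decision": "quarantine", "vlan": pol.remediation_vlan,
                "reasons": reasons}
    # Least privilege across group memberships: a contractor who is also in
    # 'staff' still gets the more restrictive network.
    vlan = "guest" if "guest" in eligible else eligible[0]
    return {"decision": "permit", "vlan": vlan, "reasons": []}


# Constructed sample inputs so the module runs (and is testable) offline.
POLICY = Policy(today=date(2024, 3, 1))
SAMPLE_POSTURES = {
    "alice":   Posture("alice", frozenset({"staff"}), date(2024, 2, 20),
                       True, date(2024, 2, 28), False, True),
    "bob":     Posture("bob", frozenset({"staff"}), date(2023, 12, 1),
                       True, date(2024, 2, 28), False, True),   # stale OS
    "carol":   Posture("carol", frozenset({"staff"}), date(2024, 2, 20),
                       True, date(2024, 2, 28), True, True),    # infected
    "dan":     Posture("dan", frozenset({"contractors", "staff"}),
                       date(2024, 2, 20), True, date(2024, 2, 28), False, True),
    "mallory": Posture("mallory", frozenset({"visitors"}), date(2024, 2, 20),
                       True, date(2024, 2, 28), False, True),   # no group
}

if __name__ == "__main__":
    for name, posture in SAMPLE_POSTURES.items():
        print(f"{name:8}", evaluate(posture, POLICY))
```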

 Device or software application designed to permit or deny network traffic based on a set of rules
 Protects networks from unauthorized access
 Permits legitimate communications to pass
 Logs traffic that violates the rules
 Many routers contain firewall components
 Many firewalls can perform basic routing
 Can help blunt DDoS attacks by dropping attackers' packets (though it cannot help once the flood saturates the upstream link in front of it)

 Packet filter
   Filters based on
     Source / destination addresses (MAC or IP)
     Source / destination ports
     Protocol (TCP, UDP, ICMP, GRE, ...)
 Stateful inspection
   Examines each packet in relation to the other packets in the series
   Determines whether traffic is a new connection, an existing connection, a terminated connection, or invalid
 Application layer
   "Deep inspection"
   Understands application-layer protocols
     HTTP, FTP, DNS, ...
   Determines whether the protocol is being misused or carries malicious payloads

 Physical or logical sub-network that exposes external services to an untrusted network
   External services are more exposed to attack
   Segregates external services from internal networks
 Often referred to as a perimeter network
 DMZ hosts are often bastion hosts
   Designed / configured to withstand attacks
   Generally host a single application
   Other services removed or limited
   Limit implied trust
     Different usernames / passwords from internal servers
     Separate or no domain membership
   Can be a special-purpose device
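The least-privilege rule set from the earlier slide (only web and DNS reachable from outside), the packet-filter and stateful-inspection behaviour just described, and the DMZ layout above can all be shown in one small model. The following is an added example, not code from the slides: a toy zone-aware packet filter with a connection table. The zones use RFC 5737 documentation addresses, and the rules are constructed for an Internet -> DMZ -> internal layout in which the DMZ web host may reach only the internal database, and nothing on the Internet may reach the internal network directly. New TCP flows must begin with a bare SYN; a stray ACK that belongs to no tracked connection is classed as invalid, which is what distinguishes this from a stateless filter (and defeats an ACK scan).

```python
"""Zone-aware stateful packet filter (added example; constructed topology)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {                                   # constructed; checked most specific first
    "dmz": ip_network("203.0.113.0/24"),
    "lan": ip_network("10.0.0.0/8"),
    "wan": ip_network("0.0.0.0/0"),         # catch-all: everything else
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next(name for name, net in ZONES.items() if ip in net)


@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    src_zone: Optional[str] = None          # None = any
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None               # exact destination host
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((self.src_zone is None or zone_of(p.src) == self.src_zone,
                    self.dst_zone is None or zone_of(p.dst) == self.dst_zone,
                    self.proto is None or p.proto == self.proto,
                    self.dst is None or p.dst == self.dst,
                    self.dport is None or p.dport == self.dport))


RULES = [   # least privilege: only what the published services need
    Rule("allow", "wan", "dmz", "tcp", "203.0.113.10", 80),    # public web
    Rule("allow", "wan", "dmz", "udp", "203.0.113.53", 53),    # public DNS
    Rule("allow", "wan", "dmz", "tcp", "203.0.113.53", 53),
    Rule("allow", "dmz", "lan", "tcp", "10.1.0.20", 5432),     # web -> DB only
    Rule("allow", "lan", None),                                 # internal: any outbound
    # deliberately no wan -> lan rule: the DMZ is the only exposed segment
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()      # accepted 5-tuples, initiator's side first
        self.log = []

    def handle(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Stateful fast path: either direction of an accepted flow passes
        # without re-evaluating the rules; FIN/RST tears the entry down
        # (simplified: real trackers wait for both sides to close).
        if key in self.conns or reverse in self.conns:
            if p.fin or p.rst:
                self.conns.discard(key)
                self.conns.discard(reverse)
            return "allow"
        # A new TCP flow must open with SYN and no ACK; anything else that
        # matches no tracked connection is invalid (e.g. an ACK scan).
        if p.proto == "tcp" and not (p.syn and not p.ack):
            self.log.append(f"INVALID {key}")
            return "deny"
        for rule in self.rules:                 # first match wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.conns.add(key)
                else:
                    self.log.append(f"DENY {key}")
                return rule.action
        self.log.append(f"DEFAULT-DENY {key}")  # implicit deny-all at the end
        return "deny"
```

Note what the rule table does not contain: there is no rule for SSH from the Internet, no rule from the DMZ to arbitrary internal hosts, and no explicit final deny, because the default is deny and is logged. The stateful table is what lets return traffic for an internal host's outbound HTTPS session back in without any inbound allow rule.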

 Device or software application that monitors network and/or system activity for malicious activity or policy violations
 Notifies when violations are detected
 Two detection techniques:
   Signature-based
     Compare traffic to preconfigured / predetermined attack patterns (signatures)
     Alert on match
   Statistical anomaly
     Determine normal network activity
       Bandwidth
       Ports / protocols used
     Alert on anomalous traffic
     Must establish a baseline
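Both techniques, run over the kind of log lines the earlier slide says an IDS combs automatically, as an added example (not from the slides or any IDS product). The access-log lines are constructed in Common Log Format with RFC 5737 addresses; the three signatures and the three-sigma threshold are illustrative choices. Signatures are matched against the URL-decoded path, since encoding is the first thing an attacker uses to slip past a naive pattern; the anomaly detector learns a per-source request-rate baseline from known-good traffic and flags sources that exceed it, which catches a scanner whose individual requests match no signature at all.

```python
"""Signature and statistical-anomaly detection over web access logs
(added example; constructed log lines)."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

SIGNATURES = {                      # applied to the URL-decoded request path
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "cmd-injection":  re.compile(r"[;|`]\s*(cat|wget|curl|nc)\b", re.I),
}


def parse(line):
    """Common Log Format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _ts, method, path, status, size = m.groups()
    return {"src": src, "method": method, "path": unquote(path),
            "status": int(status), "size": int(size)}


def signature_alerts(records):
    """(source, signature name, decoded path) for every matching request."""
    return [(r["src"], name, r["path"])
            for r in records for name, rx in SIGNATURES.items()
            if rx.search(r["path"])]


def requests_per_source(records):
    return Counter(r["src"] for r in records)


def learn_threshold(baseline_records, k=3.0):
    """mean + k*stdev of requests per source in known-good traffic. The
    stdev is floored at 1 so a very uniform baseline cannot produce an
    absurdly tight threshold that alerts on everything."""
    counts = list(requests_per_source(baseline_records).values())
    spread = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    return statistics.mean(counts) + k * max(spread, 1.0)


def anomaly_alerts(threshold, records):
    """Sources whose request volume exceeds the learned baseline."""
    return sorted(src for src, n in requests_per_source(records).items()
                  if n > threshold)


# --- constructed sample traffic -------------------------------------------
def _line(src, path, i=0, status=200, size=512):
    return (f'{src} - - [10/Oct/2023:13:{i % 60:02d}:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} {size}')

NORMAL = [_line(f"192.0.2.{h}", f"/page{j}.html", i=j)
          for h in range(1, 9) for j in range(4 + h % 3)]      # 4-6 hits each
SCANNER = [_line("198.51.100.7", f"/probe/{j}", i=j, status=404)
           for j in range(40)]
SCANNER.append(_line("198.51.100.7", "/../../etc/passwd", status=404))
INJECTION = [_line("203.0.113.9", "/index.php?id=1'%20OR%201=1")]

BASELINE_RECORDS = [parse(line) for line in NORMAL]
WINDOW_RECORDS = [parse(line) for line in NORMAL + SCANNER + INJECTION]
THRESHOLD = learn_threshold(BASELINE_RECORDS)

if __name__ == "__main__":
    for alert in signature_alerts(WINDOW_RECORDS):
        print("SIGNATURE", *alert)
    for src in anomaly_alerts(THRESHOLD, WINDOW_RECORDS):
        print("ANOMALY  ", src, requests_per_source(WINDOW_RECORDS)[src], "requests")
```

The two detectors are complementary in exactly the way the slide implies: the SQL-injection attempt is a single request and invisible to the rate baseline, while the scanner's probes are individually innocuous and only its one traversal probe would trip a signature.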


 An IDS that attempts to block / stop the activity in addition to reporting it
 Must be positioned in-line with network traffic
 IPS actions:
   Send an alarm
   Drop the malicious packets
   Reset the connection
   Block further traffic from the offender

 Network-based
   Independent platform that identifies intrusions by examining network traffic
   Connected via hub, switch, port mirroring (SPAN), or network tap
   Typically located at network choke points
 Host-based
   Agent on a host that identifies intrusions
   Analyzes
     System calls
     Application logs
     File-system modifications (binaries, password files, capability databases, access control lists, etc.)
     Other host activity and state

 Server that acts as an intermediary for requests from clients seeking resources from other servers
   Client connects to the proxy and requests a service
   Proxy connects to the relevant server and requests the service
   Proxy forwards the response to the client
 Purpose
   Keep the machines behind it anonymous
   Speed up access to resources (caching)
   Apply access policy to network services or content
     Block undesired sites
   Log / audit usage: Internet sites visited
   Scan content for malware before delivery
   Scan outbound content: data leak protection

 Principle of least privilege
   Only the level of privilege necessary to carry out the legitimate function
 Many services run with elevated privileges
   Attackers exploit these services to gain access with the service's level of privilege
 Change the ownership of the service
   Create an account with lower privileges
   Run the service using this account
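What "run the service using this account" looks like in code, as an added example (not from the slides): the service starts as root only long enough to do what needs root (binding a privileged port), then switches to a dedicated account and verifies that root cannot be regained. The account check parses constructed /etc/passwd lines so the module runs anywhere; drop_privileges() does real work only when the process is actually root. Two common mistakes are caught before the switch: a "service" account that was created with uid 0, and one that still has an interactive shell.

```python
"""Start privileged, then drop to a dedicated service account
(added example; the passwd entries are constructed)."""
import os

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-reports:x:1101:1101:report service:/srv/reports:/usr/sbin/nologin
backup:x:0:0:created with uid 0 by mistake:/var/backups:/usr/sbin/nologin
deploy:x:1102:1102:deploy user:/home/deploy:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def check_service_account(name, passwd_text=SAMPLE_PASSWD):
    """Return (uid, gid, home) for an account that is genuinely unprivileged:
    non-zero uid and gid and no interactive shell. Raises ValueError
    otherwise, so a misconfigured account fails the service at start-up
    instead of silently leaving it running as root."""
    for line in passwd_text.splitlines():
        user, _pw, uid, gid, _gecos, home, shell = line.split(":")
        if user != name:
            continue
        uid, gid = int(uid), int(gid)
        if uid == 0 or gid == 0:
            raise ValueError(f"{name} has uid/gid 0; not a least-privilege account")
        if shell not in NOLOGIN_SHELLS:
            raise ValueError(f"{name} has an interactive shell ({shell})")
        return uid, gid, home
    raise ValueError(f"no such account: {name}")


def drop_privileges(uid, gid):
    """Irreversibly switch this process to uid/gid. Order matters:
    supplementary groups first, then gid, then uid, because after setuid()
    an unprivileged process can no longer change its groups.
    Returns False if we were not root to begin with (nothing to drop)."""
    if os.geteuid() != 0:
        return False
    os.setgroups([])          # shed root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    # Prove the drop is irreversible: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


if __name__ == "__main__":
    uid, gid, home = check_service_account("svc-reports")
    # ... bind privileged listening port(s) here while still root ...
    dropped = drop_privileges(uid, gid)
    print("dropped:", dropped, "running as uid", os.getuid())
```

Note the hard failure at the end of drop_privileges: a service that believes it dropped root but did not is worse than one that refuses to start.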

 Mechanism that gives remote networks or individual users secure access to an organization's network
 The host / remote network "appears" to be physically connected to the organization's network
 Usually encrypted
 Mechanisms used
   IPsec (defined as part of the IPv6 suite, widely used with IPv4)
   SSL/TLS tunneling
   Tunneling protocols that grew out of dial-up (PPTP, L2TP, SSTP); PPTP's MS-CHAPv2 authentication is broken and should not be deployed
   SSH tunneling
 More secure than opening the internal services directly through the firewall

 A zero-day attack occurs on or before the first ("zeroth") day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.
 Very difficult to defend against, since everything about the attack is unknown to the defender
 A hardened system is one in which all unnecessary services (ports) are disabled and all patches and updates have been installed.
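The "unnecessary services disabled" half of hardening is checkable without trusting any tool on the host. This added example (not from the slides) parses the Linux kernel's own /proc/net/tcp table, where each socket's local address is a little-endian 32-bit value in hex and state 0A means LISTEN, and compares what is listening on non-loopback interfaces with a constructed build standard. The sample table is constructed; on a real host, pass the contents of /proc/net/tcp (and, for IPv6, a similar parse of /proc/net/tcp6).

```python
"""Listening-port audit from /proc/net/tcp (added example; sample table constructed)."""
import socket
import struct

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 18002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 22890 1 0000000000000000 100 0 0 10 0
   3: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23311 1 0000000000000000 100 0 0 10 0
   4: 0A01010A:A0F2 08080808:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 24110 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"                 # tcp_states value for TCP_LISTEN, as printed in hex

# Constructed build standard: what this host class is allowed to expose.
EXPECTED = {("0.0.0.0", 22), ("0.0.0.0", 443)}


def _decode(hex_addr):
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the address
    as a host-order 32-bit integer, so on x86 it is little-endian ('<I')."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Sorted (ip, port, uid) for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = _decode(fields[1])
        result.append((ip, port, int(fields[7])))          # fields[7] is uid
    return sorted(result, key=lambda t: t[1])


def unexpected_listeners(sockets, allowed=EXPECTED):
    """Listeners reachable from the network that the standard does not allow.
    Loopback-only services are tolerated: they are not exposed ports."""
    return [(ip, port, uid) for ip, port, uid in sockets
            if not ip.startswith("127.") and (ip, port) not in allowed]


if __name__ == "__main__":
    socks = listening_sockets(SAMPLE_PROC_NET_TCP)
    for ip, port, uid in socks:
        print(f"LISTEN {ip}:{port} uid={uid}")
    for ip, port, uid in unexpected_listeners(socks):
        print(f"UNEXPECTED {ip}:{port} (uid {uid}) - disable or add to standard")
```

In the constructed table the finding is telnet (port 23) listening on all interfaces as root, while the DNS resolver on 127.0.0.1:53 is accepted because it is not reachable from the network. Running this from a scheduled job against every host, and feeding the findings to the centralized log store, turns the hardening slide's "disable unnecessary services" into something continuously verified rather than done once at build time.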
