1  Carnegie Mellon University Waging War Against the New Cyberwarrior Tom Longstaff CERT Coordination Center Software Engineering Institute.

Presentation transcript:

1  Carnegie Mellon University Waging War Against the New Cyberwarrior Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense

2  Incidents Reported to CERT/CC [chart: yearly counts not recoverable from the transcript]

3  Vulnerabilities Reported [chart: yearly counts not recoverable from the transcript]

4  Cyber Strategy
Cyber-war is not just simple hacking
- Sociology of warriors vs. hackers
  - Morale
  - Organization
  - Vigilance vs. assumed invulnerability
- Motivation of warriors vs. hackers
  - Accountability vs. anarchy
  - Delayed vs. immediate gratification
  - Internal vs. external gratification
- Preparation of warriors vs. hackers
  - Training
  - Intelligence / strategy

5  Incident Trends

6  Intruder Technology
Intruders use currently available technology to develop new technology

7  Information Collection, Analysis and Sharing for Situational Awareness

8  Overview
- Challenge statement: too much data – too little information – not shared
- Operational Need
- CERT Vision/Goals
- Our Approach
- Project Maturity
- Wrap up

9  Data Challenge
- System & Network Administrators overwhelmed
  - Data overload
  - Important data often not collected
  - Local/parochial focus
- Poor Network Situational Awareness
  - Network Security Information is not shared
  - Unconnected “Islands of Information”
  - Ineffective, non-standard security tools and processes
- Non-technical reasons (organizational and liability)
  - Unwilling to yield autonomy to gain better information
- Attackers share information more efficiently

10  Our Vision
An operationally flexible system providing:
- Clear avenues for exchanging relevant data
- Improved local monitoring
- Improved cueing methods
- Cross organization analytical capabilities
- Improved indications and warning
- Cross organization situational awareness

11  Our Goal
Collect structured, sanitized, and representative situational awareness data in a standardized format to:
- Recognize and respond faster (prior to damage)
- Permit collection of focused information on activity and trends
- Alert operators for proactive response
- Provide tools for sites to manage incident information

12  Bi-directional Solution
- Top-down: collection, organization, and analysis of data from wide, shallow sensors
- Bottom-up: federation of data from narrow, deep sensors
  - Alerts from IDSs and Firewalls
  - Raw data from sniffers & recorders

13  Top-Down Approach
- Similar to the DEW line* – early indication that an attack may be coming, facilitated by sensing the entire network
- Analysis for I&W
  - Hacking involves reverse engineering: the attacker must probe, examine and determine the “right” approach
  - Frequently precursors to attacks are buried in the “noise”
  - Improve our ability to detect attacker behavior in the pre-attack stages
- Preventive Analysis
  - Detect configuration errors
* DEW - Distant Early Warning

14  Top-Down [diagram: Internet, Edge Router, Netflow Collector, Firewall/Router, Intranet; link labels 100Mb, T1, OC3]
Real time collection; analysis and alert tools

15  Top-Down
- Collect coarse data
  - No payload data
  - Headers only – source and destination IP and ports; protocol; times; traffic volumes (e.g. packets and bytes)
  - Both inbound and outbound
- Collect wide data
  - >95% network coverage
  - Multiple networks
- Collect a lot of data
  - Requires a data center with large computational and storage capacity to facilitate historical analysis
  - Scalable collection and analysis
- Outbound data indicates planted code or insiders

16  Top-Down - Wide Shallow Sensors: Netflow
- Originally defined by Cisco but increasingly becoming standard
- See what the router sees
  - Records of “flows” created at the router
  - Assist in routing and in reporting network traffic statistics
- Consists of flow records aggregated from packets
- Sent to a collector and aggregated into different information records for varied analysis
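The header-only flow records the two slides above describe can be turned into information records with very little code. The following is an added example, not code from the presentation or from CERT/CC: it parses a constructed, simplified text export (real NetFlow exports are binary and are decoded by a collector), classifies each flow as inbound or outbound against an assumed monitored prefix of 192.0.2.0/24, aggregates by direction, protocol and destination port, and counts how many distinct external destinations each internal host talks to, since outbound fan-out is one of the signals the slide associates with planted code or insiders.

```python
"""Parse header-only flow records and aggregate them into information records.

Added example, not code from the presentation or from CERT/CC.  The text
export layout below is constructed and simplified; real NetFlow exports are
binary and decoded by a collector.  Only header fields are used: no payload.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the monitored site uses the 192.0.2.0/24 documentation range.
MONITORED = ip_network("192.0.2.0/24")

# Constructed export, one flow per line:
# start,end,proto,src,sport,dst,dport,packets,bytes
SAMPLE_EXPORT = """\
2003-01-24T06:01:02,2003-01-24T06:01:02,17,198.51.100.7,1050,192.0.2.10,53,1,404
2003-01-24T06:02:10,2003-01-24T06:02:11,6,203.0.113.5,40211,192.0.2.20,80,6,1200
2003-01-24T06:02:11,2003-01-24T06:02:12,6,192.0.2.20,80,203.0.113.5,40211,5,4300
2003-01-24T06:05:00,2003-01-24T06:05:00,17,198.51.100.8,1050,192.0.2.11,53,1,404
2003-01-24T06:07:30,2003-01-24T06:07:35,6,192.0.2.33,51000,203.0.113.99,6667,40,2100
2003-01-24T06:09:00,2003-01-24T06:09:01,6,192.0.2.33,51001,203.0.113.100,6667,30,1800
"""

FIELDS = ("start", "end", "proto", "src", "sport", "dst", "dport", "packets", "bytes")
INT_FIELDS = ("proto", "sport", "dport", "packets", "bytes")


def parse_flows(text):
    """Turn the text export into a list of dicts; malformed lines raise."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed flow record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def direction(flow, monitored=MONITORED):
    """inbound / outbound / internal / transit, judged from the addresses alone."""
    src_in = ip_address(flow["src"]) in monitored
    dst_in = ip_address(flow["dst"]) in monitored
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def aggregate_by_service(flows, monitored=MONITORED):
    """Information records keyed by (direction, protocol, destination port):
    flow, packet and byte totals plus the set of external peers."""
    recs = {}
    for f in flows:
        d = direction(f, monitored)
        key = (d, f["proto"], f["dport"])
        r = recs.setdefault(key, {"flows": 0, "packets": 0, "bytes": 0, "peers": set()})
        r["flows"] += 1
        r["packets"] += f["packets"]
        r["bytes"] += f["bytes"]
        r["peers"].add(f["dst"] if d == "outbound" else f["src"])
    return recs


def outbound_fanout(flows, monitored=MONITORED):
    """Distinct external destinations per internal host, over outbound flows
    only: a host that starts talking to many outside peers is the kind of
    outbound signal the slide ties to planted code or insiders."""
    peers = defaultdict(set)
    for f in flows:
        if direction(f, monitored) == "outbound":
            peers[f["src"]].add(f["dst"])
    return {host: len(p) for host, p in peers.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EXPORT)
    for key, rec in sorted(aggregate_by_service(flows).items()):
        print(key, rec["flows"], rec["packets"], rec["bytes"], len(rec["peers"]))
    print(outbound_fanout(flows))
```

Keying by destination port works for inbound service traffic and for outbound client connections; replies from internal servers (the third constructed line, source port 80) land under the client's ephemeral port, which is why a real collector pairs flows into sessions before reporting per-service totals.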

17  Inbound Slammer Traffic [chart]

18  Slammer: Precursor Detection [chart: flows per hour to the UDP precursor port, 1/24 through 1/25]

19  Slammer: Precursor Analysis
- Focused on hours 6, 7, 8, 13, 14
- Identified 3 primary sources, all from a known adversary
- All 3 used a fixed pattern
- Identified responders: 2 out of 4 subsequently compromised
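The steps on the two Slammer slides (find the hours that stand out from the noise, name the busiest sources in them, check whether each source used a fixed pattern, then list the internal hosts that answered) map directly onto header-only flow data. The following is an added example, not code from the presentation or from CERT/CC: the flow records are constructed, the monitored prefix 192.0.2.0/24 is assumed, and UDP/1434 is used because that is the SQL Server resolution port Slammer targeted. The baseline is the daily median flow count, which the presentation does not specify; it is one simple choice for a noise floor.

```python
"""Hour-by-hour precursor detection on header-only flow records, in the spirit
of the Slammer precursor analysis on the slides.

Added example, not code from the presentation or from CERT/CC.  The flow
records are constructed; UDP/1434 is the SQL Server resolution port that
Slammer targeted.  Only header fields are used (addresses, ports, protocol,
hour, bytes), matching the "no payload" collection model.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import median

MONITORED = ip_network("192.0.2.0/24")   # constructed client network
SLAMMER_PORT = 1434


def flow(hour, src, sport, dst, dport, nbytes, proto=17):
    return {"hour": hour, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "bytes": nbytes}


def build_sample():
    """One day of constructed UDP/1434 traffic: background noise all day,
    a burst from three sources in hours 6-8, and two hosts that answered."""
    flows = []
    for h in range(24):                      # noise: one stray probe per hour
        flows.append(flow(h, f"203.0.113.{h + 1}", 1434, "192.0.2.10", 1434, 60 + (h % 5) * 8))
    for src in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for h in (6, 7, 8):                  # burst: same size, four targets each hour
            for i in range(4):
                flows.append(flow(h, src, 1050, f"192.0.2.{10 + i}", 1434, 404))
    flows.append(flow(8, "192.0.2.11", 1434, "198.51.100.7", 1050, 120))   # responder
    flows.append(flow(8, "192.0.2.12", 1434, "198.51.100.8", 1050, 120))   # responder
    return flows


def inbound_probes(flows, port, monitored=MONITORED):
    """UDP flows to `port` whose destination is inside the monitored network."""
    return [f for f in flows if f["proto"] == 17 and f["dport"] == port
            and ip_address(f["dst"]) in monitored]


def hourly_counts(flows, port):
    counts = Counter(f["hour"] for f in inbound_probes(flows, port))
    return {h: counts.get(h, 0) for h in range(24)}


def flag_hours(counts, factor=3):
    """Hours at or above `factor` times the daily median, which stands in for the noise floor."""
    baseline = max(median(counts.values()), 1)
    return sorted(h for h, c in counts.items() if c >= factor * baseline)


def top_sources(flows, port, hours, n=3):
    """The n busiest sources within the flagged hours, as (source, flow count)."""
    counts = Counter(f["src"] for f in inbound_probes(flows, port) if f["hour"] in hours)
    return counts.most_common(n)


def uses_fixed_pattern(flows, src):
    """True when a source sent at least two flows and every one had the same size:
    the 'fixed pattern' that separates a tool from a person at a keyboard."""
    sizes = [f["bytes"] for f in flows if f["src"] == src]
    return len(sizes) >= 2 and len(set(sizes)) == 1


def probed_targets(flows, port, sources):
    return {f["dst"] for f in inbound_probes(flows, port) if f["src"] in sources}


def responders(flows, port, sources, monitored=MONITORED):
    """Internal hosts that answered one of the sources from the probed port:
    the first places to look for a later compromise."""
    return {f["src"] for f in flows
            if f["proto"] == 17 and f["sport"] == port and f["dst"] in sources
            and ip_address(f["src"]) in monitored}


if __name__ == "__main__":
    flows = build_sample()
    counts = hourly_counts(flows, SLAMMER_PORT)
    hours = flag_hours(counts)
    sources = {s for s, _ in top_sources(flows, SLAMMER_PORT, set(hours))}
    print("flagged hours:", hours)
    print("primary sources:", sorted(sources), "fixed pattern:",
          all(uses_fixed_pattern(flows, s) for s in sources))
    print("targets:", len(probed_targets(flows, SLAMMER_PORT, sources)),
          "responders:", sorted(responders(flows, SLAMMER_PORT, sources)))
```

On the constructed day, hours 6 to 8 are flagged, the three burst sources rank first with twelve flows each and a constant packet size, four internal hosts were probed and two of them answered, which is the "2 out of 4" shape of the slide's own finding.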

20  Detecting Scans
Detect scans against client network hosts
- Higher intensity scans
- “Low and slow” scans
- Coordinated (distributed) scanning

21  Low-Packet Filtering

22  Stealth Tool Detection
We are studying extremely slow (“1 packet a day scanner”) traffic on the Internet. As an initial trial, we identified sources sending between 1 and 3 packets of TCP (non-Web) traffic per day into the client’s networks. We applied this to the period September 1-11, finding that % of the traffic matched this pattern. Further analysis yielded a fingerprint for one tool. The tool’s profile appears to match Compaq Insight Manager XE on the client network.
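The three scan types on the "Detecting Scans" slide and the 1-to-3-packets-per-day filter on the slide above can all be computed from the same header-only flow records. The following is an added example, not code from the presentation or from CERT/CC: the records, the monitored prefix 192.0.2.0/24 and the thresholds (20 targets in an hour for a high-intensity scan, five active days for a low-and-slow source, three sources for a coordinated scan) are constructed for illustration; the presentation does not give thresholds of its own.

```python
"""Sort scanning activity in header-only flow records into the three kinds the
slide names (higher-intensity, "low and slow", coordinated) and apply the
stealth filter from the next slide: sources sending 1-3 packets of non-web
TCP traffic per day.

Added example, not code from the presentation or from CERT/CC.  The flow
records and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITORED = ip_network("192.0.2.0/24")   # constructed client network
WEB_PORTS = {80, 443}


def flow(day, hour, src, dst, dport, packets=1, proto=6):
    return {"day": day, "hour": hour, "src": src, "dst": dst,
            "dport": dport, "packets": packets, "proto": proto}


def build_sample():
    flows = []
    # (a) a noisy scanner sweeping SSH across 25 hosts within one hour
    flows += [flow(1, 3, "203.0.113.50", f"192.0.2.{i}", 22) for i in range(1, 26)]
    # (b) one packet a day at a database port, for a week
    flows += [flow(d, 2, "198.51.100.20", "192.0.2.5", 1433) for d in range(1, 8)]
    # (c) the same trickle, but only three days: too short to call
    flows += [flow(d, 2, "198.51.100.21", "192.0.2.5", 1433, packets=2) for d in range(1, 4)]
    # (d) a trickle of web requests: excluded by the non-web rule
    flows += [flow(d, 9, "203.0.113.60", "192.0.2.8", 80, packets=2) for d in range(1, 8)]
    # (e) three sources splitting one host's ports between them in the same hour
    split = {"203.0.113.71": (21, 22, 23), "203.0.113.72": (25, 53, 110),
             "203.0.113.73": (143, 443, 3389)}
    for src, ports in split.items():
        flows += [flow(2, 10, src, "192.0.2.40", p) for p in ports]
    return flows


def external_inbound(flows, monitored=MONITORED):
    return [f for f in flows if ip_address(f["dst"]) in monitored
            and ip_address(f["src"]) not in monitored]


def high_intensity(flows, min_targets=20):
    """Sources touching at least min_targets distinct (host, port) pairs in one hour."""
    seen = defaultdict(set)
    for f in external_inbound(flows):
        seen[(f["src"], f["day"], f["hour"])].add((f["dst"], f["dport"]))
    return sorted({src for (src, _, _), t in seen.items() if len(t) >= min_targets})


def low_and_slow(flows, min_days=5, max_packets=3):
    """Sources sending 1..max_packets non-web TCP packets per active day, on at
    least min_days days: the '1 packet a day scanner' profile."""
    per_day = defaultdict(int)
    for f in external_inbound(flows):
        if f["proto"] == 6 and f["dport"] not in WEB_PORTS:
            per_day[(f["src"], f["day"])] += f["packets"]
    per_src = defaultdict(list)
    for (src, _), pkts in per_day.items():
        per_src[src].append(pkts)
    return sorted(src for src, pk in per_src.items()
                  if len(pk) >= min_days and all(1 <= p <= max_packets for p in pk))


def coordinated(flows, min_sources=3):
    """Hosts probed within one hour by at least min_sources sources whose port
    sets do not overlap; the split workload is the mark of a distributed scan.
    Returns (day, hour, target, [sources]) tuples."""
    by_target = defaultdict(lambda: defaultdict(set))
    for f in external_inbound(flows):
        by_target[(f["day"], f["hour"], f["dst"])][f["src"]].add(f["dport"])
    hits = []
    for (day, hour, dst), srcs in by_target.items():
        if len(srcs) < min_sources:
            continue
        port_sets = list(srcs.values())
        if len(set().union(*port_sets)) == sum(len(p) for p in port_sets):   # pairwise disjoint
            hits.append((day, hour, dst, sorted(srcs)))
    return hits


if __name__ == "__main__":
    flows = build_sample()
    print("high intensity:", high_intensity(flows))
    print("low and slow:", low_and_slow(flows))
    print("coordinated:", coordinated(flows))
```

Each detector answers a different question of the same data: intensity is about fan-out per hour, the stealth filter is about persistence at a tiny daily volume, and coordination is about several sources sharing one target with no overlap. The web-port exclusion matters because a few requests a day to port 80 from a new address is normal browsing; the same trickle at a database port is not.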

23  Bottom-Up Approach
- Using data from Commercial Off the Shelf (COTS) security solutions already deployed, e.g., Intrusion Detection Systems, firewalls, system logs: Snort, RealSecure, PIX, IPTables, syslog
- Custom-developed technology (AirCERT), currently not present in commercial products, to integrate, convert, analyze, and share the data
- Combination enables analysis of security event data from across administrative domains
  - Different entities
  - Different scales:
    - Subsidiary
    - Corporation
    - Sector

24  Bottom-Up [diagram: Sensor (Packet Capture), IDS System, Web Server, Mail Server, AirCERT Collector, Intranet, Firewall/Router, to other subnets…]

25  Bottom-Up
- Collect data from security devices (firewalls and intrusion detection devices)
  - All or part of a packet
  - Testimonials (e.g., IDS alerts), and associated contextual data
- Collect widely varied data
  - Maximize network diversity (e.g., edge vs. transit; many administrative domains)
  - Maximize sensor diversity (e.g., IDS, firewall)
- Configurable volume of data
  - Determined by local site and collaborators
  - Scalable collection and analysis

26  Bottom-Up Implementation
- Flexible, open-source, standards-based reference implementation of an Internet-scalable threat assessment system
- Capability consists of components for
  - Data Collection
  - Data Sharing

27  Implementation [diagram: Internet, Edge Router, Netflow Collector, Firewall/Router, Sensor (Packet Capture), IDS System, Web Server, Mail Server, Collector, Intranet; link labels 100Mb, T1, OC3]

28  What Do You Do With This Data?
- Predictive numerical and statistical analysis
  - Calculate long-term trends
  - Profile traffic – map servers, create baselines
  - Continual monitoring for attack precursors
- Traffic Analysis
  - Routing anomalies and flaws
  - Packet/Byte characteristics
- Weak general results can drive strong focused analysis
  - Analysis from Top-Down can drive Bottom-Up, and vice-versa

29  What Else Do You Do With This Data?
- Manage and analyze event data at all points in the reporting hierarchy to detect and identify
  - Compromise with cross-site data
  - Coordinated, distributed attacks
  - Slow and stealthy scans
  - Network attack “fronts”
  - Multi-site trends
    - Distinguish between local and global activity
      - Targeted scans
      - Vulnerability probes

30  Integrating Top-Down & Bottom-Up Analysis
- Augment data collection and configuration at the “leaves”
  - Supplement or verify existing local security analyses and processes
- Employing cues gained from analysis at the “root”, focus analysis on data previously deemed benign or ignored
- Verify suggestive top-down and cross-site analysis by the selective analysis of data collected at the “leaves”

31  ACID Architecture [diagram: ACID]
ACID can only analyze what is in the Alert Database

32  Views of Data (grouping)
ACID has no implicit analysis functionality -- it only presents the data by
- Event (Signature)
- Classification
- IP Address
- Port
- Flow
- Time
- Sensor
- Charts grouped by time, IP, classification and ports
- User defined queries

33  Event (Signature) view
- Unique Alert: identifies the different types of attacks
- From Main, click on the number next to ‘Unique Alert’
- Columns: Signature; Classification; Total Number of Occurrences; Reference; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence

34  Classification view
- Identifies the different event classifications
- From Main, click on the number next to ‘categories’
- Columns: Classification; Number of Events; Total Number of Occurrences; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence

35  Address view
- Identifies the most frequently attacked machines
- Identifies network blocks of frequent attackers
- From Main, click on the number after ‘IP’
- Columns: IP Address; Total Number of all Events; Fully Qualified Domain Name; Number of times seen in opposite direction; Number of Unique Events; Number of Sensors

36  Port view
- Identifies the most commonly targeted services
- From Main, click on the number after ‘Port’
- Columns: Port; Number of Unique Events; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence; Total Number of all Events

37  Flow view
- Identifies suspicious events by flow activity
- From Main, click on the number after ‘Unique IP Links’
- Columns: FQDN and IP of Source; FQDN and IP of Destination; Protocol; Number of Unique Events; Total Number of all Events; Unique Destination Ports

38  Sensor view
- Aggregate statistics per sensor
- From Main, click on the number next to ‘# of Sensors’
- Columns: Sensor ID; Total Number of all Events; Sensor Name; Number of Unique Events; Number of Src/Dst IP; First/Last Occurrence

39  Temporal view: Alert Listing
- Identifies event chronology
- Returned by any Search or Alert Listing Snapshot
- Columns: [Query Seq. Number, Sensor ID, Event ID]; Timestamp; Event (Signature); Src/Dst IP and Port; Layer-4 IP encapsulated protocol

40  Temporal view (2): Graph Alert Detection Time
- Graphs the number of alerts, aggregating on hour, day, or month
- Visually represents peak attack periods
- From Main, click on ‘Graph Alert Detection Time’
- Columns: Time Interval; Number of Events occurring in the time interval
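Since ACID only groups what is already in the alert database, the views on the preceding slides are plain aggregations over alert rows, and seeing them as code makes clear what each column counts. The following is an added example, not code from ACID, Snort or the presentation: it rebuilds the Event (Signature) view, the Address view with its "seen in opposite direction" column, and the Graph Alert Detection Time buckets from constructed Snort-style alert rows (sensor id, timestamp, signature, classification, source, destination, protocol); the signature names and addresses are illustrative.

```python
"""Rebuild three ACID views (Event/Signature, Address, Graph Alert Detection
Time) from raw Snort-style alert rows, so the grouping the console performs
is visible as code.

Added example, not code from ACID, Snort or the presentation.  The alert rows
are constructed and the signature names are illustrative.
"""
from collections import Counter

# Constructed rows: (sensor id, timestamp, signature, classification, src, dst, proto)
SAMPLE_ALERTS = [
    (1, "2003-01-24 06:01:02", "MS-SQL Worm propagation attempt", "misc-attack",
     "198.51.100.7", "192.0.2.10", "UDP"),
    (1, "2003-01-24 06:01:05", "MS-SQL Worm propagation attempt", "misc-attack",
     "198.51.100.8", "192.0.2.11", "UDP"),
    (2, "2003-01-24 07:15:40", "MS-SQL Worm propagation attempt", "misc-attack",
     "198.51.100.7", "192.0.2.12", "UDP"),
    (1, "2003-01-24 07:20:00", "SCAN nmap TCP", "attempted-recon",
     "203.0.113.50", "192.0.2.10", "TCP"),
    (1, "2003-01-24 07:31:09", "SCAN nmap TCP", "attempted-recon",
     "203.0.113.50", "192.0.2.11", "TCP"),
    (2, "2003-01-24 13:02:11", "SCAN nmap TCP", "attempted-recon",
     "203.0.113.50", "192.0.2.20", "TCP"),
    (2, "2003-01-25 02:00:00", "ICMP PING NMAP", "attempted-recon",
     "192.0.2.10", "203.0.113.50", "ICMP"),
]
COLUMNS = ("sid", "ts", "signature", "classification", "src", "dst", "proto")


def rows_to_alerts(rows):
    return [dict(zip(COLUMNS, r)) for r in rows]


def signature_view(alerts):
    """One entry per signature with the columns of the Event (Signature) view."""
    view = {}
    for a in alerts:
        v = view.setdefault(a["signature"], {
            "classification": a["classification"], "occurrences": 0,
            "sensors": set(), "src_ips": set(), "dst_ips": set(),
            "first": a["ts"], "last": a["ts"]})
        v["occurrences"] += 1
        v["sensors"].add(a["sid"])
        v["src_ips"].add(a["src"])
        v["dst_ips"].add(a["dst"])
        v["first"] = min(v["first"], a["ts"])   # ISO timestamps order correctly as strings
        v["last"] = max(v["last"], a["ts"])
    return view


def address_view(alerts):
    """Per destination address: total events, unique signatures, and how often
    the same address appears as a source (the 'opposite direction' column)."""
    as_source = Counter(a["src"] for a in alerts)
    view = {}
    for a in alerts:
        v = view.setdefault(a["dst"], {"events": 0, "signatures": set(),
                                       "opposite": as_source[a["dst"]]})
        v["events"] += 1
        v["signatures"].add(a["signature"])
    return view


def alert_graph(alerts, granularity="hour"):
    """Alert counts per time interval, the data behind Graph Alert Detection Time."""
    width = {"hour": 13, "day": 10, "month": 7}[granularity]
    return Counter(a["ts"][:width] for a in alerts)


def peak_interval(graph):
    """The interval with the most alerts (earliest one on a tie)."""
    return max(graph.items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    alerts = rows_to_alerts(SAMPLE_ALERTS)
    for sig, v in signature_view(alerts).items():
        print(sig, v["classification"], v["occurrences"], len(v["sensors"]),
              len(v["src_ips"]), len(v["dst_ips"]), v["first"], v["last"])
    print(address_view(alerts)["192.0.2.10"])
    print(alert_graph(alerts, "hour"), peak_interval(alert_graph(alerts, "hour")))
```

The "opposite direction" count is the column worth reading first in the Address view: an internal host that shows up as a destination for worm alerts and then as a source for scan alerts has probably changed sides, which is exactly the cross-reference the drill-down on the later slide is for.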

41  Drill-Down: Individual Alert
- Click on the ID in any Alert Listing

42  Drill-Down: IP Address
- Provides statistics on an individual IP address
- Links to external registries and tools to gather information about the address
- Click on the IP address in any Alert Listing

43  User Interface: Main [screenshot]

44  User Interface: Navigation [screenshot callouts: ACID Browser “Back” button; Currently Selected Criteria; Browsing Buttons; Alert Actions; Checkbox to select alert]

45  Analysis Example: Most Frequently Targeted TCP Services [screenshot]

46  Project Maturity
- Top-Down
  - Highly efficient data partitioning and packing format
    - Does not rely on a relational database
    - Packs 90+Gb per day into less than 30Gb
  - Generic analysis tools written to perform ad-hoc analysis
    - Processes a day’s worth of data in under 10 minutes
    - Rapid analytical tool development API
  - Operational deployment at sponsor site
- Bottom-Up
  - Prototype collection infrastructure developed and tested
  - Active involvement in IETF security standards activity
  - Pilot testing in progress

47  Project Maturity: Continuing Efforts
- Involve more pilot sites
- Improve analytical capabilities
- Improve automated configuration
- Continue standards development efforts
- Increase collection diversity by supporting additional COTS
- Persuade vendors to adopt standards
Planned Extensions to Netflow Analysis
- Enhanced with additional data based on payload but packed into the existing form-factor
- Aggregation into session records
- Matching aggregated session records into transaction records

48  Summary
- Transformational approach to data collection, sharing, analysis and response for Computer Network Defense
- Provides timely, focused information to operators – providing cues for immediate action
- Provides tools for local, tailored analysis
- Provides local, enterprise and Internet Situational Awareness information
- Levels the playing field

49  Modeling and Simulation
How do we drink from this fire hose? The goal is to use the volume of information to gain predictive power over our adversaries.

50  Emergent Algorithms [diagram: Recover, Recognize & Resist, Adapt, Attack]
New Ideas
- Survivability is an emergent property of a system
- Emergent algorithms are distributed computations that fulfill mission requirements in the absence of central control and global visibility
- Local actions + near-neighbor interactions => complex global properties
Impact
- A new methodology for the design of highly survivable systems and architectures
- Ability to produce desired global effects through cooperative local actions distributed throughout a system (“self-stabilizing”)
Current Research
- Design an emergent algorithm simulation environment and language (“Easel”) to:
  - Simulate and visualize the effects of specific cyber-attacks, accidents and failures
  - Create a test-bed for mission-critical systems

51  The nature of complex, unbounded systems
Easel is a new computer language designed to simulate complex, unbounded systems. Such systems exhibit the following properties:
- Large numbers of autonomous components
- Incomplete and imprecise information
- Limited local knowledge
- No central control
- Bounded number of neighbors
- Competing objectives
Such systems are more survivable because of:
- adaptability
- graceful degradation
- no critical points of failure
- awareness of the local environment

52  Six explorations in survivability
- cascade failure in organizations: failure propagation through an organizational network
- network topology generation: survivability is a function of topology
- simple network message routing: illustration of a very simple routing algorithm
- network attackers and defenders: attackers compromise and defenders patch
- epidemic dynamics: local contact leads to global infection
- seismic collapse of a building: elastic response of linked beams to seismic shaking
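Two of the explorations listed above, attackers-and-defenders and epidemic dynamics, can be put in one small simulation that also shows the earlier slide's claim that survivability is an emergent property of local rules and topology. The following is an added example, written in Python rather than Easel, and not code from the presentation or from the Easel project; the rules, the patch lag, the gossip speed and the ring and star graphs are all constructed for illustration. Every node acts only on what its neighbours tell it: a compromised node attacks its neighbours, an alert about a nearby compromise spreads a fixed number of hops per round, and an alerted node patches itself after a lag. Whether the outbreak is contained is decided by nobody in particular; it emerges from the lag, the gossip speed and the shape of the graph.

```python
"""Emergent-behaviour toy: epidemic spread versus local patching on a graph
with no central control.  The global outcome (contained or not) emerges from
per-node rules, the patch lag and the topology.

Added example, written in Python rather than Easel; not code from the
presentation or the Easel project.  Rules and graphs are constructed.
"""


def ring(n):
    """n nodes, each linked to its two neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}


def star(leaves):
    """A hub (node 0) linked to every leaf: a single point of failure."""
    graph = {0: set(range(1, leaves + 1))}
    for i in range(1, leaves + 1):
        graph[i] = {0}
    return graph


def simulate(graph, origin, patch_lag=None, gossip_hops=2, max_rounds=1000):
    """Run until nothing changes.  patch_lag=None means no defenders at all.
    Returns (final state per node, rounds run)."""
    state = {n: "clean" for n in graph}
    state[origin] = "compromised"
    alerted = {}   # node -> round in which it first heard of a compromise nearby

    def gossip(rnd):
        # An alert travels `gossip_hops` neighbour-to-neighbour hops per round;
        # each hop is computed from a snapshot so order of iteration is irrelevant.
        for _ in range(gossip_hops):
            snapshot = set(alerted)
            for n in graph:
                if state[n] == "clean" and n not in alerted and any(
                        state[m] == "compromised" or m in snapshot for m in graph[n]):
                    alerted[n] = rnd

    gossip(0)
    rnd = 0
    for rnd in range(1, max_rounds + 1):
        prev = dict(state)
        for n in graph:
            if prev[n] != "clean":
                continue
            if patch_lag is not None and n in alerted and rnd - alerted[n] >= patch_lag:
                state[n] = "patched"      # a patch landing this round beats an attack this round
            elif any(prev[m] == "compromised" for m in graph[n]):
                state[n] = "compromised"  # infection travels one hop per round
        gossip(rnd)
        pending = patch_lag is not None and any(
            state[n] == "clean" and n in alerted for n in graph)
        if state == prev and not pending:
            break
    return state, rnd


def tally(state):
    return {s: sum(1 for v in state.values() if v == s)
            for s in ("clean", "compromised", "patched")}


if __name__ == "__main__":
    for label, graph, origin in (("ring of 12", ring(12), 0),
                                 ("star, leaf hit", star(7), 1),
                                 ("star, hub hit", star(7), 0)):
        for lag in (None, 1, 3):
            final, rounds = simulate(graph, origin, patch_lag=lag)
            print(f"{label:15s} patch_lag={lag}: {tally(final)} after {rounds} rounds")
```

On the ring, a patch lag of 1 contains the outbreak to the origin, a lag of 3 loses seven of twelve nodes (alerts outrun the infection by two hops per round, so nodes four or more hops away are patched in time), and no defenders lose everything. On the star, the same lag of 3 loses every node whichever end is hit first, because every path runs through the hub: the topology, not the rule, decides the outcome.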

53  Where can Easel help?
- Provide independent verification that complex system designs have no serious survivability flaws
- Analyze scenarios with respect to the impact of:
  - design assumptions
  - human error
  - incomplete or imprecise information
  - common mode failures
  - single point of failure leading to cascading failure
  - organized malicious attacks

54  Dealing with the Threat - Fusion Analysis Efforts
- Data Collection
- AirCERT
- Open source correlation
- Individual Event Analysis
- Statistical Analysis
- Modeling and Simulation

55  What’s Next?
- Our coordination of information must be commensurate with the enemy’s ability to use this information against us
- We must create a new world of checks and balances to match the appropriate use of information in the pursuit of malfeasants
- The key to this revolution is local administration of information while maintaining global coordination

56  Changes in Intrusion Profile
1988
- exploiting passwords
- exploiting known vulnerabilities
Today
- exploiting passwords
- exploiting known vulnerabilities
- exploiting protocol flaws
- examining source and binary files for new security flaws
- abusing anonymous FTP, web servers, installing sniffer programs
- IP source address spoofing
- denial of service attacks
- widespread, automated scanning of the Internet
- deep vulnerabilities in SNMP, SSL, WEP, …
The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems

57  Scanning for Victims Today
- Wide scale scanners collect information on 100,000s of hosts around the Internet
- Sniffers now use the same technology as intrusion detection tools
- The number and complexity of trust relationships in real systems make victim selection easier

58  Scanning for Victims Tomorrow
- Use of data reduction tools and more query-oriented search capability will allow reuse of scan data
- Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data
- Scan data becomes a commodity like marketing information

59  The Future of Probes
We’re very likely to see more:
- widespread brute-force scanning with little regard for being detected
- stealthy probes like SYN and FIN that require packet logging to detect
- attempts to hide the origin of the probes through spoofing and decoys
- automated vulnerability exploits that probe and compromise in a single step

60  Typical Intruder Attack [diagram: Internet, labelled “Yesterday”]
Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

61  Distributed Coordinated Attack [diagram: Internet, labelled “Today”]
Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

62  Distributed Coordinated Attack
- Uses 100s to 1000s of clients (10,000s)
- Is triggered by a “victim” and “time” command
- Command channels include IRC, SNMP, ICMP
- May include dynamic upgrade and be spread by worms
- Will simultaneously attack the victim from all clients
- Today used in DoS attacks only

63  Issues for Responding to DoS Attacks
- Filtering/detecting this attack is problematic!
- The intruder’s intent is not always clear in denial of service attacks. The intruder might be:
  - using the DoS attack to hide a real attack
  - misusing resources to attack someone else
  - attempting to frame someone else for the attack
  - disabling a trusted host as part of an intrusion
- Attacks also frequently involve:
  - IRC abuse
  - intruders attacking each other
  - retaliation for securing systems

64  The Future is Automation
Put these together and what do you get?
- tools to scan for multiple vulnerabilities
- architecture identification tools
- widely available exploits
- pre-packaged Trojan horse backdoor programs
- delivery and recon through active content
Bad news! Together, these publicly available tools could be modified to launch wide-spread scans and compromise systems automatically.

65  Warning Signs of Today
We:
- Tolerate unexpected program behavior
- Place little value on software quality
- Assemble parts with no clear idea what each part does nor who created it
- Spread highly capable and functional components through the hands of the unenlightened

66  Tom Longstaff’s Predictions for the Next Decade (well, at least the next 3 years)
- Network crime on the rise
- Many countries and NGOs preparing information warfare weapons
- Insiders and planted vulnerabilities control the battlespace
- Information warfare will be combined with traditional tactics (e.g., Iraq)