Beyond the Noise: More Complex Issues with Incident Response

Size: px

Start display at page:

Download "Beyond the Noise: More Complex Issues with Incident Response"

Caroline Parsons
8 years ago
Views:

1 Beyond the Noise: More Complex Issues with Incident Response IFIP WG Meeting, June 30, 2006 David Dittrich Center for Information Assurance and Cybersecurity/ The Information School University of Washington 1

2 Agenda Conceptual foundation Some roadblocks to mitigation Three Case studies What to do? Conclusions 2

3 Conceptual Foundation 3

4 The Problems Malware deployed regularly on 100,000s of computers world-wide Typical.edu has hundreds per month IP theft, CC theft, DDoS attacks on the rise New methods developed constantly Concealment increasing in sophistication 4

5 The Problems (cont) Attackers are winning Less knowledge/more damage More focus/drive Time to attack: seconds Time to mitigate: days, weeks Number of incidents overwhelming IRTs LE swamped with cases Trends in Denial of Service Attack Technologies, by CERT/CC 5

6 High Intruder Knowledge Attack Sophistication Increasing Attack Sophistication Attack sophistication vs Intruder Technical Knowledge back doors disabling audits exploiting known vulnerabilities password cracking packet spoofing burglaries sniffers hijacking sessions binary encryption stealth / advanced scanning techniques denial of service GUI distributed attack tools www attacks automated probes/scans network mgmt. diagnostics Tools Low password guessing Attackers Source: CERT/CC

7 Defense Sophistication Defense sophistication vs Defender Technical Knowledge High Network Traffic Analysis DDoS mitigation Tools/ Techniques Defender Knowledge Firewalls Honeynets using Honeywall Deception Operations High Quality Forensics/ Incident Reporting Patching IDS Low Source: Apologies to CERT/CC Defense Sophistication 7

8 Targets of exploitation Passwords (direct/indirect) Trust relationships Complexity Differentials in ability to respond Time zone, language, laws 8

9 Target Surface and Attack Paths Shared Infrastructure Staff Customers and/or Partners Attacker 9

10 Trust relationships Client<->Server IP based ACLs Shared password/symmetric key Shared network infrastructure Sensitive data in Sensitive files on servers 10

11 Exploiting Trust Relationships D B To: cr4zyh4k3r@maildrop From: hacked@a Subject: merry christmas joe/foo! [login connection to B] joe foo! A C attached Key logger trojan 11

12 Exploiting Trust Relationships (2) D betty/gl52vx Escalate privileges, SSH server hackeḍ hacked.. joe/foo! B D->B: betty/gl52vx... A->B: joe/foo!... C->B: calvin/&h0bb35... calvin/&h0bb35 A C 12

13 Exploiting Trust Relationships (3) D betty/gl52vx betty/gl52vx B joe/foo! calvin/&h0bb35 calvin/&h0bb35 A C Quietly look like trusted insider 13

14 Two Defense Strategies D Different netid and/or password betty/gl52vx bg59/gl52vx betty/57dl#v bg59/57dl#v B calvin/&h0bb35 calvin/&h0bb35/ A Second factor authentication C 14

15 The Long Tail 15

16 Scale-free networks and trust relationships 16

17 Classic Handler/Agent vs. IRC Botnet 17

18 From just 1 host 18

19 Bots needed for given attack With this many hosts O(10^1) O(10^2) O(10^3) O(10^4) O(10^5) O(10^6) What can you do? Take out router via PPS flood, multicast table overflow, or one packet kill attack Take out TCP service via SYN flood Take out web server by excessive requests Defeat load balancing; Do reflected DoS attack (e.g., w/dns) Bypass scrubbers Whatever you want 19

20 Weaknesses in botnets Recruitment/ Herding Scanning/ Attacking Command/ Control 20

21 Proximity and Perspective 21

22 Comparison of Profile 22

23 Holistic View of Flows 23

24 Roadblocks to Mitigation 24

25 What you hear (or don t t hear) Its not my problem. Doing something costs me money. Its only IRC servers. Who cares? I have nothing important on my computer, so I could care less. We can t afford to have our customers/ competitors know about this. Law enforcement is going to come in here, grab our servers, and we re out of business. The press will find out about this through FOIA requests and we ll be front page news. We weren t prepared for this. We can t tell what happened. 25

26 Interfaces (transitions) Private Sector Law Enforcement (DHS NCSD & NCRCG) Intel Community Military 26

27 NIMS & the National Response Plan 27

28 Three Case Studies 28

29 Attacks on supercomputer Centers 29

30 UW Medical Center Kane Incident Goal: How hard is it to obtain patient records? Windows 98 desktop: w/trojan or open file share? Sniffer Linux server -> Windows NT PDC/F&P server Unix server Windows PDCs, BDCs Windows Terminal Server (>400 users) Access database file (>4000 patient records: Name, SSN, home telephone number, treatment, date, ) SecurityFocus -> ABC News 30

31 What to do? 31

32 Collaborative/Distributed Incident Management Optimization of response Incident data completeness, accuracy & trustworthiness Forensic data preservation Communication of incident data Incident data correlation Incident cost estimation 32

33 Levels of Force 33

34 Col. John Boyd s OODA Loop Source: The Swift, Elusive Sword, Center for Defense Information, 34

35 Observe & Orient 35

36 Decide & Act Source: AF2025 v3c2, 36

37 Conclusions We need a better view of the battle space Trust, but verify We need to think chess, not checkers Automation and decision support will provide leverage for defenders A lot of people need to do a lot of learning (including me and you!) 37

38 Thanks and questions Dave Dittrich IA Researcher Center for Information Assurance and Cybersecurity/ The Information School University of Washington dittrich(at)u.washington.edu staff.washington.edu/dittrich/ 38

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff