An Introduction to Network Cyber Security

Table of Contents

1. Overview
2. Introduction to Networks
3. Network Cyber Security As Part Of A Holistic Approach
   3.1. Application Security
   3.2. Network Security
   3.3. Physical Security
4. Understanding Networks
   4.1. Building Blocks
   4.2. Address Services
   4.3. Internet Exchange Points and Topology
   4.4. Authentication through Certificates
   4.5. Protocols
5. Network Cyber Security Vulnerabilities
   5.1. Anonymity and Attribution
   5.2. Denial of Service Attacks
   5.3. Spoofing and Man-in-the-Middle Attacks
   5.4. Network Interception and Black-holes
   5.5. Fake Certificates and Certificate Authorities
   5.6. Protocol Attacks
   5.7. Sizes of Networks and Traffic
   5.8. Netflow
6. Network Cyber Security Defense Capabilities
   6.1. Protect Network Infrastructure: VPNs; Backbone Hardening; Firewalls
   6.2. Defend Network Operations: Intrusion Detection Systems; Malware Signatures; Deep Packet Inspection
   6.3. Analyze Network Activity: Situational Awareness
   6.4. Test Network Security: Black, Grey and White Hat Hackers; Penetration Testing; Vulnerability Scanning; The Exploit Wheel of Life; Virtual Task Forces and Information Exchanges
Virtuous Cycle
Growth
   Figures
   Markets: Protection; Defense/Interception; Analysis and Situational Awareness; Active Test
   Growth Areas
Ultra Solutions

Ultra Electronics, 3eTI, May 2012

1. Overview

This paper provides an overview of network cyber security, what it is, and an explanation of some of the terms. Cyberspace can be divided into the following assets: devices, data, networks, and people (Diagram 1). Securing those assets is the job of cyber security. Many of us are familiar with cyber security products designed to protect devices, such as anti-virus or login passwords. We are also familiar with the concept of encryption to protect data, but what about network security?

Data needs to be communicated, and therefore networks are required in order to make use of that data in a wider context. We use cryptos on networks (such as military data-link cryptos or hardware VPN cryptos), but these devices are really just protecting the data flowing over the networks rather than the infrastructure or operation of the network itself. Cryptography plays a large role in network cyber security, but it is not the only one. Cryptography can also play a larger role than just traffic encryption within network cyber security, and some of those ideas will be presented here.

Networks are easy to understand and have many obvious analogies in the real world. This paper should help the reader understand what computer networks are, facilitate ongoing discussions and avoid confusion by providing a commonly understood baseline and terminology.

How to read this document

This document is divided into three sections: an introduction to how networks work and how they are vulnerable, an overview of the different network cyber security protection areas, and a model and market assessment of the network cyber security space. While it is possible to read only the last section and bypass the other content, this is not advisable. Networks are commonly misunderstood, especially with regard to network cyber security. Just reading the model section or concluding strategy could perpetuate the misunderstandings and confuse the reader further.

In this vein, some may find the analogies used in this document too simple, and for that an apology is offered. However, networks are for the most part simple to understand, and it is the author's intent to provide examples that will prove to be enlightening.

2. Introduction to Networks

Computer networks are one of those technologies which most people have heard of, and have an idea of what they are, but do not necessarily understand. When most people hear the term computer network they immediately think of wires and cables strung between boxes. Networks do not exist without the wires or physical network, but the physical network is not what makes transportation across it possible.

A good analogy when thinking of computer networks is the road infrastructure. The surface of the road defines where the road is, but it is the extra elements such as traffic lights, speed limits, drivers' licenses, cars, lorries, bridges and roadmaps that make transportation across it possible. Without highway laws, safe vehicles, signposts and maps, the roads would just be stretches of tarmac without any purpose. Computer networks are the same: the easy part is putting the cables in the ground and connecting them together; the hard part is getting traffic to flow through them correctly and reliably from source to destination all across the world!

Attackers can manipulate and disrupt a network and its traffic by hacking these other elements. It is the role of network cyber security to act as the police of the system and to try to ensure the infrastructure remains as reliable and accessible as possible.

3. Network Cyber Security As Part Of A Holistic Approach

As we said in the introduction, cyberspace can be divided into devices, data, networks and people. Each one of these areas needs its own cyber security in order to protect the whole. Putting advanced cryptography between the computers on a network will protect against anyone listening in to your communications, but will do nothing to stop the spread of malware introduced from an infected USB stick. Instead, a holistic approach across all of these areas is required (Diagram 1).

Diagram 1 - Cyber Security Defined

3.1. Application Security

Application security sits at the nexus between devices and data. Applications are made from data, but they are created to manipulate devices. For instance, your computer is a device, but what makes it useful is the software that runs on it, manipulating the 1s and 0s stored in memory. Applications are therefore written for the purpose of performing a task. If the application behaves as expected, then given a known input the application should provide a deterministic output. Should an attacker manipulate the input to an application, or even the application's behavior itself, then the output would no longer be what the creator or operator had intended and could have damaging consequences. While this can prove frustrating on a home computer, it can have a severe impact on an industrial control system such as a power station.

Applications therefore need some security controls to protect them from malicious manipulation. This is not easy, as applications are very complex, and it is therefore difficult to distinguish standard from non-standard behavior. Manipulations can also be very subtle, making their presence difficult to detect.

Applications therefore use a variety of techniques such as memory randomization (where their code does not always exist in the same location when run), encryption, permissions (which define who can do what), and input checking to protect themselves from outside manipulation. Applications can also be cryptographically signed to prove to the user and device that they have not been manipulated since they were produced by their creator. There are also specific security applications, such as anti-virus, whose function is to look for and identify malicious applications or behavior denoting an attack. However, this is not easy, as there is a constantly changing array of malicious applications that the anti-virus application has never seen before.

One interesting statistic is that it is estimated that there is one software bug in every thousand lines of code, which, when typical applications run into millions of lines of code, gives a large number of software bugs. It is these bugs that attackers exploit, using them to make an application

perform in a non-standard manner, potentially allowing them to carry out unauthorized tasks or tasks the application was never designed for. Anti-virus products are themselves large, complex pieces of software and are not immune to being the vector through which an attacker successfully gains control over a system.

As a result, the application space is not a no-holds-barred playground. Operating systems and vendors have worked hard to enforce stricter rules on access and authentication for certain operations. A simple username and login prompt can provide an acceptable level of application security in certain circumstances. Otherwise, granular control over which files, folders and system operations a user can manipulate can be implemented to protect against malicious behavior. This stops an exploited piece of software, such as a word processing application, from being able to maliciously change the underlying operating system. However, because the application space is all software and it is very difficult to write perfect, bug-free software, application security will always be required. Without it, there could be no guarantee that a computer or task was being carried out as the designer and operator intended.

3.2. Network Security

Just as a system can be attacked in a number of different ways, there are a number of different types of defenses that can be used to protect it. We are all familiar with the use of encryption as a way to harden a network and add confidentiality. This is an example of an infrastructure hardening process: a static security control that, by virtue of its operation, stops a number of attacks from succeeding. However, as we pointed out with the USB example, these protections can be overcome, so real-time monitoring controls are also used. Monitors and intelligence gathering tools sit in a system and attempt to discover and stop attacks by inspecting ongoing activity. One common example of a device monitoring control is software anti-virus. Anti-virus sits on your computer and tries to detect malware infections in real time.

Between hardening and monitoring a large number of attacks can be prevented; however, these protections are never perfect. Imperfections in the way a system operates or communicates can introduce vulnerabilities that are not protected against. Therefore a third layer of security control is required to cover these situations. These analysis controls sit outside of the day-to-day operation of a system or network and observe behavior. Then, through the reported information, the analysis controls try to identify when anomalous behavior is occurring or if there are other signs of compromise. The analysis products can be thought of as providing situational awareness on the activity of a network or system, and as able to find the needles representing attackers in a haystack of normal activity. There is a final level of security called exploit, in which hired experts test the strength of your security. In cyber security these are known as penetration tests or ethical hacking.

These levels of cyber security have analogies in the physical space. We build walls and doors representing hardened controls, and we use night watchmen and security guards as monitoring controls. And we have police investigation teams and forensic examiners to discover evidence of successful attacks. Together these three types of security create defense in depth, preventing many attacks and minimizing the impact of successful ones. Throughout the rest of this paper the subject of networks and network security will be explored in more detail, as this is one of the clearest examples of where security is more than encryption, and where encryption provides more than just confidentiality.

3.3. Physical Security

Critical Infrastructure (CI) must be built on a foundation of both physical and cyber security. Infrastructure and site surveillance is imperative given the increasing concern for security and safety due to the threat of terrorism and the need to protect critical assets. The best chance of preventing disruption to a facility is to create an interactive perimeter that detects intruders and alerts you to potential threats before they occur.

Physical security likewise provides a valuable piece of the cyber security solution. Specifically, it can be used to enhance protection against attacks by people (whether intentional or unintentional). Users are one of the most common vectors for cyber attack. For instance, manipulating someone into using an infected USB stick can compromise an air-gapped system, or socially engineering someone into giving an unauthorized person access to a restricted or critical area. By protecting and monitoring access to critical servers, removing physical access to USB drives, or identifying when tampering occurs to remote systems, the whole cyber security posture is elevated.

Diagram 2 - Physical Security Integrated

4. Understanding Networks

4.1. Building Blocks

Almost all IP networks are built from the same few building blocks, from small office-scale networks to the expanse of the Internet. Combined together, these building blocks create a useful network infrastructure over which any type of data can flow. The utility of a network is its purpose; should an attacker successfully attack one of the building blocks, they will disrupt the usefulness of the network and therefore cause the same damage as if they had cut the wires themselves. So what are these building blocks? (Diagram 3)

Diagram 3 - Network Building Blocks

With the exception of certificates, each of these technologies was designed to make networking easier rather than more secure, and they are therefore inherently insecure and vulnerable. Security researchers are only now beginning to try to add security to these elements, and new vulnerabilities within them are being discovered all the time.

4.2. Address Services

The address services are the phone directory of the network. They provide each device with a unique address (like a phone number) within the network. They also provide the translation from a textual web address into the unique numerical IPv4/IPv6 address. The most common address service protocols are DHCP, which provides your computer with an IP address on a local network, and DNS, which translates web addresses into Internet IP addresses.

4.3. Internet Exchange Points and Topology

The Internet is not, as is commonly thought, one large mesh network of computers all interconnected. Instead, think of it as many cities connected to each other via large highways. Each Internet Service Provider (ISP) can be thought of as a city comprising a large number of houses (or computers); these are called Autonomous Systems (AS). All of the ASs are joined together via big, super-fast connections. In

order to get from one house in one AS (city) to another house in another AS, you have to plan your journey just as you do for a road trip, which involves traversing the city's roads as well as the inter-city highways. The same is true for networks: you use internal routers to get through each AS, and external routers to get between ASs. Both external and internal routers are needed if large networks are to be deployed. Do not confuse the geographical topology of networks with the network topology of ASs. There is some commonality due to the locations of wires and computers, but the network topology is primarily determined by an AS's architecture across its user base.

The Internet was initially designed to be robust and adaptable to the loss of any given link. The Internet is still very capable of quickly routing around lost connections, but it is not as robust as most people think. Due to economic pressures, the Internet actually has a relatively small number of critical nodes (called Internet Exchange Points) through which a very large amount of traffic passes. Should these be disrupted or destroyed, it is uncertain how well the rest of the network would operate. These include the Deutscher Commercial Internet Exchange (1120 Gbps), Amsterdam Internet Exchange (912 Gbps), Equinix Exchange (990 Gbps) and London Internet Exchange (743 Gbps), with their average throughputs. The Internet topology (Diagram 4) clearly illustrates some of these primary interconnects.

Diagram 4 - The Internet Topology (Opte Project)

4.4. Authentication through Certificates

Computer networks are intrinsically anonymous. Anyone can obtain an IP address and therefore be reached from anywhere else, but ironically having an IP address does not tell you anything about the computer at the end of it. Similar to the phone network, you can sometimes misdial or become erroneously connected. We therefore rely upon the trustworthiness of the person at the other end of the phone to answer and correctly identify themselves. The phone system does not have any way to do the authentication for us. The same is true of computer networks; we rely on the computer at the other end of the IP address to be who it says it is. While this scenario is acceptable for family, friends, etc., it does not provide enough authentication for businesses such as banks or the government.

Computers therefore utilize certificates (similar to passports) to provide identification. These certificates are issued by a third party (called a certificate authority) and are secured against duplication or fraudulent use through encryption. When a user connects to a remote computer, the remote computer sends back its correctly issued certificate, bound to its address so as to prove its identity. These certificates cannot easily be altered, and as they are tied to an identity such as a web address, an attacker cannot substitute one of their own. Obviously, should an attacker obtain a certificate for a site they do not own, it is possible that they can reliably masquerade as that site. This is exactly what happened at the certificate authorities Comodo and DigiNotar, and it caused a large upheaval to Internet operations.

4.5. Protocols

The final IP network building block involves protocols. Protocols can be thought of as the Highway Code: everyone needs to know them and follow them in order to use the network. The most common ones are

IPv4, which describes how to label a packet, and TCP, which describes how to reliably send packets. There are many more which are intrinsic to the working of a network, but it is not necessary for the purposes of this discussion to look at these in detail. What is important to understand is that networks are bound to these protocols; they need to use them in order to interoperate. Network protocols are open and available for anyone to understand and implement, and as a result, computers and networks operate in a predictable and pre-determined manner.

Networks are designed to carry traffic; therefore there are some aspects of network operation and network security which require viewing the traffic itself. Inspecting the traffic through a network could be thought of as a part of data cyber security; however, there is a fine line differentiating the two, so for the purposes of this discussion it will be deemed part of network cyber security. Networks operate by inspecting the headers of the traffic that flows across them, as this is where the destination addresses are given. A great deal of extra information can be obtained by looking further into a packet of data rather than just observing its header. Network monitors are designed to do just this, and this is termed deep packet inspection or analysis (DPI). DPI sounds impressive, but it only describes the act of looking at more than just the header. As in real life, reading is the easy part; it's the understanding of what you have just read that is difficult.

5. Network Cyber Security Vulnerabilities

We have discussed that networks are made up of lots of computers all delicately stitched together using a few key building blocks. Keeping these building blocks running efficiently is the job of network management, and keeping them safe from attack is the job of network cyber security. Attackers are typically trying to attack or manipulate one or more of these building blocks in order to achieve their objective. The majority of standard networks (including the Internet) were designed and implemented with no inherent authentication, access control or attribution. Instead they were designed for utility and robustness.

5.1. Anonymity and Attribution

Security was not really a consideration when the majority of network infrastructure components were invented. As a result, networks are inherently vulnerable to a number of attacks. One of the largest and most intractable is that attackers, and their attacks, are for all intents and purposes anonymous. The only indication of where an attack came from is the sender address of the attack packet, but an address does not prove who sent it, only where it was sent from, and even then this address can easily be forged. It is common for attackers to use a previously infected system as an unwitting victim from which to launch their attack on a more sophisticated target. This maneuver will lead any subsequent investigation by a sophisticated investigator to the first victim rather than the attacker. This raises the question: are all attacks that seem to originate from China actually the result of Chinese hackers? Or are attackers routing their attacks through China knowing no further investigation from there will be possible?

Due to the lack of inbuilt security, each building block of the network is vulnerable to different attacks. Networks by definition are broadcast mediums: any device along a packet's journey can view the packets going through it, and so in that regard confidentiality is not expected. Therefore encryption devices such as in-line encryptors are used to make data confidential before it ever enters the network.

5.2. Denial of Service Attacks

IP computer networks were originally designed to solve the availability problem. By utilizing a packet-switched architecture, IP networks are able to reroute around congestion or broken connections, and they make full use of the capacity of a link in a way that circuit-switched networks could never do. What they were not designed to protect against was intentional flooding of data to a single destination. This is what is known as a denial-of-service (DoS) attack. So many spam packets are sent to a receiver that it does not have the resources to sort through and ignore the bad packets and handle only the legitimate ones. As a result, the receiver shuts down under the load and legitimate communications are undelivered.

5.3. Spoofing and Man-in-the-Middle Attacks

The most dangerous element of a network to attack is its integrity. If an attacker can manipulate the addressing, routing or certificates of a network, they can then control who talks to whom and impersonate anyone they want (e.g. your bank or your company). Just as maps only work if the road layout and signposts are correct, networks only work if the routing, addressing and certificates of the network are accurate and not manipulated. Address services are vulnerable to two main types of attack: corruption and impersonation. Clients send requests to address services, such as "what is the IP address of this web address?" or "what is the address of the Wi-Fi base station?", and address servers return the answers. If an attacker can manipulate the information

in the address servers, then they will give clients the wrong information and clients will unwittingly connect to the wrong destination. The other way to manipulate the address services is to impersonate them. If an attacker can listen for a client's request and send a reply before the real address server can, then the client will use the information provided by the attacker. This is known as spoofing, and it occurs because there is a historical inherent trust of the address services. This is slowly changing with the addition of technologies such as Domain Name System Security Extensions (DNSSEC), but we are far from this point yet.

Apart from directing computers to the wrong destinations, attackers can also pretend to be the Internet access point and have computers connect through them. This enables them to act as a man-in-the-middle and view all the traffic and manipulate it as they see fit. The ability to act as a fake destination or gateway allows an attacker to completely control the conversation and manipulate any of the data passing through it. An attacker could, for example, capture all of your login information or even send fake email from your account. It is the integrity and legitimacy of address services that are attacked by hackers; if they control the address services, they control the destination of traffic. Network defenders are therefore on the lookout for address service impersonators or manipulations to the address service information, but as attacks become more sophisticated this becomes more difficult.

5.4. Network Interception and Black-holes

Router and address service attacks are sometimes confused with one another, but in reality they are very different. Using a postcard analogy, address service attacks attempt to change the address on the postcard but let the postal service deliver it as normal, whereas router attacks leave the address on the postcard alone but manipulate the post office into sending the postcard to the wrong depot.

Routers, both internal and external, are constantly communicating with each other, passing information about congestion, open/closed links, and whom they are connected to. This enables all the routers to maintain a common operational picture (COP) of the overall network. As long as all the routers have a similar and accurate COP, they can route any packet to any destination reliably and accurately. If an attacker can manipulate this information, e.g. tell the U.S. that the quickest way to communicate with the U.K. is through South America, then, just as your GPS system will re-route you along the fastest roads, traffic will begin to flow along the manipulated sub-optimal route. There are two reasons for doing this: either the attacker would like to monitor all of your communications, and therefore routes that traffic through their own systems, or they want to stop any traffic reaching a destination, so they purposely route traffic away from it. Traffic routed away so it never reaches its destination is called black-holing. Network black holes are areas unreachable by other parts of the network due to routing inaccuracies. If an attacker does not want to black-hole a destination, but rather intercept and read all of its traffic, then they change the routes so that all traffic goes through them en route to the destination.

So, for the correct and reliable operation of a network, defenders need to ensure that the routing information is accurate and not manipulated. Defenders, however, cannot lock down routing tables and stop them from being changed without limiting the ability of routers to handle changing conditions. Optimal routes change all the time due to network outages, maintenance or congestion, and routers need to keep abreast of these changes to ensure a continuously reliable and robust network. If routers cannot exchange operational information and update routing tables, they will become brittle and potentially collapse.
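The two integrity checks a defender runs against the attacks in the spoofing and interception sections above, written as one added Python example that is not part of this paper: a passive DNS sensor flagging a query that received a second, conflicting answer (the impersonated reply racing the real address server), and a route monitor comparing observed BGP announcements with the origin AS the operator expects for its own prefixes. All hosts, names, prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# ---------------------------------------------------------------------------
# 1. Address-service impersonation (spoofing): a passive sensor records every
#    DNS answer it sees. A legitimate query gets exactly one answer from the
#    trusted resolver; a spoofed one shows up as a second, conflicting answer
#    for the same transaction id, often from a responder that is not the
#    resolver at all.
# ---------------------------------------------------------------------------

# Constructed sensor records: (transaction id, queried name, answer IP, responder IP).
TRUSTED_RESOLVER = "10.0.0.53"
DNS_RESPONSES = [
    (0x1A2B, "bank.example", "192.0.2.10", "10.0.0.53"),      # normal: one answer
    (0x3C4D, "mail.example", "192.0.2.20", "10.0.0.53"),      # real resolver's answer
    (0x3C4D, "mail.example", "198.51.100.99", "10.0.0.66"),   # racing answer from elsewhere
    (0x5E6F, "www.example", "192.0.2.30", "10.0.0.53"),       # normal
]


def detect_dns_spoofing(responses, trusted_resolver):
    """Return one alert per (txid, name) that received conflicting answers or an
    answer from anything other than the trusted resolver."""
    by_query = defaultdict(list)
    for txid, qname, answer_ip, responder in responses:
        by_query[(txid, qname)].append((answer_ip, responder))

    alerts = []
    for (txid, qname), answers in by_query.items():
        answer_ips = {ip for ip, _ in answers}
        responders = {r for _, r in answers}
        if len(answer_ips) > 1 or responders - {trusted_resolver}:
            alerts.append({
                "qname": qname,
                "txid": txid,
                "answers": sorted(answer_ips),
                "responders": sorted(responders),
            })
    return alerts


# ---------------------------------------------------------------------------
# 2. Route integrity: the operator knows which AS should originate each of its
#    prefixes. Announcements seen at a route collector are compared against
#    that expectation. A wrong origin (for the prefix, or for a more-specific
#    carved out of it) is a hijack; a correct origin reached via an AS the
#    operator does not expect to transit its traffic is the interception case.
# ---------------------------------------------------------------------------

# Constructed expectations and observations; all AS numbers are private-range.
EXPECTED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501}
SUSPECT_TRANSIT = {64666}
ANNOUNCEMENTS = [  # (prefix, AS path; the last element is the origin AS)
    ("192.0.2.0/24", [64510, 64500]),             # normal
    ("192.0.2.0/24", [64510, 64520, 64500]),      # longer path, still the right origin
    ("192.0.2.0/25", [64510, 64666]),             # more-specific from the wrong origin
    ("198.51.100.0/24", [64510, 64666, 64501]),   # right origin, but via a suspect AS
    ("203.0.113.0/24", [64510, 64530]),           # not our address space: ignored
]


def check_routes(announcements, expected_origin, suspect_transit):
    """Return (prefix, finding, detail) for every announcement of our address
    space that has the wrong origin or passes through a suspect transit AS."""
    owned = {ipaddress.ip_network(p): asn for p, asn in expected_origin.items()}
    findings = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        covering = next((p for p in owned if net.subnet_of(p)), None)
        if covering is None:
            continue
        origin, transit = path[-1], set(path[:-1])
        if origin != owned[covering]:
            kind = "origin hijack" if net == covering else "more-specific hijack"
            findings.append((prefix, kind, origin))
        elif transit & suspect_transit:
            findings.append((prefix, "suspect transit", sorted(transit & suspect_transit)))
    return findings


if __name__ == "__main__":
    for alert in detect_dns_spoofing(DNS_RESPONSES, TRUSTED_RESOLVER):
        print("DNS:", alert)
    for finding in check_routes(ANNOUNCEMENTS, EXPECTED_ORIGIN, SUSPECT_TRANSIT):
        print("BGP:", finding)
```

Neither check needs payload: the DNS sensor keeps only answer records, and the route monitor keeps only prefixes and AS paths, which is why both scale to the traffic volumes discussed later in the paper.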

5.5. Fake Certificates and Certificate Authorities

Networks can be manipulated, and therefore clients need to ensure the identity of the computer at the other end of the network. Certificates are used as a form of ID; therefore, if an attacker manipulates the address or routing of traffic, the resultant destination computer will not be able to provide the correct ID and the client will know something is amiss. When browsing the Internet, any site that uses HTTPS is using a certificate to verify its identity and so theoretically can be trusted. However, just as with any form of ID, you need to prevent an attacker from forging a fake one. This is done by using certificate authorities (CAs), whose job it is to verify the identity of the requester and sign their certificate. Every browser comes with a copy of these CAs' signatures so it can validate the authenticity of any certificate it receives. If the certificate is not signed by one of the trusted CAs, the browser will warn the user that it is potentially fraudulent and dangerous.

But how do you sign certificates for sites all around the world in different countries and jurisdictions? There is no international U.N.-style body that can oversee this operation, so web browsers end up having to trust at least 50 independent CAs from all around the world. These range from small companies to large ones and include the Hong Kong Post Office and Coventry City Council, and the scary part is that the web browsers trust them all equally regardless of who they are! Attackers routinely target these CAs and attempt to get their fake certificate IDs signed by the CA to make them appear legitimate. If they are able to do this, then they could have a victim connect to the wrong destination and send them a legitimate-appearing certificate for their bank, thus bypassing the computer's inbuilt security tools and giving no warning to the user of the fraudulent activity.

5.6. Protocol Attacks

CA attacks aside, most network attacks (including some on address services) are in actuality attacks on protocols. Every computer follows set rules for how it communicates with others; hackers periodically find that if they go off script in certain ways, they can manipulate the protocol and do things they should not be able to do. Network defenders need to look for times when deviations from network protocols are occurring and try to prevent any impact arising from them. This is notoriously difficult to do, because at first glance both parties are following the protocol. Protocol manipulation is analogous to a Derren Brown magic trick (see plenty of YouTube clips for more explanation).

As you can imagine, cyber attacks on a network's availability tend to be obvious and destructive: either a denial-of-service flood, or traffic routed to the completely wrong destination. Attacks on a network's integrity tend to be more subtle and difficult to identify, especially when you are not looking for them. Thus network cyber defenders introduce proactive security measures such as DNSSEC and firewalls to prevent these attacks, and use network monitoring measures such as intrusion detection and DPI to detect signs of an attack that has penetrated their protections.

5.7. Sizes of Networks and Traffic

As with all investigative security controls, it is very difficult to detect an attacker or attack amongst all the legitimate activity. This is especially the case within computer networks. The Internet currently routes around 7,700 GB/s, which is around 1,600 DVDs every second! It is inconceivable that any person or machine could look at, or effectively analyze, that volume of data in real time, let alone store it. Monitoring the backbone of the Internet is not feasible; therefore, instead of capturing and looking at a large amount of data, situational awareness is normally achieved through lots of sensors or probes distributed throughout the infrastructure, each looking at smaller amounts of data, and then fusing the results. A dispersed set of network monitors can provide a good picture of what is happening across the whole network at any given moment, and tools can be used to measure the pattern of traffic now versus

historically. This trend analysis is utilized to identify anomalous data streams and potential attacks. To describe this as looking for a needle in a haystack is very apt, although a little misleading, because most security assessors actually remove all of the hay until just the needles remain. In other words, they identify normal traffic and then discard it from the analysis until only the unusual traffic remains.

5.8. Netflow

Even within a medium-sized office, the amount of traffic flowing over the network will probably be too large to capture and store without being prohibitively expensive. Attempting to copy all of the letters a postman delivers in one day is almost impossible, but asking him to make a note of the sender and destination post codes (zip codes) is not. In the network cyber security arena this function is called Netflow. Network monitoring systems, such as Intrusion Detection Systems (IDS), make a log of netflow, which allows them to keep track of who is talking to whom without actually storing what is being said. Netflow can be thought of as a social network map of a network. Obviously this data in and of itself is very interesting, and there are many products and systems in the cyber space to analyze and make inferences on netflow data.
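The postman's notebook in code: an added Python example (not from this paper) that builds netflow-style records from packet headers, then does the "remove the hay" step from the previous section by discarding flows that match a historical baseline of known services, and finally counts distinct sources per service to surface the many-senders-to-one-receiver shape of the denial-of-service flood described earlier. The packet headers, baseline and addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet headers as a sensor would see them, one tuple per packet:
# (source IP, destination IP, protocol, source port, destination port, bytes).
PACKETS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 51000, 80, 500),       # workstation -> intranet web
    ("10.0.0.5", "10.0.0.20", "tcp", 51000, 80, 1200),
    ("10.0.0.20", "10.0.0.5", "tcp", 80, 51000, 4000),      # the reply direction
    ("10.0.0.7", "10.0.0.53", "udp", 40000, 53, 70),        # DNS lookup and answer
    ("10.0.0.53", "10.0.0.7", "udp", 53, 40000, 150),
    ("10.0.0.9", "198.51.100.4", "tcp", 52222, 22, 90),     # SSH to an outside host: unusual
    ("10.0.0.9", "198.51.100.4", "tcp", 52222, 22, 3000),
]
# Six different outside sources each open a flow to one service in quick
# succession: the shape of the flood described in the DoS section.
PACKETS += [(f"203.0.113.{i}", "10.0.0.20", "tcp", 40000 + i, 443, 60) for i in range(1, 7)]

# "Normal" services learned from history: (server IP, protocol, server port).
BASELINE = {("10.0.0.20", "tcp", 80), ("10.0.0.53", "udp", 53)}


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0


def build_flows(packets):
    """Aggregate packets into flow records keyed by the 5-tuple: who talked to
    whom and how much, without keeping any payload."""
    flows = defaultdict(Flow)
    for src, dst, proto, sport, dport, size in packets:
        rec = flows[(src, dst, proto, sport, dport)]
        rec.packets += 1
        rec.bytes += size
    return dict(flows)


def remove_hay(flows, baseline):
    """Discard every flow that matches a known service (in either direction)
    and return only what is left: the needles."""
    unusual = {}
    for key, rec in flows.items():
        src, dst, proto, sport, dport = key
        known = (dst, proto, dport) in baseline or (src, proto, sport) in baseline
        if not known:
            unusual[key] = rec
    return unusual


def flag_floods(flows, min_sources):
    """Services contacted by at least min_sources distinct sources in this
    window; a sudden jump here is the DoS pattern."""
    sources = defaultdict(set)
    for src, dst, proto, _sport, dport in flows:
        sources[(dst, proto, dport)].add(src)
    return {svc: len(s) for svc, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(flows)} flows from {len(PACKETS)} packets")
    for key, rec in remove_hay(flows, BASELINE).items():
        print("unusual:", key, rec)
    print("floods:", flag_floods(flows, min_sources=5))
```

On real data the baseline would be learned from weeks of flow history rather than typed in, and the flood threshold compared against the same service's historical source count, which is the trend analysis the section describes.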

6. Network Cyber Security Defense Capabilities

Now that we understand the basics of computer networks, their building blocks and some of their inherent vulnerabilities, this section describes the main cyber security areas that work to keep networks running reliably and to identify attacks (identifying attackers still runs into the attribution problem). We separate network cyber security into four main areas:

1. Protect the network infrastructure
2. Defend network operations
3. Analyze network activity
4. Test network security (or attack it, if you prefer)

Each area has a unique role in securing networks, and all four are required in order to maintain the operational reliability and integrity of computer networks. As we look at each in detail we will see that securing networks is really securing the integrity of networks: continuing to ensure that network operational information is both accurate and authentic.

Protect Network Infrastructure

A large part of protecting the network infrastructure involves protecting the network traffic, which can be achieved through encryption, but it also includes firewalls and network access controllers.

VPNs

In addition to standard in-line encryption, networks also use virtual private networks (VPNs) to protect traffic. Most business people are familiar with VPNs as the technology that lets them reach the company network while out of the office. A VPN is in fact a suite of protocols used to identify and authenticate both your computer and your office's network to each other over a public network (e.g. the Internet) and to exchange encryption keys. Once both parties have verified each other's identity, they communicate through an encrypted tunnel. The protocols are most commonly those of the IPsec suite (IKE for authentication and key exchange, ESP for the encrypted tunnel) or HAIPE for government use; TLS-based VPNs are the other common family.
The traffic is protected provided the identification and authentication steps are executed properly. However, as discussed in the certificates section above, if someone is able to obtain a false certificate that your VPN endpoint trusts, they could potentially intercept your traffic and read all of your data.

Backbone Hardening

Traffic encryption is necessarily performed between two points, and for individual traffic streams this is easy to accomplish with software or in-line encryption such as IPsec or HAIPE: the traffic is encrypted between source and destination. What about a network backbone; can that be encrypted? The first question to ask is why. If you encrypt the backbone then, by definition, traffic is unencrypted before it reaches the backbone and must be decrypted again when it leaves. The only reasonable motive for encrypting a backbone is therefore a concern that someone will read or manipulate the information while it is in transit on the backbone itself. Given the size and speed of backbone links, this threat has generally been regarded as far-fetched, and any added encryption would burden backbone routing and cause larger problems. The caveat is that line-rate link encryption does exist (MACsec, IEEE 802.1AE, on Ethernet links, and optical-layer encryptors on long-haul fibre); it is the control specifically for passive tapping of a link, so the trade-off is cost and operational complexity rather than feasibility.

Once you have protected the data you want to send over the network, you then need to ensure that it reaches the correct destination reliably. Specifically, this means ensuring that the routing tables and link advertisements exchanged by internal and external routers are accurate and originate from an appropriate source, i.e. that they have not been made up or modified by an attacker. Integrity and authenticity are possible through the use of digital signatures and certificates: each router signs its information before circulating it, which removes the possibility of an attacker spamming the network with false advertisements. This requires every router to hold key material and perform the signature (or keyed-hash) operations, in hardware if it is to keep up at backbone speeds. The cost is high in resources and time, and it is highest exactly when links are changing, which is the moment you least want extra overhead. Furthermore, this only prevents non-routers from advertising false topology information; it does not prevent a malicious or compromised router from producing false information that is correctly signed. That is not necessarily a problem when the entire network is under your control, but the Internet relies on external routers all around the world to share information, including those in Russia and China. We can determine that the information they sent is authentic and unmodified, but we have no idea as to its veracity.

In addition to secure routing there needs to be secure addressing, so that you can accurately determine your own location, the gateway to the network and your final destination. Mechanisms such as DNSSEC are being deployed to address some of these issues, but others, such as gateway discovery through ARP, remain vulnerable. Just as with securing router advertisements, DNSSEC uses digital signatures, with a chain of trust anchored in signed keys (DNSKEY and DS records) rather than X.509 certificates, to provide integrity and authenticity of its data.
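The following is an added example, not code from the paper, of the two points just made about authenticated routing: an outsider without a key cannot inject a link-state advertisement, but a compromised router that holds a valid key can still advertise a link that does not exist, so authenticity has to be backed by a veracity check. The advertisements are authenticated with a keyed hash (as OSPF cryptographic authentication does; a signature over a certified key would play the same role), and the veracity check simply asks whether the claimed peer also advertises the link. The router names, keys and topology are assumptions constructed for the example.

```python
"""
Added example, not from the paper: authenticated link-state advertisements and the
limit of that protection.  Each router authenticates its advertisement with a
keyed hash (as OSPF cryptographic authentication does; a signature over a certified
key would play the same role).  An outsider without a key cannot inject topology,
but a compromised router can still advertise a false link, so a second check looks
for links that the claimed peer does not corroborate.  Router names, keys and the
topology are assumptions made up for the example.
"""
import hashlib
import hmac
import json

# Assumed key ring: each router's secret, known to the verifier.
KEYS = {"R1": b"r1-secret", "R2": b"r2-secret", "R3": b"r3-secret"}


def encode(router, links):
    """Canonical bytes of an advertisement: the router and its claimed neighbours."""
    body = {"router": router, "links": sorted(links)}
    return body, json.dumps(body, sort_keys=True).encode()


def sign_lsa(router, links, key):
    """Advertisement plus its authentication tag."""
    body, msg = encode(router, links)
    return body, hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_lsa(body, tag, keys=KEYS):
    """True only if the tag was produced with the key belonging to the named router."""
    key = keys.get(body["router"])
    if key is None:
        return False
    _, msg = encode(body["router"], body["links"])
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag)


def build_lsdb(lsas, keys=KEYS):
    """Link-state database built only from advertisements that authenticate."""
    db = {}
    for body, tag in lsas:
        if verify_lsa(body, tag, keys):
            db[body["router"]] = set(body["links"])   # later LSAs replace earlier ones
    return db


def uncorroborated_links(db):
    """Links claimed by one router that the named peer does not also advertise."""
    return {(r, peer) for r, links in db.items() for peer in links
            if r not in db.get(peer, set())}


def scenario():
    """Honest R1 and R2, an outsider forging 'R3', then a compromised R3 lying."""
    lsas = [
        sign_lsa("R1", {"R2"}, KEYS["R1"]),
        sign_lsa("R2", {"R1", "R3"}, KEYS["R2"]),
        # An attacker host with no key tries to announce itself as R3 next to R1.
        sign_lsa("R3", {"R1"}, b"guessed-key"),
        # A compromised R3 holds the real key and advertises a link to R1 that does not exist.
        sign_lsa("R3", {"R2", "R1"}, KEYS["R3"]),
    ]
    db = build_lsdb(lsas)
    return db, uncorroborated_links(db)


if __name__ == "__main__":
    db, suspect = scenario()
    for router, links in sorted(db.items()):
        print(router, "->", sorted(links))
    print("authentic but uncorroborated:", sorted(suspect))
```

The forged advertisement never enters the database, but the compromised router's does, and only the cross-check against R1's own advertisement exposes the phantom link; with external routers you cannot control, that kind of corroboration is the most you can do.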
Thus the protection or hardening of networks is not so much the encryption of the data passing through them as ensuring the integrity and authenticity of the operational and management data. As network hardening is rolled out there will be an increasing reliance on certificates and on the security of root authorities (certificate signers), and thus on the cryptographic devices used within them. The more signatures and certificates are used, the more need there is for crypto.

Firewalls

Firewalls are one of the cornerstones of network protection: they are the stateful machines that stop unsolicited communications entering a system. In the typical default policy a firewall allows traffic out of the network and admits inbound traffic only from a known, explicitly listed source (e.g. another company office) or when it is the reply to a connection that someone inside the network initiated, which the firewall recognizes from its connection state table. For the most part firewalls are very good at keeping out unwanted traffic; however, sophisticated attacks such as TCP injection, where an attacker spoofs segments that match an existing connection, can find holes in their operation.

Defend Network Operations

Protecting the network traffic and hardening the infrastructure help create a reliable and robust communications medium for computers. The increased use of encryption and certificates will help prevent attacks on the infrastructure, but will not prevent them all. Furthermore, they do nothing to prevent attacks that target the end devices and use the network merely as a delivery and communications channel. Many attacks, such as Advanced Persistent Threats and computer viruses, use the network to infiltrate a company's systems and then continue their attack over it; these attacks actually require the continued existence and reliable operation of the network in order to succeed. Therefore one of the most important, and often overlooked, aspects of network cyber security is to monitor the activity over the network and search for attacks or patterns.
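Returning to the Firewalls subsection above, the following is an added example, not code from the paper, of a toy stateful packet filter. It applies the default policy described there (connections out are allowed and their replies let back in, unsolicited inbound traffic is admitted only from a listed source, everything else is dropped) and then shows the hole that a TCP injection exploits when replies are matched on addresses and ports alone, together with the sequence-window check that closes it. The address ranges, ports, allow list and window size are assumptions constructed for the example.

```python
"""
Added example, not from the paper: a toy stateful packet filter showing the
default policy described above (connections out are allowed and their replies
let back in; unsolicited inbound traffic is admitted only from a listed source)
and the hole a TCP injection exploits when replies are matched on addresses and
ports alone.  Addresses, ports, the allow list and the window size are assumed.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")          # assumed internal range
INBOUND_ALLOW = {("198.51.100.7", 443)}                 # assumed: partner office, HTTPS only
WINDOW = 65535                                           # assumed receive window


class StatefulFirewall:
    def __init__(self, check_seq=False):
        self.check_seq = check_seq
        # (inside_ip, inside_port, outside_ip, outside_port) -> next sequence
        # number expected from the outside peer (None until the first reply)
        self.conns = {}

    def filter(self, src, sport, dst, dport, seq=0, length=0):
        """Verdict for one segment described by its 4-tuple and TCP seq/len."""
        src_in = ipaddress.ip_address(src) in INSIDE
        dst_in = ipaddress.ip_address(dst) in INSIDE
        if src_in and not dst_in:                         # outbound: allow and remember
            self.conns.setdefault((src, sport, dst, dport), None)
            return "ALLOW-OUT"
        if dst_in and not src_in:                         # inbound
            key = (dst, dport, src, sport)
            if key in self.conns:                          # looks like a reply
                expected = self.conns[key]
                if (self.check_seq and expected is not None
                        and not expected <= seq < expected + WINDOW):
                    return "DROP-OUT-OF-WINDOW"
                self.conns[key] = seq + length             # next byte we expect
                return "ALLOW-REPLY"
            if (src, dport) in INBOUND_ALLOW:
                return "ALLOW-LISTED"
            return "DROP-UNSOLICITED"
        return "DROP"                                      # neither side inside


def demo(check_seq):
    """Five segments through a fresh firewall; returns their verdicts in order."""
    fw = StatefulFirewall(check_seq)
    return [
        fw.filter("10.0.0.5", 50000, "93.184.216.34", 443),                        # client opens HTTPS
        fw.filter("93.184.216.34", 443, "10.0.0.5", 50000, seq=1000, length=100),  # server reply
        fw.filter("203.0.113.9", 4444, "10.0.0.5", 22),                             # scan from outside
        fw.filter("198.51.100.7", 40000, "10.0.0.8", 443),                          # listed partner
        # Injection: attacker spoofs the server's 4-tuple but cannot know the sequence number.
        fw.filter("93.184.216.34", 443, "10.0.0.5", 50000, seq=999999999, length=40),
    ]


if __name__ == "__main__":
    print("4-tuple only  :", demo(check_seq=False))
    print("with seq check:", demo(check_seq=True))
```

With `check_seq=False` the spoofed segment is waved through as a reply, which is exactly the hole the text alludes to; real stateful firewalls track the sequence and acknowledgement windows of both directions (and the handshake state) so that a segment which is not where the conversation currently is gets dropped.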
Given that networks operate and are attacked at network speed, the defenses also need to operate at that speed, which means being directly connected to the network and monitoring its traffic in real time.

Intrusion Detection Systems

One common network inspection tool is the Intrusion Detection System (IDS). This is a fancy name for a system that watches the network's traffic, or its netflow, and looks for activity matching a previously identified attack or for anomalous activity indicative of a new one. These systems are not perfect and tend to produce a lot of false positives and false negatives, but they are getting better. The reason for using them is that attacks typically happen in machine time and the volume of data produced by a network is too great for human analysis alone; computer systems are therefore used to remove most of the hay before a human analyst looks at the remainder for signs of needles.

Malware Signatures

Just as police use mug shots to look for known criminals, network inspection systems use signatures to look for known attacks. Malware is made of 1s and 0s, so when you find a unique string of 1s and 0s in a piece of malware you can use it as a signature to look for that malware again. This has worked very well; however, malware writers now create polymorphic code, which changes its own bytes every time it copies itself while keeping the same behavior. It is constantly putting on a new disguise, making it harder and harder for the network police to recognize. Advances in pattern recognition, intelligent processing and inference are therefore required to build more intelligent network policemen.

Deep Packet Inspection

The more sophisticated defensive network inspection tools are deep packet inspection (DPI) systems. A signature-based IDS matches packet contents against known patterns and a flow-based one looks only at the netflow; DPI systems look more closely at the packets and at how they fit into known protocols.
This allows them to identify whether a traffic stream is encrypted, whether it is real time (e.g. audio/video), whether it is command-and-control traffic or just a web page. The purpose of a DPI system is to look at traffic streams and infer all the information it can about them (the metadata). Computers and networks operate according to known protocols and must follow them to communicate effectively, so a DPI system examines the traffic and identifies which protocol (language) the parties are speaking, where in the conversation they are, and who is talking. If the data is unencrypted it can also understand what is being said. The real power of DPI systems lies not just in understanding a conversation but in recording that information in a database and applying analytical techniques to look for patterns and anomalies. Due to the complexity and variability of the data, human analysis is almost always still required, so clever visualization and rendering applications are needed to help analysts identify what they are looking at.

Analyze Network Activity

Network monitors are the police force of a network, constantly watching activity for anything suspicious, such as late-night connections to servers in Russia or short, periodic encrypted transmissions to the same port numbers at different locations. Like a police force they are divided into two camps: those on the street looking for crime in progress, and those back in the office going over evidence looking for an attack in progress or analyzing a successful one.
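The following is an added example, not code from the paper, that puts the Malware Signatures and Deep Packet Inspection subsections above into working form. It classifies constructed packet payloads the way a DPI engine starts to: it recognizes an HTTP request and pulls out the Host header, parses a TLS ClientHello far enough to read the server name (SNI) even though the rest of the stream will be encrypted, and uses byte entropy to decide whether an unrecognized stream looks encrypted. It then shows the signature step and its weakness: a fixed byte signature finds the plain copy of a sample and misses the same sample after a trivial XOR re-encoding, which is the polymorphism problem. The sample payloads, the signature bytes and the entropy threshold are assumptions constructed for the example.

```python
"""
Added example, not from the paper: a small DPI-style classifier plus signature
scan over constructed packet payloads.  It recognises an HTTP request and pulls
out the Host, parses a TLS ClientHello far enough to read the server name (SNI),
uses byte entropy to decide whether an unrecognised stream looks encrypted, and
checks payloads for a fixed byte signature.  The sample payloads, the signature
and the entropy threshold are assumptions made up for the example.
"""
import math
from collections import Counter

# Assumed signature for a known dropper's command string (made up).
SIGNATURE = b"\xde\xad\xbe\xefCMD:DL "


def entropy(data):
    """Shannon entropy in bits per byte; ciphertext and compressed data sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def tls_sni(data):
    """Server name from a TLS ClientHello, or None if absent or not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:        # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                  # headers, version, random
        p += 1 + data[p]                                # session id
        p += 2 + int.from_bytes(data[p:p + 2], "big")   # cipher suites
        p += 1 + data[p]                                # compression methods
        end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(data[p:p + 2], "big")
            elen = int.from_bytes(data[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                              # server_name: list len, type, name len, name
                nlen = int.from_bytes(data[p + 3:p + 5], "big")
                return data[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def classify(payload):
    """Infer the protocol and the metadata a DPI system would record for one stream."""
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        host = None
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"protocol": "http", "host": host, "encrypted": False}
    if payload[:1] == b"\x16" and len(payload) > 5:
        return {"protocol": "tls", "sni": tls_sni(payload), "encrypted": True}
    return {"protocol": "unknown", "encrypted": entropy(payload) > 7.0}


def scan(payload, signature=SIGNATURE):
    """Signature match as a network IDS does it: the known bytes appear verbatim."""
    return signature in payload


def xor_repack(payload, key):
    """The polymorphic trick in its simplest form: same content, different bytes on the wire."""
    return bytes(b ^ key for b in payload)


def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello carrying one cipher suite and an SNI extension."""
    name = server_name.encode("ascii")
    sni = (b"\x00\x00" + (len(name) + 5).to_bytes(2, "big")
           + (len(name) + 3).to_bytes(2, "big") + b"\x00"
           + len(name).to_bytes(2, "big") + name)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(sni).to_bytes(2, "big") + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample payloads.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TLS_SAMPLE = build_client_hello("mail.example.net")
MALWARE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURE + b"http://198.51.100.23/x"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE, b"A" * 200, bytes(range(256)) * 2):
        print(classify(sample))
    print("signature hits plain copy:", scan(MALWARE_SAMPLE))
    print("signature hits XOR-repacked copy:", scan(xor_repack(MALWARE_SAMPLE, 0x5A)))
```

The SNI is the classic example of metadata that DPI recovers from an encrypted stream without breaking the encryption. The XOR case is deliberately crude: real polymorphic malware re-encrypts its body and varies the decoder stub, which is why detection moves from byte signatures towards the behavioral and flow-level indicators discussed in the next subsections.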

Situational Awareness

There is plenty of malware in existence that has yet to be classified and given a signature, and increasingly sophisticated malware for which signatures may never be produced. Instead of looking for exact pieces of malware, therefore, network activity analysis looks for signs or indications of the presence of malware and of who might be infected. This type of monitoring and analysis is mainly performed by artificial intelligence techniques, in practice statistical anomaly detection: they take large volumes of historical data, build a model of what is considered normal, and then look for instances where something abnormal happens, or where something normal fails to happen. This can be done at enterprise and carrier scale or at the scale of a single LAN or computer. As attacks and malware become more sophisticated, there is a corresponding increase in demand for, and innovation in, situational awareness systems. Because of the large and varied input these systems collect, they need a powerful database underneath and a powerful graphical interface to visualize the information for an analyst. Humans are still better than computers at spotting signs of malware, even if they are slower, so any situational awareness system will be judged on how easy and capable its viewing and manipulation tools are, not just on what it can detect and record.

There are three basic steps that every analyst follows when using a network analysis system: look for patterns and anomalies; investigate that information to decide whether it is an attack; and, if it is, find out how often it has occurred. This requires inspection of traffic, logging of information, and analysis of that information.
The inspection can look at the data being transmitted, the traffic flows, the protocols used, historical information, or any combination of them.

Test Network Security

So far we have discussed the protection and policing aspects of network cyber defense. These are based on current knowledge of attacks, attackers and defensive capabilities. However, the environment and the attack space evolve over time, so periodically you need to refresh that knowledge. Penetration testing provides a good way of reassessing your defensive capabilities and thus which attacks you are vulnerable to.

Black, Grey and White Hat Hackers

Within the cyber security community the terms hacker and hacking do not carry a malicious connotation; they describe an action or capability rather than an intention. Hacking is simply the manipulation of a system so that it performs an unanticipated or unspecified action. Performing unauthorized manipulation or destruction of a system is known as black hat hacking. Performing the same actions only when authorized (e.g. after being hired to test a system) is white hat hacking. Most hackers, however, are people who like solving puzzles and figuring out problems, and sometimes they end up hacking systems without authorization just to see if they can: unauthorized but non-malicious hacking, the grey hat hackers. In reality the majority of hackers are grey hats, with the exception of a few dedicated black hats.

Penetration Testing

Penetration testing is the act of deliberately trying to attack and defeat the network protections you have in place: a red team exercise against your own system. It is normally performed by experienced white or grey hat hackers, i.e. people who are very technical and adept at defeating cyber defenses. They typically have a toolkit of exploits that they run against your system, searching for the weak link in your armor.

Vulnerability Scanning

While penetration testing is very beneficial, it is neither feasible nor economical to perform continuously, and therefore vulnerability scanners are used. If penetration testing is pretending to be a burglar and trying to get into your house, vulnerability scanners are tools that go around and try all the doors and windows to see whether any are open. Vulnerability scanners are deployed on most enterprise systems so that misconfigurations and vulnerabilities are discovered as soon as possible. For instance, should an employee plug a Wi-Fi dongle into their computer so they can connect their laptop, the scanner should detect the presence of that device and promptly notify the administrator. Many of the checks that penetration testers run can then be rolled into the vulnerability scanning software to ensure that your system is not vulnerable to any known exploit.

The Exploit Wheel of Life

Not all vulnerabilities are known; in fact there are a great number of unknown or undisclosed vulnerabilities in existence. The reason many vulnerabilities remain undisclosed is that once they are disclosed they can be patched, and their worth diminishes. There is a large black market in undisclosed vulnerabilities, so companies such as Google try to combat it by offering rewards for any vulnerability in their software that is disclosed to them.
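For the Vulnerability Scanning subsection above, the following is an added example, not code from the paper, of the "try every door and window" step: a TCP connect scan over a port range, followed by a comparison with an approved-services policy so that an unexpected listener (the counterpart of the rogue Wi-Fi dongle) is reported, along with any approved service that has gone missing. To run offline it scans a throwaway listener it opens itself on localhost; the port range and the approved list are assumptions constructed for the example.

```python
"""
Added example, not from the paper: the "try every door" step of a vulnerability
scanner, a TCP connect scan, followed by a comparison with an assumed list of
approved services so that an unexpected listener (the equivalent of the rogue
Wi-Fi dongle) is reported.  The target is a throwaway listener the script opens on
localhost; the port range and the approved list are assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

APPROVED = {22, 443}      # assumed policy: the only services that should be listening


def port_open(host, port, timeout=0.25):
    """One door: a completed TCP connect means something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host, ports, workers=32):
    """Connect-scan the given ports in parallel; returns the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def compare_with_policy(open_ports, approved=APPROVED):
    """(unexpected listeners, approved services that were not found)."""
    found = set(open_ports)
    return sorted(found - approved), sorted(approved - found)


def start_listener(host="127.0.0.1"):
    """Stand-in service: a socket listening on an ephemeral port on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def demo():
    """Scan the ports around the stand-in listener and report against policy."""
    srv, port = start_listener()
    try:
        open_ports = scan("127.0.0.1", range(port - 5, port + 6))
    finally:
        srv.close()
    return port, open_ports, compare_with_policy(open_ports)


if __name__ == "__main__":
    port, open_ports, (unexpected, missing) = demo()
    print(f"listener on {port}; open ports in range: {open_ports}")
    print(f"unexpected listeners: {unexpected}; approved but not found: {missing}")
```

A real scanner follows the connect with banner grabbing and version checks, and the approved list comes from the asset inventory rather than a constant; a connect scan is also noisy, which is acceptable for your own network and is precisely what an IDS on that network should notice.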
Many top security researchers and hackers have their own private store of exploits they have discovered or been given, which they use as part of their penetration testing and research. The saying that it takes a thief to catch a thief is very apt here. Some of these exploits are simple, such as a software bug; others are more sophisticated, such as recovering part of an encryption key from the power consumption of a chip.

Virtual Task Forces and Information Exchanges

Most vulnerabilities do not exist in isolation: if a programmer made a mistake or used a faulty piece of code at one point in the software, chances are they made the same mistake elsewhere as well. Knowledge and understanding of the current wave of known-but-undisclosed vulnerabilities helps security researchers predict where more attacks of the same family are likely to strike. This is especially true of government researchers. Through their incident-response and intelligence arms such as US-CERT and the UK CPNI (as well as NSA/GCHQ), governments hold a toolbox of undisclosed vulnerabilities and situational awareness of attack vectors and families. Governments are therefore in a unique position to give industry advance knowledge of potential attacks and to help develop security patches and vulnerability scans that test whether they can be exploited. This distribution of known and potential vulnerabilities is normally done through an information exchange program such as a virtual task force.

Virtuous Cycle

Once an attack has been disclosed, the affected software vendor can review their code, understand the nature of the vulnerability and patch it so that it cannot be exploited in future. There is still a window between the creation of a patch and its deployment during which a system remains vulnerable, and not everyone installs security patches promptly, so security researchers develop automated tools that take advantage of those exploits and fold them into pen-testing and vulnerability scanning toolkits. Toolkits such as Metasploit automate many of these attacks and have easy-to-use interfaces, effectively allowing exploitation at the push of a button. The virtuous cycle of cyber security is:

1. Software is deployed with a vulnerability
2. The vulnerability is discovered
3. An exploit is developed to take advantage of that vulnerability
4. The vulnerability is disclosed (either by a researcher or through analysis of a successful attack)
5. A patch is developed and sporadically deployed
6. An automated exploit is developed and rolled into pen-test/vulnerability scanning software

The earlier you know and understand the nature of a vulnerability, the sooner you can deploy a test or an attack. The same is true of evolving styles of attack: if you can see where attackers are shifting their focus, you can shift your defenses and tests accordingly. This is why many of the top cyber security companies employ teams of security researchers and pen-testers; staying on top of new attacks allows them to develop better defenses.

[Diagram: the exploit cycle (Deployed, Discovered, Exploited, Disclosed, Patched), with Knowledge of Attacks (Pen-Test) and Knowledge of Defense (Vulnerability Scanners) feeding it]

Growth Figures

Given that we have broken the network cyber security market into segments, what are their sizes and growth rates?
Similar to the whole cyber security market, we can break the numbers obtained from Frost and Sullivan, Forrester, Accenture and Pike Research reports into these market areas (Diagram X). There
