From Perimetral Defense to Immune Systems: Protecting the National Cyber Space

Transcription

1 From Perimetral Defense to Immune Systems: Protecting the National Cyber Space Roberto Baldoni Singapore 20 November 2014 The 20th Pacific Rim Conference on Dependable Computing (PRDC 2014)

2 SENSITIVE ECONOMIC SECTORS TO CYBER THREATS

3 Sensitive economic sectors to cyber threats Cyber space Efficiency Productivity in the close future the economic prosperity of a country will be measured according to the degree of security of its cyberspace

4 Cyber space and economic growth Top economic driver for a nation 1-2% GDP for each 10% of connected citizen (WEF) internet Digitalizing primary services internet internet Denial of service Cyber Crime Weak Supply chain Inherent fragility of complex systems

5 Cyber Attacks Business continuity Peaks of thousands attacks per hour Attacks on evenings and weekends internet internet internet In cyber space is always emergency! Asymmetry increasingly powerful, simple and inexpensive tools difficulty to attribute

6

7

8 «Security and development are an inseparable binomial» «New threats are emerging to the economy to the finance, to the energy market» 6 March 2013 We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems 2 February 2013

9 6 March 2013 «Security and development are an inseparable binomial» «New threats are emerging to the economy to the finance, to the energy market» A nation cannot be an open book for foreign countries. It will impact domestic wealth, personal freedom and national security We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems 2 February 2013

10 National Cyber Security Strategies Cyber security is a national security issue Risk of balkanization of the Internet..constructing submarine cables that do not route through the US, building internet exchange points in Brazil, creating an encrypted service through the state postal service and having Facebook, Google and other companies store data by Brazilians on servers in Brazil.. Dilma Roussef (President of Brazil)

11 National Cyber Security Strategies Cyber security is a national security issue Risk of balkanization of the Internet..constructing submarine cables that do not route through the US, building internet exchange points in Brazil, creating an encrypted service through the state postal service and having Facebook, Google and other companies store data by Brazilians on servers in Brazil.. Dilma Roussef (President of Brazil)

12 THE ADVERSARY

13 Who is behind the cyber threat Till 2004 today CONFIKER DUQU BLASTER GAUSS STUXNET ZEUS Flame MIRAGE I LOVE YOU Virus APT, Malware

14 I LOVE YOU NACHI SLAMMER BLASTER SASSER ZEUS CONFIKER STUXNET DUQU/GAUSS Flame/MIRAGE Cyber Weapon precision Precision and Damages Cyber espionage plus logic bomb Damages caused by cyber weapons

15 Stuxnet Geography Target: SIEMENS Scada Systems slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes to destroy the machine Gauss Geography Target: Lebanon Banks surveillance tool used to monitor accounts and money flow.

16 Cyber Espionage - Cyber Weapons internet vulnerability internet internet malware

17 Cyber Espionage - Cyber Weapons internet vulnerability internet internet Vulnerabilities patents sensitive government information sensitive industrial information etc.

18 Adversary Levels of expertise Available resources Objectives Attack vectors Behaviour

19 Advanced Persistent Threats sophisticated levels of expertise significant resources Objectives (footholds within the information technology infrastructure of the targeted organizations) exfiltrating information undermining or impeding critical aspects of a mission, program, or organization positioning itself to carry out these objectives in the future multiple attack vectors behavior 1. pursue its objectives repeatedly over an extended period of time; 2. adapt to defenders efforts to resist it 3. determined to maintain the level of interaction needed to execute its objectives.

20 GOVERNMENTS AND CYBER THREATS

21 Towards a Cyber Security National Strategy CERT Public Private Information Sharing Law enforcement Adequate response measures Improve preparadeness internet internet internet Early warning system Cyber Intelligence vulnerability Cyber security education Research and Development Grow of security experts

22

23 Complex Implementation Problematic voluntary adoption plan 14 Feb 2013 Google, Apple and Microsoft may be exempt from Obama s cybersecurity order Obama s Cybersecurity Order Exempts Software 5 March 2013

24 Complex Implementation

25 implementation Italian Framework for cyber security

26 DPCM 23/1/2013 Ministry Economic and Finance Ministry of Justice Ministry of Foreign Affairs MoI Military Advisor Cyber Security Office ISCOM National CERT Prime Minister Interministerial Committee for the Security of the Italian Republic (CISR) NISP (Interministerial Committee of cyber crysis) Intelligence Dept. aisi Presidency of ministers council Coordination committee aise Ministry Economic Development CNAIPIC MoD MoD CERT ULS ULS PA CERT ULS ULS Agid Private Organizations

27 Established May 2014, operative Sept 2014 Structuring, orchestrating and orienting Italian academic excellence in Cyber-Security (e.g., cryptography, dependability, information security, hardware security, malware analysis, CIP, risk management, intelligence etc.) Take advantage of presence of sites with specific research footprints and of spreading through Italy Deploying Education and Awareness actions over the Italian territory

28 THE IMMUNE SYSTEM

29

30 Protecting an Information system Do three basic things: 1. continuously detecting and fighting intruders, 2. continuing to deliver digital services (also when an infection is spreading) 3. preventing new intruders to get into the cyber space

31 System Skin (firewall, network technologies, antivirus etc) Network traffic analysis, sandboxing, IPS/IDS, Event correlation Ext Intruder attacks Symptoms /pathogens injecting Insider vulnerability Activation fault failure system Reconaissance and spreading phase Network/system anomalies generated by the action of malware Network/system Anomalies generated by the fault Prevention techniques Vulnerability prevention Cyber intelligence User Security Training & Controls Information Sharing (CERT, ISAC etc) Quantifying Risks CVSS Framework adoption Post mortem analysis forensics anatomy dissection..

32 System Skin (firewall, network technologies, antivirus etc) Network traffic analysis, sandboxing, IPS/IDS, Event correlation Ext Intruder attacks Symptoms /pathogens injecting Insider vulnerability Activation fault failure system Reconaissance and spreading phase Network/system anomalies generated by the action of malware Network/system Anomalies generated by the fault Prevention techniques Vulnerability prevention Cyber intelligence User Security Training & Controls Information Sharing (CERT, ISAC etc) Quantifying Risks CVSS Framework adoption Post mortem analysis forensics anatomy dissection

33 System Skin (firewall, network technologies, antivirus etc) Network traffic analysis, sandboxing, IPS/IDS, Event correlation Ext Intruder attacks Symptoms /pathogens injecting Insider vulnerability Activation fault failure system Reconaissance and spreading phase Network/system anomalies generated by the action of malware Network/system Anomalies generated by the fault Prevention techniques Vulnerability prevention Cyber intelligence User Security Training & Controls Information Sharing (CERT, ISAC etc) Quantifying Risks CVSS Framework adoption Post mortem analysis forensics anatomy dissection

34 Dependability Perspective Ext Intruder attacks Symptoms /pathogens injecting Insider vulnerability Activation fault failure system Reconaissance and spreading phase Network/system anomalies generated by the action of malware Network/system Anomalies generated by the fault Dependability Techniques e.g. Model checking Software Verification Modelling Dependability hardware Intrusion Tolerance Software Rejuvination Byzantine tolerant systems Replication Failure management Failure Prediction Fault injection

35 PROJECTS AT CIS SAPIENZA RESEARCH CENTERS

36 Projects at CIS-SAPIENZA RESEARCH CENTER (for a complete list see ) Malware Analysis Open Source Intelligence Failure Prediction Anonymous networks Byzantine resilient protocols Complex Event processing (semi) Automatic reaction to cyber attacks

37 Failure Prediction Black-box non-intrusive failure prediction and monitoring in complex datacenters Finding anomalous patterns through network and power consumption monitoring

38 19/05 20/05 21/05 22/05 23/05 24/05 25/05 26/05 27/05 28/05 Scostamento da risultati (%) 29/05 30/05 Cluster dimension (%) Open Source Intellegence 60 Cluster0 - M5S Cluster2 - FI Cluster3 - PD 50 European Election in Italy 26/5/2014 8,0% 5,5% 40 6,0% 4,9% Analyzed from 1/5/2014 to 30/5/2014 about 4,0% 3,5% 30 2,2% tweets with relevant hashtag 20 more than 100 twitter more 0,0% active accounts -2,0% 10Political article comments of the main 2,0% -4,0% 0,9% -2,8% PD M5S FI 1,0% 3,0% 2,8% 2,6% Italian newspapers -5,0% 0-6,0% -8,0% -10,0% -6,4% -6,1% -7,0% -7,7% Dataset IPR Agorà EMG IPSOS

39 Malware Analysis Collaborative malware detection complementary to sandboxing systems AMICO a novel system for measuring and detecting malware downloads in live web traffic Distinguish between malware and benign file downloads Creating provenance classifier that can accurately detect future malware downloads based on information about where the downloads originated from

40 How many vulnerabilities do we have in a critical infrastructure of a country? Thousands-millions known vulnerabilities (at different severity level) Possibly millions of device installed and deployed over a large territory Sometimes impossible to patch (it could risk to stop delivering the service), thus vulnerability removal has to be carefully planned, economically substainable and takes long time

41 Conclusions The protection of a cyber space is a National priority if the Nation wishes keeping (or increasing) its economy and wealth Cyber security is a multidisciplinary discipline (also within computer science areas) Dependability community has to play a fundamental role in making our cyber space a safe place

42