Network security (Part II): Can we do a better job? Rattikorn Hewett Outline State of the practices Drawbacks and Issues A proposed alternative NSF SFS Workshop August 14-18, 2014 2 Computer Network Computer Network How can I secure this network? Network Administrator 3 4 1
State of the practices State of the practices 1) Admission Control 2) Data Control Encryption Verifying the identification of authorized users Encryption/Decryption of data to be transmitted 5 6 State of the practices State of the practices 3) Infection Control 4) Security Policy ftp http SMTP Virus protection, virus removal, and infection containment Firewall policy to protect unauthorized requests from outside the network 7 8 2
State of the practices State of the practices Common IT Security Setup Where is the weakness of this network to hack into? Where is the weakness of this network to hack into? Encryption Encryption Attacker Attacker Secure enough? What about IDS to detect intrusion? Network Administrator Network Administrator 9 10 State of the practices Outline 4) IDS (Intrusion Detection System) Encryption I will outsmart IDS with new tricks State of the practices Drawbacks and Issues A proposed alternative Attacker IDS monitors network activities and alerts when attack patterns are detected 11 12 3
Recaps current practices & drawbacks Other Issues.. Admission control, e.g., authentication Data control, e.g., encryption Infection control, e.g., anti-virus, virus removal/containment Security policy, e.g., firewalls, RBAC(role-based access control) à Most defend attack at entering points or prevent non-targeted spreading à What about targeted attacks in the network? Intrusion detection system (IDS) à Can t prevent attacks à Can t detect unfamiliar attacks à Requires resource for continuous monitoring Computer networks are unavoidably vulnerable as long as they have to provide services Network Vulnerabilities Network Configurations Ports & services enabled Exploitable errors in Implementation of Software Services Apache Chunked-Code on Apache web servers Buffer overflow on Windows XP SP2 operating environments TNS- Listener on Oracle software for database servers 13 14 Network Security Issues Network Security Issues Computer networks are vulnerable Apache Chunked-Code Buffer-Over flow Apache httpd version 1.3 through 1.3.24 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunkencoded HTTP request that causes Apache to use an incorrect size. Oracle TNS Listener Wu-ftpd SockPrintf Wu-ftpd restricted-gid CVE 2002-0392 Common Vulnerability & Exposure Computer networks are vulnerable Commercial scanners can only detect network vulnerabilities at individual points 15 16 4
Network Security: Issues Outline Computer networks are vulnerable Commercial scanners can only detect network vulnerabilities at individual points Current state of the practices Issues and drawbacks A proposed alternative Perfectly secure isolated services do not guarantee secure network of combined services 17 18 A preventative approach Security Model Generation Idea: Pre-determine all possible attacks from network vulnerabilities Use results to determine appropriate actions Network Vulnerabilities Security Model Configurations Generation Security Policy Prioritize critical path Model Select appropriate Analysis counter measures Attack Model: all possible chains of exploits (or exploitable vulnerabilities) Goal: To generate all possible attacks from network vulnerabilities CVE-1 CVE-3 Scanner CVE-1 CVE-2 CVE-4 Exploit CVE-1. Exploit CVE-3 Exploit CVE-4 Exploit CVE-2 Exploit CVE-1. All possible attacks Identify vulnerabilities of each computer in the network using a vulnerability scanner (e.g., Nessus, SAINT, OpenVAS) Apply all exploitable vulnerabilities for each attack state 19 20 5
Example of Simple Network Example of Simple Network Host A, access = 2 ap tns t 1 t 2 Scan the vulnerabilities ap t 1 Goal: root access tns t2 Exploit ap? Preconditions: Access on A 1 A & W are connected 21 22 Example of Simple Network Example of Simple Network Host A, access = 2 Host A, access = 2 ap t 1 tns t 2 exploit ap Host W access = 2 ap tns t 1 t 2 Exploit tns? Preconditions: Access on A 1 A & D are connected 23 24 6
Example of a simple network Complete Attack Model Can you finish the rest? Host A, access = 2 ap tns t 1 t 2 Exploit tns? t 1 Not exploitable Host W, access = 1 Goal: root access of a database server Attack Model shows all possible attack paths 25 26 A preventative approach Why model analysis? - Example Idea: Pre-determine all possible attacks from network vulnerabilities Use results to determine appropriate actions Network Vulnerabilities Security Model Configurations Generation Security Policy Prioritize critical path Model Select appropriate Analysis counter measures Attack Model: all possible chains of exploits (or exploitable vulnerabilities) How can we prevent attack to gain root access at IP2? v 3 = CVE-2004-0148 wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Counter-measure 1. Upgrade wu-ftpd to version > 2.6.2, OR 2. Replace wu-ftpd with other ftpd-service, OR 3. Stop providing ftpd-service at IP2 Root access to IP2 27 28 7
Why model analysis? - Example Issues How can we prevent attack to gain root access at IP2? Block v 3 into IP2 More. Block v 1 into IP2 The resulting attack models are huge even for a small network Root access at the attacker s machine How do we identify these blocks? How do we pick an appropriate block/counter measure? Which state to focus first, e.g., (IP1, 2) vs. (IP2, 1) Which is more likely to be attacked? Root access to IP2 Goal: Root access to IP2 How do we effectively analyze the huge attack model? 29 30 Attack Model Analysis Exploit-based Analysis To extract useful information from security model to protect the network Visualization Group similar nodes for display [Noel & Jajodia, 05] Manual, time-consuming Non-systematic Markov model-based Estimate likelihood of attack [Sheyner et al., 02; Mehta et al.,06; PageRank] None uses knowledge about networks Handle cyclic models Graph-based Minimisation analysis to block attack paths [Jha et al, 02] Automatic Limited to specific models Our approach Exploit-based analysis Use knowledge about exploitability Prioritizes attack points in an attack model based on the ease in exploiting their vulnerabilities Easy to exploit à High exploitability à High priority (for fixing) Approach Estimate a probability distribution of intrusion for each attack state To obtain its relative chance of being attacked using the knowledge about exploitability 31 32 8
Exploitability Exploitability Atomic level Exploitability of each vulnerability Access Vector Access Complexity E.g., remote, local E.g., low efforts to exploit E.g., no or single authentication Atomic level Exploitability of each vulnerability (degrees 1à 10) High exploitability à High vulnerability à Easy to exploit 33 34 Exploitability Markov Model Atomic level Exploitability of each vulnerability (degrees 1à 10) Global level Exploitability of attack states in the network topology à Based on Markov Model (Applied to PageRank) Approximates a probability distribution of dynamic behaviors randomly evolving to a stationary state à Define the probability of intrusion of each attack point recursively Markov Property: The probability distribution for the future network intrusion only depends on the current states à Repeat the computation until no change in the probability distribution approximation 35 36 9
Recurrence Equation Recurrence Equation h(u, v) = exploitability of exploits from state u to v r t (u) = probability of state u being attacked at time t d = probability that attackers continue attacking on a current path h(u, v) = exploitability of exploits from state u to v r t (u) = probability of state u being attacked at time t d = probability that attackers continue attacking on a current path If v is not an initial state Chance of continuing attack Chances of entering v Chances of exploitability of u to v v h(u,v) u If v is an initial state + Chance of entering v from all other states ExploitRank Algorithm 37 39 Center for (thus, Science & maintain Engineering of Cyber a user Security access level in a Whitacre victim College host), of Engineering and to 38 obtain a denial of service (thus, gain a root access level in the victim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their access permissions of a home directory via the ftp, which causes its service program, wu-ftpd to, instead, allow access of the root directory. We annotate each configuration of the network in Figure 4 with its corresponding vulnerabilities and their associated A simple labels. Illustration For example, IP2 has two vulnerabilities, namely CVE-2006-5794 (or v 1) and CVE-2004-0148 (or v 3). More details of these common standard vulnerabilities are described in [14, 17]. Although our approach can be applied to any form of a security model, in this study we use a host-centric attack graph model [5]. Suppose the goal of an attacker is to violate a security requirement. Based on the network configurations and the vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model as shown in Figure 5 a) by employing a model-checking tool such as NuSMV [4] as illustrated in [5]. Rank 5 Node Intrusion Likelihood S 0 0.1500 S 1 0.1287 S 2 0.1658 S 3 0.2548 S 4 0.3007 Rank 4 Center for Science & a) Engineering host-centric of Cyber attack Security graph b) exploit-based Whitacre College analysis of Engineering graph Fig. 5. Attack model analysis of the network in Figure 4. Each state is labeled by a tuple representing a host name and its access level obtained by an attacker. Thus, (Attacker, root) is an initial state since an attacker has a root access privilege on his own machine. The attacker s goal is to obtain a root access to IP2 and thus, (IP2, root) represents a goal state. As shown in Figure 5 b), we rename the states (Attacker, root), (IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s 0, s 1, s 2, s 3, and s 4, respectively. Table 2. Vulnerability and exploitability. Rank 3 Rank 1 3.9 Rank 2 40 Fig. 6. Normalized exploitab The model obtained in F normalized exploitability w rithm to estimate a probab state i to state j. The norma of the probabilities of all p one. For example, there ar to advance from state s 0, to ity values,, and, ristic value for exploiting v /( + + ) = 0.2. entry w ij = w(i, j) is shown in the algorithm is the seco fined in Equation (3). Table 3. Ranking r Applying the heuristics trank algorithm, the resu host-centric attack model a ble 3. We then apply Mehta not employ the exploitabilit shown in the second colum As shown in Table 3, th apply the heuristics is < s 4 and otherwise, 10 < s 4, s 3, s 0, s is applied (i.e., Mehta et al order of likelihood of intru ability. Both results sugge likelihood of being attack most vulnerable).
5 5 (thus, maintain a user access level in a victim host), and to (thus, maintain a user access level in a victim host), and to obtain a denial of service (thus, gain a root access level in the obtain a denial of service (thus, gain a root access level in the victim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their ac- victim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their access permissions of a home directory via the ftp, which causes cess permissions of a home directory via the ftp, which causes its service program, wu-ftpd to, instead, allow access of the its service program, wu-ftpd to, instead, allow access of the root directory. We annotate each configuration of the network Fig. 6. Normalized exploitability of the analysis graph in Figure 5 b) root directory. We annotate each configuration of the network Fig. 6. Normalized exploitability of the analysis graph in Figure 5 b) in Figure 4 with its corresponding vulnerabilities and their in Figure 4 with its corresponding vulnerabilities and their associated labels. For example, IP2 has two vulnerabilities, The model obtained in Figure 5 b) is useful in computing a associated labels. For example, IP2 has two vulnerabilities, The model obtained in Figure 5 b) is useful in computing a namely CVE-2006-5794 (or v namely CVE-2006-5794 (or v 1) and CVE-2004-0148 (or v 1) 3). normalized and CVE-2004-0148 exploitability (or w(i, v 3). normalized exploitability w(i, j) used in the ExploitRank algorithm to estimate a probability of advancing from attack in j) used in the ExploitRank algorithm More details of these common More details of these common standard vulnerabilities are standard to estimate vulnerabilities a probability are of advancing from attack in described in [14, 17]. state i to state j. The normalization is required so that the sum described in [14, 17]. Some Comparisons state i to state j. The normalization is required so that the sum Although our approach can be Although our approach can be applied to any form of a security model, in this study we use a host-centric attack graph one. use a For host-centric example, attack there are graph one. For example, there are three possible exploits applicable of applied the probabilities to any form of all of possible a security model, in this study we of the probabilities of all More possible complex attack transitions attack would model be attack transitions would be three possible exploits applicable model [5]. Suppose the goal of model [5]. Suppose the goal of In an Mehta attacker et is al.ʼs to violate approach a security requirement. Based on the network configurations and the ristic value for exploiting v to an advance attacker from is to violate state s 0, a to security requirement. Based on the ity network values configurations,, and, and respectively. the The normalized heu- to advance from state s states s 1, s 2 and s 3 with exploitabil- 0, to states s 1, s 2 and s 3 with exploitability values,, and, respectively. The normalized heu- vulnerabilities Each node has shown equal in chance Figure ristic 4, to we be value can attacked automatically for exploiting no use generate a host-centric attack model /( as shown + in Figure + ) 5 = a) 0.2. by em- A complete weight matrix, whose vof vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model as shown the degree in Figure of vulnerability 5 a) by em- exploitability entry w 2 from s 0 to s 1 can be computed as 2 from s 0 to s 1 can be computed as /( + + ) = 0.2. A complete weight matrix, whose entry w ij = w(i, j) is shown in Figure 6. Note ij = w(i, j) is shown in Figure 6. Note that in fact w(i, j) ploying a model-checking tool such as NuSMV [4] as illustrated in [5]. that in fact w(i, j) ploying a model-checking tool such as NuSMV [4] as illustrated in [5]. fined in Equation (3). in the algorithm is the second factor of the function g in the algorithm is the second factor of the function g t(v) defined in Equation Our Approach (3). t(v) de- Mehta et al.ʼs Approach Table 3. Ranking results on the attack model. From s0 () Table 3. Rank Ranking 5 results on the attack model. Rank 5 From s0-s3 (, ) Rank 3 Rank 4 From s0 From s0-s3 Rank 2 Rank 3 Rank 2 Rank 4 Rank 3 From s0 () Rank 2 Rank 1 From s0 3.9 3.9 From s0-s2 (, ) From s0-s2 From s0-s3 (, ) Rank 1 From s0-s3 Rank 1 Applying the heuristics obtained in Figure 6 to the ExploitRank algorithm, the results of ranking attack states in the Applying the heuristics obtained in Figure 6 to the ExploitRank More algorithm, exposures the + results of ranking attack states in the a) host-centric attack graph b) exploit-based analysis graph a) host-centric attack graph b) exploit-based analysis graph host-centric attack model are shown in the first column of Table 3. We then apply Mehta et al. s ranking approach that does host-centric attack model are shown in the first column of Table 3. We then apply Mehta et al. s ranking approach that does Fig. 5. Attack model analysis of the network More Fig. exposures 5. Attack model analysis of the network in Figure 4. in Figure 4. Easier exploit vulnerability Each state is labeled by a tuple Each state is labeled by a Center tuple for representing Science & Engineering a host of Cyber name Security and not representing employ the a exploitability host name and not employ the exploitability heuristic and obtain the results as heuristic and obtain the results as 41 its access level obtained by an its access level obtained by an attacker. Thus, (Attacker, root) shown attacker. in Thus, the second (Attacker, column root) shown in the second Center column for Science & of Engineering Table of 3. Cyber Security of Table 3. is an initial state since an attacker is an initial state since an attacker has a root access privilege As has shown a root in access Table privilege As shown in Table 3, the ranking result obtained when we 3, the ranking result obtained when we on his own machine. The attacker s goal is to obtain a root apply the heuristics is < s on his own machine. The attacker s goal is to obtain a root apply the heuristics is < s 4, s 3, s 2, s 0, s 1 > (i.e., our approach) 4, s 3, s 2, s 0, s 1 > (i.e., our approach) access to IP2 and thus, (IP2, root) represents a goal state. As and otherwise, < s access to IP2 and thus, (IP2, root) represents a goal state. As and otherwise, < s 4, s 3, s 0, s 1, s 2 > is obtained when no 4, s heuristic 3, s 0, s 1, s 2 > is obtained when no heuristic shown in Figure 5 b), we rename the states (Attacker, root), is applied (i.e., Mehta et al. s approach). The ranking is in the shown in Figure 5 b), we rename the states (Attacker, root), is applied (i.e., Mehta et al. s approach). The ranking is in the (IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s (IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s 0, s 1, s 0, s 1, s 2, order of likelihood of intrusion based on vulnerability exploitability. Both results suggest that s s 2, order of likelihood of intrusion based on vulnerability exploitability. Both results suggest that s 4 has the highest (relative) 4 has the highest (relative) s 3, and s 4, respectively. 3, and s 4, respectively. likelihood of being attacked (i.e., highest exploitability and Conclusions Table 2. Vulnerability likelihood and exploitability. of being attacked (i.e., highest exploitability and References Table 2. Vulnerability and exploitability. most vulnerable). most vulnerable). To further compare the ranking results, if we ignore s To further compare the ranking results, if we ignore s 0 in 0 in both ranking lists, both ranking orders generally agree except both ranking lists, both ranking orders generally agree except a conflicting case of ranking order between s a conflicting case of ranking order between s 1 and s 2. Consider 1 and s 2. Consider Current state of security practices help guard against Hewett, R.; Kijsanayothin, P., Host-Centric Model Checking for Network Vulnerability attackers from the initial attackers from the initial Analysis, state. Computer As Security shown Applications in Figure Conference, 5 b), 2008. to ACSAC 2008. Annual, illegitimate network entry access state. As shown in Figure 5 b), to reach state s reach state s 1 (e.g., from s 0, s 2 or s 3) requires exploiting 1 (e.g., vol., from no., spp.225,234, vulnerability 0, s 2 or s8-12 3) requires Dec, 2008, exploiting doi: 10.1109/ACSAC.2008.15 vulnerability v Table network 2 shows intrusion the and exploitability network Table 2 shows the exploitability computed for each of the infection computed v 2, whereas for each to of reach the state s 2 (e.g., from 2, whereas Kijsanayothin, to reach P.; state Hewett, s s 0 or s 3) requires 2 R., (e.g., Analytical from Approach s 0 or sto 3) Attack requires exploiting vulnerability Graph Analysis for relevant vulnerabilities obtained relevant vulnerabilities obtained from publically known CVSS from exploiting publically known vulnerability CVSS Network Security, v Availability, v 1. However, according to the 1. However, Reliability, according and Security, to the 2010. ARES '10 International BUT attackers can still attack the network by exploiting as described in previous sectionbased as described in previous sectionbased on heuristic values in CVSS standard, on heuristic since values exploitability(v in CVSS standard, since Conference exploitability(v on, vol., no., pp.25,32, 1) = but exploitability(v 2) =, attack v 1 is graph 1) = 15-18 but Feb, exploitability(v 2010, doi: 10.1109/ARES.2010.21 Table network 2, we vulnerabilities obtained the corresponding (due to configuration Table 2, we obtained the corresponding attack graph for analysis as shown in Figure 5 b), where we replace the state transi- be easier we replace to reach the s 2. state For transi- be easier to reach s or software Noel, S.; Jajodia, S., Understanding complex network attack graphs through more for vulnerable analysis errors) as shown in Figure 5 b), where than 2) =, v v 2. Therefore, 1 is more vulnerable than v it should 2. Therefore, it should clustered adjacency matrices, Computer Security Applications Conference, 21st example, from initial state 2. For example, from initial state s 0, Annual reaching sby 2 requires corresponding v 1 exploit exploitaing s, vol., no., pp.10 pp.,169, 5-9 Dec, 2005, 0, doi: reach- 10.1109/CSAC.2005.58 tions of the vulnerability exploits tions of the vulnerability exploits by corresponding exploitability values in Table 2. v 1 and v 1 exploits to reach s 1. Therefore, 1 and v compared to a 2 requires v v 2 exploit or 1 exploit compared to a v a chain of 2 exploit a chain of One remedy is to aim to prevent critical possible attacks Jha, S., O. Sheyner, and J. Wing, Two formal analysis of attack graphs, in CSFW bility values in Table 2. v s 1 exploits to reach s 2 should rank '02: higher Proceedings 1. Therefore, of the 15th IEEE s 2 should workshop rank on Computer higher Security Foundations. from these vulnerabilities (not just entry points) than s than s 1. This intuitive reasoning conforms 1. This intuitive Washington, reasoning DC, conforms USA: IEEE Computer to our Society, ranking p. 49, order 2002. to our ranking order We give an example of how Mehta, V., C. Bartzis, H. Zhu, E. M. Clarke, and J. M. Wing, Ranking attack graphs, in Recent Advances in Intrusion Detection, pp. 127-144, 2006. Attack model can be automatically constructed and Schiffman, Cisco CIAG, A Complete Guide to the Common Vulnerability Scoring used for security management System (CVSS), Forum Incident Response and Security Teams (http://www.first.org/) Sheyner, O., J. Haines, S. Jha, R. Lippmann, and J. Wing, Automated generation This helps address scalability of network protection and analysis of attack graphs, Proc. of the IEEE Symposium on Security and Privacy, pp. 273-284, 2002. 42 43 44 11