
Page 1: Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke

Active Response

Sergio Caltagirone

Master’s Thesis Defense

May 9, 2005

Major Professor: Deb Frincke


A Little Background…

Clifford Stoll v. German Hackers (1986)
– C. Stoll, "Stalking the Wily Hacker," Communications of the ACM, vol. 31, no. 5, May 1988, pp. 484-497.

DoD v. Electronic Disturbance Theater (1998)
– http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/

Conxion v. E-Hippies (2000)
– http://www.nwfusion.com/research/2000/0529feat2.html

FBI v. Russian Hackers (2001) a.k.a. 'Invita' Case
– http://www.wired.com/news/politics/0,1283,47650,00.htm


Where We’re At…

Design → Protect → Detect → ? → Forensics


Where We Want To Be…

Design → Protect → Detect → Respond → Forensics


Why?

Response is not a choice…
– Insufficient protection on imperfect systems
– A policy is necessary (even if not utilized)
– Vulnerable systems
  – Air Traffic Control http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/
  – SCADA Systems http://www.securityfocus.com/news/6767


Research Question

Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?


Research Goals

Framework for Discussion
– Definition
– Taxonomy
– Summary of Challenges

ADAM
– Response Model
– Decision Model
– Algorithm

Example
– Evolutionary Implementation


Elements of a Definition

Time Bound
– Before an attack is not active response; after an attack is forensics
– Self-defense: Necessity/Imminence, Proportionality

Technologically Independent
– Humans and computers can respond

Purposeful
– Not for retribution or revenge, but to return to a previous secure state


Definition of Active Response

Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat's negative effects upon a particular asset set.

"Active" does not modify "response"; it describes the state of the attack.


Taxonomy of Actions

8 Types
– No Action
– Internal Notification
– Internal Response
– External Cooperative Response
– Non-cooperative Intelligence Gathering
– Non-cooperative 'Cease and Desist'
– Counter-Strike
– Preemptive Defense


No Action

Under attack, conscious decision to take no action


Internal Notification

Contact Administrators
Contact CTO, CEO, CISO
Contact Users


Internal Response

Write Firewall Rules (firewall signaling)
– Block an IP, a range of IPs, or specific ports

Strategic Segmentation/Disconnection
– NAT, change subnets, re-address, remove port

Drop Connections
– TCP RST packet to client AND server
– For UDP, use ICMP (port, host, network unreachable)
– Unreliable: a RST is only honoured when its sequence number falls inside the receiver's window (it must come in sequence)
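The "drop connections" item above is the one mechanism in this slide a responder can get wrong silently, so here is an added example (not part of the thesis) that builds the two RST segments a mid-path responder would inject, one towards each end of the connection, and applies the receiver-side acceptance rule that decides whether the RST is honoured. The addresses, ports and sequence numbers are constructed; nothing is put on the wire, and sending would need a raw socket and the sequence numbers observed by the IDS.

```python
"""
Build TCP RST segments for an observed connection and check the receiver's
in-window rule. Added example; all endpoints and sequence numbers are constructed.
"""
import socket
import struct

TCP_RST = 0x04
TCP_ACK = 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack=None):
    """IPv4 header + 20-byte TCP header carrying RST (RST|ACK when ack is given)."""
    flags = TCP_RST | (TCP_ACK if ack is not None else 0)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack or 0, 5 << 4, flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp(packet):
    """Decode the fields a receiver looks at and re-verify the TCP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, 6, len(tcp))
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "checksum_ok": _checksum(pseudo + tcp) == 0}


def rst_accepted(seg_seq, rcv_nxt, rcv_wnd, strict=False):
    """Will the receiver act on a RST carrying seg_seq?
    RFC 793: yes when RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (modulo 2**32).
    RFC 5961 (strict, modern stacks): only SEG.SEQ == RCV.NXT resets at once;
    an in-window but inexact RST only draws a challenge ACK."""
    offset = (seg_seq - rcv_nxt) & 0xFFFFFFFF
    if strict or rcv_wnd == 0:
        return offset == 0
    return offset < rcv_wnd


def rst_pair(client, server, client_next_seq, server_next_seq):
    """Both segments needed to tear a connection down from the middle: one spoofed
    from the client towards the server and one from the server towards the client,
    each carrying the sequence number that peer expects next (RCV.NXT)."""
    c_ip, c_port = client
    s_ip, s_port = server
    return {"to_server": build_rst(c_ip, s_ip, c_port, s_port, client_next_seq),
            "to_client": build_rst(s_ip, c_ip, s_port, c_port, server_next_seq)}


if __name__ == "__main__":
    pair = rst_pair(("203.0.113.7", 51512), ("10.0.0.5", 443), 1000, 5000)
    for name, pkt in pair.items():
        print(name, parse_tcp(pkt))
    print("in-window, classic:", rst_accepted(1500, 1000, 65535))
    print("in-window, RFC 5961:", rst_accepted(1500, 1000, 65535, strict=True))
```

The strict check is the practical caveat behind "must come in sequence": against a stack that implements RFC 5961, a RST that is merely in-window no longer drops the connection, so a responder that cannot see the exact next sequence number for each direction should expect the injection to fail silently.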


External Cooperative Response

Contact CERT, FBI, Secret Service, local police, upstream ISPs
– DShield
– Symantec


Non-Cooperative Intelligence Gathering

Direct attacker to honeynet/honeypot
Use tools to determine identity of attacker
– Ping, finger, traceroute, LSRR packets


Non-Cooperative ‘Cease and Desist’

Use tools to disable harmful services without affecting usability
– University scenario
– Zombie Zapper by BindView


Counter-Strike

Active Counter-Strike (direct action)
– Worm focusing only on the attacker IP, or one that traces back the attack and reports
– Straight hack-back

Passive Counter-Strike (cyber aikido)
– Footprinting strike-back (DNS): send endless data, or bad data for illegitimate names (brute-force guessing, e.g. of defense networks); answer illegitimate requests with SQL or bad data
– Network recon strike-back: traceroute probes (ICMP "TTL Expired") receive replies from spoofed random addresses, creating any network we want


Preemptive Defense

Conxion vs. E-Hippies
– Traffic redirection

DoD vs. Electronic Disturbance Theater
– Killer applet


Challenges of Active Response

Legal
– Civil, Criminal, Domestic, International

Ethical
– Teleological, Deontological

Technical
– Traceback, Reliable IDS, Confidence Value, Real Time

Risk Analysis
– Can ethical and legal risk be measured effectively?

Unintended Consequences
– Attacker Action, Collateral Damage, Own Resources


Research Goals

Framework for Discussion
– Definition
– Taxonomy
– Summary of Challenges

ADAM
– Response Model
– Decision Model
– Algorithm

Example
– Evolutionary Implementation


Goals of ADAM

Provide a generalizable, extendable model for any organization
– Completely model the risk of the threat and of AD actions
– Find the appropriate active defense solution for the threat: maximize benefit, minimize risk
– Allow for automation
– Provide legal (and ethical) due diligence


Response Process Model

Decision Model

[Diagram on the slide; its labelled components: AR Policy, Escalation Ladder, Asset Identification, Asset Evaluation, Threat Identification, Risk Identification, Goal Identification, Action Identification, Action Evaluation, Risk Identification, Utility Modifier, Success Ordering, Decision Set, Scoring Chart]


Algorithm

A pragmatic and implementable description of the process and decision model

Illustrates the use of the decision model within the process of response


Solutions Provided by ADAM

Ethicalness
– Incorporates teleological and deontological ethical concerns

Legal
– No precedent: minimal force, proportional force, immediate threat

Unintended Consequences
– Statistical measure of confidence in an action performing as expected (if confidence values are provided by the IDS)

Risk Valuation
– Provides statistical bounds for potential risk (if confidence values are provided by the IDS)
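To make the "maximize benefit, minimize risk" and "statistical bounds" points concrete, here is an added example of a scoring pass over the taxonomy. It is a hypothetical scheme written for this page, not ADAM's own formula, which the slides do not give: each candidate action is weighted by the IDS confidence that the alert is genuine, filtered by an escalation-ladder policy (the taxonomy type number is used as the rung) and by a worst-case risk ceiling evaluated over a confidence interval, and the survivors are returned as an ordered decision set. Every number in the candidate list is constructed for illustration.

```python
"""
Hypothetical decision scoring over the active response taxonomy.
Added example, not the thesis's model; all values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    rung: int              # taxonomy type 0 (No Action) .. 7 (Preemptive Defense)
    benefit: float         # threat impact removed if the alert is genuine
    risk_if_true: float    # legal/technical/collateral cost when the attack is real
    risk_if_false: float   # cost when the IDS alert was a false positive


# Constructed candidates (assumption); rungs follow the taxonomy on the earlier slides.
CANDIDATES = [
    Action("No Action", 0, 0.0, 8.0, 0.0),                   # inaction lets a real attack run
    Action("Contact Administrator", 1, 2.0, 1.0, 0.1),
    Action("Filter IP at firewall", 2, 6.0, 1.0, 3.0),       # a false positive cuts off a user
    Action("Ask ISP to Shut-off Attack", 3, 5.0, 2.0, 4.0),
    Action("Use Traceback", 4, 3.0, 3.0, 5.0),
    Action("Attempt to Hack Attacker", 6, 9.0, 20.0, 40.0),  # legal exposure dominates
]


def expected_risk(action, confidence):
    """Risk carried by the action when the alert is genuine with probability `confidence`."""
    return confidence * action.risk_if_true + (1.0 - confidence) * action.risk_if_false


def expected_utility(action, confidence):
    """Benefit is only realised when the alert is genuine; risk is paid either way."""
    return confidence * action.benefit - expected_risk(action, confidence)


def risk_bounds(action, confidence, margin):
    """Risk interval over confidence +/- margin: the statistical bound on potential risk."""
    lo, hi = max(0.0, confidence - margin), min(1.0, confidence + margin)
    risks = (expected_risk(action, lo), expected_risk(action, hi))
    return min(risks), max(risks)


def decide(candidates, confidence, max_rung, risk_ceiling, margin=0.1):
    """Decision set: actions the policy allows (rung <= max_rung) whose worst-case
    risk stays under the ceiling, ordered by expected utility, best first."""
    scored = []
    for action in candidates:
        if action.rung > max_rung:
            continue
        _, worst = risk_bounds(action, confidence, margin)
        if worst > risk_ceiling:
            continue
        scored.append((expected_utility(action, confidence), action))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [action for _, action in scored]


if __name__ == "__main__":
    for conf in (0.3, 0.9):
        chosen = decide(CANDIDATES, conf, max_rung=3, risk_ceiling=5.0)
        print(conf, [(a.name, round(expected_utility(a, conf), 2)) for a in chosen])
```

Two things fall out of running it that the slide only states: at low confidence the internal notification outranks the firewall filter, because the collateral cost of a false positive is paid with probability 1 minus confidence; and "No Action" is not a free default, since its worst-case risk under a genuine attack exceeds the ceiling and it drops out of the decision set, which is the slide's point that inaction is itself a response.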


Research Goals

Framework for Discussion
– Definition
– Taxonomy
– Summary of Challenges

ADAM
– Response Model
– Decision Model
– Algorithm

Example
– Evolutionary Implementation


Evolutionary Model

Competitive Co-Evolution
– Genetic Algorithm: uses biologically inspired operators (crossover, mutation, gene, chromosome, populations); searches for global maxima or minima of a fitness function / value
– Two competing populations, co-evolving: Attackers / Defenders
– Game-based fitness: risk assumed by defenders

Evolutionary Model

Paradigm                     Generational
# of Populations             2
Population Size              60
# of Trials                  100
Parental Selection           Tournament
Elitism                      Top 2
Mutation Type                Uniform Random Replacement
Mutation Rate                1/n
Crossover Type               2 point
Crossover Probability        100%
# of Actions in Chromosome   8
# Initial Actions            4
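The parameter table above is enough to reproduce the shape of the experiment, so here is an added example (not the thesis's code) of competitive co-evolution between a defender and an attacker population using exactly those settings: generational replacement, two populations of 60, tournament parent selection, top-2 elitism, uniform random replacement mutation at rate 1/n, 2-point crossover with probability 100%, chromosomes of 8 actions of which 4 are initially non-null. The slides describe the fitness only as the risk assumed by defenders, so the damage, cost and mitigation numbers below are constructed stand-ins, as is the choice to score each member against a sample of 10 opponents.

```python
"""
Competitive co-evolution of defender and attacker action sequences.
Added example; the game payoff is constructed, not the thesis's.
"""
import random

DEFENSE_ACTIONS = ["Null Action", "Contact Administrator", "Contact Chief Technology Officer",
                   "Shutdown port at firewall", "Filter IP at firewall", "Shutdown Server",
                   "Send TCP RST Packet", "Ask ISP to Shut-off Attack", "Contact FBI",
                   "Use Traceback", "Send Virus Against IP", "Initiate DoS Against IP",
                   "Attempt to Hack Attacker"]
ATTACK_ACTIONS = ["Null Action", "Spoof IP Address", "Port Scan the Server", "Ping the Server",
                  "DoS the Server", "DDoS the Server w/ Zombies", "Poison DNS",
                  "Hack Server, Install Backdoor", "Hack Server, Download Records",
                  "Hack Server, Change Records", "Send Virus Against Server"]

# Parameters from the slide table.
POP_SIZE, CHROMOSOME_LEN, INITIAL_ACTIONS, ELITE = 60, 8, 4, 2
MUTATION_RATE = 1.0 / CHROMOSOME_LEN   # uniform random replacement at rate 1/n
OPPONENT_SAMPLE = 10                   # assumption: opponents sampled per fitness evaluation

# Constructed game (assumption): damage of an unmitigated attack, what each defence costs
# the defender (availability, legal exposure), and which attacks a defence neutralises when
# played at the same position. Ordering effects (spoofing defeating an IP filter) are ignored.
ATTACK_DAMAGE = [0, 1, 1, 0.5, 6, 9, 5, 8, 8, 10, 7]
DEFENSE_COST = [0, 0.2, 0.3, 1.0, 0.5, 4.0, 0.5, 0.8, 1.0, 1.5, 20, 15, 25]
MITIGATES = {3: {2, 4, 7, 8, 9}, 4: {2, 3, 4, 6, 7, 8, 9, 10}, 5: set(range(1, 11)),
             6: {7, 8, 9}, 7: {4, 5}, 10: {5}, 11: {5}, 12: {7, 8, 9}}


def engagement_risk(defense, attack):
    """Risk the defender assumes over one engagement; defenders minimise, attackers maximise."""
    risk = 0.0
    for d, a in zip(defense, attack):
        risk += DEFENSE_COST[d]
        if a not in MITIGATES.get(d, ()):
            risk += ATTACK_DAMAGE[a]
    return risk


def initial_population(n_actions, rng=random):
    """Four random initial actions followed by Null Actions, as on the slide."""
    return [[rng.randrange(n_actions) for _ in range(INITIAL_ACTIONS)]
            + [0] * (CHROMOSOME_LEN - INITIAL_ACTIONS) for _ in range(POP_SIZE)]


def tournament(pop, scores, minimise, rng=random):
    i, j = rng.randrange(len(pop)), rng.randrange(len(pop))
    i_wins = scores[i] <= scores[j] if minimise else scores[i] >= scores[j]
    return pop[i] if i_wins else pop[j]


def two_point_crossover(a, b, rng=random):
    p1, p2 = sorted(rng.sample(range(1, len(a)), 2))
    return a[:p1] + b[p1:p2] + a[p2:], b[:p1] + a[p1:p2] + b[p2:]


def mutate(chrom, n_actions, rate=MUTATION_RATE, rng=random):
    return [rng.randrange(n_actions) if rng.random() < rate else g for g in chrom]


def next_generation(pop, scores, n_actions, minimise, rng=random):
    """Generational replacement: top-2 elitism, tournament parents, crossover always applied."""
    ranked = sorted(range(len(pop)), key=lambda i: scores[i], reverse=not minimise)
    new = [list(pop[i]) for i in ranked[:ELITE]]
    while len(new) < POP_SIZE:
        c1, c2 = two_point_crossover(tournament(pop, scores, minimise, rng),
                                     tournament(pop, scores, minimise, rng), rng)
        new.append(mutate(c1, n_actions, rng=rng))
        if len(new) < POP_SIZE:
            new.append(mutate(c2, n_actions, rng=rng))
    return new


def evaluate(pop, opponents, as_defender, rng=random):
    """Mean engagement risk of each member against a sample of the opposing population."""
    scores = []
    for member in pop:
        sample = rng.sample(opponents, OPPONENT_SAMPLE)
        risks = [engagement_risk(member, o) if as_defender else engagement_risk(o, member)
                 for o in sample]
        scores.append(sum(risks) / len(risks))
    return scores


def coevolve(generations=100, seed=2005):
    """Evolve both populations together; returns (defenders, attackers)."""
    rng = random.Random(seed)
    defenders = initial_population(len(DEFENSE_ACTIONS), rng)
    attackers = initial_population(len(ATTACK_ACTIONS), rng)
    for _ in range(generations):
        d_scores = evaluate(defenders, attackers, True, rng)
        a_scores = evaluate(attackers, defenders, False, rng)
        defenders = next_generation(defenders, d_scores, len(DEFENSE_ACTIONS), True, rng)
        attackers = next_generation(attackers, a_scores, len(ATTACK_ACTIONS), False, rng)
    return defenders, attackers


def position_counts(pop, names):
    """Action frequency per chromosome position, the layout of the result tables that follow."""
    counts = [dict.fromkeys(names, 0) for _ in range(CHROMOSOME_LEN)]
    for chrom in pop:
        for pos, gene in enumerate(chrom):
            counts[pos][names[gene]] += 1
    return counts


if __name__ == "__main__":
    defenders, attackers = coevolve()
    for pos, col in enumerate(position_counts(defenders, DEFENSE_ACTIONS)):
        print(pos, max(col, key=col.get), col[max(col, key=col.get)])
```

The slide's result tables count, per position, which action the evolved defender (or attacker) used across the 100 trials; `position_counts` produces the same layout for one run's final population. With the constructed payoff the counter-strike actions carry a cost no mitigation can repay, so they never survive selection, which is the same pattern the thesis reports for "Send Virus", "Initiate DoS" and "Attempt to Hack".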

Evolutionary Model (Defender)

How often each defense action occupied each of the 8 chromosome positions (each column sums to 100, matching the 100 trials):

Defense action                      Position:  0   1   2   3   4   5   6   7
Null Action                                   58  58  57  48  57  53  50  52
Contact Administrator                          8   2   5   6   6  10   5   5
Contact Chief Technology Officer               3   2   2   6   9   5   7   9
Shutdown port at firewall                      0   0   0   0   0   0   0   0
Filter IP at firewall                          0   1   1   2   2   1   0   2
Shutdown Server                                0   0   0   0   0   0   0   0
Send TCP RST Packet                            3   4   6   5   6   5   7   5
Ask ISP to Shut-off Attack                     7  15   7  10   9   7  18  11
Contact FBI                                    4   2   5   4   1   5   3   7
Use Traceback                                 17  16  17  19  10  14  10   9
Send Virus Against IP                          0   0   0   0   0   0   0   0
Initiate DoS Against IP                        0   0   0   0   0   0   0   0
Attempt to Hack Attacker                       0   0   0   0   0   0   0   0

Evolutionary Model (Attacker)

How often each attack action occupied each of the 8 chromosome positions (each column sums to 100, matching the 100 trials):

Attack action                       Position:  0   1   2   3   4   5   6   7
Null Action                                   54  51  56  48  56  43  46  49
Spoof IP Address                              39  24  19   7   4   2   0   3
Port Scan the Server                           0   4   6   7   6   5   6   1
Ping the Server                                0   1   0   2   3   2   5   1
DoS the Server                                 0   0   0   0   0   2   2   4
DDoS the Server w/ Zombies                     0   1   0   2   2   6   6   5
Poison DNS                                     7  12   8  17  10  12   8  11
Hack Server, Install Backdoor                  0   1   2   2   1   7   4   3
Hack Server, Download Records                  0   0   1   0   2   4   2   4
Hack Server, Change Records                    0   2   7   8  10  10  13  12
Send Virus Against Server                      0   4   1   7   6   7   8   7

Defender Population Fitness

[Plot: defender population fitness per generation, generations 1 to about 1000 on the x axis, fitness 0 to 16,000,000 on the y axis; series: Population Fitness and a 25-period moving average of Population Fitness]

Attack Population Fitness

[Plot: attacker population fitness per generation, generations 1 to about 1000 on the x axis, fitness 0 to 1,000,000 on the y axis; series: Population Fitness and a 25-period moving average of Population Fitness]


Results of Evolutionary Model

Population fitnesses show that the model behaved correctly with respect to evolutionary techniques

IT IS POSSIBLE!
– Proof-of-concept that reasonable active response strategies can be developed using the rationale behind ADAM

Competitive co-evolution is a potential model for computer security relationships
– First implementation applying the concept to a computer security scenario


Conclusions & Contributions

The First Definition of Active Response

Taxonomy of Actions
– Illustrates that active response is more than strike-back methodology

Summary of Challenges
– Ethical, Legal, Risk Analysis, Technical, Unintended Consequences

Response Process Model

Decision Model
– Max Benefit, Min Risk, Incorporates Legal & Ethical

Active Defense Algorithm
– Implementable version of process and decision model

Evolutionary Active Response Model
– Provides proof-of-concept


Future Work

Simulate and Validate Model (Currently Ongoing – Medical/Univ/Financial) – R. Blue
Further define taxonomy
More work on applying evolutionary techniques – R. Blue, S. Gotshall
Clearly define legal risks – A. Hubbard
Generate More Discussion / Educate


Publications

Sergio Caltagirone, Deborah Frincke, "The Response Continuum," presented at 6th IEEE Information Assurance Workshop, West Point, NY, USA, June 2005.

Sergio Caltagirone, Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311.

Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005.

Sergio Caltagirone, "Active Defense Decision and Escalation Model," 20th Annual Computer Security Applications Conference, Works In Progress. Tucson, AZ, USA, December 2004.

Sergio Caltagirone, "An Active Defense Decision Model," presented at the Agora Workshop, University of Seattle, Seattle, WA. December, 2003.


Thank You

http://www.activeresponse.org