Defense Advanced Research Projects Agency: Information Assurance and Survivability Operational Experimentation (OPX), Phoenix Challenge 2002 briefing (transcript, posted 2011-05-13)
Page 1

DARPA
Defense Advanced Research Projects Agency
Information Assurance and Survivability Operational Experimentation (OPX)
Phoenix Challenge 2002
Brian Witten, OPX Program Manager
Page 2

REPORT DOCUMENTATION PAGE (Form Approved OMB No. 0704-0188)
1. REPORT DATE (DD-MM-YYYY): 22-04-2002
2. REPORT TYPE: Briefing
3. DATES COVERED (FROM - TO): xx-xx-2002 to xx-xx-2002
4. TITLE AND SUBTITLE: Information Assurance and Survivability Operational Experimentation (OPX), Unclassified
5a. CONTRACT NUMBER / 5b. GRANT NUMBER / 5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S): Witten, Brian
5d. PROJECT NUMBER / 5e. TASK NUMBER / 5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME AND ADDRESS: DARPA, xxxxx, xxxxxxx
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME AND ADDRESS: DARPA
10. SPONSOR/MONITOR'S ACRONYM(S) / 11. SPONSOR/MONITOR'S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT: A, PUBLIC RELEASE
13. SUPPLEMENTARY NOTES
14. ABSTRACT: See report.
15. SUBJECT TERMS: IATAC Collection
16. SECURITY CLASSIFICATION OF: a. REPORT: Unclassified; b. ABSTRACT: Unclassified; c. THIS PAGE: Unclassified
17. LIMITATION OF ABSTRACT: Public Release
18. NUMBER OF PAGES: 17
19. NAME OF RESPONSIBLE PERSON: email from Booz, Allen & Hamilton (IATAC), (blank) [email protected]
19b. TELEPHONE NUMBER: 703 767-9007, DSN 427-9007
Standard Form 298 (Rev. 8-98), prescribed by ANSI Std Z39.18
Page 3

REPORT DOCUMENTATION PAGE (Form Approved OMB No. 074-0188)
1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: 4/22/2002
3. REPORT TYPE AND DATES COVERED: Briefing, 4/22/2002
4. TITLE AND SUBTITLE: Information Assurance and Survivability Operational Experimentation (OPX)
5. FUNDING NUMBERS
6. AUTHOR(S): Witten, Brian
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): DARPA
8. PERFORMING ORGANIZATION REPORT NUMBER
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Advanced Projects Research Agency
10. SPONSORING / MONITORING AGENCY REPORT NUMBER
11. SUPPLEMENTARY NOTES
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; Distribution unlimited
12b. DISTRIBUTION CODE: A
13. ABSTRACT (Maximum 200 Words): This briefing was presented during the Phoenix Challenge 2002 Conference and Warfighter Day.
14. SUBJECT TERMS: IATAC Collection, information assurance
15. NUMBER OF PAGES: 16
16. PRICE CODE
17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED
18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED
19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED
20. LIMITATION OF ABSTRACT: UNLIMITED
NSN 7540-01-280-5500; Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. Z39-18, 298-102
Page 4

Vision

- Protect Centers of Gravity: Survivable Servers
- Pervasive Sensors: Hardened Clients
- Reduce Overload: Analyst Workbench
- New Capability: Situational Awareness
Page 5

Strategy

- Objectives:
  - Accelerate transition of effective technologies
  - Inform research agenda with operational experience
- Key Experimentation Risks, Transition Metrics:
  - Limited operational staff time
  - Impact on operational systems
- Approach:
  - Leverage mature research, well tested in lab
  - Field cautiously: walk before we run
Page 6

The Analyst's Challenge

[Figure: traffic volume "Today" versus "Tomorrow"; Potential IAP Traffic (T3); Impact of Transition to T3 volume at Internet Access Points]
Page 7

Intrusion Detection in the Lab: DARPA 1998 Results (MIT/LL and AFRL)

- Operational sensors:
  - Hundreds of false alarms per attack
  - Actually miss most attacks
- Research sensors:
  - Dramatically reduce false alarm rates
  - Substantially improve detection coverage

[Figure, left panel: Attacks Detected (%), 0 to 100, versus False Alarms Per Day, 0 to 133, for R&D Systems and Keystring; evaluation data: Attacks: 38, Normal: 660,049]
[Figure, right panel: ROC curves, detection rate (0 to 100) versus false alarm rate (0 to 1), for asim, emerald, netstat, ustat, ustat+netstat, sri(ll), ucsb(ll), stolfo(ll)]
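The slide's point is a base-rate one: with 38 attacks against 660,049 normal sessions, even a small false-positive rate on the ROC curve becomes hundreds of false alarms per detected attack. The following worked example, added here and not code from the briefing or the 1998 evaluation, builds an ROC curve from detector scores and converts a chosen operating point into false alarms per day and per detected attack. The 10-day evaluation window and the synthetic scores in `demo()` are constructed assumptions; the slide does not state the window.

```python
"""Added worked example (not code from the DARPA briefing or the 1998
evaluation): turning an intrusion detector's ROC operating point into the
"false alarms per attack" load the slide warns about.

Constructed assumptions: the evaluation set sizes are the slide's
(38 attacks, 660,049 normal sessions); the slide does not state the
evaluation window, so a 10-day window is assumed here; the detector
scores in demo() are synthetic."""
import random

N_ATTACKS = 38
N_NORMAL = 660_049
EVAL_DAYS = 10  # assumed window, not stated on the slide


def roc_points(scores, labels):
    """ROC curve as (false_positive_rate, true_positive_rate) pairs.

    Sweeps the decision threshold from the highest score down; tied
    scores are consumed together so no point lies between them."""
    pairs = sorted(zip(scores, labels), key=lambda p: -p[0])
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    tp = fp = 0
    points = [(0.0, 0.0)]
    i = 0
    while i < len(pairs):
        threshold = pairs[i][0]
        while i < len(pairs) and pairs[i][0] == threshold:
            if pairs[i][1]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / n_neg, tp / n_pos))
    return points


def operating_cost(fpr, tpr, n_attacks=N_ATTACKS, n_normal=N_NORMAL, days=EVAL_DAYS):
    """What one ROC point means for the analyst on the floor."""
    false_alarms = fpr * n_normal
    detected = tpr * n_attacks
    return {
        "false_alarms_per_day": false_alarms / days,
        "false_alarms_per_detected_attack": (false_alarms / detected) if detected else float("inf"),
        "attacks_missed": n_attacks - detected,
    }


def best_under_budget(points, max_false_alarms_per_day, n_normal=N_NORMAL, days=EVAL_DAYS):
    """Highest detection rate whose daily false-alarm load an analyst team can absorb."""
    fpr_limit = max_false_alarms_per_day * days / n_normal
    feasible = [p for p in points if p[0] <= fpr_limit]
    return max(feasible, key=lambda p: p[1]) if feasible else None


def demo():
    rng = random.Random(1)
    # Synthetic scores: attacks score higher on average, but the overlap
    # means low false-alarm rates cost detection coverage.
    scores = ([rng.gauss(2.0, 1.0) for _ in range(N_ATTACKS)]
              + [rng.gauss(0.0, 1.0) for _ in range(N_NORMAL)])
    labels = [1] * N_ATTACKS + [0] * N_NORMAL
    points = roc_points(scores, labels)
    for budget in (10, 100, 1000):
        fpr, tpr = best_under_budget(points, budget)
        cost = operating_cost(fpr, tpr)
        print(f"budget {budget:>5}/day: detect {tpr:5.1%}, "
              f"{cost['false_alarms_per_detected_attack']:.1f} false alarms per detected attack")


if __name__ == "__main__":
    demo()
```

`best_under_budget` is the practitioner's view of the curve: fix the number of alarms a watch floor can triage per day, then read off the detection rate that budget buys. Running `demo()` shows the trade the slide describes, since tightening the budget from 1000 to 10 alarms per day drops coverage sharply on overlapping score distributions.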
Page 8

Analyst Workbench

- Analysts currently overwhelmed
  - Flood of data, high false alarm, low detection rates
  - Not... real time, decision quality, always actionable
- DARPA Algorithms
  - Over a dozen lab tested real time algorithms
  - Data mining, anomaly, self organizing, expert systems
- Execution: September 2001 – September 2002
Page 9

Hardened Client

- MARFORPAC Challenge
  - Classic SIPR/NIPR PC problem
  - Compounded by TAD laptop theft
  - Insider threat and unknown viruses
- Proposed Technology
  - Safe e-mail "wrappers" and encrypting file system
  - Autonomic Distributed Firewall
  - PGP Disk & Disk Eraser
Page 10

Operating System Wrappers

- Trap and stop unknown viruses
- Enable safer use of mobile code
- Performance impact: Low
- Availability: Solaris, Linux, NT, Win2K

[Figure: an App reaches the system only through a Wrapper at a Controlled Interface; mobile-code types shown: JavaScript, VBScript, Script]
[Figure: wrapper overhead (%), 0 to 7, on Kernel Build and HTTP Throughput for the configurations no WSS, WSS only, callcount, dbcallcount and seq_id; labelled values 3.3% and 6.6%]

Developers: Network Associates, Teknowledge, Cigital, Telcordia
Page 11

Autonomic Distributed Firewall

- Firewall on Network Interface Card (NIC)
- Hardware based cryptographic accelerator
- Trustworthy control of untrustworthy OS

Made by Secure Computing and 3Com; research performed under DARPA sponsorship

ADF Controller
- Converts high level policy into low level packet filtering rules for each NIC
- Triple redundancy, manages thousands
- Drag and drop INFOCON changes
- Encrypted communication with NIC
- Audit database and browser

[Figure: a LAN whose Workstation and Server sit behind ADF NICs, a Remote user behind its own NIC, a Firewall between the LAN and the Internet, and the ADF Controller managing the NICs]
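The controller's job as the slide describes it is policy compilation: a high-level statement of who may talk to whom, adjusted by an INFOCON level, becomes a concrete filter list for each card, and an INFOCON change means a recompile and re-push. The example below is added here to show that translation; it is not Secure Computing or 3Com code and does not reproduce the ADF Controller's actual rule language. The host inventory, the role-based policy, and the mapping from INFOCON level to permitted services are constructed assumptions.

```python
"""Added example (not Secure Computing/3Com code and not the ADF
Controller's real policy or rule language): compiling a high-level,
role-based network policy plus an INFOCON level into the per-NIC packet
filter rules a controller would push to each card. Host names, IPs, the
role/service policy and the INFOCON-to-service mapping are constructed
assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # exact source IP, or "any" (no CIDR matching here)
    dst: str               # the NIC's own IP (rules are inbound to that NIC)
    dport: Optional[int]   # None matches any port


SERVICES = {"http": ("tcp", 80), "ssh": ("tcp", 22), "dns": ("udp", 53), "smtp": ("tcp", 25)}

# Constructed inventory: NIC host -> (IP, role).
HOSTS = {
    "ws-01": ("10.1.0.11", "workstation"),
    "ws-02": ("10.1.0.12", "workstation"),
    "srv-01": ("10.1.0.50", "server"),
    "remote-01": ("198.51.100.7", "remote"),
}

# Constructed high-level policy: (source role, destination role, service).
POLICY = [
    ("workstation", "server", "http"),
    ("workstation", "server", "ssh"),
    ("remote", "server", "http"),
    ("server", "workstation", "dns"),
]

# Assumed INFOCON semantics: a higher condition keeps fewer services open.
INFOCON_ALLOWED = {
    "NORMAL": {"http", "ssh", "dns", "smtp"},
    "ALPHA": {"http", "ssh", "dns"},
    "BRAVO": {"http", "dns"},
    "CHARLIE": set(),
}


def compile_rules(hosts, policy, infocon):
    """Expand the role policy into an ordered inbound rule list for every NIC.

    Each NIC receives only the rules about traffic addressed to it, with a
    final deny-all so anything the policy does not name is dropped."""
    allowed = INFOCON_ALLOWED[infocon]
    by_role = {}
    for name, (ip, role) in hosts.items():
        by_role.setdefault(role, []).append(ip)
    rules = {name: [] for name in hosts}
    for src_role, dst_role, service in policy:
        if service not in allowed:
            continue  # the INFOCON level overrides the standing policy
        proto, port = SERVICES[service]
        for dst_name, (dst_ip, role) in hosts.items():
            if role != dst_role:
                continue
            for src_ip in by_role.get(src_role, []):
                rules[dst_name].append(Rule("allow", proto, src_ip, dst_ip, port))
    for name, (ip, _) in hosts.items():
        rules[name].append(Rule("deny", "any", "any", ip, None))
    return rules


def permits(nic_rules, proto, src, dst, dport):
    """First-match evaluation of one inbound packet against a NIC's rule list."""
    for r in nic_rules:
        if (r.proto in ("any", proto) and r.src in ("any", src)
                and r.dst == dst and r.dport in (None, dport)):
            return r.action == "allow"
    return False  # unreachable with the trailing deny, kept for safety


def rules_withdrawn(old, new):
    """Per-NIC list of allow rules an INFOCON change removed (audit trail)."""
    return {nic: [r for r in old[nic] if r.action == "allow" and r not in new[nic]]
            for nic in old}


if __name__ == "__main__":
    normal = compile_rules(HOSTS, POLICY, "NORMAL")
    bravo = compile_rules(HOSTS, POLICY, "BRAVO")
    for nic, removed in rules_withdrawn(normal, bravo).items():
        for r in removed:
            print(f"{nic}: withdrew {r.proto}/{r.dport} from {r.src}")
```

Two design points carry over to any controller of this kind: each NIC only ever holds rules for traffic addressed to it, so a compromised host learns nothing about the rest of the policy from its own card, and `rules_withdrawn` gives the audit database a per-NIC record of exactly what a condition change took away.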
Page 12

Hardened Client Timeline

- MARFORPAC Limited Objective Experiment
  - Apply safe e-mail wrappers and encrypting file system
  - MARFORPAC approved internal experiment charter
  - Execution: Late CY2001, RSO&I 02, UFL 02
- Fleet Battle Experiment India (C3F)
  - Execution: Jun 2001 – Autonomic Distributed Firewall (PCI)
- Fleet Battle Experiment Juliet Goals (PACFLT)
  - Complete application of diverse wrappers
  - Autonomic Distributed Firewall (PCMCIA)
Page 13

Survivable Server

- Motivating factors:
  - High-value and commonly targeted center of gravity
  - Need Intrusion Tolerant Systems: ability to confidently execute mission while under attack
  - Reactive defense not adequate
- Possible technologies:
  - PASIS: Perpetually Available Survivable Information System; leverage fragmentation, redundancy, and scattering
  - SELinux, Immunix, Emerald, NetTop VMware, Wrappers
- Execution: 2002
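"Fragmentation, redundancy, and scattering" is the intrusion-tolerance idea that no single server holds the whole of a record: a record is cut into fragments, extra fragments add redundancy, and the fragments are spread across storage nodes so the service keeps running when some nodes are down or compromised. The example below is added here to make that concrete with threshold secret sharing (Shamir's scheme); it is not PASIS code and makes no claim about which scheme PASIS used. The sample record and the storage node names are constructed.

```python
"""Added example (not PASIS's code): threshold secret sharing as a concrete
form of "fragmentation, redundancy, and scattering". A record is split into
n fragments and scattered across n storage nodes; any k fragments rebuild
it, so the service survives n-k node failures or compromises, while fewer
than k fragments reveal nothing about the record. Node names and the sample
record are constructed for the demonstration."""
import secrets
from dataclasses import dataclass

P = 2**521 - 1  # Mersenne prime; the field holds records up to 65 bytes


@dataclass(frozen=True)
class Share:
    x: int   # evaluation point, unique per storage node
    y: int   # polynomial value at x
    k: int   # threshold, carried so a reader can refuse an undersized set


def split(secret: bytes, n: int, k: int, rng=None):
    """Fragment `secret` into n shares of which any k reconstruct it (Shamir)."""
    rng = rng or secrets.SystemRandom()
    s = int.from_bytes(secret, "big")
    if not 1 <= k <= n or n >= P or s >= P:
        raise ValueError("bad parameters")
    # Random degree-(k-1) polynomial with the secret as constant term.
    coeffs = [s] + [rng.randrange(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, mod P
            acc = (acc * x + c) % P
        return acc

    return [Share(x, f(x), k) for x in range(1, n + 1)]


def recover(shares, length: int) -> bytes:
    """Rebuild the record from any k distinct shares by Lagrange interpolation at 0."""
    if not shares:
        raise ValueError("no shares")
    k = shares[0].k
    pts = list({sh.x: sh for sh in shares}.values())[:k]
    if len(pts) < k:
        raise ValueError(f"need {k} distinct shares, got {len(pts)}")
    total = 0
    for i, si in enumerate(pts):
        num = den = 1
        for j, sj in enumerate(pts):
            if i != j:
                num = num * (-sj.x) % P
                den = den * (si.x - sj.x) % P
        total = (total + si.y * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")


def scatter(shares, nodes):
    """Place one share on each storage node (constructed node names)."""
    if len(nodes) != len(shares):
        raise ValueError("one node per share")
    return dict(zip(nodes, shares))


def recover_from_nodes(store, reachable, length):
    """Rebuild from whatever subset of nodes is currently reachable."""
    available = [store[n] for n in reachable if n in store]
    return recover(available, length)


if __name__ == "__main__":
    record = b"sample logistics record (constructed)"
    nodes = ["node-a", "node-b", "node-c", "node-d", "node-e"]
    store = scatter(split(record, n=5, k=3), nodes)
    # Two nodes unreachable: the service still answers.
    print(recover_from_nodes(store, ["node-a", "node-c", "node-e"], len(record)))
```

Availability and confidentiality come from the same parameters: with n = 5 and k = 3 the record survives any two node outages, and an intruder who reads any two nodes holds two points on a random quadratic, which is consistent with every possible record. Integrity is a separate concern; a deployment would also have to detect a node returning a corrupted share, which this example does not address.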
Page 14

Situational Awareness

- Am I under attack?
- What is the nature of the attack?
  - Class, mechanism, and source
- What is mission impact?
  - Urgency, damage assessment and control, initial response
- When did attack start?
  - More detailed damage assessment. What have I done wrong?
- Who is attacking?
  - What are they trying to do? What is their next step?
- What can I do about it?
  - Course of action analysis, collateral damage risk, reversibility
Page 15

[Figure: NETOPS at the Theater C4I Coordination Center (PACOM TCCC), combining TNM (Network Management), IA (Information Assurance) and IDM (Information Dissemination Management)]

Need:
- Theater Wide
- Real Time
- Decision Quality
- Actionable Information

Strategy:
- Leverage Cyber Panel emerging research
Page 16

Summary

Schedule across FY 01 and FY 02:
- Analyst's Workbench: PAC CERT
- Hardened Client: MARFORPAC, PACFLT
- Survivable Server
- Situational Awareness: TCCC
- Possible extension to other CERTs
Page 18

[Figure: defense concept diagram. Security attributes: Confidentiality, Availability, Integrity; Context attributes: Functionality, Performance. Attacks set against Prevention, Layered Protection, Tolerance and Detection; Dynamic Defense with a Risk-Balanced Optimizing Strategy guarding Information Treasures]
[Figure: Phase 3 Attack Tree, Actual Attacks Executed, 12-16 June 2000. The tree assumes attackers are physically located on the external LAN. Its anticipated-effect nodes (the goals at the top of the tree) are: Orders Modified, Orders Added, Orders Deleted, Orders dropped in transit, Orders modified in database, False Orders Submitted in transit, Forward Client Orders modified in transit, Duracell Orders modified in transit, Clients prevented from issuing new orders, and Steal Secrets (enclave-enclave). Attack steps are drawn as colored boxes joined by colored lines, each step carrying a C/F/D rating and a phase letter (A through K). Executed attacks are annotated with exercise numbers (001, 002, 005, 006.1, 008.3, 011 through 014, 018.31 through 019.33, 021, 026, 202 through 205) and outcomes such as "flag captured", "failed", "dead end", "didn't work, unknown reason" and "not followed (could have been)"; one note records that a brute-force password crack was judged most feasible but not doable in the exercise time frame.]

KEY
- Anticipated Effect: Phase Modifications; Phase Removals (Flag)
- Colored Lines: Attack Paths; Colored Boxes: Attack Name
- C/F/D ratings: C, cost/difficulty; F, likelihood of failure; D, likelihood of detection resulting in prevention
- L, low; M, medium; H, high

Methodology