slide 1
28 September 2006 ARO Kickoff Meeting Phillip Porras Cyber-TA: Secure Collaborative Threat Reconnaissance
Cyber-Threat Analytics
Introduction
Phillip Porras - [email protected] Science Laboratory, SRI International
www.cyber-ta.org
28 September 2006
Outline: Introduction / Project Overview / Challenges / Consortium Members / Today's Agenda / 2005 Summary / Web Portal
Cyber-TA Kickoff Meeting
slide 2
Collaborative Wide-Area (National-scale) Threat Detection and Mitigation
Problem space:
• develop efficient "RICH" security content sharing infrastructures
• advance the state of the art on collaborative large-scale detection and mitigation schemes
• new threat dissemination/mitigation schemes to characterize emerging attack patterns - actionable results
AND
• protect the security postures (user privacy, policies, topologies, defenses, vulnerabilities) of the data contributor
• minimize (remove) the reliance on trust among contributors and repositories
[Figure: Cyber-TA Overview - the project sits where (large-scale) malware researchers, (large-scale) data privacy researchers, and operations overlap]
slide 3
Grand Challenges
• How to achieve an IA (information assurance) Common Operating Picture with mutually suspicious organizations, e.g., IC members, coalition partners, other law enforcement
• How to construct national-scale realtime correlation / alert forensic systems that scale to millions of events per day
• How to achieve privacy preserving IA data sharing (protocols, repositories, registration, analyses) with “minimal-trust”
• How to quantify the impact of our proposed privacy preserving countermeasures to the adversary workfactor
slide 4
2006 Consortium Members
Data Privacy Group: Prof. Vitaly Shmatikov, University of Texas at Austin; Roger Dingledine, Moria Laboratory; Prof. Joan Feigenbaum, Yale University
Encrypted Computation Group: Brent Waters, SRI; Prof. Dan Boneh, Stanford University; Prof. Amit Sahai, University of California at Los Angeles
Active and Passive Malware Analysis and Mitigation: Prof. Paul Barford, University of Wisconsin; Prof. Karl Levitt, University of California at Davis; Prof. Wenke Lee, Georgia Institute of Technology; Prof. Peng Ning, North Carolina State University; Prof. Dawn Song, Carnegie Mellon University; Phil Porras / Al Valdes / Vinod Yegneswaran / Jian Zhang / Steven Cheung / Linda Briesemeister, SRI
Threat Ops Center and Commercial Transition: Marcus Sachs, SRI International; Ray Granvold, Promia Incorporated; Livio Ricciulli, Force-10 Networks Inc.; Johannes Ullrich, SANS Institute
slide 5
Today's Agenda
[Figure: Cyber-TA Plans for 2006 - Data Privacy, Threat Detection, Threat Mitigation, Threat Ops Center, Apps/Products]
9:00 - 9:40am   Cliff Wang (ARO) / Phil Porras (SRI International): Opening Remarks, Introductions, Project Overview
9:40 - 10:05am  Vitaly Shmatikov (University of Texas): Data and Traffic Privacy
10:05 - 10:30am Brent Waters (SRI International): Privacy-Preserving Encrypted-Data Analysis
10:30 - 10:45am Break
10:45 - 11:10am Vinod Yegneswaran (SRI International): Active Monitoring Systems
11:10 - 11:35am Phil Porras (SRI International): Massive and Distributed Data Correlation
11:35 - 12:00pm Wenke Lee (Georgia Tech): Collaborative Mitigation Techniques
NOON - 1:00pm   Lunch
1:00 - 1:25pm   Marc Sachs (SRI International): Threat Operations Center and Demonstration Capabilities
1:25 - 1:50pm   Livio Ricciulli (Force-10 Networks): Ultra-High-Volume Infrastructure Protection
1:50 - 2:15pm   Ray Granvold (Promia Inc.): Experiences in DoD NOC Security Management
2:15 - 2:30pm   Closing Remarks
slide 6
2005 Prototype Release
Design and field a security log repository and data collection infrastructure that
– allows mutually suspicious coalition partners to securely participate in alert sharing communities
– prevents leakage of contributor vulnerabilities and security posture while reporting detailed security log content
– provides extensive contributor control over anonymity services
  • resistant to "insider" repository browsing
  • resistant to traffic-based fingerprinting (to a degree!)
  • resistant to active data fingerprinting threats
– scales data analysis to thousands of contributors, even when the content is anonymized
Examine collaborative malware defense strategies
slide 7
CTA Infrastructure - Release Notes
1st reference implementation and deployment of a Privacy-Preserving Threat Recon Infrastructure with data analysis services
– User-controllable anonymization of IDS/firewall logs, aggregator, TLS-over-onion-routing delivery daemon, large-scale data repository center, web-based data portal for query/analysis of anonymized logs
– Primary objectives of release:
  • Red team data production and adversary models
  • Provide datasets for web portal and data analysis purposes
  • Examine network link reliability and bandwidth issues, including Tor
  • Rapid-prototype platform on which to build distributed correlation systems
– Initial release targets: SRI Menlo Park campus, Rosslyn corporate office, UC Davis Computer Science Lab, SANS Institute (Bethesda, MD)
slide 8
CTA System Diagram
[Figure, reconstructed as text]
Contributor side - CTA_Anonymizer v0.9, fed by the INFOSEC log of Sensor Z:
  • GP ASCII Log Parser, driven by an XML spec of log parsing rules
  • Anonymizer Service, driven by a Field Anonymization Policy
  • Alert Aggregator, driven by an Aggregation Policy
  • Meta-data Extractor Plugin, driven by user meta-data plugin policies
  • MIXNET Deliver Daemon
Transport - Encrypted Anonymous Log Delivery Protocol across the Internet: TLS Session over a TOR Circuit over TCP/IP; the repository returns a Delivery Ack over the same TLS/TOR/TCP-IP stack.
Repository side:
  • Cyber-TA RDBMS Manager
  • 1-30-day Summary Table Generator
  • Web Portal Query / Data Analyzer at www.cyber-ta.org (cyberta.dshield.org)
slide 9
Adversary Models – What's in and out of scope?
IN SCOPE
• Direct contributor linkage from the repository (repository insider)
• Network traffic analysis agents (traffic eavesdropper)
OUT OF SCOPE
Active fingerprinting threats
• PPFIX dictionary attacks
• Multi-event pattern analysis
• Rare-rule stimulation
Two-sided traffic analysis
• Traffic-based timing attacks
• Long-lived connection statistical analyses
[Figure: contributor organizations Org 2 ... Org N reporting to the repository, with four adversary positions marked: Repository Insider, Active Fingerprinter, Timing Attacks, Traffic Eavesdropper]
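The following is an added example, not code from the Cyber-TA project or the CTA_Anonymizer release. It shows, in miniature, the contributor-side pipeline of the system diagram (parser, field anonymization policy, alert aggregator) and why the "PPFIX dictionary attack" of the adversary-model slide is listed out of scope. Assumptions: the slides' "PPFix" is read as prefix-preserving IP anonymization; a Crypto-PAn-style construction with HMAC-SHA256 as the pseudo-random function stands in for whatever PRF the real anonymizer uses; the KEY=VALUE log format, the policy vocabulary (keep / drop / hash / coarsen / ppfix), the field names and the sample log lines are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed demo key. In a real deployment this secret never leaves the contributor.
KEY = b"constructed-demo-key-not-for-real-use"

# Contributor-controlled field policy (my own vocabulary, not the CTA XML spec).
POLICY = {
    "TS": "coarsen",   # keep the hour only
    "HOST": "hash",    # sensor name -> keyed pseudonym, stable across reports
    "ACTION": "keep",
    "SRC": "ppfix",    # prefix-preserving IP anonymization
    "DST": "ppfix",
    "DPT": "keep",     # destination port is what the portal trends on
    "SPT": "drop",     # ephemeral source port: no analytic value, fingerprinting risk
}

# Constructed firewall log lines in a KEY=VALUE format (not a real sensor format).
RAW_LOG = """\
TS=2006-09-28T09:00:01 HOST=fw1.example.org ACTION=DROP SRC=10.1.2.3 DST=192.0.2.7 PROTO=TCP SPT=4411 DPT=445
TS=2006-09-28T09:00:02 HOST=fw1.example.org ACTION=DROP SRC=10.1.2.3 DST=192.0.2.7 PROTO=TCP SPT=4412 DPT=445
TS=2006-09-28T09:00:05 HOST=fw1.example.org ACTION=DROP SRC=10.1.2.200 DST=192.0.2.7 PROTO=TCP SPT=5000 DPT=139
TS=2006-09-28T09:01:10 HOST=fw1.example.org ACTION=DROP SRC=172.16.5.5 DST=192.0.2.7 PROTO=TCP SPT=6000 DPT=445
""".splitlines()


def parse_line(line: str) -> dict:
    """GP ASCII parser stand-in: split whitespace-separated KEY=VALUE tokens."""
    return dict(tok.partition("=")[::2] for tok in line.split())


def _prf_bit(key: bytes, prefix: str) -> int:
    """One pseudo-random bit per prefix; HMAC-SHA256 stands in for Crypto-PAn's AES PRF."""
    return hmac.new(key, prefix.encode(), hashlib.sha256).digest()[0] & 1


def prefix_preserving(ip: str, key: bytes) -> str:
    """Crypto-PAn-style anonymization: output bit i = input bit i XOR f(input bits 0..i-1).
    Two addresses sharing k leading bits map to outputs sharing exactly k leading bits."""
    bits = format(int(ipaddress.IPv4Address(ip)), "032b")
    out = "".join(str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits))
    return str(ipaddress.IPv4Address(int(out, 2)))


def anonymize(fields: dict, policy: dict, key: bytes) -> dict:
    """Anonymizer service: apply the per-field policy; fields not in the policy are dropped."""
    out = {}
    for name, value in fields.items():
        action = policy.get(name, "drop")
        if action == "keep":
            out[name] = value
        elif action == "ppfix":
            out[name] = prefix_preserving(value, key)
        elif action == "hash":
            out[name] = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
        elif action == "coarsen":
            out[name] = value[:13] + ":00:00"   # 2006-09-28T09:00:01 -> 2006-09-28T09:00:00
    return out


def aggregate(records: list, by=("SRC", "DPT", "ACTION")) -> list:
    """Alert aggregator: collapse records identical on `by` into one record plus a COUNT."""
    counts = Counter(tuple(r.get(f) for f in by) for r in records)
    return [dict(zip(by, k), COUNT=n) for k, n in counts.items()]


def process(lines, policy=POLICY, key=KEY):
    """Contributor-side pipeline: parse -> anonymize -> aggregate. Returns (raw, aggregated)."""
    raw = [anonymize(parse_line(l), policy, key) for l in lines if l.strip()]
    return raw, aggregate(raw)


def shared_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def dictionary_attack_leak(known_plain: str, known_anon: str, target_anon: str) -> int:
    """The 'PPFIX dictionary attack' the slide leaves out of scope: an attacker holding one
    (plaintext, anonymized) pair learns how many leading bits every other anonymized address
    shares with that plaintext, because prefix preservation keeps exactly that relation."""
    return shared_prefix_len(known_anon, target_anon)


if __name__ == "__main__":
    raw, agg = process(RAW_LOG)
    print(f"{len(raw)} raw events -> {len(agg)} aggregated records")
    for rec in agg:
        print(rec)
    a, b = prefix_preserving("10.1.2.3", KEY), prefix_preserving("10.1.2.200", KEY)
    print(f"10.1.2.3 and 10.1.2.200 share {shared_prefix_len(a, b)} leading bits after anonymization")
```

The same property that makes the portal's "PPFix SRC" trend graphs meaningful (hosts in one /24 still cluster after anonymization) is what the dictionary attack exploits: one recovered address reveals the network structure around it. That is inherent to the scheme rather than an implementation bug, which is why the slide places it out of scope for the 2005 release instead of promising a fix.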
slide 10
Internet Portal and Analysis
CTA_Repository - Inventory View
– provides a concise summary of entire REP content
– provides quick assessment of recent REP dataflow volume/stats/trends (e.g., 1 day, 7 day, 30 day...)
– size of DB, # of Author_IDs (unique contributors), sensor types, event types, IP/port trends, data insertion rates, unique addrs (src/dst), raw event count vs aggregated count
http://www.cyber-ta.org Web portal password – available upon request
slide 11
Internet Portal and Analysis
Rates/Trends Graphs – user-controlled graph construction: Event_ID, Signature Category, PPFix SRC, Contributor, Ports, etc.
Statistical Summaries – table-based, capturing EventIDs, Port-policy, PPFix Addrs
slide 12
Web Portal – Where to get info / access ?
www.cyber-ta.org
• Today’s slides
• General project info
• Publications
• Software releases
• Live Internet monitoring
• Data set / resources
• Project news
• Consortium partner info
• Contributor registration