Incident Analysis
Post on 21-Dec-2015
TRANSCRIPT
1
Incident Analysis
2
Why Incident Analysis?
• Bad Guys!
• Threats growing
• Vulnerabilities increasing
• Internet now part of the social fabric
• Impact of major cyber-attack would be significant
• Cascading effects a major concern
• Reactive response must give way to proactive preparation
3
Analytic Approach
• The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet.
• Technical, political, economic, and social triggers
• Attacks and defenses
• Vulnerabilities and corrections
• Victims and perpetrators
• Physical-world impacts
4
One Effort – Looking Inside the Noise
Network Activity Example
Overall Activity: Several Gbytes/day
Noise - Below the Radar
5
Traffic is business-dominated
[Chart: Web Traffic (ports 80 and 443); y-axis: packets per hour (0 to 450,000,000); x-axis: date / time GMT; series: Outside Browsing, Outside Web Service, Inside Browsing, Inside Web Service]
6
A Taxonomy of Attributes
• Backscatter: Few sources, scattered evenly across enterprise network, generally contains RST or ACK flags.
• Scans: Single source, usually strikes the same port on many machines, or different ports on the same machine.
• DoS: Multiple sources, single target, usually homogenous (but no requirement). May be oddly sized.
• Worms: Scanning from a steadily increasing number of hosts.
• Major servers: Identifiable by IP addresses.
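The taxonomy above maps directly onto flow-level heuristics. The following is an added example, not code from the slides: it labels constructed flow records (time bucket, source, destination, port, TCP flags) as backscatter, scan, DoS target or worm-style growth using exactly the attributes listed; the record format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (time_bucket, src, dst, dport, tcp_flags); not from
# the slides, built so each attribute in the taxonomy appears once.
FLOWS = (
    [(0, "203.0.113.9", f"10.0.{i}.1", 80, "RA") for i in range(1, 9)]       # backscatter
    + [(0, "198.51.100.7", f"10.0.0.{i}", 22, "S") for i in range(1, 21)]     # scan
    + [(0, f"192.0.2.{i}", "10.0.0.50", 53, "S") for i in range(1, 31)]       # DoS
    + [(t, f"172.16.{t}.{i}", f"10.0.1.{i}", 1434, "S")                       # worm
       for t in range(1, 5) for i in range(1, 2 * t + 1)]
)

def by_source(flows):
    """Per source: set of targets, set of ports, set of flag strings."""
    prof = defaultdict(lambda: (set(), set(), set()))
    for _, src, dst, dport, flags in flows:
        dsts, ports, fl = prof[src]
        dsts.add(dst); ports.add(dport); fl.add(flags)
    return prof

def classify_sources(flows, min_targets=8):
    """Backscatter: RST/ACK-only flows spread over many hosts. Scan: SYNs to the
    same port on many machines (horizontal) or many ports on one machine (vertical)."""
    labels = {}
    for src, (dsts, ports, flags) in by_source(flows).items():
        if flags <= {"R", "A", "RA"} and len(dsts) >= min_targets:
            labels[src] = "backscatter"
        elif any("S" in f for f in flags):
            if len(dsts) >= min_targets and len(ports) == 1:
                labels[src] = "scan:horizontal"
            elif len(ports) >= min_targets and len(dsts) == 1:
                labels[src] = "scan:vertical"
    return labels

def dos_targets(flows, min_sources=20):
    """Multiple sources converging on a single target."""
    srcs = defaultdict(set)
    for _, src, dst, _, _ in flows:
        srcs[dst].add(src)
    return {dst for dst, s in srcs.items() if len(s) >= min_sources}

def worm_growth(flows, dport, min_buckets=3):
    """Distinct hosts SYN-scanning dport per time bucket; a worm shows steady growth."""
    per_bucket = defaultdict(set)
    for t, src, _, p, flags in flows:
        if p == dport and "S" in flags:
            per_bucket[t].add(src)
    counts = [len(per_bucket[t]) for t in sorted(per_bucket)]
    steady = len(counts) >= min_buckets and all(b > a for a, b in zip(counts, counts[1:]))
    return counts if steady else None
```

The DoS sources and the worm hosts each touch only one target, so per-source classification stays silent on them; they surface only through the per-target and per-bucket views, which is why the slide lists these as separate attributes.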
7
Let’s Play “Find The Scan”!
[Chart: y-axis: flows (0 to 2e+06); x-axis: seconds from start (0 to 691200 in one-day, 86400-second steps, i.e. eight days); annotation: “Hmmmm”]
8
Example DDoS Attack
9
Example: SQLSlammer
[Chart: y-axis: cumulative number of hosts (0 to 7000); x-axis: elapsed time in hours (0.00 to 4.00); annotations: 2525 hosts in 8 min; 5892 hosts in 2 h 41 m; 3838 hosts in 44 min; 3025 hosts in 36 min]
10
Slammer: Precursor Detection
[Chart: y-axis: flows (0 to 160000); x-axis: hour, 1/24 00:00 through 1/25 04:00; single series]
11
Fusion Efforts
• Small packet probes analyzed
• Patterns emerged
• Identified potential threat
• Analysis of CERT/CC incident data
• Identified possible link between state and hacker groups
• Hacker communications assessment
• Working on profiles, country studies, event analysis
12
Results of Fused Analysis
• What was determined?
  • Data collected showed definite network indicators
  • Methodology can be developed to provide possible warning indicators
  • Based on limited dataset, network indicators suggest possible malicious probes by China
• Network indicators suggest a number of motivations
  • Exploitation
  • Site mapping
  • Intelligence gathering for further activity
13
Incident data flow
Organization 1, Organization 2, Organization 3, … Organization n
→ Observed Events → Reported Incidents → Filter → Prioritize → Prioritized Attacks
(Context is applied at the Filter and Prioritize steps)
14
Why Share Incident Information?
• Help in dealing with current attack
• Improve future software
• Better baseline for next attacks
• Support non-technical solutions
  – Prosecution
  – Diplomacy
  – Legislation
15
Why not share Incident Information?
• Fear of publicity
• Fear of stimulating attacks
• Fear of educating attackers
• Forcing action ahead of decision-makers
• Fear of offending suppliers/customers
16
How well does current response work?
• For some incidents – great!
  – Viruses / slow worms
  – Narrow attacks
• For others – not so great
  – Very fast worms
  – Covert compromises (rootkits)
  – Broad attacks
  – Mass attacks
17
W32/Hybris Comb
[Chart: Hybris Incidents; monthly counts, Oct-00 through Jun-01; y-axis 0 to 20; series values as extracted (blank cells were dropped, so values cannot be mapped to months): Installed w32/hybris: 1 1 2 3; Failed w32/hybris: 18 17 9 1 5 1; Actual-Use w32/hybris: 1 1 3 1 2 2 1 1]
18
RootKit Comb
[Chart: Rootkit Incidents; monthly counts, Jun-00 through Jun-01; y-axis 0 to 16; series values as extracted (blank cells were dropped, so values cannot be mapped to months): Installed rootkit: 6 10 14 6 4 11 5 8 4 4; Failed rootkit: 1 1 1 1; Actual-Use rootkit: 2 2 11 2 3 4 3 3 6 1]
19
Fusion Framework
Incidents: I1 I2 … In
↓ Clustering and Extrapolation (Incidents Excluded branch off here)
Extrapolated Incidents (X-Incidents): X1 X2 … Xm
↓ Correlation and Abduction
X-Incident Chains: C1 C2 … Cm
↓ Role-based Incident Severity Tier Assignment
  Inputs: Other factors: Political, Social, Economic; System Mission Criticality Databases: DoD/MAC, Project Matrix, Key Asset Initiative
System Admin: T1 T2 T3 T4 T5
Law Enforcement: T1 T2 T3 T4 T5
Coord. CSIRT: T1 T2 T3 T4 T5
…
20
Clustering and Extrapolation
– Clustering groups reports into meaningful classes
– Similarity metric applied to common features
  • Cohesion function calculates degree of similarity
  • Clustering generates overlapping clusters (clumps)
    – Minimizes cohesion function between incident sets
– Extrapolation fills in the reporting gaps
  • Extrapolation criterion establishes when and how
– Generates extrapolated incidents (x-incidents)
21
Correlation and Abduction
– Identifies sequences that constitute a staged attack
  • Generates x-incident chains
  • Starting context establishes understanding of initial system/network configuration
– Causal relationships through pre-/post-condition chaining
  • Precondition of first incident must satisfy starting context
  • Postcondition of each incident must satisfy precondition of the subsequent incident
– Techniques available (abduction) for filling in gaps
  • Strings together x-incident chains using attack patterns
  • Abduction criterion establishes when and how
22
Example
SubSeven Trojan horse → enables → Leaves worm building “Bot Network” → launches → Denial-of-service attack
“Bot Network” → Ongoing uses of “Bot Network”
1. Clustering and extrapolation based on intruder tool signature
2. Clustering based on target of attack and flooding approach
3. Correlation based on Leaves’ scan for SubSeven signature
4. Abduction using distributed denial of service pattern
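The pre-/post-condition chaining and abduction described on the Correlation and Abduction slide, worked through on the SubSeven → Leaves → DoS example above, as an added example that is not the framework's own code: x-incidents are modelled as (precondition, postcondition) sets, chains are grown from a starting context, and the gap before the DoS stage is filled by abduction from an attack pattern. The condition names, the attack pattern and the abduction criterion are assumptions; the deck names none of them.

```python
# Constructed x-incidents for the SubSeven -> Leaves -> DoS example on the
# slide. Condition names are assumptions; the deck does not define any.
X_INCIDENTS = {
    "X1 SubSeven trojan": ({"untrusted_binary_run"}, {"subseven_backdoor"}),
    "X2 Leaves worm":     ({"subseven_backdoor"}, {"bot_network"}),
    "X3 DoS flood":       ({"flood_capability"}, {"target_flooded"}),
}
STARTING_CONTEXT = {"untrusted_binary_run"}
# Attack patterns available to abduction: hypothesised (pre, post) steps that
# no reported incident covers (assumed content).
ATTACK_PATTERNS = {"DDoS pattern": ({"bot_network"}, {"flood_capability"})}

def build_chains(xinc, context):
    """Correlation: every maximal chain whose first precondition is met by the
    starting context and each later one by the accumulated postconditions."""
    found = []
    def grow(chain, state, remaining):
        grew = False
        for name in sorted(remaining):
            pre, post = xinc[name]
            if pre <= state:
                grew = True
                grow(chain + [name], state | post, remaining - {name})
        if chain and not grew:
            found.append((chain, state))
    grow([], set(context), set(xinc))
    return found

def abduce(chain, state, xinc, patterns):
    """Abduction criterion (an assumption here): add one hypothesised pattern step
    only if it bridges directly to an x-incident the chain could not reach."""
    for pname, (ppre, ppost) in patterns.items():
        if not ppre <= state:
            continue
        for name, (pre, post) in xinc.items():
            if name not in chain and pre <= state | ppost:
                return chain + [f"[abduced] {pname}", name], state | ppost | post
    return chain, state

def analyze(xinc=X_INCIDENTS, context=STARTING_CONTEXT, patterns=ATTACK_PATTERNS):
    """Correlate, then fill gaps; returns a list of (chain, final_state)."""
    return [abduce(c, s, xinc, patterns) for c, s in build_chains(xinc, context)]
```

Correlation alone stops after the Leaves worm because nothing reported establishes the flood capability; the abduced step is the hypothesis the analyst must then confirm or discard, which is the caution the Limits of Analysis slide asks for.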
23
Challenges to Analysis Research
• Gathering sufficient datasets to make statistically valid judgments
• Developing automated technical analysis tools
• Developing a reliable methodology for cyber-analysis
• Overcoming organizational bias against sharing information
24
Limits of Analysis
• Inherently partial data
• Baseline in dynamic environment
• Correlation vs. causation
• Implications
  – Need to be cautious in kinds of conclusions
  – Consider strategies for dealing with analysis gone wrong