Malware Mimics for Network Security Assessment CDR Will Taff LCDR Paul Salevski March 7, 2011

Page 1: Malware Mimics for Network Security Assessment

Malware Mimics for Network Security Assessment

CDR Will Taff
LCDR Paul Salevski
March 7, 2011

Page 2: Malware Mimics for Network Security Assessment

Agenda

• Motivation
• Introduction
• Vision
• Proposal
• What we did
• Way Ahead

Page 3: Malware Mimics for Network Security Assessment

Motivation

Page 4: Malware Mimics for Network Security Assessment

Motivation – In the Lab

Page 5: Malware Mimics for Network Security Assessment

Introduction

• Currently, DoD relies on Red Teams (trusted adversaries) for Information Assurance (IA) testing and evaluation of military networks
• This approach is unsatisfactory:
  • Relies on a constrained resource (Red Teams)
  • Limited in scope of effects (safety/risk to the host network)
  • Non-uniform/inconsistent application
  OR
  • Confined to a laboratory setting (not “Train Like Fight”)

Page 6: Malware Mimics for Network Security Assessment

Introduction - The Way the Navy Is

Diagram labels: Internet; Global Information Grid (GIG), owned and operated by DISA; Network Operating Centers; SIPR; NIPR; JWICS; CENTRIXS

Page 7: Malware Mimics for Network Security Assessment

Proposal

• We propose the development of a distributed software system that can be used by either simulated adversaries (such as a Red Team) or trusted agents (such as a Blue Team) to create scenarios and conditions to which a network management/defense team will need to react and resolve.

Page 8: Malware Mimics for Network Security Assessment

Vision

Diagram labels: STEP Site Northwest, VA; Ft. Meade, MD; Norfolk, VA (MM-Server); Global Information Grid (GIG); USS Arleigh Burke (MM-Clients)

Page 9: Malware Mimics for Network Security Assessment

Malware Mimic

• Have the “trainer” sitting anywhere
• Trainer remotely controls a network of pre-installed software nodes on the training network, simulating network malware/mal-behaviors
  • Simulate virus
  • Simulate bots
  • Simulate Internet worms
  • Simulate malicious “hackers”
• “Trainee” reacts to simulated effects in the same manner as to actual threats

Page 10: Malware Mimics for Network Security Assessment

Architecture

• Network nodes consist of Java software packages running on top of pre-existing and unmodified network hosts
  • No (unwanted) impact to users
  • No need for additional hardware
• Network nodes coordinate effects via a Trainer-controlled Command and Control Server
  • Local or Offsite
• Solves the problem of “flying in” a red team

Page 11: Malware Mimics for Network Security Assessment

Anatomy of an Attack

Page 12: Malware Mimics for Network Security Assessment

Anatomy of an Attack with MMs

Page 13: Malware Mimics for Network Security Assessment

Architecture - Physical Layout

Page 14: Malware Mimics for Network Security Assessment

Virtual Layout

Page 15: Malware Mimics for Network Security Assessment

Results

Page 16: Malware Mimics for Network Security Assessment

Way Ahead

• More complex network architecture
• More complex Malware Mimics
• Focus on higher security
• Installation and testing onto larger and operational networks
• Communication between MM-Clients

Page 17: Malware Mimics for Network Security Assessment

Questions

CDR Will Taff – [email protected]
LCDR Paul Salevski – [email protected]