minimizing losses from zero days – a new layer of defense (scit)
DESCRIPTION
Minimizing Losses from Zero Days – A New Layer of Defense (SCIT). Game-Change Concepts: Moving Target + Exposure Management. Next Generation Server Security Technology. Arun Sood Ph. D. Dept of Computer Science & International Cyber Center, SCIT Labs Inc http://cs.gmu.edu/~asood/scit - PowerPoint PPT PresentationTRANSCRIPT
SCIT
Minimizing Losses from Zero Days – A New Layer of Defense (SCIT)
Next Generation Server Security Technology
Arun Sood Ph. D. Dept of Computer Science & International Cyber Center, SCIT Labs
Inchttp://cs.gmu.edu/~asood/scit
http://www.scitlabs.com+1703.347.4494
Game-Change Concepts: Moving Target + Exposure Management
SCIT
Multi-National Security Breach
• http://news.bbc.co.uk/2/hi/technology/7118452.stm
• “A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted.”
• If a user searched Google for terms such as– "hospice", "cotton gin and its effect on slavery", "infinity" and many more – The first result pointed to a website from which malicious software was
downloaded and embedded on user system.
• Criminals in country A created domains that were mostly bought by companies in country B and hosted in country C. Tens of thousands of domains were used.
• These domains tricked the indexing strategy of Google to believe that these web pages were good and reliable source of information.
Our focus: targeted and organized attacks.
SCIT
Anatomy of an Hack
Foot print analysisWho is
NSLookupSearch Engines
Enumeration
ScanningMachines
PortsApplications
ExploitationBuffer Overflow
SpoofingPassword
DOS
Damage“Owning” IP Theft, Blackmail, Graffiti,
EspoinageDestruction
Analyze publicly available info. Set scope of attack and identify key targets
Check for vulnerabilities on each target Attack targets using
library of tools and techniquesFoot print analysis
Who isNSLookup
Search EnginesEnumeration
Automated ScanningMachines
PortsApplications Deliver Payload
Custom TrojanRootkit
Damage“Owning” IP Theft, Blackmail, Graffiti,
EspoinageDestruction
Attack targets using installed software
Richard Stiennon, May 2006, http://blogs.zdnet.com/threatchaos/?p=330
Manual A
pproachA
utomated A
pproach
• Identify Target
• Install Malicious Code
• Hack Other Machines
• Take over Domain Controller
SCIT
Attacking a Multi-tier ArchitectureWeb-App-DB-Domain Controller
• Step 1: Identify Target– Network address ranges– Host names– Exposed hosts– Applications exposed on those hosts– Operating system and application version information– Patch state of both the host and of the applications– Structure of the applications and back-end severs
• Step 2: Initial Compromise– Web pages are always exposed – opportunity for ingress
• Step 3: Elevate Privileges– Become a privilege user – like internal user on the target system
• Step 4: Hacking Other Machines– Own the network.
• Step 5: Take over Domain Controller
Jesper Johansson and Steve Riley , Protect Your Windows Network: From Perimeter to Data, Addison-Wesley Professional, 2005.
SCIT
The Problem
• Verizon Business (DBIR2009): 285 M records compromised for 90 sites. Customized malware hard to detect. Intrusion persists for days, weeks, months.– Network Solutions, Wyndham Hotels.
• Symantec produced 920,000 malicious signatures in 2009.
• 50% of all vulnerabilities in web apps.
• Half of disclosed vulnerabilities had no fixes.
• Recovery from a breach is costly: $6.3M [Ponemon Inst]
• Focus on targeted and organized attacks.
Current reactive approaches are inadequate.We introduce intrusion tolerance – a new paradigm.
SCIT
Verizon (DBIR2010): Time Frame
SCIT04/21/23 7
SCIT provides Intrusion Tolerance for servers…
Enterprise Server Firewall Hacker (Actual Photo)
SCIT Virtual Server
SC
IT V
irtual P
artitio
n
Every minute SCIT software cleans and restores the virtual server to its pristine state
The SCIT Solution
…using virtualization to restore the OS and application to a pristine state after attack!
SCIT
Defense in Depth Approach to Security
• Multi layered Approach to Security: Best if layers operate independently
• Firewalls depend on inspection of incoming packets
• IDS/IPS depend on inspection of incoming and outgoing packets– With increasing bandwidth and more matching requirements, the
cycles devoted to packet inspection will keep increasing
• Threat independent approaches are needed for protection against zero-days
• Other approaches should be included in the mix, including approaches that do not rely on packet inspection and have potential for threat independent performance:– White list of software– Time-dependent recovery-based intrusion tolerance
Cross Sector Cyber Threats Strategy
SCIT
The SCIT Solution
• Static Servers Converted to Dynamic Environment– Facilitates Incorporation of Diversity
• Threat Independent
• Rapid Recovery: Work Through an Attack
• Mission Resilience
• Emphasize Temporal Dimension
• Virtualization as a New Framework for Server Security
Cross Sector Cyber Threats Strategy
SCIT
How Does SCIT Provide Additional Security?
• SCIT servers – Regularly restored to a known state and remove malicious software installed by
attackers. – Provide protection while manufacturer is developing a patch, i.e. SCIT servers
are protected in the time period between vulnerability detection and patch distribution.
– Gives data center managers an additional level of freedom in developing a systematic plan for patch management.
• SCIT DNS servers – Domain name / IP address mapping is protected from malicious alteration, thus
avoiding improper redirection of the traffic.
• SCIT Web servers – Protect the corporate crown jewels, front ends for sensitive information, e.g.
customer or employee data sets, IP, and informational web sites. – Regularly restores the sites to known states, and makes it difficult for intruders
to undertake harmful acts such as deleting files. – Avoid long term defacements.– Reduces the risk of large scale data ex-filtration.
SCIT
Key Intrusion Tolerance Approaches
OASIS (DARPA) MAFTIA (EU) SCIT (GMU)
Fault Tolerance Based: Intrusion Detection First
Recovery Based
Structure Based Structure Based Time Dependent
Packet Inspection Yes Yes No
Voting Algorithm Yes Yes No
Deterministic No No Yes
Performance Impact
Yes Yes Yes
Diversity Required RequiredOptional. Diversity will
make scheme more robust
RecoveryPerformed upon
detecting intrusion.Performed upon
detecting intrusion. Built in automatic periodic
recovery.
See IEEE Security and Privacy paper for details
SCIT04/21/23 12
Comparison of IDS, IPS, SCIT
Issue Firewall, IDS, IPS Intrusion tolerance
Risk management. Reactive. Proactive.
A priori information required.
Attack models. Software vulnerabilities. Reaction rules.
Exposure time selection. Length of longest transaction.
Protection approach. Prevent all intrusions. Impossible to achieve.
Limit losses.
System Administrator workload.
High. Manage reaction rules. Manage false alarms.
Less. No false alarms generated.
Design metric. Unspecified. Exposure time: Deterministic.
Packet/Data stream monitoring.
Required. Not required.
Higher traffic volume requires.
More computations. Computation volume unchanged.
Applying patches. Must be applied immediately.
Can be planned.
SCIT04/21/23 13
Server RotationsExample: 5 online and 3 offline servers
Server Rotation
Offlineservers; inself-cleansing
Online servers;potentiallycompromised
Servers-Virtual-Physical
SCIT04/21/23 14
Server RotationsExample: 5 online and 3 offline servers
Server Rotation
Offlineservers; inself-cleansing
Online servers;potentiallycompromised
Servers-Virtual-Physical
SCIT04/21/23 15
Server RotationsExample: 5 online and 3 offline servers
Server Rotation
Offlineservers; inself-cleansing
Online servers;potentiallycompromised
Servers-Virtual-Physical
SCIT04/21/23 16
Server State Transitions
Additional States Planned for Analysis and Archiving
Current
SCIT04/21/23 17
SCIT Supports Session Persistence
• SCIT does not require changing the application server or application code
• SCIT servers support session persistence but do not migrate state
• Session data is stored in shared memory or shared by multicasting among the virtual servers
• Session info is data and not executable
SCIT04/21/23 18
SCIT - Intrusion Tolerance Approach
• Increase security by reducing exposure window– Exposure window is the time a server is online between rotations– Optimizes application-specific exposure windows to servers
• Decreasing available time for intrusion, reduces potential losses
• No packet inspection; No signatures; No detection
• SCIT does not eliminate vulnerabilities or prevent intrusions, but makes it difficult to exploit the vulnerability
• Additional layer of defense– Integrated system: prevention, detection, tolerance
• Reduce managed services cost
• Adaptive SCIT
• Increase availability – reduce down time for upgrades – fewer reboots
Loss Curve
Intruder Residence Time
Lo
ss
T
T
Co
st
SCIT
Transaction Length in Multi-tier Architecture
Layer Implementation Transaction Length
Client Layer Web site, DNS service Short
Middle Layer Authentication, Single Sign On Short
VPN, Streaming Media Long
Back End Layer Transaction Processing Short
File Access Mixed
Complex Database Queries Long
SCIT
Exposure Time Reductions
Application Current Server SCIT Server
Websites – Windows Server 1 day to 3 month 60 seconds
Websites – UNIX Server 1 month to 6 months 60 seconds
DNS services – Linux Server 3 months to 1 year 30 seconds
In the following slides we show that:
Reducing Exposure Time Significantly Reduces Expected Loss
SCIT
Security Risk Assessment
Threat Probability
Criticality Factor
Effort Required
Risk Factor(Criticality/Effort)
Threat Level(Threat Probability x Risk Factor)
Vulnerability Factor
Asset Priotiy
Impact (Loss Factor)
Exposure Factor (EF)(Threat Level x Impact)
Single Loss Expectancy(SLE)
Annual Loss Expectancy(ALE)
x Asset Value (AV)
x Annual Rate of Occurrence (ARO)
Follows SecurityFocus.com (Symantec), Microsoft
SCIT
Risk Shaping by Exposure Time
SCIT
Multi Tier Example
Zone 1
DatabaseServer
Zone 3
Content Management Server
Workstation
Un-trusted domain
High Risk
Corporate Trusted domain
Medium Risk
Private domain
Low Risk
Zone 2
SCIT
SCIT vs Traditional Cumm Single Loss Expectancy
$0
$10,000
$20,000
$30,000
$40,000
$50,000
$60,000
$70,000
$80,000
SCIT Exposure Time
Reducing Exposure Time Significantly Reduces Expected Loss
Multi Tier Architecture
Web serverDNS server
Content ManagerDatabase server
SCIT
Avoidance is Better Than Cleaning
• You cannot clean a compromised system by – patching it. – removing the back doors. – using some vulnerability remover. – using a virus scanner. – reinstalling the operating system over the existing installation.
• You cannot trust – any data copied from a compromised system. – the event logs on a compromised system. – your latest backup.
• The only proper way to clean a compromised system is to flatten and rebuild.
• CLEANING COMPROMISED SYSTEMS IS DIFFICULT. IT IS BETTER TO AVOID HACKING.
SCIT
Case Study: Payment Card Industry
• Cost per exposed accounts (legal and professional fees, customer contact, post event clean up and improvements)
– More than 1M accounts compromised: $50 per account– Few (1500) accounts compromised: $1500 per account
• Cost for protecting data – 100,000 customers
• Bottom Line: Cost of exposed accounts >> Cost of protection
• Reducing Exposure Time provides additional layer of defense - makes it more difficult to exploit vulnerabilities and steal data.
Method $ per customer Comments
Year 1 Recurring
Encrypt data at rest $5 $1 Application Changes
Host IDS $6 $2 False Alarm management
Continuous security audits $3 - $4 $3 - $4 Vulnerability scanning
Source: Rapid 7 – Vulnerability Management Trends. Also Gartner Group
SCIT
Sample Requirements Met by SCIT Servers
• Web site should not be defaced longer than 1 minute
• DNS tables should be restored within 1 minute
• System should reduce data ex-filtration – when combined with IDS the volume of data that can be maliciously retrieved can be computed
• To ensure clean servers, remove malware every minute
• Change the face of the website every minute
SCIT
Randomized Defensive Strategies
• Current servers are static and overexposed -almost sitting ducks
• Randomly change the exposed face of the target– Hide, obscure, alter, move target
• Develop approaches that are effective in server farms and at the point of the spear
• Issues to address:– Impact on system administration– Scalability
SCIT
Comparing 4 Architectures
IDS
NIDS + HIDS NIDS + SCIT
SCIT
SCIT
Results of Simulation
Parameters used in the simulationSimulation Metrics
Value (units)
Number of queries used
50,000
Intruder Residence Time (IRT)
0 minutes to 2 months
Mean IRT – Pareto distribution
48 hours
Exposure Time – 2 cases
1. 4 hrs 2. 4 mins
Data Ex-filtration rate
675 records/breach
Results of the simulationCase Total
damage (records)
No. of breaches
Mean Damage (records/breach)
NIDS 245,962 (100%)
192 1,281
SCIT: ET 4hrsSCIT: ET 4 mins
55,364 (23%)1,015 (0.4%)
508508
1092
NIDS + HIDS 210,578 (86%)
164 1,284
NIDS + SCIT(ET 4 hrs)NIDS + SCIT(ET 4 mins)
20,931 (9%)
383 (0.16%)
191
191
110
2
SCIT
Target Applications
• E-Commerce payments – long session of multiple short transactions
• Streaming media
• VPN• Complex Database Queries• Back end processing
Tra
nsa
ctio
n L
eng
thLo
ng
S
hort
Low HighValue for Exposure Window Management
• Web servers• DNS services• Single Sign On• Firewalls• Authentication (LDAP)• Transaction Processors
• File Transfer (size dependent)
SCIT04/21/23 32
Collaboration with Systems Integrators
• Lockheed Martin– Testing and validation of SCIT servers.– Funded SCIT research
• Northrop Grumman– Testing and validation of SCIT servers.– Matching partner – Virginia CTRF project
• Raytheon– Collaborated on SBIR proposal
SCIT
OverallThe SCIT platform does reduce exposure time and confuses attacker efforts.There is a slight performance degradation as exposure time is reduced.
Component Test Objectives FindingsBasic Web Server with Session persistence
Defacement (recovery)System Compromise (limit effects)Data Corruption (recovery)Data ex-filtration (limit effects)
The resilience of the underlying VM architecture proved effective at thwarting any long term or permanent damage to the platform as a result of malicious activity.
E-Commerce Application Defacement (recovery time)System Compromise (limit effects)Data Corruption (recovery)Data ex-filtration (limit effects)Shopping Cart Price manipulation
The findings were the same as the basic web server and the shopping cart was not subject to manipulation
Single Sign-On SQL injectionSystem CompromiseUnauthorized access
Due to effective firewall and authentication input filtering the SSO architecture proved immune to O/S Corruption and Database Exploitation attack vectors. The underlying rotation of SSO Virtual Machine instances proved transparent throughout the entire course of testing.
Testing by Northrop Grumman
SCIT
Lockheed Testing
• The overall security features of the SCIT system performed as advertised. This tool is very effective in ensuring application availability and the integrity of the web server itself. It provides a stable platform on which an enterprise can host web applications.
• “…The evaluators found that the first step, port scanning, was successfully accomplished. However, the Nessus software just hung when establishing sessions with the open ports it found. This was probably because the rotation of the servers deleted the session information that Nessus left on the servers. “
• Recovery from DoS attack– Verify that the system will automatically recover from a website defacement attack.– Verify that the system will automatically recover if the service is made unavailable.
• Resiliency– Verify that if the vulnerabilities were executed they would not seriously impact the overall
system
• SCIT does not fix app/OS vulnerabilities; does not protect against the integrity, and confidentiality of the user’s session and sensitive data; these properties are the same as that of the application.
• Current SCIT implementations do not change the application code.
SCIT
Quick Review + Road Map
SCIT: Why? How? Scope. Independent Validation.
Performance.
DOD Network. Specific Server: SCIT – DNS.
Scalability.
Plans.
Demo
SCIT04/21/23 36
Performance & Functionality Stress Tests
• Workload: number of user sessions/minute (50,100,125)
• User session: – Series of request and response from server
– Select item from drop down list and add it to persistent storage
• OpenSTA is used to generate workload– 3 runs per case.
• Duration of run = 3 * Exposure time for the run– each VM is tested at least once
• Workload consists of N requests every 10 secs.
• Exposure times of 2,3 and 4 minutes, No Rotation
• Stand alone web server for Non-SCIT test.
SCIT04/21/23 37
Performance Test Results
SCIT Server Environment
• Entry Level DELL System•Dual processor – 4 cores each•Memory: 4 GB
• Slackware OS• Apache, Tomcat,
Shopping Cart (Java)
Exp Time (minutes) User Sessions Avg. Response Time (secs)
STD Dev
2 m 50 6.16 0.07
2 m 100 6.24 0.01
2 m 125 6.27 0.02
3 m 50 6.10 0.04
3 m 100 6.15 0.02
3 m 125 6.31 0.05
4 m 50 6.08 0.04
4 m 100 6.15 0.02
4 m 125 6.14 0.02
No Rotation 50 6.03 0.01
No Rotation 100 6.03 0.00
No Rotation 125 6.04 0.00
SCIT04/21/23 38
• Sustaining Networks • SCIT provides additional layer of defense.
• Tactical Networks• SCIT provides continuity of operations, automatic recovery.
SCIT and DoD Networks
Network Relative Size Frequency of Change
Security Support Staff
Sustaining Network
Many servers. Worldwide.
Slowly changing. Large & talented support
Tactical Network
Fewer servers. Smaller region.
Potential for rapid change.
Limited support. Frequent staff rotations.
SCIT04/21/23 39
• DODI 8500.2Enclave and Computing Environment IntegrityECID-1 Host Based IDSHost-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS).
• Payment Card Industry Data Security StandardConsumer Data Protection RequirementCompensating Control
Standards and Compliance Requirements
SCIT04/21/23 40
• Web site/ Ecommerce• Commercial Data Centers• Government Critical Infrastructure sites
(e.g. Emergency preparedness)• Database server protection• DNS servers• SSO servers • Cloud Computing Services
Potential Target Audience
SCIT04/21/23 41
DNS & DNSSEC & SCIT-DNS
• DNS is an essential part of Internet. – Used where names are used – web, email, web services, etc– DNS was designed for trusted environment.
• DNSSEC adds end-to-end security to DNS.– OMB has mandated DNSSEC.– “.. represents an infinitesimal presence .”
(http://dns.measurement-factory.com/surveys/200910.html) – Particularly challenging in some environments, like tactical.
• SCIT – DNS– DNSSEC is the preferred solution.– SCIT-DNS provides near DNSSEC trust with DNS convenience– Focus of Army SBIR
SCIT04/21/23 42
SCIT – DNS
Trust Degradation With Time
0
0.2
0.4
0.6
0.8
1
1.2
0 1 2 3 4 5 6 7
Time
Tru
stDNS SCIT-DNS DNSSEC
SCIT04/21/23 43
SCIT in Server Farms
Scalability Issues
•Can SCIT be incorporated in Enterprise environments?– Many servers– Many applications
•Can SCIT work in a multiple apps per server environment?
•Can SCIT VMs be distributed across the server farm?
•Can SCIT effectively exploit multi-core architectures?
Version 1 Objectives
•System Admin Function– Many apps and servers– Monitoring of the system state– Diagnostics
•Deployment of VMs– App related VMs are assigned to
the servers• Distribute after testing at a
staging server• System captures VM map to
facilitate deployment
•Distributing the sever load – Prelim simulation model– Resource Allocation model
SCIT
Staging Server
04/21/23 44
Pristine Image VM
SCIT Configuration & Construction
SCIT04/21/23 45
Current Status• Validated the scalability of SCIT: Developed SCIT Infrastructure
System (SIS)– Monitor server farm from a single point– Diagnostics from a single location– Automate the staging, testing and deployment of SCIT apps
• Pristine images, clones, dispatcher, controller• Specified the key management requirements• Configuration
– Simulation of SCITized multiple application server farm
• Independent validation at Lockheed units– Testing at Gaithersburg, Omaha, Rockville – Capture new use cases: upload and download of files taking 3 to 4 minutes: Share
Point
• Independent validation at Northrop Grumman Triad Labs - Colorado
• Moving target defense
• SCIT DNS
• SCIT SSO – SAML compatibility
• Community of interest: pubs, invited presentations and workshops
• Parallel Effort: Development, Quantitative, Simulation
SCIT04/21/23 46
Way Ahead
• Further Validation and Certification– Seeking Pilot project opportunities
• Examine long duration applications– Up to 5 minute uploads
• SCIT improvements– Dispatcher is static; can this be rotated; what about apps distributed
across server boxes– Dynamism enables diversity in deployment: OS, App, Memory Image– Multi-level rotations: apps, OS, hardware
• SCIT reconnaissance
• SCIT in cloud computing, Virtualized Desk Top Infrastructure
• Multiple apps per server
• Adaptive SCIT; Memory image based IDS; Hardware Enabled SCIT
SCIT04/21/23 47
IP Protection and Recognition
Issued Patents:
• " Self-Cleaning System“, US 7549167. Issued 6/16/2009. Inventors: Yih Huang and Arun Sood
• "SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", US 7680955. Issued 03/16/2010. Inventors: David Arsenault, Yih Huang and Arun Sood.
• “Single Use Server System", US 7725531. Issued May 25, 2010 Inventors: David Arsenault, Yih Huang and Arun Sood.
Pending Patents
• "Data Alteration Prevention System", Utility Patent Application No.: 11/419,832, 5/23/2006, Docket No.: GMU-05-037U. Inventors: David Arsenault, Yih Huang, and Arun Sood.
• Two additional patents applied in 2010.
Research Support: • Army (TATRC), NIST/CIPP, SUN, CTRF/Northrop Grumman, Lockheed Martin
Awards:
• Winner Security Technologies for Tomorrow – GSC and CNI-Expo competition 2 June 2010.• 2nd place GSC Cyber Security Challenge 13 Novermber2009. GSC=Global Security
Challenge, associated with London Business School.
SBIR:• Army – SCIT DNS with focus on tactical environment.
SCIT04/21/23 48
Benefits of SCIT
• SCIT removes malware every minute without detection– “.. 85 percent of the 285 million records breached in the year were
harvested by custom-created malware.” Verizon.
• SCIT reduces data ex-filtration– Data ex-filtration is slow gradual process to avoid IDS detection &
SCIT interrupts the flow every minute
• SCIT does not rely on signatures and is threat independent– IPS / IDS depend on signature matching and focus on known
threats. SCIT relies on exposure time control.
• SCIT automatically recovers from defacement or software deletion attacks: mission resilient
• SCIT reduces intrusion response (alerts) management cost– SCIT provides an additional dimension to separate false alarms.
SCIT
SCIT: Additional Capability
• Apply hot patches– Operating Systems– Applications
• Potential for fast recovery from bad patches
• Technology that converts a static system (“sitting duck”) into dynamic system– Different types of diversity: admin cost – security trade off
• Explicit use of time in secure system design
SCIT04/21/23 50
SCIT Publications + Contact Info
• SCIT technical publications
• Links to media reports
• Links to demo videos
http://cs.gmu.edu/~asood/scit
http://www.scitlabs.com
Questions?Arun Sood
{[email protected], [email protected]}
+1703.347.4494