1、Active Defenses to Cyber AttacksUW Information School/Agora Workshop09/12/03Supported by a research grant from Cisco Systems Critical Infrastructure Assurance GroupAgenda Three floating moderators“Three hour tour”format Background(45 minutes)Open discussion of issues(1 hour)Attack Scenario(20 minute
2、s)9 potential AD actions(2 hours)10-15 minutes eachDesired outcome Get feedback on current outline of Active Defense Get ideas on pros/cons of AD actions Identify avenues of legal/ethical/technical research Identify alternatives and possible changes in laws,public/private CompSec policies Have a fun
3、 time!Background Topic discussed in Pre-Agora meeting June 8,2001 and again in Q1 2003 Current USG interest Ongoing private sector interest Lack of common definitions Potential impact on national&international debateSenate debateIf we can find some way to do this without destroying their machines,we
4、d be interested in hearing about that.If thats the only way,then Im all for destroying their machines.If you have a few hundred thousand of those,I think people would realize the seriousness of their actions.Theres no excuse for anyone violating copyright laws.”Utah Senator Orrin HatchInformation As
5、surance Information Assurance(IA)concerns information operations that protect and defend information and information systems by ensuring availability,integrity,authentication,confidentiality,and non-repudiation.This includes providing for restoration of information systems by incorporating protectio
6、n,detection,and reaction capabilities.Source:National Security Telecommunications and Information Systems Security Instruction(NSTISSI)No.4009,January 1999Attacks(Strategic level)Denial of Service Theft/alteration of data Web page defacement Industrial espionage Theft of services/resources“Stepping
7、stones”/anonymity Caching data/malware Violation of copyright(“warez”)Attacks(Tactical level)Remote service exploitation Log alteration/rootkits Sniffers Covert channel comms Stepping stones Encryption Address forgery/hijacking Distributed attacks Reflected attacksAttack Specifics(example)Denial of
8、Service Resource consumption HostProcessorMemoryNetwork services NetworkBandwidthRouter Resources(see Host above)Crashing RedirectionYou are hereYou are hereDefenses(Strategic level)Firewalls IDS Logging/monitoring Host(e.g.,accounts,processes,services)Network(flows,connections,data)Honeypots/Honeyn
9、ets Augment FW/IDS DeceptionDefenses(Tactical level)Topological/Access control changes Sniffing/keystroke logging Scanning Traffic redirection Traffic analysis Honeypots/Honeynets Remote exploitation Denial of ServiceBig loss over timeWarbucks lost commissions on stock tradesSmall loss over timeIndi
10、vidual selling used books on AmazonStages of Response 0-Unconscious 1-Involved 2-Interactive 3-Cooperative Response 4-Non-cooperative(AD)Response“Unconscious”Stage 0:“Right out-of-the-box”“The firm/system owner/operator takes no active role,either directly or through proxy,to modify,improve,enhance,
11、or alter defensive capabilities inherent in the hardware,firmware,and/or software as delivered from the manufacturer or installer.”“Involved”Stage 1:“Doing Business”“The firm/system owner/operator establishes(either directly or via proxy)a baseline,tailored,day-to-day defensive posture involving onl
12、y resources directly owned or operated by that owner/operator.The posture is maintained/kept current.”“Interactive”Stage 2:“Weve Got a Problem”“The firm/system owner/operator applies measures,in response to warning or evidence of malfeasance,to resources directly owned or operated by them.The measur
13、es are beyond the baseline because they cause some loss of flexibility,capability,or ease of use and the owner/operator does not want/intend them to become routine business practice.”“Cooperative Response”Stage 3:“Reach out”“The firm/system owner/operator engages other organizations/firms/systems to
14、 take measures intended to attribute,mitigate,or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”“Non-cooperative Response”Stage 4:“.and Touch Someone.”“The firm/system owne
15、r/operator takes measures,with or without cooperative support from other parties,to attribute,mitigate,or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could(if cooperative)attribute,mitigate,or eliminate the threat.”Active Defense Ag
16、ora workshop on June 8,2001 defined“Active Defense”to be activity at Stage 4 Stage 4 has levels,though Less intrusive to more intrusive Less risky to more risky Less disruptive to more disruptive Justification for and defense of your actions may depend on how well you progress through all 4 stagesLe
17、vels of Active Defense 4.1-Non-cooperative intelligence collection External services(finger,netstat,nbtstat)Back doors/remote exploit to access internal services 4.2-Non-cooperative cease&desist 4.3-Retribution or counter-strike 4.4-Preemptive defenseWhat Do We Need to Know?Are your losses and the p
18、otential risk to you at least equal to the benefit gained if you are successful?Who is it?Or“Attribution;the$64,000 question.”What are you contemplating doing?What effect do you intend to achieve?What blow back could occur?What Do We Need to Know?What are your personal and organizational risks?Who c
19、an help?Who are you going to call if you do this?Who/what is the target?How do you know?Who defines what active defense is for you?Was there another way?Or“Creative Response versus Active Defense”Best Practice is to Think Ahead Risk Mitigation Strategy:Early,early,early Pre-arranged moves with your
20、ISP Business interruption insurance Before-the-fact discussions with the Law Pre-arranged responses within Time things out Range of response options for the CEO Who provides the oversight of this decision?Other Points If this hurts your head,be glad youre not in Congress Dark Noise:Its there and its
21、 useful People with the power of nation states Roles of government Can it provide recourse?Can it ever get fast enough?Agora as mentorUnintended consequences Xerox PARC,1978 Researchers use worms to automate tasks on Alto network Innocuous code corrupted 200 systems crash,reboot,crash Morris worm in
22、 1988 also buggy Even Nachi isnt perfectOudots reaction to Blaster Used“honeyd”to pretend to be vulnerable Windows box Opened fake worm port(4444/tcp)Captured worm payload using tftp Provided prototype cleanup code(that worked!)SysAdmins at UW polled:76 respondentsOpen DiscussionAttack Scenario Play
23、ers Warbucks Financial Services Target Medical Center at the University of Hard Knocks Francis X.Hackerman C_primeWarbucks Financial Services Boutique stock services for high$clients Real-time quotes from their web site CRM system used in-house Voice over IP comms Laptops for ul/dl data and email Al
24、l systems tightly integrated for speed,flexibility,customized serviceHard Knocks U Large State U w/four campuses Combined Academic/Clinical Med Center(Target Medical Center)TMC has Computerized Physician Order Entry(CPOE)system connected to Electronic Medical Record(EMR)system TMC used as DDoS agent
25、s HKU used as stepping stone,cache and DDoS handler(on different campuses)Francis X.Hackerman CISO of Warbucks Recent graduate of HKU School of Information Management Was notorious hacker in High School Considers himself a highly skilled“hired gun”when it comes to computer networksC_prime Security E
26、ngineer at Hard Knocks University Senior member of incident response team Represents HKU on Higher Ed ISAC Her background includes mathematics,programming,system administrationAttack Attacker owns 2000-3000 hosts world-wide(stepping stones,DDoS agents)Attacker choses to take out all services at Warb
27、ucks via massive rolling DDoS attack(100-300 hosts at a time)Warbucks network is inoperative-difficulty tracing attack sources,but notes some at TMC,HKU,many other.edus,etc.HKU IRT was already investigating intrusions to hosts on their net(have isolated malware)Possible consequence of a disruptive A
28、D action towards TMCs network is death of a patientResponse Hackerman and C_prime both go through Stages 1 to 3 DDoS traffic cannot be entirely blocked by their upstream network provider DDoS network too large/dynamic to contact all sites involved Explore options at Stage 4Action A C_prime finds a s
29、niffer log on a compromised TMC system.This log exposes an account and password on a host in Canada(used as a cache and stepping stone by the attacker).She has the ability to enter the Canadian system with root privilege,and could periodically run operating system commands to monitor use and/or copy
30、 files off the system.Action B Using this same password,she could also shut this host down temporarily or semi-permanently,requiring administrator intervention.This could disable some/all of the DDoS network(cant be sure)Consequence:Host goes downAction C C_prime identifies means of controlling(even
31、 disabling)DDoS agents on other hosts.This knowledge could be used to shut down just the DDoS agents on all affected hosts at once during a DDoS attack.Consequence:DDoS agents stoppedAction D Hackerman scans the entire network at TMC,identifying all nodes(IP address,operating system type,all service
32、s enabled,versions of services.)Sends results to TMC network contact.Gets no reply.Action E Hackermans scan finds a router vulnerable to a one or more remote DoS attacks.Has the option of using exploits to disable this router.Consquence:Outage would affect all hosts on TMCs network that share this r
33、outer.(Possible result:Patient dies)Action F Hackerman scans just the identified DDoS agents at HKU&TMC(identifying operating system type,all services enabled,versions of services).Finds they are vulnerable to a remote exploit.Could use this means to enter and disable network access to these hosts.S
34、imilar to what RIAA/MPAA were proposing for copyright violators Consequence:Host losses network access(Similar to E)Action G Hackermans scan shows a large number of Windows desktops vulnerable to various DCOM flaws.Could modify publicly available exploits/worms to affect only systems on the HKU,TMC
35、networks,shutting them down.Consequence:Many hosts go down(Similar to E)Action H Another alternative for Hackerman could be to use DCOM exploits to take over control of one or more systems on TMCs network,using them to sniff traffic of the intruder as stepping stones are used.This could identify the
36、 intruder,or at least get one hop closer Consequence:None?Action I Hackerman is contacted by C_prime,who knows Warbucks is victim of massive DDoS.Provides Hackerman with information about suspected DDoS handlers,perhaps even attackers other stepping stones.Hackerman could attack these sites to try to pre-empt another round of attacks on Warbucks network.Consequence:?Action JAction KAction L
