Waging War Against the New Cyberwarrior

Tom Longstaff, tal@cert.org
CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense

Slide 2: Incidents Reported to CERT/CC

2001: 52,658
2002: 82,094

Slide 3: Vulnerabilities Reported

2001: 2,437
2002: 4,129

Slide 4: Cyber Strategy

Cyber-war is not just simple hacking.

Sociology of warriors vs. hackers
- Morale
- Organization
- Vigilance vs. assumed invulnerability

Motivation of warriors vs. hackers
- Accountability vs. anarchy
- Delayed vs. immediate gratification
- Internal vs. external gratification

Preparation of warriors vs. hackers
- Training
- Intelligence / strategy

Slide 5: Incident Trends

Slide 6: Intruder Technology

Intruders use currently available technology to develop new technology.

[Figure: timeline 1997, 1998, 1999, 2000 with the stage labels scan, compromise, propagate, coordinate; each year's tooling stacks a further stage on top of the scanning capability of the year before]

Slide 7: Information Collection, Analysis and Sharing for Situational Awareness

Slide 8: Overview

Challenge statement
• Too much data – too little information – not shared

Operational Need
CERT Vision/Goals
Our Approach
Project Maturity
Wrap up

Slide 9: Data Challenge

System & Network Administrators overwhelmed
• Data overload
• Important data often not collected
• Local/parochial focus

Poor Network Situational Awareness: Network Security Information is not shared
• Unconnected “Islands of Information”
• Ineffective, non-standard security tools and processes
• Non-technical reasons (organizational and liability)
• Unwilling to yield autonomy to gain better information

Attackers share information more efficiently

Slide 10: Our Vision

An operationally flexible system providing:
• Clear avenues for exchanging relevant data
• Improved local monitoring
• Improved cueing methods
• Cross organization analytical capabilities
• Improved indications and warning
• Cross organization situational awareness

Slide 11: Our Goal

Collect structured, sanitized, and representative situational awareness data in a standardized format to:
• Recognize and respond faster (prior to damage)
• Permit collection of focused information on activity and trends
• Alert operators for proactive response
• Provide tools for sites to manage incident information

Slide 12: Bi-directional Solution

Top-down
• Collection, organization, and analysis of data from wide, shallow sensors

Bottom-up
• Federation of data from narrow, deep sensors
  - Alerts from IDSs and Firewalls
  - Raw data from sniffers & recorders

Slide 13: Top-Down Approach

Similar to the DEW line* – early indication that an attack may be coming, facilitated by sensing the entire network

Analysis for I&W
• Hacking involves reverse engineering: the attacker must probe, examine and determine the “right” approach
• Frequently precursors to attacks are buried in the “noise”
• Improve our ability to detect attacker behavior in the pre-attack stages

Preventive Analysis
• Detect configuration errors

* DEW - Distant Early Warning

Slide 14: Top-Down

[Diagram: Top-Down deployment. Labels: Internet, OC3, Edge Router, Netflow Collector, Firewall/Router, 100Mb/T1, Intranet; real time collection, analysis and alert tools]

Slide 15: Top-Down

Collect coarse data
• No payload data
• Headers Only – Source, Destination IP and ports; protocol; times; traffic volumes (e.g. packets and bytes)
• Both inbound and outbound

Collect wide data
• >95% network coverage
• Multiple networks

Collect a lot of data
• Requires a data center with large computational and storage capacity to facilitate historical analysis
• Scalable collection and analysis
• Outbound data indicates planted code or insiders

Slide 16: Top-Down - Wide Shallow Sensors

Netflow
• Originally defined by CISCO but increasingly becoming standard
• See what the router sees

Records of “flows” created at the router
• Assist in routing and in reporting network traffic statistics

Consists of flow records aggregated from packets. Sent to a collector and aggregated into different information records for varied analysis.

Slide 17: Inbound Slammer Traffic

[Chart: UDP Port 1434 Flows; x-axis Hour, 1/24 00:00 to 1/25 18:00; y-axis Flows, 0 to 40,000,000]

Slide 18: Slammer: Precursor Detection

[Chart: UDP Port 1434 - Precursor; x-axis Hour, 1/24 00:00 to 1/25 04:00; y-axis Flows, 0 to 160,000]

Slide 19: Slammer: Precursor Analysis

Focused on hours 6, 7, 8, 13, 14
Identified 3 primary sources, all from a known adversary
All 3 used a fixed pattern
Identified responders: 2 out of 4 subsequently compromised.

Slide 20: Detecting Scans

Detect scans against client network hosts
• Higher intensity scans
• “Low and slow” scans
• Coordinated (distributed) scanning

Slide 21: Low-Packet Filtering

[Chart: Sessions vs. Time, December 12th-14th 2002; x-axis Time (30 second bins); y-axis Records, 0 to 450; series LowPacketSessions and All tcpSessions]

Slide 22: Stealth Tool Detection

We are studying extremely slow (“1 packet a day scanner”) traffic on the Internet.

As an initial trial, we identified sources sending between 1 and 3 packets of TCP (non-Web) traffic per day into the client’s networks. We applied this to the period September 1-11, finding that 0.00001% of the traffic matched this pattern.

Further analysis yielded a fingerprint for one tool. The tool’s profile appears to match Compaq Insight Manager XE on the client network.
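As an added illustration (not code from the presentation or from CERT/CC), the top-down analyses of slides 15 to 22 run over constructed header-only flow records: hourly UDP/1434 flow counts with a simple precursor cue, low-packet TCP sessions, and sources matching the 1-3 non-web TCP packets per day pattern. The record format, the thresholds and the sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """Header-only flow record (no payload), as collected Top-Down."""
    start: datetime
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'start,src,dst,proto,sport,dport,packets,bytes' record."""
    start, src, dst, proto, sport, dport, pkts, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(start), src, dst, proto.lower(),
                int(sport), int(dport), int(pkts), int(nbytes))


def hourly_port_counts(flows, proto, dport):
    """Flows per hour to one service (the UDP/1434 chart for Slammer)."""
    counts = Counter()
    for f in flows:
        if f.proto == proto and f.dport == dport:
            counts[f.start.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def precursor_hours(counts, factor=3.0):
    """Hours whose count exceeds `factor` times the median hour: a crude cue
    that probing of a service is rising above the background noise."""
    if len(counts) < 3:
        return []
    vals = sorted(counts.values())
    median = vals[len(vals) // 2]
    return sorted(h for h, c in counts.items() if c > factor * max(median, 1))


def low_packet_sessions(flows, max_packets=3):
    """TCP flows with very few packets: a completed session carries a handshake
    plus data, so 1-3 packet flows are mostly scans and failed connects."""
    return [f for f in flows if f.proto == "tcp" and f.packets <= max_packets]


def low_and_slow_sources(flows, min_per_day=1, max_per_day=3, web_ports=(80, 443)):
    """Sources whose non-web TCP traffic is only 1-3 packets on every day they
    appear: the '1 packet a day scanner' trial. Returns {src: [days]}."""
    per_day = defaultdict(Counter)
    for f in flows:
        if f.proto == "tcp" and f.dport not in web_ports:
            per_day[f.src][f.start.date()] += f.packets
    return {src: sorted(days) for src, days in per_day.items()
            if all(min_per_day <= n <= max_per_day for n in days.values())}


# Constructed sample records (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = """\
2003-01-24T05:10:00,198.51.100.7,192.0.2.10,udp,1031,1434,1,404
2003-01-24T06:02:00,198.51.100.7,192.0.2.10,udp,1032,1434,1,404
2003-01-24T06:05:00,198.51.100.7,192.0.2.11,udp,1033,1434,1,404
2003-01-24T06:20:00,198.51.100.8,192.0.2.12,udp,2001,1434,1,404
2003-01-24T06:31:00,198.51.100.8,192.0.2.13,udp,2002,1434,1,404
2003-01-24T06:44:00,198.51.100.8,192.0.2.14,udp,2003,1434,1,404
2003-01-24T07:15:00,198.51.100.7,192.0.2.20,udp,1034,1434,1,404
2003-01-24T08:40:00,198.51.100.8,192.0.2.21,udp,2004,1434,1,404
2003-01-24T09:00:00,203.0.113.77,192.0.2.30,tcp,40000,22,1,40
2003-01-24T09:00:01,203.0.113.77,192.0.2.31,tcp,40001,22,1,40
2003-01-24T09:00:02,203.0.113.77,192.0.2.32,tcp,40002,22,1,40
2003-01-24T09:00:03,203.0.113.77,192.0.2.33,tcp,40003,22,1,40
2003-01-24T09:00:04,203.0.113.77,192.0.2.34,tcp,40004,22,1,40
2003-01-24T10:00:00,198.51.100.9,192.0.2.40,tcp,51000,80,12,6100
2003-01-24T11:30:00,203.0.113.5,192.0.2.50,tcp,1025,139,1,40
2003-01-25T11:32:00,203.0.113.5,192.0.2.51,tcp,1026,445,2,80
"""


def analyze(records: str) -> dict:
    """Run the three analyses over a blob of flow records."""
    flows = [parse_flow(l) for l in records.splitlines() if l.strip()]
    counts = hourly_port_counts(flows, "udp", 1434)
    fmt = "%m/%d %H:00"
    return {
        "udp1434_by_hour": {h.strftime(fmt): c for h, c in sorted(counts.items())},
        "precursor_hours": [h.strftime(fmt) for h in precursor_hours(counts)],
        "low_packet_sessions": len(low_packet_sessions(flows)),
        "low_and_slow": {s: [d.isoformat() for d in days]
                         for s, days in low_and_slow_sources(flows).items()},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS).items():
        print(key, value)
```

The burst of 1434 probes in hour 06 is flagged as a precursor, the five one-packet SSH probes and the two stray connects are the low-packet sessions, and only 203.0.113.5 fits the 1-3 packets per day profile because the SSH scanner sends five packets in one day.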

Slide 23: Bottom-Up Approach

Using data from Commercial Off the Shelf (COTS) security solutions already deployed
• e.g., Intrusion Detection Systems, firewalls, system logs, Snort, RealSecure, PIX, IPTables, syslog

Custom-developed technology (AirCERT), currently not present in commercial products, to integrate, convert, analyze, and share the data

Combination enables analysis of security event data from across administrative domains
• Different entities
• Different scales:
  - Subsidiary
  - Corporation
  - Sector

Slide 24: Bottom-Up

[Diagram: Bottom-Up deployment. Labels: Sensor (Packet Capture), IDS System, Web Server, Mail Server, AirCERT Collector, Intranet, Firewall/Router, to other subnets…]

Slide 25: Bottom-Up

Collect data from security devices (firewalls and intrusion detection devices)
• All or part of a packet
• Testimonials (e.g., IDS alerts), and associated contextual data

Collect widely varied data
• Maximize network diversity (e.g., edge vs. transit; many administrative domains)
• Maximize sensor diversity (e.g., IDS, firewall)

Configurable volume of data
• Determined by local site and collaborators
• Scalable collection and analysis

Slide 26: Bottom-Up

Implementation
• Flexible, open-source, standards-based reference implementation of an Internet-scalable threat assessment system

Capability consists of components for
• Data Collection
• Data Sharing

Slide 27: Implementation

[Diagram: combined Top-Down and Bottom-Up deployment. Labels: Internet, OC3, Edge Router, Netflow Collector, Firewall/Router, 100Mb/T1, Intranet, Sensor (Packet Capture), IDS System, Web Server, Mail Server, Collector]

Slide 28: What Do You Do With This Data?

Predictive numerical and statistical analysis
• Calculate long-term trends
• Profile traffic – map servers, create baselines
• Continual monitoring for attack precursors

Traffic Analysis
• Routing Anomalies and flaws
• Packet/Byte Characteristics

Weak general results can drive strong focused analysis
Analysis from Top-Down can drive Bottom-Up, and vice-versa

Slide 29: What Else Do You Do With This Data?

Manage and analyze event data at all points in the reporting hierarchy to detect and identify
• Compromise with cross-site data
• Coordinated, distributed attacks
• Slow and stealthy scans
• Network attack “fronts”
• Multi-site trends
  - Distinguish between local and global activity
  - Targeted scans
  - Vulnerability probes

Slide 30: Integrating Top-Down & Bottom-Up Analysis

• Augment data collection and configuration at the “leaves”
• Supplement or verify existing local security analyses and processes
• Employing cues gained from analysis at the “root”, focus analysis on data previously deemed benign or ignored
• Verify suggestive top-down and cross-site analysis by the selective analysis of data collected at the “leaves”

Slide 31: ACID Architecture

[Diagram: Snort or Firewall writes over a Network Link into the Alert Database; a Web Server (PHP) running ACID serves Browsers for Analyst #1, Analyst #2 … Analyst #N]

ACID can only analyze what is in the Alert Database

Slide 32: Views of Data (grouping)

• ACID has no implicit analysis functionality -- only presents the data by
  - Event (Signature)
  - Classification
  - IP Address
  - Port
  - Flow
  - Time
  - Sensor
  - Charts grouped by time, IP, classification and ports
  - User defined queries

Slide 33: Event (Signature) view (Unique Alert)

• Identifies the different types of attacks

From Main, click on the number next to ‘Unique Alert’

Columns shown: Signature; Classification; Total Number of Occurrences; Reference; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence

Slide 34: Classification view

• Identifies the different event classifications

From Main, click on the number next to ‘categories’

Columns shown: Classification; Number of Events; Total Number of Occurrences; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence

Slide 35: Address view

• Identifies the most frequently attacked machines
• Identifies network blocks of frequent attackers

From Main, click on the number after ‘IP’

Columns shown: IP Address; Total Number of all Events; Fully Qualified Domain Name; Number of times seen in opposite direction; Number of Unique Events; Number of Sensors

Slide 36: Port view

• Identifies the most commonly targeted services

From Main, click on the number after ‘Port’

Columns shown: Port; Number of Unique Events; Number of Sensors; Number of Src/Dst IP; First/Last Occurrence; Total Number of all Events

Slide 37: Flow view

• Identifies suspicious events by flow activity

From Main, click on the number after ‘Unique IP Links’

Columns shown: FQDN and IP of Source; FQDN and IP of Destination; Protocol; Number of Unique Events; Total Number of all Events; Unique Destination Ports

Slide 38: Sensor view

• Aggregate statistics on sensor

From Main, click on the number next to ‘# of Sensors’

Columns shown: Sensor ID; Sensor Name; Total Number of all Events; Number of Unique Events; Number of Src/Dst IP; First/Last Occurrence

Slide 39: Temporal view (Alert Listing)

• Identifies event chronology

Returned by any Searches or Alert Listing Snapshots

Columns shown: [Query Seq. Number, Sensor ID, Event ID]; Timestamp; Event (Signature); Src/Dst IP and Port; Layer-4 IP encapsulated protocol

Slide 40: Temporal view (2): Graph Alert Detection Time

• Graphs number of alerts aggregating on hour, day, or month
• Visually represents peak attack periods

From Main, click on ‘Graph Alert Detection Time’

Columns shown: Time Interval; Number of Events occurring in the time interval

Slide 41: Drill-Down: Individual Alert

Click on the ID in any Alert Listing

Slide 42: Drill-Down: IP Address

• Provides statistics on an individual IP address
• Links to external registries and tools to gather information about the address

Click on the IP address in any Alert Listing

Slide 43: User Interface: Main

Slide 44: User Interface: Navigation

[Screenshot annotations: ACID Browser “Back” button; Currently Selected Criteria; Browsing Buttons; Alert Actions; Checkbox to select alert]

Slide 45: Analysis Example: Most Frequently Targeted TCP Services

Slide 46: Project Maturity

Top-Down
• Highly efficient data partitioning and packing format
  - Does not rely on a relational database
  - Packs 90+Gb per day into less than 30Gb
• Generic analysis tools written to perform ad-hoc analysis
  - Processes a day’s worth of data in under 10 minutes
  - Rapid analytical tool development API
• Operational deployment at sponsor site

Bottom-Up
• Prototype collection infrastructure developed and tested
• Active involvement in IETF security standards activity
• Pilot testing in progress

Slide 47: Project Maturity: Continuing Efforts

• Involve more pilot sites
• Improve analytical capabilities
• Improve automated configuration
• Continue standards development efforts
• Increase collection diversity by supporting additional COTS
• Persuade vendors to adopt standards

Planned Extensions to Netflow Analysis
• Enhanced with additional data based on payload but packed into the existing form-factor
• Aggregation into session records
• Matching aggregated session records into transaction records

Slide 48: Summary

• Transformational approach to data collection, sharing, analysis and response for Computer Network Defense
• Provides timely, focused information to operators – providing cues for immediate action
• Provides tools for local, tailored analysis
• Provides local, enterprise and Internet Situational Awareness information
• Levels the playing field

Slide 49: Modeling and Simulation

How do we drink from this fire hose?

Goal is to use the volume of information to gain a predictive power over our adversaries

Slide 50: Emergent Algorithms

[Figure: cycle of Attack, Recognize & Resist, Recover, Adapt]

New Ideas
• Survivability is an emergent property of a system
• Emergent algorithms are distributed computations that fulfill mission requirements in the absence of central control and global visibility
• Local actions + Near-neighbor interactions => Complex global properties

Impact
• A new methodology for the design of highly survivable systems and architectures
• Ability to produce desired global effects through cooperative local actions distributed throughout a system (“self-stabilizing”)

Current Research
Design an emergent algorithm simulation environment and language (“Easel”) to:
• Simulate and visualize the effects of specific cyber-attacks, accidents and failures
• Create a test-bed for mission-critical systems

Slide 51: The nature of complex, unbounded systems

Easel is a new computer language designed to simulate complex, unbounded systems. Such systems exhibit the following properties
• Large numbers of autonomous components
• Incomplete and imprecise information
• Limited local knowledge
• No central control
• Bounded number of neighbors
• Competing objectives

Such systems are more survivable because of
• adaptability
• graceful degradation
• no critical points of failure
• awareness of the local environment

Slide 52: Six explorations in survivability

• cascade failure in organizations: failure propagation through an organizational network
• network topology generation: survivability is a function of topology
• simple network message routing: illustration of a very simple routing algorithm
• network attackers and defenders: attackers compromise and defenders patch
• epidemic dynamics: local contact leads to global infection
• seismic collapse of a building: elastic response of linked beams to seismic shaking
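An added sketch, not Easel and not code from the presentation: the attackers-and-defenders and epidemic explorations of slides 50 to 52 as a synchronous simulation in which every node acts only on what it sees at its neighbours, so that survivability emerges from topology rather than from any central controller. The rules (patch and compromise each spread one hop per round; a patch wins a tie) and the three topologies are assumptions.

```python
def chain(n):
    """Path topology 0-1-2-...-(n-1)."""
    return {i: {j for j in (i - 1, i + 1) if 0 <= j < n} for i in range(n)}


def ring(n):
    """Cycle topology: every node has exactly two neighbours."""
    return {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}


def star(n):
    """Hub-and-spoke: node 0 is the hub, nodes 1..n-1 are leaves."""
    adj = {0: set(range(1, n))}
    adj.update({i: {0} for i in range(1, n)})
    return adj


def simulate(adj, attacker_seeds, defender_seeds):
    """Run rounds until nothing changes. Each round a vulnerable node that sees
    a patched neighbour gets patched, a vulnerable node that sees a compromised
    neighbour gets compromised, and patching wins when both happen at once.
    No node knows anything beyond its own neighbours (no global visibility)."""
    state = {n: "vulnerable" for n in adj}
    for n in attacker_seeds:
        state[n] = "compromised"
    for n in defender_seeds:
        state[n] = "patched"
    rounds = 0
    while True:
        to_patch = {n for n in adj if state[n] == "vulnerable"
                    and any(state[m] == "patched" for m in adj[n])}
        to_compromise = {n for n in adj if state[n] == "vulnerable"
                         and any(state[m] == "compromised" for m in adj[n])} - to_patch
        if not to_patch and not to_compromise:
            return state, rounds
        for n in to_patch:
            state[n] = "patched"
        for n in to_compromise:
            state[n] = "compromised"
        rounds += 1


def survivability(adj, attacker_seeds, defender_seeds):
    """Fraction of nodes that end up not compromised: the emergent global property."""
    state, _ = simulate(adj, attacker_seeds, defender_seeds)
    return sum(s != "compromised" for s in state.values()) / len(state)


def compare_topologies(n=10):
    """Same node count, one attacker seed and one defender seed, different wiring.
    The last case places the attacker on the hub, the star's critical point."""
    return {
        "chain": survivability(chain(n), [0], [n - 1]),
        "ring": survivability(ring(n), [0], [n // 2]),
        "star": survivability(star(n), [1], [n - 1]),
        "star_hub_attacked": survivability(star(n), [0], [n - 1]),
    }


if __name__ == "__main__":
    for name, frac in compare_topologies().items():
        print(f"{name:18s} survivability {frac:.1f}")
```

With identical local rules the star survives almost entirely when the attacker starts on a leaf (the hub is patched before it can be compromised) and collapses when the attacker starts on the hub, which is the "no critical points of failure" property of slide 51 made concrete.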

Slide 53: Where can Easel help?

Provide independent verification that complex system designs have no serious survivability flaws

Analyze scenarios with respect to impact of:
• design assumptions
• human error
• incomplete or imprecise information
• common mode failures
• single point of failure leading to cascading failure
• organized malicious attacks

Slide 54: Dealing with the Threat - Fusion Analysis Efforts

Data Collection
• AirCERT
• Open source correlation

Individual Event Analysis

Statistical Analysis

Modeling and Simulation

Slide 55: What’s Next?

Our coordination of information must be commensurate with the enemy’s ability to use this information against us

We must create a new world of checks and balances to match the appropriate use of information in the pursuit of malfeasants

The key to this revolution is local administration of information while maintaining global coordination

Slide 56: Changes in Intrusion Profile

1988
• exploiting passwords
• exploiting known vulnerabilities

Today
• exploiting passwords
• exploiting known vulnerabilities
• exploiting protocol flaws
• examining source and binary files for new security flaws
• abusing anonymous FTP, web servers, email
• installing sniffer programs
• IP source address spoofing
• denial of service attacks
• widespread, automated scanning of the Internet
• deep vulnerabilities in SNMP, SSL, WEP, …

The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems

Slide 57: Scanning for Victims

Today:

Wide scale scanners collect information on 100,000s of hosts around the Internet

Sniffers now use the same technology as intrusion detection tools

Number and complexity of trust relationships in real systems make victim selection easier

Slide 58: Scanning for Victims

Tomorrow:

Use of data reduction tools and more query-oriented search capability will allow reuse of scan data

Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data

Scan data becomes a commodity like marketing information

Slide 59: The Future of Probes

We’re very likely to see more:
• widespread brute-force scanning with little regard for being detected
• stealthy probes like SYN and FIN that require packet logging to detect
• attempts to hide the origin of the probes through spoofing and decoys
• automated vulnerability exploits that probe and compromise in a single step

Slide 60: Typical Intruder Attack (Yesterday)

Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

[Diagram: a single intruder scanning sites across the Internet]

Slide 61: Distributed Coordinated Attack (Today)

Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

[Diagram: the same scenario across the Internet, now carried out through many distributed clients]

Slide 62: Distributed Coordinated Attack

• Uses 100s to 1000s of clients (10,000s)
• Is triggered by a “victim” and “time” command
• Command channels include IRC, SNMP, ICMP
• May include dynamic upgrade and be spread by worms
• Will simultaneously attack the victim from all clients
• Today used in DoS attacks only

Slide 63: Issues for Responding to DoS Attacks

Filtering/detecting this attack is problematic!

The intruder’s intent is not always clear in denial of service attacks. The intruder might be
• using the DoS attack to hide a real attack
• misusing resources to attack someone else
• attempting to frame someone else for the attack
• disabling a trusted host as part of an intrusion

Attacks also frequently involve
• IRC abuse
• intruders attacking each other
• retaliation for securing systems

Slide 64: The Future is Automation

Put these together and what do you get?
• tools to scan for multiple vulnerabilities
• architecture identification tools
• widely available exploits
• pre-packaged Trojan horse backdoor programs
• delivery and recon through active content

Bad news!

Together, these publicly available tools could be modified to launch wide-spread scans and compromise systems automatically.

Slide 65: Warning Signs of Today

We
• Tolerate unexpected program behavior
• Place little value on software quality
• Assemble parts with no clear idea what each part does nor who created it
• Spread highly capable and functional components through the hands of the unenlightened

Slide 66: Tom Longstaff’s Predictions for the Next Decade (well, at least the next 3 years)

• Network crime on the rise
• Many countries and NGOs preparing information warfare weapons
• Insiders and planted vulnerabilities control the battlespace
• Information warfare will be combined with traditional tactics (e.g., Iraq)