The Active Response Continuum to Cyber Attacks

David Dittrich
The Information School/Center for Information Assurance and Cybersecurity
University of Washington

AusCERT 2005

Overview

Why consider Active Responses?

What is the “Active Response Continuum?”

Ethical issues

Potential solutions

Why Consider Active Responses?

The James-Younger Gang and the Pinkerton Agency

Piracy and Privateering

Attacks on supercomputer Centers

You are… where???

Deterrence to Strategic InfoWar

SIW is an attack on critical infrastructure
Military relies on civilian infrastructures
Private industry controls civilian infrastructure

Typical deterrent means:
Denial (not likely!)
Punishment (who is attacking?)

Answer: Encourage industry to improve defenses (hardening and response)

Building a Deterrence Policy Against Strategic Information Warfare, by Geoffrey S. French

Impediments to response

“Private Intrusion Response,” Stevan D. Mitchell and Elizabeth A. Banker (11 Harv. J. Law & Tech 699)

Issues cited:
Difficulties in detection
Limited reporting
Jurisdictional complexity
Resource constraints on LE

Issues (cont.)

CFAA limits private response

LE capabilities vs. private sector

Options few between criminal remedies and doing nothing

• You have to know who attacked you to use civil or criminal remedies

Authors call for balanced public/private approach (more on this later…)

Growing public debate

“Are you tired of feeling vulnerable to the latest security vulnerabilities? Are you fed up with vendors who take too long to release security patches, while criminals waste no time in exploiting those very same holes? Do you want to know who, exactly, is really trying to hack your network? Do you think EVERYONE should be responsible for securing their own systems so they can't be used to attack yours? Do you think you have the right to defend yourself, your network, and ultimately your business against aggressors and adversaries? If so, Aggressive Network Self-Defense is the book for you. Learn how you can take your security into your own hands to identify, target, and nullify your adversaries.”

Foreword

There is a certain satisfaction for me in seeing this book published. When I presented my "strike-back" concept to the security community years ago, I was surprised by the ensuing criticism from my peers. I thought they would support our right to defend ourselves, and that the real challenge would be educating the general public. It was the other way around, however. This is why I'm happy to see Aggressive Network Self-Defense published. It shows that people are beginning to consider the reality of today's Internet. Many issues are not black and white, right or wrong, legal or illegal. Some of the strike-back approaches in this book I support. Others, I outright disagree with. But that's good--it gives us the chance to truly think about each situation--and thinking is the most important part of the security business. Now is the time to analyze the technologies and consider the stories presented in this book before fiction becomes reality.

Timothy M. Mullen, CIO and Chief Software Architect for AnchorIS.Com

What is the “Active Response Continuum?”

Framework of actions

Attacks vs. Defenses

Strategy and Tactics

Three perspectives on “action”:

Stages of (Cooperative) Response

Levels of “Force”

Stages of Security Operations

Viability of Actions

Considerations

Focus or target of the attack (specific, individual vs. general, mass)
Type of attack
Intent of attack
Likelihood that attack is using "innocent" third parties as conduits
Consequences of attack
Length of attack

[Figure: “Attack sophistication vs Intruder Technical Knowledge” (Source: CERT/CC). Horizontal axis: 1980, 1985, 1990, 1995, 1998, 2001; vertical axis: Low to High. Plotted series: Tools, Attackers, Intruder Knowledge, Attack Sophistication (labelled “Increasing Attack Sophistication”). Tool/technique labels on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

[Figure: “Defense sophistication vs Defender Technical Knowledge”. Vertical axis: Low to High. Plotted series: Tools/Techniques, Defender Knowledge, Defense Sophistication. Tool/technique labels on the chart: Patching, Firewalls, IDS/IPS, Network Traffic Analysis, Honeynets, High Quality Forensics/Incident Reporting, DDoS mitigation, Reverse Engineering, Deception Operations.]

Stages of Response (Agora Workshop, June 2001)

0 - Unconscious

1 - Involved

2 - Interactive

3 - Cooperative Response

4 - Non-cooperative (AD) Response

“Non-cooperative Response”

“The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”

Active Defense

Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4.
Stage 4 has levels, though:
Less intrusive to more intrusive
Less risky to more risky
Less disruptive to more disruptive

Justification for your actions depends on how well you progress through all 4 stages.
Response is slowed when differentials occur.

Levels of Active Response Actions

4.1 - Non-cooperative “intelligence” collection
External services (service enumeration, banner grabbing)
Internal services (back doors, login/password, remote exploit, session hijack)

4.2 - Non-cooperative “cease & desist”
“Interdiction” à la Berman-Coble Bill (a.k.a. “Hollywood hacking”)
Disabling malware

4.3 - Retribution or counter-strike

4.4 - Pre-emptive defense

AD Response Path

Risk in ideal case

Col. John Boyd’s “OODA Loop”

Source: “The Swift, Elusive Sword,” Center for Defense Information, http://www.cdi.org/

Phases of security operations

Preparation: training, instrumentation, knowledge acquisition to "prime the OODA Loop pump"

Execution: engaging in the OODA Loop

After action review: building orientation capacity

Levels of “Force”

Source: “Handbook of Information Security” article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons

Viability of actions (IMHO)

Fight DDoS with DDoS (No way)

Pre-emptive DoS (Highly unlikely)

Retribution (Very risky)

Back-tracking (Risky)

Information gathering (Less risky)

Ambiguity/dynamism (Least risky)

Some implications

Attacking is easy → attacking back is easy
Advanced attacks → advanced defenses
Trained people are less likely to cause harm
# of people with advanced response skills is small
Demands placed on special training that is rare today (How to increase?)

Some implications

Need a way to effectively engage LE early enough to help (but this only works if they have capacity to follow through)
How to increase capacity & justify the added training for private sector?
Will clamping down on advanced responders w/o a viable alternative encourage attackers?

Ethical issues

Ethics - The Defense Principle

Use “force” to protect self/others

Proportionality of response

Necessary to cease harm

Directed only at those responsible

Ethics - The Necessity Principle

Morally acceptable to infringe a right if and only if:

Infringing results in greater moral value

Good of protecting << Result of infringing

There is no other option besides infringing

Ethics - The Evidentiary Principle

Morally permissible to take action under principle P if you have adequate reason to believe all preconditions of applying P are satisfied

Conclusions (from HoIS article)

Some legal precedent for Defense and Necessity principles (NYS code)

A clear escalation path should be followed

Keeping resource differentials low is desirable (e.g., ISACs)

Higher levels require greater resources (need for public funding?)

Source: “Handbook of Information Security” article on Active Response, by David Dittrich and Kenneth E. Himma, forthcoming, John Wiley & Sons

Potential Solutions

What is needed?

Rapid data collection/analysis

Large body of knowledge of attack tools/techniques

Determine how attacker is operating

Assess available options/outcomes

Act

The “Ideal” solution

Optimizes limited LE resources

Takes advantage of InfoSec experts

Provides high-quality evidence to LE

Requires min. standards (skills, tools)

Ensures accountability of actions

Oversight by LE/courts

Supports cross-border responses

Balanced Public/Private Approach (Mitchell & Banker)

Oversight

Certification

Licensing

M&B - Benefits from public/private approach

Computer Security Industry gets:

Standards

Defined liability

Marketing advantage from license

Spur growth in tools

M&B - Benefits…

LE gets:

Cadre of trained professionals

“Ready made” cases

Better info about complex computer crime

M&B - Benefits…

Public gets:

Trust in quality of service

Confidentiality

Less risk of third-party damage

M&B - Issues to be resolved

Under what authority? (Fed or State?)

Who should be covered?

Mandatory or permissive?

Required changes in the law

International implications

Private Search & Seizure

No 4th Amend. restriction to private search (provided not acting as agent & LE does not exceed private search)
U.S. v. Jacobsen, 466 U.S. 109 (1984)

If stolen property is easily destructible or concealable, emergency private search may be justifiable
People v. Williams, 53 Misc. 2d 1086, 1090, 281 N.Y.S.2d 251, 256 (Syracuse City Ct. 1967)

Remotely executed search warrants

Remote search described like physical search

Electronic copy provided to judge (similar to FAX today)

Judge provides verbal approval (followup in writing)

Warrant executed remotely

All Party Internet Group (UK)

Recommend changes to UK’s Computer Misuse Act (CMA)

Make impairing access to data a crime
Permissive policy for private prosecutions
Consider EURIM recommendations:
• Standardized digital evidence collection rules
• Registers of experts
• Limited warrant special constables
• International investigation teams

“Special Constables” (UK)

“Special Master” (US)

New Zealand

Singapore (11 Nov 2003)

Existing model: 10 CFR 1046.1

Department of Energy Physical Protection of Security Interests

Required of all contractor employees at govt. owned facilities, whether or not privately run

Defines personnel

Defines knowledge, skills, abilities

Defines (re)training requirements

Cooperative Association

IR team members must meet skill requirements & use standard tools
All members agree to IR “rules of engagement”
Liability limited by contract
All actions must be reviewed by an oversight Board
LE provides check against abuse

How bad an idea was “Make Love Not Spam?”

(Let me count the ways.)

David Dittrich
The Information School
University of Washington

Implementation

Over 100,000 downloads of the screen saver
Activates in standby mode
Gets XML list of targets (URL blist)

<target id="TVRnMA;;" domain="www.artofsense.com" hits="2251" bytes="6436860" percentage="96.5" responsetime01="410.0" responsetime02="410.0" location="US" url="http://www.artofsense.com/english/" />

Sends mal-formed HTTP GET requests

<makeLOVEnotSPAM>5?l[?ojMlm(Ngjm?_?vp+*xz4l(C5></makeLOVEnotSPAM>
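The target-list format and request marker quoted on this slide can be handled from the receiving side. The following is an added example, written for this page and not part of the original deck or of the screen saver, that parses a target list of the form shown (so a site operator or researcher holding a captured list can see who is listed and how load is distributed) and flags HTTP requests carrying the `<makeLOVEnotSPAM>` marker so they can be counted and dropped. The `<targets>` root element, the second target entry and the request samples are constructed assumptions; the slide shows only a single `<target/>` element and one marker string.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <target/> element quoted on the slide plus a second,
# made-up entry, wrapped in an assumed <targets> root (the slide shows no root).
SAMPLE_TARGET_LIST = """<targets>
<target id="TVRnMA;;" domain="www.artofsense.com" hits="2251" bytes="6436860"
        percentage="96.5" responsetime01="410.0" responsetime02="410.0"
        location="US" url="http://www.artofsense.com/english/" />
<target id="EXAMPLE2" domain="shop.example.invalid" hits="82" bytes="233472"
        percentage="3.5" responsetime01="120.0" responsetime02="118.0"
        location="XX" url="http://shop.example.invalid/" />
</targets>"""

# The marker element the screen saver embeds in its malformed GET requests.
MLNS_MARKER = re.compile(rb"<makeLOVEnotSPAM>.*?</makeLOVEnotSPAM>", re.DOTALL)


def parse_target_list(xml_text):
    """Parse a target list into dicts keyed by the attributes shown on the slide.

    Numeric fields are converted so entries can be sorted and summed; missing
    attributes default to zero rather than raising.
    """
    root = ET.fromstring(xml_text)
    targets = []
    for elem in root.iter("target"):
        targets.append({
            "id": elem.get("id"),
            "domain": elem.get("domain"),
            "url": elem.get("url"),
            "location": elem.get("location"),
            "hits": int(elem.get("hits", "0")),
            "bytes": int(elem.get("bytes", "0")),
            "percentage": float(elem.get("percentage", "0")),
        })
    return targets


def heaviest_targets(targets, n=1):
    """Return the n entries receiving the most bytes, highest first."""
    return sorted(targets, key=lambda t: t["bytes"], reverse=True)[:n]


def is_mlns_request(raw_request):
    """True if a raw HTTP request (bytes) carries the campaign marker element."""
    return MLNS_MARKER.search(raw_request) is not None


def filter_requests(raw_requests):
    """Split raw requests into (kept, dropped); dropped ones carry the marker."""
    kept, dropped = [], []
    for req in raw_requests:
        (dropped if is_mlns_request(req) else kept).append(req)
    return kept, dropped


# Constructed request samples; the first carries the marker string quoted on the slide.
SAMPLE_REQUESTS = [
    b"GET /english/ HTTP/1.0\r\nHost: www.artofsense.com\r\n\r\n"
    b"<makeLOVEnotSPAM>5?l[?ojMlm(Ngjm?_?vp+*xz4l(C5></makeLOVEnotSPAM>",
    b"GET /english/ HTTP/1.1\r\nHost: www.artofsense.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for t in heaviest_targets(parse_target_list(SAMPLE_TARGET_LIST), 2):
        print(f"{t['domain']:<28} {t['bytes']:>10} bytes  {t['percentage']:>5}%")
    kept, dropped = filter_requests(SAMPLE_REQUESTS)
    print(f"kept {len(kept)} request(s), dropped {len(dropped)} marker-bearing request(s)")
```

The marker check is deliberately a byte-level regular expression rather than an HTTP parse, because the slide describes the requests as malformed; a strict parser might reject them before any signature logic runs, which is exactly the case a front-end filter has to handle.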

Stated motives - Malte Pollmann

“I have to be very clear that it's not a denial-of-service attack…that would be illegal, but we can send a strong signal that spam is unacceptable.”

“We slow the remaining bandwidth to 5 percent. It wouldn't be in our interests to [carry out DDoS attacks]. It is to increase the cost of spamming. We have an interest to make this, economically, not more attractive.”

“[We decided we] should attack the flow of money and make it harder to profit from [spamming].”

Web site: “Annoy a spammer now!”

“Effects of the campaign”

Netcraft detects two Chinese sites are completely unavailable

Relevant Ethical Principles

The Defense Principle

The Necessity Principle

The Evidentiary Principle

Punitive actions not ethical/legal

Justification - Defense

Is the force proportional? N spam emails == X Gb?

Is it targeted properly? Customers of spammers, not spammers

Innocent third parties?

Justification - Necessity

Does it achieve a greater moral value?(i.e., costing spammers $$$)

Is there any other way to raise spammers’ costs?

Is this a greater moral value than unimpeded use of purchased network resources?

Justification - Evidence

Is there adequate reason to believe all preconditions are satisfied?

Conclusion

Morally and ethically, Lycos failed to prove MLNS was justifiable

They clearly had a punitive motive

They may have used excessive “force”

Further legal considerations

Violation of CFAA (or similar) laws?
Informed consent/misrepresentation?
Liability for damages to innocent parties?
What if miscreants trick MLNS into attacking .mil sites, or innocent .com sites?

Thanks and questions

Contact: Dave Dittrich
Information Assurance Researcher
The Information School

dittrich(at)u.washington.edu
http://staff.washington.edu/dittrich/