Upload
mkhalil28scribd
View
221
Download
0
Embed Size (px)
Citation preview
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
1/23
Approved for Public Release, Distribution Unlimited.
Dan KaufmanDirector, Information Innovation Office
An analytical framework for cyber security
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
2/23
Approved for Public Release, Distribution Unlimited
An analytical framework for cyber security
November 2011
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
3/23
What we hear.
Approved for Public Release, Distribution Unlimited.
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
4/23
Goal
Demonstrateasymmetric ease ofexploitation of DoDcomputer versusefforts to defend.
Result
Multiple remotecompromises of fullysecurity compliant andpatched HBSScomputer within days:
2 remote accesses.
25+ local privilegeescalations.
Undetected by hostdefenses.
Attackers penetrate the architecture easily
HBSS WorkstationPenetration Demonstration
Total Effort: 2 people, 3 days, $18K
= Host Based Security System (HBSS)
Hijacked
web page
Infected .pdfdocument
HBSS Costs: Millions of dollars a year for software and licenses
alone (not including man hours)Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
5/23
Users are the weak link
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
6/23
The supply chain is potentially compromised
Approximately 3500 ICs.
200 unique chip types.
208 field programmable gate arrays (FPGAs).
64 FPGA and 9 ASIC types across 12subsystems.
78% of FPGAs and 66% of ASICs manufactured
in China and Taiwan.
FPGAManufacture Location
Asia
Europe
USA
FPGA
JSF FPGA & ASIC Usage
AsiaEurope
USA
ASICManufacture Location
Approved for Public Release, Distribution Unlimited.
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
7/23
Our physical systems are vulnerable to cyber attacks
Small group of academics took
control of a car using Bluetoothand OnStar. They were able todisable the brakes, control the
accelerator, and turn on theinterior microphone.[1]
Chinese cyber attack:Highly sophisticated and targetedattack on Google corporateinfrastructure (known as Aurora)
False speedometer readingNote that the car is in park[1] K. Koscher, et al. "Experimental Security Analysis of a Modern Automobile," in Proceedings of
the IEEE Symposium on Security and Privacy, Oakland, CA, May 16-19, 2010.
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
8/23
We are doing a lot, but we are losing ground
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
9/23
Ground truth
Federal Cyber Incidents and Defensive Cyber Spendingfiscal years 2006 2010 [1] GAO analysis of US-CERT data.
GAO-12-137 Information Security: Weaknesses ContinueAmid New Federal Efforts to Implement Requirements
[2] INPUT reports 2006 2010
Federal DefensiveCyber Spending [2]
($B)
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
40,000
45,000
Cyber IncidentsReported to
US-CERT [1]
by Federalagencies
2006 2007 2008 2009 20100.0
2.0
4.0
6.0
8.0
10.0
Approved for Public Release, Distribution Unlimited.
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
10/23
Why?
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
11/23
We are divergent with the threat
Malware:125 lines of code*
Linesof
Code
1985 1990 1995 2000 2005 2010
xxxx
DEC Seal Stalker
Milky Way
Snort
Network FlightRecorder
Unified ThreatManagement10,000,000
8,000,000
6,000,000
4,000,000
2,000,000
0
Security software
* Public sources of malware averaged over 9,000 samples(collection of exploits, worms, botnets, viruses, DoS tools)
x
x
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
12/23
User patterns are exploitable
A recent Defcon contest challenged participants to crack 53,000 passwords.
In 48 hours, the winning team had 38,000.
Profile for thewinning team,Team Hashcat
Time
#
Passwords
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
13/23
Vulnerability Title Fix Avail? Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability No 8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability Yes 8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability No 8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness No 8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability No 8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities Yes 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability No 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability No 8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability No 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities No 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability Yes 8/09/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability No 8/06/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities No 8/05/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability No 7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability No 7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability No 7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities No 7/22/2010
Additional security layers often create vulnerabilities
Awaiting Vendor Reply/Confirmation Awaiting CC/S/A use validationVendor Replied Fix in developmentColor Code Key:
6 of thevulnerabilitiesare in security
software
October 2010 vulnerability watchlist
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
14/23
These layers increase the attack surface
DLLs: run-time environment= more commonality
Application specific functions
Constant surface areaavailable to attack
Regardless of theapplication size,the system loadsthe same number
of supportfunctions.
For every 1,000 linesof code, 1 to 5 bugs
are introduced.
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
15/23
We amplify the effect by mandating uniform architectures
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
16/23
The US approach to cyber security is dominated by a strategythat layers security on to a uniform architecture.
We do this to create tactical breathing space,but it is not convergent with an evolving threat.
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
17/23
Technology is not the only culprit nor the only answer.
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
18/23
There are multiple choices for addressing the supply chain vulnerability:
Resort to manufacturing all chips in trusted foundries.
This is not feasible or sustainable.
Screen all chips in systems critical to National Security or our economic base.Despite recent advances in screening technology, this is not feasible, affordable, orsustainable at the scales required.
Economics matter
Selective screening coupled with diplomatic sanctionsmay create new solutions that are both feasible and sustainable.
3,500 ICs on the F-35 Single FPGA = 400 million
transistors
Modern chips = 2.5 billiontransistors
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
19/23
Understanding them in the context of game theory reveals theproblem.
Business incentives matter
Bot HerderCost
Bot HerderReturn Antivirus
CostAntivirus
Return
Short Long
Small High High Low High
Small High 0 High Low
TraditionalC2 Botnet
NewP2P Botnet
Strategy 2:
AES*branch
Solution exists:weekly patch,kills branch
Solution needed:high cost solution,kills tree
StormBotnet
Strategy 1:
XOR branch
Bot Herder strategy example:
The security layering strategy and antitrust has created crossincentives that contribute to divergence.
= exclusive or logical operation
*= Advanced Encryption Standard
Root Tree Branch
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
20/23
Layering and uniformity have created unintendedconsequences we are in need of new choices
Belief Approach Example Unintendedconsequence
Defense in depth Uniform, layerednetwork defense
Host Based SecuritySystem
Larger attack surfaceintroduces more areasof exploitability forattackers
Homogeneous targetsthat amplify effects
Users are best line ofdefense
Operator hygiene 15 character password Users take short cutsand become enemyassets
The interplay of technology,policy, incentives will favor
better security.
Antitrust lawrulings, use of
COTS
Competition andindependence in
security software andCOTS
Cross incentives thatundermine security
We need new choices that create:Users as the best line of defense without impeding operations.Layered defense without increasing surface area for attack.Heterogeneous systems that are inherently manageable.
Examples:
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
21/23
We missed it too
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
22/23
lets fix it.
Approved for Public Release, Distribution Unlimited
8/10/2019 2011 11 07 Cyber Analytical Framework.pdf
23/23
#DARPACyber