Malware Mimics for Network Security Assessment

CDR Will Taff, LCDR Paul Salevski

March 7, 2011

Agenda

• Motivation
• Introduction
• Vision
• Proposal
• What we did
• Way Ahead

Motivation

Motivation – In the Lab

• Currently, DoD relies on Red Teams (trusted adversaries) for Information Assurance (IA) testing and evaluation of military networks
• This approach is unsatisfactory:
  • Relies on a constrained resource (Red Teams)
  • Limited in scope of effects (safety/risk to host network)
  • Non-uniform/inconsistent application, OR
  • Confined to laboratory setting (not “Train Like Fight”)

Introduction

Introduction - The Way the Navy Is

[Diagram: Internet; Global Information Grid (GIG), owned and operated by DISA; Network Operating Centers; SIPR, NIPR, JWICS, CENTRIXS]

Proposal

• We propose the development of a distributed software system that can be used by either simulated adversaries (such as Red Team) or trusted agents (such as Blue Team) to create scenarios and conditions to which a network management/defense team will need to react and resolve.

Vision

[Diagram: STEP Site, Northwest, VA; Ft. Meade, MD; Norfolk, VA (MM-Server); Global Information Grid (GIG); USS Arleigh Burke (MM-Clients)]

Malware Mimic

• Have the “trainer” sitting anywhere
• Trainer remotely controls a network of pre-installed software nodes on the training network, simulating network malware/mal-behaviors
  • Simulate virus
  • Simulate bots
  • Simulate Internet worms
  • Simulate malicious “hackers”
• “Trainee” reacts to simulated effects in same manner as actual threats
• Network nodes consist of Java software packages running on top of pre-existing and unmodified network hosts
  • No (unwanted) impact to users
  • No need for additional hardware
• Network nodes coordinate effects via Trainer-controlled Command and Control Server
  • Local or Offsite
• Solves problem of “flying in” a red team

Architecture

Anatomy of an Attack

Anatomy of an Attack with MM’s

Architecture - Physical Layout

Virtual Layout

Results

Way Ahead

• More Complex Network Architecture
• More complex Malware Mimics
• Focus on higher security
• Installation and testing onto larger and operational networks
• Communication between MM-Clients

Questions

CDR Will Taff – [email protected]
LCDR Paul Salevski – [email protected]