Post on 19-May-2020
transcript
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
Intrusion Tolerance and the Problem with Best Practices
Mike Fisk, Chief Information Officer
Los Alamos National Laboratory
September 2017
Orientation: The Los Alamos Agenda
• Instrumenting computers and networks and curating the data
• Bridge between ugly, artifact-filled data and domain scientists and mathematicians
• Releasing significant data sets to advance the science of cybersecurity
• Streaming and parallel analysis systems
  • Scalable, distributed, usable, federated, privacy preserving
  • Anomalous change detection & machine learning
  • Statistical approaches to quantifying likelihood
  • Many excellent collaborations with Imperial faculty, students, postdocs
  • Industry spin-outs
• Use the data to reduce impact of intrusions
  • Intrusion tolerance
  • Data-driven strategies
How much would you pay for this patch?
LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())
Equifax: $6B loss in market capital.
[Oxford Economics/CGI Group 2017]
Intrusion-Tolerance & Security of Complex Distributed Systems
• Our work emphasizes security properties of large systems with interdependencies
  • Individual nodes are imperfect and a compromise is inevitable
  • Cyber/physical systems with real-world impacts
• Objectives:
  • Reduce overall system impact (scale, duration, and outcome) of intrusion
  • Detect system compromises inside the perimeter
  • Engineer for intrusion tolerance
    • Interdependence → Independence
  • Cost to Defense < Cost to Offense
Premise: Cybersecurity decision making is poor when it is not data driven
Reactive Best-Practice Decisions
• If you’ve suffered a breach, it is because your security was too weak and you should fix that weakness.
• Find a best practice and adopt it
• More security is better
Data-Driven Decisions
• Prioritize security investments based on cost-effectiveness
• Quantify effectiveness using data and models
• Secure the weakest link
The Weakest Link Matters: Software Vulnerabilities vs. Authentication
• 1% of breaches involve exploiting software vulnerabilities
  • Diminishing returns on patching
• 100% of breaches involve stolen credentials
  • <4% involve brute force guessing
  • 34% involve phishing
  • 33% involve use of stolen credentials
Source: 2017 Verizon Data Breach Report
Intruders Steal Authentication Credentials To Traverse Networks
[Figure: three authentication graphs over computers C1–C21. Hour 0: Normal Use. Hour 1: Intruder Explores. Hour 2: Normal Use & Multiple Intruders.]
Authentication graphs: Analyzing User Behavior Within an Enterprise Network [Kent 2015]
Simple Engineering Decisions Impact Intrusion Tolerance
Connected Components and Credential Hopping in Authentication Graphs [Hagberg 2014]
[Figure: effect of authentication credential cache size on connected component size; cache size = 5 vs. cache size = 3]
[Figure: percent of network reachable by user trust relationships [Lemons, et al.]]
Multiple Adversary Alternatives to Achieve an Objective
[Figure: adversary alternatives, some with Benefit > Cost and some with Benefit < Cost]
Eliminating or raising the cost of an alternative is only useful if there are no other alternatives with equal or better cost-benefit.
2004 Case Study
Philip Gabriel Pettersson (16 years old)
• Stole Cisco source code
• Compromised most supercomputer centers (SDSC, JPL, NASA, etc.)
• Captured SSH passwords at one site to move to the next
• One-time passwords slowed him down --- for 1 day
• Then he started hijacking SSH sessions to bypass authentication [IhaQueR 2002]
Case Study: U.S. Government Cyber Sprint for PIV Smartcards
• Personal Identity Verification (PIV) card for government employees and contractors
  • User identity proofing
  • Authentication (Chip & PIN)
  • Developed in 2004-5
• Reusable password for remote access cited in OPM breach of private information of 17M individuals
• White House required agencies to require PIV for computer login
  • On each agency's report card
[Figure: Employees Required to Use PIV]
Is this a cost-effective policy?
A Measure of Effectiveness: Intruder Productivity
• Intruder Productivity = Access Duration / Delay
  • Access Duration: Amount of time that the adversary maintains access
  • Delay: Amount of time the adversary has to wait to obtain access
  • ≥ 1: Access most of the time; 0 < x < 1: Some access; 0: No access
• Related Work
  • Risk = Expected Loss = Probability × Consequence
  • Cost-Benefit (purely monetary comparison)
  • Defender ROI: Expected loss avoided by the defender / Cost of improved defense [Wei 01]
    • Security improvements translated to reduced probability of loss
    • Subjective: Will this technology reduce intrusions by 20%?
    • Does not measure increased attacker costs to obtain a successful intrusion
  • Attacker ROI: Defender reduces the attacker ROI by increasing the cost of attack [Cremonini 05]
    • Still measured as (subjective) probability of compromise
• Intruder Productivity is a time-based measure of the cost of attack
  • Decreased intruder productivity is a measure of effectiveness for the defense
Scenarios for Analysis
Authentication Technologies
• Password
• One-Time Password
• Smart card
Scenarios
• Guess
  • Brute force guessing
• Phish
  • User tricked into entering information on a fake website
• Pivot
  • User’s client has already been compromised
  • Used to obtain access to another service/system
  • 51% of breaches involve malware — typical enabler for pivot [Verizon 17]
Standards and Models
• Data for many policies & behaviors is enterprise-specific
• We use parameters from national standards when possible
  • 3 password failures allowed every 15 minutes [CNSS 1253]
  • 180-day max password lifetime [NIST 800-53]
  • λ = 90-day expected duration when compromised
• Frequency of authentication events is modeled on a workplace
  • 8-hour day plus 1-hour break; 1 authentication per hour
Expected time until the next authentication event: u1 = 15.4 hours
Expected time until user is present: u2 = 14.5 hours
Passwords
• Guess: Single password may be hard to guess
  • In a large population, some password is easy to guess
  • 26% of passwords come from a small dictionary of 10,143 common passwords [Dell’Amico 2010]
  • When targeting many accounts, equivalent of ~10 bits of random values [Bonneau 2012]
• Easily stolen (keylogger, memory, etc.) [XKCD]
One-Time Password
• Time-based One Time Password (TOTP) Standard
  • New password every 30 seconds
  • Server accepts passwords from a 90-second window to allow for clock skew
  • Cryptographically random number, but short enough to transcribe
• Phish: A single one-time password can be stolen via phishing
  • Limited window of opportunity to use it
  • Time-based vs. sequence-based systems
• Pivot: Can steal a password as it is entered on a client by a user
  • Assumption: token is not on a compromised device
    • Keyfob, smartphone app, etc.
“Guess” Scenario Productivity
• Passwords
  • Delay:
    • 10 bits of random
    • 3 failures allowed every 15 minutes [CNSS 1253]
    • Assume ≥ 342 accounts → 2^10 guesses in 1 minute
    • Success in < 1 minute
  • Duration: 180-day max [NIST 800-53] → 90-day expected (λ)
  • Productivity = 90d / 1m = 10^5
• One-Time Passwords
  • Duration: 45 seconds (half of the 90-second window)
  • Assume 7-digit numeric passwords
  • Assume no more than 3 guesses per account per 15 minutes [CNSS]
    • More than 90 seconds per guess for an account
    • Makes it a Bernoulli process since the valid password changes each time
    • p = 3 / 10^7; expected number of guesses = 10^7 / 3
    • For 10,000 accounts, delay = 10^7 / 3 / (10,000 × 3 / 15m) = 27.8 hours
    • 33 guesses per second
  • Productivity = 45s / 1667m = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0
“Phish” Scenario Productivity
• Assume 1 day delay for successful phish (need better data)
• Passwords
  • Duration is remaining lifetime of password (expected value is 90 days)
  • Productivity = 90d / 1d = 10^2
• One-Time Passwords
  • A one-time password can be stolen via phishing
  • Limited window of opportunity to use it
  • Time-based vs. sequence-based systems
  • Assume clocks in sync → Expected age of password is 15 seconds
  • Valid duration is 75 seconds
  • Productivity = 75s / 1d = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • TLS protocol cryptographically proves participation between two named parties (the card key and a network service)
  • A phishing site cannot reuse that proof against another service
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0
Intruder Productivity by Mechanism
“Pivot” Scenario Productivity
• Recall that expected time until user present is u1 = 15.4h
• Passwords
  • Delay: Expected time until the next authentication event: u1 = 15.4h
  • Duration is remaining lifetime of password (expected value is 90 days)
  • Productivity = 90d / 15.4h = 10^2
• One-Time Passwords
  • Delay: Expected time until the next authentication event: u1 = 15.4h
  • Duration:
    • Assume clocks in sync → Expected age of password is 15 seconds
    • Valid duration is 75 seconds
  • Productivity = 75s / 15.4h = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0
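The arithmetic behind the guess, phish and pivot slides, as an added worked example that is not part of the talk: it uses the slide parameters (90-day expected lifetime, 15.4 h to the next authentication event, the assumed 1-day phish delay, the CNSS lockout rate) and takes the smartcard pivot case as the slide's 0, i.e. the card removed promptly. NTLMv2's zero-delay pivot is included to show why it dominates the weakest-link comparison.

```python
"""Intruder productivity = access duration / delay for the talk's scenarios."""
import math

MIN, HOUR, DAY = 60.0, 3600.0, 86400.0   # all times in seconds


def productivity(delay: float, duration: float) -> float:
    """Access Duration / Delay. A credential that expires before it can be
    obtained (delay = inf) gives 0; no delay at all (NTLMv2 pivot) is unbounded."""
    if duration <= 0 or math.isinf(delay):
        return 0.0
    if delay <= 0:
        return math.inf
    return duration / delay


def otp_guess_delay(digits=7, accounts=10_000, tries=3, window=15 * MIN) -> float:
    """Expected seconds to guess one TOTP value: each guess is a Bernoulli trial
    with p = tries / 10^digits, and the lockout policy caps the rate at
    accounts * tries guesses per window (33/s for the slide's 10,000 accounts)."""
    expected_guesses = 10 ** digits / tries
    guess_rate = accounts * tries / window
    return expected_guesses / guess_rate


# Slide parameters: 90-day expected lifetime, 15.4 h to the next authentication
# event, 1-day phish delay (assumed on the slide), 45 s / 75 s of remaining TOTP
# validity, smartcard credential never guessed or replayed (delay = inf).
LIFETIME, NEXT_AUTH, PHISH = 90 * DAY, 15.4 * HOUR, 1 * DAY
SCENARIOS = {                     # mechanism -> scenario -> (delay, duration)
    "password":  {"guess": (1 * MIN, LIFETIME), "phish": (PHISH, LIFETIME),
                  "pivot": (NEXT_AUTH, LIFETIME)},
    "otp":       {"guess": (otp_guess_delay(), 45.0), "phish": (PHISH, 75.0),
                  "pivot": (NEXT_AUTH, 75.0)},
    "smartcard": {"guess": (math.inf, LIFETIME), "phish": (math.inf, LIFETIME),
                  "pivot": (math.inf, LIFETIME)},   # card removed promptly
    "ntlmv2":    {"guess": (math.inf, LIFETIME), "phish": (math.inf, LIFETIME),
                  "pivot": (0.0, LIFETIME)},        # hash in memory, no delay
}


def weakest_link(mechanism: str) -> float:
    """min security = largest intruder productivity across scenarios."""
    return max(productivity(d, t) for d, t in SCENARIOS[mechanism].values())


if __name__ == "__main__":
    for mech, scen in SCENARIOS.items():
        row = {s: f"{productivity(d, t):.1e}" for s, (d, t) in scen.items()}
        print(f"{mech:10s} {row}  weakest link: {weakest_link(mech):.1e}")
```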
Smartcards
• Smartcard trusts a terminal for user interaction
  • No built-in display or human input
  • Many attacks on smartcard authentication systems are against the terminal/protocol
• Your computer is your terminal
  • General purpose computers are not secure
    • Keystroke logging
    • PIN stored in memory in Windows
    • User may not know transactions are even occurring
    • Smartcard can be used remotely
• Pivot productivity depends on usage
  • Lowest Risk: Card is inserted only when used and promptly removed
  • Common: Card is inserted the entire time the user is present
  • Highest Risk: Card is left in the computer at all times (or is a virtual smartcard on built-in hardware)
[Figure: Chip & PIN Terminal vs. General Purpose Computer]
Intruder Productivity by Mechanism
Threat models matter. Adding the pivot scenario changes the preferred technology.
NTLMv2
Authentication mechanism enabled by default on all Windows systems
• 1998 upgrade of 1980’s OS/2 network authentication protocol
• Uses a long-lived credential (hash of a password) stored on clients and servers
  • Credential only expires when user’s domain password is changed
  • Credential exists even if user doesn't have (know) password
• Guess: Protected (unless password is known to user)
  • Cryptographic challenge response protocol
• Phish: Protected
  • Unless user uses a password, then same as a password
• Pivot: Unprotected, credential stored in plain text in memory
  • Duration: Remaining lifetime of the “password”: 90 days on average
  • Delay: none
Intruder Productivity by Mechanism
If you have NTLMv2 enabled, not much can help you.
Adversary will find the weakest link.
Policy change from NTLMv2+Passwords to NTLMv2+Smartcards:
• Effectiveness: ≤ 0
• Cost: Significant (many $M)
Cost Effectiveness
• min security = Largest intruder productivity across scenarios
• min delay = Minimum delay across scenarios
• An adversary may only need one shot
Adversary will find the weakest link.
Conclusions
• Security of large, complex systems (macro cybersecurity) is important
  • Underemphasized in academia compared to “micro cybersecurity”
  • Engineer for intrusion tolerance
• The importance of measures that matter
  • A “best-practices” approach to cybersecurity may not be effective or efficient
  • Adversaries seek the weakest link
  • Investments in non-weakest links may be a waste of time and money
  • Defense can bankrupt itself responding to attacker stimuli
• The importance of reproducible data-driven science
• I challenge this community to come up with new ways to measure intrusion tolerance from data and reason about system design
Thank you!
Mike.Fisk@lanl.gov
Joint work with Alex Kent, Aric Hagberg, Nathan Lemons, Curt Hash, Alex Brugh, Aaron McPhall, Boris Gelfand,
Aaron Pope, James Wernicke, Mike Kyle, et al