Date posted: 21-Dec-2015
1
Incident Analysis
2
Why Incident Analysis?
• Bad Guys!
• Threats growing
• Vulnerabilities increasing
• Internet now part of the social fabric
• Impact of a major cyber-attack would be significant
• Cascading effects a major concern
• Reactive response must give way to proactive preparation
3
Analytic Approach
• The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet.
• Technical, political, economic, and social triggers
• Attacks and defenses
• Vulnerabilities and corrections
• Victims and perpetrators
• Physical-world impacts
4
One Effort – Looking Inside the Noise
[Chart: Network Activity Example. Overall activity: several Gbytes/day; the noise of interest sits below the radar.]
5
Traffic is business-dominated
[Chart: Web Traffic (ports 80 and 443). Packets per hour (0 to 450,000,000) against date/time (GMT). Series: Outside Browsing, Outside Web Service, Inside Browsing, Inside Web Service.]
6
A taxonomy of attributes
• Backscatter: few sources, scattered evenly across the enterprise network, generally carrying RST or ACK flags.
• Scans: single source, usually strikes the same port on many machines, or different ports on the same machine.
• DoS: multiple sources, single target, usually homogeneous (but not necessarily). Packets may be oddly sized.
• Worms: scanning from a steadily increasing number of hosts.
• Major servers: identifiable by IP address.
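The attributes above translate directly into rules over flow records. The following is an added example, not CERT/CC tooling: a small classifier that applies each rule to constructed flows (one horizontal scan, backscatter from a victim of spoofed-source flooding, a SYN flood, and a worm whose infected-host count doubles each minute). The Flow record layout, the thresholds (ten targets, ten sources, 90% size homogeneity, 60-second windows) and all addresses are assumptions made for illustration.

```python
"""Heuristic flow classifier for the traffic attributes on the slide.

Added example, not CERT/CC tooling.  The Flow record, the thresholds and the
sample traffic are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: int        # seconds since the start of the observation window
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags as letters: "S" = SYN only, "SA", "A", "R", "RA"
    size: int     # bytes in the flow


REPLY_FLAGS = {"SA", "A", "R", "RA"}   # what a victim sends back to spoofed sources


def classify_source(fl, min_targets=10):
    """Per-source rules: backscatter, horizontal scan, vertical scan, or normal."""
    dsts = {f.dst for f in fl}
    ports = {f.dport for f in fl}
    if len(dsts) >= min_targets and all(f.flags in REPLY_FLAGS for f in fl):
        return "backscatter"        # scattered across the enterprise, RST/ACK only
    if len(dsts) >= min_targets and len(ports) == 1:
        return "horizontal-scan"    # same port on many machines
    if len(dsts) == 1 and len(ports) >= min_targets:
        return "vertical-scan"      # many ports on the same machine
    return "normal"


def dos_targets(flows, verdicts, min_sources=10, homogeneity=0.9):
    """Multiple sources, single target, mostly identical packet sizes.

    Flows from sources already classified as scanners are dropped first:
    otherwise a worm sweeping the network looks like a DDoS on every host it touches.
    """
    by_dst = defaultdict(list)
    for f in flows:
        if not verdicts[f.src].endswith("scan"):
            by_dst[f.dst].append(f)
    hits = []
    for dst, fl in by_dst.items():
        srcs = {f.src for f in fl}
        top = Counter(f.size for f in fl).most_common(1)[0][1]
        if len(srcs) >= min_sources and top / len(fl) >= homogeneity:
            hits.append(dst)
    return sorted(hits)


def worm_signal(flows, verdicts, window=60):
    """Worms: scanning from a steadily increasing number of hosts.
    Returns (rising, number of scanning hosts active in each window)."""
    active = defaultdict(set)
    for f in flows:
        if verdicts[f.src].endswith("scan"):
            active[f.t // window].add(f.src)
    counts = [len(active[w]) for w in sorted(active)]
    rising = (len(counts) >= 3
              and all(b >= a for a, b in zip(counts, counts[1:]))
              and counts[-1] > counts[0])
    return rising, counts


def analyze(flows):
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    verdicts = {s: classify_source(fl) for s, fl in by_src.items()}
    rising, counts = worm_signal(flows, verdicts)
    return {"sources": verdicts, "dos": dos_targets(flows, verdicts),
            "worm": rising, "scanners_per_window": counts}


def sample_flows():
    """Constructed traffic: one SQL-port scan, backscatter, a SYN flood, a worm."""
    fl = []
    # window 0: a lone horizontal scan of TCP/1433 across 20 internal hosts
    fl += [Flow(i, "203.0.113.5", f"10.0.0.{i + 1}", 1433, "S", 48) for i in range(20)]
    # window 0: backscatter, SYN/ACKs and RSTs from a flooded victim to spoofed 10.0.1/24 addresses
    fl += [Flow(i, "198.51.100.9", f"10.0.1.{i + 1}", 1024 + 37 * i, "SA" if i % 2 else "R", 44)
           for i in range(15)]
    # window 0: SYN flood on the web server from 30 sources, identical 40-byte packets
    fl += [Flow(i, f"192.0.2.{i + 1}", "10.0.0.80", 80, "S", 40) for i in range(30)]
    # windows 1-4: worm; each infected host sweeps TCP/445 on 12 hosts, infections double per window
    host = 0
    for gen in range(1, 5):
        for _ in range(2 ** (gen - 1)):
            host += 1
            fl += [Flow(gen * 60 + j, f"10.0.2.{host}", f"10.0.0.{j + 1}", 445, "S", 48)
                   for j in range(12)]
    return fl


if __name__ == "__main__":
    result = analyze(sample_flows())
    print({k: v for k, v in result.items() if k != "sources"})
    print(Counter(result["sources"].values()))
```

The ordering matters: scan verdicts are assigned per source before the DoS rule runs per target, so the worm's sweep is reported once as a rising scanner count rather than as a dozen separate floods, and the standalone scanner in window 0 shows up as the first entry of that count.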
7
Let’s Play “Find The Scan”!
[Chart: flows (0 to 2e+06) against time in seconds over one week, with ticks at day boundaries (0, 86400, …, 691200). Annotation: “Hmmmm”.]
8
Example DDoS Attack
9
Example: SQLSlammer
[Chart: cumulative number of hosts (0 to 7000) against elapsed time (0 to 4 hours). Annotations: 2525 hosts in 8 min; 3025 hosts in 36 min; 3838 hosts in 44 min; 5892 hosts in 2 h 41 m.]
10
Slammer: Precursor Detection
[Chart: flows per hour (0 to 160000) by hour, from 1/24 00:00 through 1/25 04:00.]
11
Fusion Efforts
• Small packet probes analyzed
– Patterns emerged
– Identified potential threat
• Analysis of CERT/CC incident data
– Identified possible link between state and hacker groups
• Hacker communications assessment
– Working on profiles, country studies, event analysis
12
Results of Fused Analysis
• What was determined?
– Data collected showed definite network indicators
– A methodology can be developed to provide possible warning indicators
– Based on a limited dataset, network indicators suggest possible malicious probes by China
– Network indicators suggest a number of motivations:
• Exploitation
• Site mapping
• Intelligence gathering for further activity
13
Incident data flow
[Diagram: Organization 1, Organization 2, Organization 3, …, Organization n turn observed events into reported incidents; these pass through a Filter stage and then a Prioritize stage, each informed by context, producing prioritized attacks.]
14
Why Share Incident Information?
• Help in dealing with the current attack
• Improve future software
• Better baseline for the next attacks
• Support non-technical solutions
– Prosecution
– Diplomacy
– Legislation
15
Why not share Incident Information?
• Fear of publicity
• Fear of stimulating attacks
• Fear of educating attackers
• Forcing action ahead of decision-makers
• Fear of offending suppliers/customers
16
How well does current response work?
• For some incidents – great!
– Viruses / slow worms
– Narrow attacks
• For others – not so great
– Very fast worms
– Covert compromises (rootkits)
– Broad attacks
– Mass attacks
17
W32/Hybris Comb
[Chart: Hybris incidents per month, Oct-00 to Jun-01, y-axis 0 to 20. Series, with the monthly counts as extracted (blank months omitted): Installed w32/hybris: 1, 1, 2, 3; Failed w32/hybris: 18, 17, 9, 1, 5, 1; Actual-Use w32/hybris: 1, 1, 3, 1, 2, 2, 1, 1.]
18
RootKit Comb
[Chart: Rootkit incidents per month, Jun-00 to Jun-01, y-axis 0 to 16. Series, with the monthly counts as extracted (blank months omitted): Installed rootkit: 6, 10, 14, 6, 4, 11, 5, 8, 4, 4; Failed rootkit: 1, 1, 1, 1; Actual-Use rootkit: 2, 2, 11, 2, 3, 4, 3, 3, 6, 1.]
19
Fusion Framework
[Diagram: Incidents I1, I2, …, In → Clustering and Extrapolation → Extrapolated Incidents (X-Incidents) X1, X2, …, Xm → Correlation and Abduction → X-Incident Chains C1, C2, …, Cm → Role-based Incident Severity Tier Assignment, which assigns tiers T1 to T5 for each role (System Admin, Law Enforcement, Coordinating CSIRT, …). Incidents excluded along the way are set aside. Further inputs: other factors (political, social, economic) and system mission-criticality databases (DoD/MAC, Project Matrix, Key Asset Initiative).]
20
Clustering and Extrapolation
– Clustering groups reports into meaningful classes
– A similarity metric is applied to common features
• A cohesion function calculates the degree of similarity
• Clustering generates overlapping clusters (clumps)
– Minimizes the cohesion function between incident sets
– Extrapolation fills in the reporting gaps
• An extrapolation criterion establishes when and how
– Generates extrapolated incidents (x-incidents)
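What a cohesion function, overlapping clumps and an extrapolation criterion look like in practice, as an added example that is not the fusion framework's own code: the report features, the point-based cohesion function, the clump threshold, and the extrapolation criterion (a one-hour hole between two clump members that share tool signature and source netblock) are all assumptions made for illustration, and the six reports are constructed.

```python
"""Clustering into overlapping clumps plus gap extrapolation over incident reports.

Added example, not the CERT/CC fusion framework's own code.  Features, cohesion
scoring, threshold and extrapolation criterion are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    id: str
    org: str        # reporting organization
    hour: int       # hour of first observation
    tool: str       # intruder tool signature
    port: int       # targeted TCP port
    src_net: str    # netblock the attacking source fell in


def cohesion(a, b):
    """Degree of similarity over the features two reports share, 0..100.
    Integer points avoid float comparisons at the clump threshold."""
    score = 40 * (a.tool == b.tool) + 20 * (a.port == b.port) + 30 * (a.src_net == b.src_net)
    score += max(0, 10 - 2 * abs(a.hour - b.hour))     # time proximity, zero at 5 h apart
    return score


def clump(reports, threshold=55):
    """Overlapping clusters: each report seeds the set of reports cohesive with it.
    A report may land in several clumps; duplicate clumps are dropped."""
    seen, clumps = set(), []
    for seed in reports:
        members = frozenset(r for r in reports if cohesion(seed, r) >= threshold)
        if len(members) > 1 and members not in seen:
            seen.add(members)
            clumps.append(members)
    return clumps


def extrapolate(clumps):
    """Fill reporting gaps: a missing hour between two members of one clump that
    share tool and source netblock yields an x-incident with no reporting org."""
    found = {}
    for members in clumps:
        by_hour = defaultdict(list)
        for m in members:
            by_hour[m.hour].append(m)
        for h in range(min(by_hour) + 1, max(by_hour)):
            if h in by_hour:
                continue
            for a in by_hour.get(h - 1, []):
                for b in by_hour.get(h + 1, []):
                    if a.tool == b.tool and a.src_net == b.src_net:
                        key = (h, a.tool, b.port, a.src_net)
                        found.setdefault(
                            key, Incident(f"X{len(found) + 1}", "(extrapolated)", h, *key[1:]))
    return list(found.values())


def sample_reports():
    """Constructed reports from four organizations over one morning."""
    return [
        Incident("I1", "org1", 1, "subseven-scan", 27374, "203.0.113.0/24"),
        Incident("I2", "org2", 2, "subseven-scan", 27374, "203.0.113.0/24"),
        Incident("I3", "org4", 4, "subseven-scan", 27374, "203.0.113.0/24"),
        Incident("I4", "org3", 2, "ftp-bruteforce", 21, "203.0.113.0/24"),
        Incident("I5", "org1", 3, "ftp-bruteforce", 21, "203.0.113.0/24"),
        Incident("I6", "org2", 2, "subseven-scan", 21, "203.0.113.0/24"),  # bridges both groups
    ]


if __name__ == "__main__":
    reports = sample_reports()
    clumps = clump(reports)
    for c in clumps:
        print(sorted(m.id for m in c))
    for x in extrapolate(clumps):
        print(x)
```

Report I6 shares the tool signature with the SubSeven reports and the port and netblock with the FTP reports, so it falls into both clumps and also seeds a third, larger one; that is the overlap the slide refers to. The only gap the criterion fills is hour 3 in the SubSeven clump, where reports exist for hours 2 and 4 but none for the hour between.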
21
Correlation and Abduction
– Identifies sequences that constitute a staged attack
• Generates x-incident chains
• A starting context establishes the understanding of the initial system/network configuration
– Causal relationships through pre-/post-condition chaining
• The precondition of the first incident must be satisfied by the starting context
• The postcondition of each incident must satisfy the precondition of the subsequent incident
– Techniques available (abduction) for filling in gaps
• Strings together x-incident chains using attack patterns
• An abduction criterion establishes when and how
22
Example
[Diagram: SubSeven Trojan horse → enables → Leaves worm building a “Bot Network” → launches → Denial-of-service attack; the “Bot Network” remains in ongoing use.]
1. Clustering and extrapolation based on intruder tool signature
2. Clustering based on target of attack and flooding approach
3. Correlation based on Leaves’ scan for the SubSeven signature
4. Abduction using the distributed denial-of-service pattern
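The pre-/post-condition chaining and abduction from the previous slide, worked through on this SubSeven / Leaves / denial-of-service example as added code that is not the fusion framework's own. The condition vocabulary, the three x-incidents, the single DDoS attack pattern and the abduction criterion (at most one pattern per gap, and only a pattern whose own precondition already holds in the current state) are assumptions made for illustration.

```python
"""Pre-/post-condition chaining of x-incidents with abduction from an attack-pattern
library.  Added example, not the CERT/CC framework's own code; conditions, steps,
pattern and abduction criterion are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    pre: frozenset      # conditions that must hold before the step
    post: frozenset     # conditions that hold after it
    abduced: bool = False


def build_chain(context, observed, patterns, max_abduce=1):
    """Return (chain, final_state, failure).

    The starting context must satisfy the first step's precondition, and each
    step's postcondition is added to the state the next step is checked against.
    When an observed step's precondition is not met, abduction looks for a pattern
    whose precondition already holds and whose postcondition closes the gap; if
    none does, failure names the unmet conditions and the partial chain is returned.
    """
    state = set(context)
    chain = []
    for step in observed:
        for _ in range(max_abduce):
            if step.pre <= state:
                break
            fill = next((p for p in patterns
                         if p.pre <= state and step.pre <= state | p.post), None)
            if fill is None:
                break
            chain.append(Step(fill.name, fill.pre, fill.post, abduced=True))
            state |= fill.post
        missing = step.pre - state
        if missing:
            return chain, frozenset(state), f"{step.name}: unmet {sorted(missing)}"
        chain.append(step)
        state |= step.post
    return chain, frozenset(state), None


# Constructed x-incidents for the slide's example.
STARTING_CONTEXT = frozenset({"windows-hosts-reachable"})
SUBSEVEN = Step("SubSeven Trojan horse installed",
                frozenset({"windows-hosts-reachable"}),
                frozenset({"subseven-backdoor-listening"}))
LEAVES = Step("Leaves worm scans for the SubSeven signature and takes over the hosts",
              frozenset({"subseven-backdoor-listening"}),
              frozenset({"bot-network"}))
FLOOD = Step("Denial-of-service flood reported by the victim",
             frozenset({"agents-commanded-to-flood"}),
             frozenset({"victim-unavailable"}))
PATTERNS = [
    Step("DDoS pattern: controller commands the bot network to flood a target",
         frozenset({"bot-network"}),
         frozenset({"agents-commanded-to-flood"})),
]


if __name__ == "__main__":
    chain, state, failure = build_chain(STARTING_CONTEXT, [SUBSEVEN, LEAVES, FLOOD], PATTERNS)
    for s in chain:
        print(("abduced " if s.abduced else "observed") + "  " + s.name)
    # With the Leaves report missing, no pattern precondition holds and the chain breaks.
    _, _, failure = build_chain(STARTING_CONTEXT, [SUBSEVEN, FLOOD], PATTERNS)
    print("gap:", failure)
```

Nobody reported the controller issuing the flood command, so the victim's report has an unmet precondition; the DDoS pattern is abduced into the chain because a bot network already exists in the state. Drop the Leaves report and the same pattern no longer applies, which is the point of the abduction criterion: a pattern may only bridge a gap from conditions the chain has already established, not conjure them.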
23
Challenges to Analysis Research
• Gathering sufficient datasets to make statistically valid judgments
• Developing automated technical analysis tools
• Developing a reliable methodology for cyber-analysis
• Overcoming organizational bias against sharing information
24
Limits of Analysis
• Inherently partial data
• Baseline in a dynamic environment
• Correlation vs. causation
• Implications
– Need to be cautious in the kinds of conclusions drawn
– Consider strategies for dealing with analysis gone wrong