Incident Analysis

Date posted: 21-Dec-2015

Transcript
Page 1: 1 Incident Analysis. 2 Why Incident Analysis? Bad Guys! Threats growing Vulnerabilities Increasing Internet now part of the social fabric Impact of major.


Incident Analysis

Page 2

Why Incident Analysis?

• Bad Guys!
• Threats growing
• Vulnerabilities increasing
• Internet now part of the social fabric
• Impact of a major cyber-attack would be significant
• Cascading effects a major concern
• Reactive response must give way to proactive preparation

Page 3

Analytic Approach

• The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet:
  – Technical, political, economic, and social triggers
  – Attacks and defenses
  – Vulnerabilities and corrections
  – Victims and perpetrators
  – Physical-world impacts

Page 4

One Effort – Looking Inside the Noise

[Figure: Network Activity Example. Labels: Overall Activity, Several Gbytes/day; Noise - Below the Radar.]

Page 5

Traffic is business-dominated

[Chart: Web Traffic (ports 80 and 443). Y-axis: Packets per hour, 0 to 450,000,000. X-axis: Date / Time GMT. Series: Outside Browsing, Outside Web service, Inside Browsing, Inside Web Service.]

Page 6

A taxonomy of Attributes

• Backscatter: Few sources, scattered evenly across the enterprise network, generally carries RST or ACK flags.
• Scans: Single source, usually strikes the same port on many machines, or different ports on the same machine.
• DoS: Multiple sources, single target, usually homogeneous (but no requirement). May be oddly sized.
• Worms: Scanning from a steadily increasing number of hosts.
• Major servers: Identifiable by IP addresses.
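The attributes above turned into runnable heuristics over flow records. This is an added example, not code from the deck or from CERT/CC tooling: the flow records (RFC 5737 documentation addresses for outside hosts, a 10.0.0.0/8 enterprise inside), the fan-out thresholds and the time buckets are all constructed. It classifies each source by fan-out and TCP flags (scan vs. backscatter), finds DoS targets by counting low-fan-out sources per destination, and checks the worm signature, a scanner count that rises bucket over bucket.

```python
"""Flow-attribute heuristics for the taxonomy above: scans, backscatter,
DoS and worm growth.  Added example, not part of the original deck; the
flow records, address ranges and thresholds are constructed."""
from collections import defaultdict

# A flow record is (time_bucket, src, dst, dport, tcp_flags), where
# tcp_flags is "S" (SYN only), "SA" (SYN-ACK) or "R" (RST).


def make_flows():
    """Constructed flows mixing the behaviours from the taxonomy."""
    flows = []
    # Horizontal scan: one outside source, one port, many inside targets.
    for i in range(50):
        flows.append((0, "198.51.100.7", f"10.0.0.{i + 1}", 1434, "S"))
    # Vertical scan: one source, one target, many ports.
    for port in range(1, 21):
        flows.append((0, "198.51.100.8", "10.0.0.9", port, "S"))
    # Backscatter: a flood victim elsewhere answers spoofed SYNs that carried
    # our addresses, so we see SYN-ACK/RST to scattered hosts and ports.
    for i in range(40):
        flows.append((0, "203.0.113.9", f"10.0.{i % 4}.{50 + i}",
                      1024 + 37 * i, "SA" if i % 2 == 0 else "R"))
    # DoS: many sources, one target, homogeneous flows.
    for k in range(30):
        flows.append((0, f"192.0.2.{k + 1}", "10.0.0.5", 80, "S"))
    # Worm: the number of scanning hosts doubles each time bucket.
    for bucket, infected in ((1, 3), (2, 6), (3, 12), (4, 24)):
        for k in range(infected):
            for j in range(20):
                flows.append((bucket, f"10.0.7.{k + 1}", f"10.0.9.{j + 1}",
                              1434, "S"))
    return flows


def classify_sources(flows, fanout=10):
    """Label each source by its fan-out and the flags it sends."""
    by_src = defaultdict(list)
    for _, src, dst, dport, flags in flows:
        by_src[src].append((dst, dport, flags))
    labels = {}
    for src, recs in by_src.items():
        dsts = {d for d, _, _ in recs}
        ports = {p for _, p, _ in recs}
        syn_only = all(f == "S" for _, _, f in recs)
        reply_only = all(f in ("SA", "R") for _, _, f in recs)
        if len(dsts) >= fanout and reply_only:
            labels[src] = "backscatter"      # spread evenly, RST/ACK flags
        elif len(dsts) >= fanout and len(ports) == 1 and syn_only:
            labels[src] = "horizontal-scan"  # same port, many machines
        elif len(dsts) == 1 and len(ports) >= fanout and syn_only:
            labels[src] = "vertical-scan"    # many ports, one machine
        else:
            labels[src] = "other"
    return labels


def find_dos_targets(flows, labels, min_sources=20):
    """(dst, dport) pairs hit by many low-fan-out sources."""
    srcs = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if labels.get(src) == "other":       # scanners are not flood sources
            srcs[(dst, dport)].add(src)
    return {key for key, s in srcs.items() if len(s) >= min_sources}


def scanners_per_bucket(flows, labels):
    """Distinct scanning sources seen in each time bucket, in order."""
    per_bucket = defaultdict(set)
    for bucket, src, *_ in flows:
        if labels.get(src, "").endswith("scan"):
            per_bucket[bucket].add(src)
    return [len(per_bucket[b]) for b in sorted(per_bucket)]


def looks_like_worm(series, min_buckets=3):
    """Worm signature: scanner count rising bucket over bucket."""
    return (len(series) >= min_buckets
            and all(b > a for a, b in zip(series, series[1:])))


if __name__ == "__main__":
    flows = make_flows()
    labels = classify_sources(flows)
    print({v: sum(1 for x in labels.values() if x == v) for v in set(labels.values())})
    print("DoS targets:", find_dos_targets(flows, labels))
    series = scanners_per_bucket(flows, labels)
    print("scanners per bucket:", series, "worm-like:", looks_like_worm(series))
```

The flags decide between the two many-destination cases: a scanner initiates (SYN only), while backscatter is all replies (SYN-ACK or RST) to connections nobody here opened. DoS targets are counted only over sources that are not themselves scanners, otherwise every host a worm probes would look like a flood victim.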

Page 7

Let's Play "Find The Scan"!

[Chart: flows per interval over eight days. X-axis: seconds from 0 to 691200, ticked every 86400 (one day). Y-axis: flows, 0 to 2e+06. Annotation on the chart: "Hmmmm".]

Page 8

Example DDoS Attack

Page 9

[Chart: Cumulative Number of Hosts (0 to 7000) against Elapsed Time (Hrs, 0.00 to 4.00). Annotated growth segments: 2525 hosts in 8 min; 5892 hosts in 2 h 41 m; 3838 hosts in 44 min; 3025 hosts in 36 min.]

Example: SQLSlammer

Page 10

Slammer: Precursor Detection

[Chart: Flows per hour (0 to 160,000), one series, by hour from 1/24 00:00 through 1/25 04:00.]
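One way to turn a flows-per-hour series like the one charted above into an alarm, as an added example that is not the deck's own method. The hourly counts are constructed (24 quiet hours with a diurnal swing, then a four-hour surge), and the 24-hour trailing window and the robust-z threshold are assumptions. The baseline uses median and MAD rather than mean and standard deviation so that hours already inside the surge do not drag the baseline up behind them.

```python
"""Precursor detection on an hourly flow-count series.  Added example, not
from the original deck; the hourly counts are constructed and the window
and threshold are assumptions."""
import statistics

# Constructed: hourly flows to the probed service over 28 hours.  The first
# 24 hours carry ordinary diurnal variation; the last four show a surge.
HOURLY_FLOWS = [
    21000, 19500, 18200, 17800, 17500, 18100, 19800, 23000,
    27500, 30100, 31200, 30800, 29900, 30500, 31000, 30200,
    28700, 26100, 24000, 22500, 21800, 21100, 20600, 20900,
    36000, 61000, 118000, 152000,
]


def robust_z(value, window):
    """Distance of value from the window median, in MAD units."""
    med = statistics.median(window)
    mad = statistics.median(abs(x - med) for x in window)
    # 1.4826 scales the MAD to a standard deviation for normal data; a flat
    # window (MAD 0) falls back to raw difference so we never divide by 0.
    scale = 1.4826 * mad if mad else 1.0
    return (value - med) / scale


def precursor_alarms(series, window=24, threshold=4.0):
    """Return (hour, z) for every hour whose count exceeds the trailing
    baseline by at least `threshold` MAD units."""
    alarms = []
    for hour in range(window, len(series)):
        z = robust_z(series[hour], series[hour - window:hour])
        if z >= threshold:
            alarms.append((hour, round(z, 1)))
    return alarms


if __name__ == "__main__":
    for hour, z in precursor_alarms(HOURLY_FLOWS):
        print(f"hour {hour}: {HOURLY_FLOWS[hour]} flows, robust z = {z}")
```

Hour 24 (36000 flows) is not flagged: the diurnal swing inside the window widens the MAD, so the first step up looks like a busy morning. That is the "baseline in a dynamic environment" limit from the last slide; a per-hour-of-day baseline, or a series less driven by business traffic (distinct sources per hour rather than flows), tightens it.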

Page 11

Fusion Efforts

• Small packet probes analyzed
  – Patterns emerged
  – Identified potential threat
• Analysis of CERT/CC incident data
  – Identified possible link between state and hacker groups
• Hacker communications assessment
  – Working on profiles, country studies, event analysis

Page 12

Results of Fused Analysis

• What was determined?
  – Data collected showed definite network indicators
  – Methodology can be developed to provide possible warning indicators
  – Based on a limited dataset, network indicators suggest possible malicious probes by China
• Network indicators suggest a number of motivations
  – Exploitation
  – Site mapping
  – Intelligence gathering for further activity

Page 13

Incident data flow

[Diagram: Organization 1, Organization 2, Organization 3 … Organization n → Observed Events → Reported Incidents → Filter → Prioritize → Prioritized Attacks, with Context shown alongside both Filter and Prioritize.]

Page 14

Why Share Incident Information?

• Help in dealing with the current attack
• Improve future software
• Better baseline for the next attacks
• Support non-technical solutions
  – Prosecution
  – Diplomacy
  – Legislation

Page 15

Why not share Incident Information?

• Fear of publicity
• Fear of stimulating attacks
• Fear of educating attackers
• Forcing action ahead of decision-makers
• Fear of offending suppliers/customers

Page 16

How well does current response work?

• For some incidents – great!
  – Viruses / slow worms
  – Narrow attacks
• For others – not so great
  – Very fast worms
  – Covert compromises (rootkits)
  – Broad attacks
  – Mass attacks

Page 17

W32/Hybris Comb

[Chart: Hybris Incidents per month, Oct-00 to Jun-01, y-axis 0 to 20, three series. Only the non-empty monthly values survived extraction, so the runs below cannot be aligned to months.]

Installed w32/hybris: 1 1 2 3
Failed w32/hybris: 18 17 9 1 5 1
Actual-Use w32/hybris: 1 1 3 1 2 2 1 1

Page 18

RootKit Comb

[Chart: Rootkit Incidents per month, Jun-00 to Jun-01, y-axis 0 to 16, three series. Only the non-empty monthly values survived extraction, so the runs below cannot be aligned to months.]

Installed rootkit: 6 10 14 6 4 11 5 8 4 4
Failed rootkit: 1 1 1 1
Actual-Use rootkit: 2 2 11 2 3 4 3 3 6 1

Page 19

Fusion Framework

[Diagram, top to bottom:]
Incidents: I1 I2 … In
→ Clustering and Extrapolation
→ Extrapolated Incidents (X-Incidents): X1 X2 … Xm
→ Correlation and Abduction
→ X-Incident Chains: C1 C2 … Cm
→ Role-based Incident Severity Tier Assignment
  – System Admin: T1 T2 T3 T4 T5
  – Law Enforcement: T1 T2 T3 T4 T5
  – Coord. CSIRT: T1 T2 T3 T4 T5
Also shown: Incidents Excluded; Other factors: Political, Social, Economic; System Mission Criticality Databases: DoD/MAC, Project Matrix, Key Asset Initiative.

Page 20

Clustering and Extrapolation

• Clustering groups reports into meaningful classes
  – Similarity metric applied to common features
  – Cohesion function calculates degree of similarity
  – Clustering generates overlapping clusters (clumps); minimizes the cohesion function between incident sets
• Extrapolation fills in the reporting gaps
  – Extrapolation criterion establishes when and how
  – Generates extrapolated incidents (x-incidents)
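The clustering step above in code, as an added example rather than the deck's own algorithm. The cohesion function is assumed to be Jaccard similarity over attack features (the reporting organization is deliberately not a feature), the 0.5 threshold and the reports are constructed, and extrapolation is not shown. Each report seeds one cluster containing everything at least as similar as the threshold, which is what makes the clumps overlap.

```python
"""Overlapping clustering ("clumps") of incident reports with a cohesion
function.  Added example, not the deck's own algorithm; the Jaccard
similarity, the threshold and the reports are assumptions."""
from itertools import combinations

# Constructed reports from several organizations.  "org" identifies the
# reporter and is not an attack feature, so it is left out of similarity.
REPORTS = {
    "r1": {"org": "org1", "tool": "subseven", "port": 27374, "kind": "backdoor"},
    "r2": {"org": "org2", "tool": "subseven", "port": 27374, "kind": "backdoor"},
    "r3": {"org": "org3", "tool": "leaves", "port": 27374, "kind": "scan"},
    "r4": {"org": "org1", "tool": "leaves", "port": 27374, "kind": "scan"},
    "r5": {"org": "org4", "tool": "unknown", "port": 80, "kind": "flood", "target": "www"},
    "r6": {"org": "org2", "tool": "unknown", "port": 80, "kind": "flood", "target": "www"},
    "r7": {"org": "org3", "tool": "subseven", "port": 27374, "kind": "scan"},
}


def features(report):
    return {(k, v) for k, v in report.items() if k != "org"}


def similarity(a, b):
    """Jaccard similarity of two reports' feature sets."""
    fa, fb = features(a), features(b)
    return len(fa & fb) / len(fa | fb)


def cohesion(members, reports):
    """Mean pairwise similarity inside a cluster (1.0 for a singleton)."""
    pairs = list(combinations(sorted(members), 2))
    if not pairs:
        return 1.0
    return sum(similarity(reports[a], reports[b]) for a, b in pairs) / len(pairs)


def clumps(reports, threshold=0.5):
    """Seed one cluster per report with everything at least `threshold`
    similar to it; clusters may overlap.  Most cohesive first."""
    found = set()
    for seed in reports.values():
        found.add(frozenset(i for i, r in reports.items()
                            if similarity(seed, r) >= threshold))
    return sorted(found, key=lambda c: (-cohesion(c, reports), sorted(c)))


if __name__ == "__main__":
    for c in clumps(REPORTS):
        print(sorted(c), round(cohesion(c, REPORTS), 2))
```

Report r7, a scan on the SubSeven port carrying the SubSeven signature, lands in both the SubSeven clump and the Leaves clump. That overlap is exactly the hook the correlation step later pulls on.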

Page 21

Correlation and Abduction

• Identifies sequences that constitute a staged attack
  – Generates x-incident chains
  – Starting context establishes understanding of the initial system/network configuration
• Causal relationships through pre-/post-condition chaining
  – Precondition of the first incident must be satisfied by the starting context
  – Postcondition of each incident must satisfy the precondition of the subsequent incident
• Techniques available (abduction) for filling in gaps
  – Strings together x-incident chains using attack patterns
  – Abduction criterion establishes when and how

Page 22

Example

SubSeven Trojan horse → (Enables) → Leaves worm building "Bot Network" → (Launches) → Denial-of-service attack, with ongoing uses of the "Bot Network"

1. Clustering and extrapolation based on intruder tool signature
2. Clustering based on target of attack and flooding approach
3. Correlation based on Leaves' scan for the SubSeven signature
4. Abduction using the distributed denial-of-service pattern
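The chaining and abduction steps of the previous two slides, run over the example above. This is an added illustration, not the deck's implementation: the incident names, the condition predicates and the small attack-pattern library are constructed. The observed reports are the SubSeven installs and the flood; nobody reported the Leaves worm, so the chain has a gap that only abduction over the pattern library can bridge.

```python
"""Pre-/post-condition chaining with abduction over reported incidents.
Added example, not the deck's own code; names, predicates and the pattern
library are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    pre: frozenset          # conditions that must hold before the incident
    post: frozenset         # conditions that hold afterwards
    observed: bool = True   # False for an x-incident supplied by abduction


def holds(conditions, context):
    return conditions <= context


def build_chain(incidents, start_context, patterns, max_abductions=1):
    """Order observed incidents so each postcondition satisfies the next
    precondition, starting from `start_context`.  When no observed incident
    fits, abduce one from `patterns` whose precondition holds now and whose
    postcondition unlocks a remaining observed incident.  Returns
    (chain, unplaced)."""
    remaining = list(incidents)
    context = set(start_context)
    chain = []
    while remaining:
        fits = [i for i in remaining if holds(i.pre, context)]
        if fits:
            step = fits[0]
            remaining.remove(step)
        else:
            bridges = [p for p in patterns
                       if holds(p.pre, context)
                       and any(holds(i.pre, context | p.post) for i in remaining)]
            if not bridges or max_abductions <= 0:
                break                       # a gap the library cannot fill
            step = bridges[0]
            max_abductions -= 1
        chain.append(step)
        context |= step.post
    return chain, remaining


# Constructed data modelled on the slide.
START = frozenset({"hosts_reachable_from_internet"})
OBSERVED = [
    Incident("subseven-backdoor-installs",
             frozenset({"hosts_reachable_from_internet"}),
             frozenset({"subseven_listening"})),
    Incident("flood-against-www",
             frozenset({"bot_network_controlled"}),
             frozenset({"www_unavailable"})),
]
PATTERNS = [    # attack-pattern library consulted by abduction
    Incident("leaves-worm-recruits-subseven-hosts",
             frozenset({"subseven_listening"}),
             frozenset({"bot_network_controlled"}), observed=False),
    Incident("ddos-from-bot-network",
             frozenset({"bot_network_controlled"}),
             frozenset({"www_unavailable"}), observed=False),
]


def chain_names(incidents=OBSERVED, start=START, patterns=PATTERNS):
    """Chain as a list of names; x-incidents are prefixed with 'x:'."""
    chain, _ = build_chain(incidents, start, patterns)
    return [("" if i.observed else "x:") + i.name for i in chain]


if __name__ == "__main__":
    print(" -> ".join(chain_names()))
    chain, unplaced = build_chain(OBSERVED, START, patterns=[])
    print("without abduction:", [i.name for i in chain],
          "unplaced:", [i.name for i in unplaced])
```

Step 3 of the slide is the `subseven_listening` predicate: the Leaves pattern's precondition is the SubSeven listener that the first incident leaves behind, which is why it is the bridge chosen. With an empty pattern library the flood stays unplaced, which is the honest output when the data really has a hole in it.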

Page 23

Challenges to Analysis Research

• Gathering sufficient datasets to make statistically valid judgments
• Developing automated technical analysis tools
• Developing a reliable methodology for cyber-analysis
• Overcoming organizational bias against sharing information

Page 24

Limits of Analysis

• Inherently partial data
• Baseline in a dynamic environment
• Correlation vs. causation
• Implications
  – Need to be cautious in the kinds of conclusions drawn
  – Consider strategies for dealing with analysis gone wrong

