
[ACM Press the 5th Annual Workshop - Oak Ridge, Tennessee (2009.04.13-2009.04.15)] Proceedings of...


Castle Warrior: Redefining 21st Century Network Defense

Monty McDougal
Raytheon Information Security Solutions (ISS)
1200 South Jupiter Road
Garland, TX 75042
+1 (972) 205-8650
[email protected]

ABSTRACT

Historically, network security has often been equated to the medieval practice of building castles and walls to keep intruders at bay. In today’s world of network castles, the castle paradigm has largely served us well for the last 15-20 years, but attacks are evolving to counter the once great firewalls that have protected our network castles and our crown jewels. It is time to revisit the castle doctrine and evolve our defenses to address the new targeted threats.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General – security and protection.

General Terms

Design, Economics, Security, Theory.

Keywords

Targeted Attack, Spear-Phishing, Network Security, Perimeter Security, Castle, Firewall, Egress, Ingress, Covert Channels, Asymmetric Economics.

1. INTRODUCTION

Historically, network security has often been equated to the medieval practice of building castles and walls to keep intruders at bay. Early castles faced many threats from techniques such as battering rams, ladders, and even siege. Over time, technical advances (e.g. the advent of gunpowder) slowly eroded the power of these once great structures as a sound method of defending one’s kingdom.

In today’s world of network castles, we use our walls to protect against threats such as port scanning, Denial of Service (DoS), viruses / worms, buffer overflows, zero day flash / Warhol worms [1]. The castle paradigm has largely served us well for the last 15-20 years, but attacks are evolving to counter the once great firewalls that have protected our network castles. No longer will patch-and-pray, Intrusion Detection Systems (IDS), or server hardening provide adequate protection for our crown jewels.

Sophisticated attackers are eroding our perimeters through attacks on our users and our client applications. We live in a world where the insider threat is real, be it from a malicious internal user or via an internal compromised client machine. Our users are being spear-phished and we face one-off custom/polymorphic malware that renders our anti-virus solutions ineffective.

It is time to revisit the castle doctrine. We still need our walls, but we need to assume they have been compromised. It is time to start using our walls to control egress as well as ingress. It is time for stronger internal separations and monitoring internal to the castle walls. It is time to start building traps for intruders, start using active deception, and to speed up our response time in dealing with those we detect. In short, we must evolve our defenses to address the new threats.

This paper is based on lessons learned from the trenches by organizations facing advanced threats targeted against government / Defense Industrial Base (DIB) networks [2]. Similar attacks have been reported against other entities such as Tibetan activist groups [3] and the banking industry. This is an attempt to generalize the issues and lessons learned in dealing with these threats, but it does not represent any one entity or attacker.

2. CURRENT CASTLE THEORY

2.1 HISTORICAL CASTLES

Historically, kingdoms were defended by building castle walls to keep the intruders out. This involved limiting ingress points to the castle while deploying outward facing defenses to ensure enemies remain outside the gates. Guards and internal defenders were deployed to look for signs of malicious activity inside the castle walls, but the majority of the defenses faced outward.

2.2 NETWORK CASTLES

In today’s world of network castles, defenders deploy firewalls to keep the attackers out. Network architectures are carefully designed to limit ingress points to the network through strong boundary devices. Outward facing defenses are deployed to ensure enemies remain outside the firewall while IDS and logging are used to look for signs of malicious activity reaching internal networks.

2.3 STORMING THE CASTLE

Historical castles faced many challenges over their effective lifespan. Early attacks such as battering rams, ladders, and siege allowed attackers willing to take significant losses to wage an effective attack against these defenses. Over time, evolutionary attacks such as bows / arrows and gun powder emerged and significantly reduced the effectiveness of these defenses.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CSIIRW '09, April 13-15, Oak Ridge, Tennessee, USA Copyright © 2009 ACM 978-1-60558-518-5 ... $5.00

Similarly, attacks against network castles have significantly evolved. Early attacks such as port scanning, Denial of Service (DoS), viruses / worms, buffer overflows, zero day flash / Warhol worms created significant challenges for many network castles. More recently, a class of more determined and better resourced attackers has emerged against many high-value targets. These attackers have introduced an evolutionary shift in tactics to include spear phishing, targeted network attacks, and one-off and polymorphic threats targeted at individual entities as opposed to mass malware.

Threats from persistent attackers have largely shifted from servers and core infrastructure to clients as an entry and exit point into the network. These are often exploited as a targeted one-off attack.

Some of the most commonly utilized attack vectors include:

• Email-borne attacks

o Malicious attachments

o Blended phishing attacks that cross into the web space

o Encrypted mail (expected)

• Web-borne attacks via redirects and malicious iFrames

o Ad sites

o Targeted attacks to frequented sites (emerging)

• Application attacks

• Social engineering attacks using open-source reconnaissance

• Insider attacks (historical)

• Supply chain (emerging)

Most of the threats being used by attackers today are only moderately sophisticated in comparison to the security research publicly available in the research community. Most of the more advanced tactics that could be used have marginal benefit and return on investment for the attacker until the more common attacks fail to achieve their goals. Attacker tactics may evolve further over time, but for now attackers have no need to move to more innovative techniques to circumvent the conventional security practices of most organizations.

With all the discussion of the failures of historical and network castles, it is easy to find oneself asking, is the castle doctrine dead? For historical castles, the answer is likely yes due to force mobility, force projection, and modern “shock and awe” [4]. For network castles, the answer is likely no, but traditional paradigms and ways of doing business are completely broken! Given the conventional network castle’s weaknesses against targeted attacks, we must assume a determined and resourced attacker will get inside because we simply cannot keep all of them out.

2.4 CASTLE ECONOMICS

Economics is vitally important to fully understand information warfare as it is being played against the evolving advanced persistent threat(s). The costs to defend and to attack are rarely equal, which introduces the concept of asymmetric costs for attackers and defenders. Where costs differ, the asymmetric advantage can be applied to multiply force and effect against the enemy. Similarly, resources often incur asymmetric costs when they are in limited supply for a defender or attacker. It is never a good idea to be on the wrong end of this relationship if it can be avoided.

Castles have their own economic challenges because building and defending castles is expensive. Limited budgets exist for both activities, but defenders must mitigate all possible threats if defense is based around the castle paradigm. In general, it is much more expensive to defend than to attack, and this creates an asymmetric cost challenge for the defender because a single flaw can undo all of the other defensive efforts. As the size of the castle increases, so do the costs incurred to guard and maintain it effectively. Similarly, entrances and exits are historical weak points that increase with the size and complexity of the castle, making larger castles more expensive to defend.

Attackers face a different economic landscape because attackers need not defeat all defenses; they simply need to circumvent the one(s) that impede their access to the castle. Attackers generally have fewer resources than the defenders, but they also incur much lower costs in order to achieve their goals, which gives them an asymmetric cost advantage. Significant open source security research is available to the attacker at minimal cost, or they can develop their own. It is important to understand that an attacker’s goal may be to “win” by making the defender spend more money than they do. Of course, defenders with enough resources may be able to exploit the asymmetric resource disadvantage of an attacker to make it too expensive or futile for a given attacker to attack the defender. The Cold War between the Soviet Union and the United States is the classic example of these concepts.

Another significant difference between castles of old and modern network castles is the relationship of risk vs. reward. In both scenarios, defenders face significant losses, but attackers have a significantly different threat environment.

For historical castles, failed attacks often resulted in loss of life or limb for the attacker. Defenders controlled the battlefield and attackers had to make a significant commitment to physically move their resources to engage in the attack. Even when attacks were successful, significant losses were to be expected in attacking a heavily fortified defense. Rewards were high, but so were the risks and expected losses.

With network castles, there is a significant asymmetric balance of risk vs. reward for the network attacker, and attackers can often remain anonymous. A failed network attack has little to no penalty for the attacker, especially when crossing international borders. Risk is low and rewards are high, making network castles very attractive targets for the attacker.

3. 21st CENTURY CASTLE THEORY

3.1 REDEFINING THE CASTLE

With all the discussion of the failures of network castles, it is easy to find oneself asking, why build network castles? In short, it is because earlier threats still exist. Not all attackers are willing to devote the time and resources required to wage a targeted attack against a kingdom. Castle walls keep the roving hordes out; if nothing else, they help filter the noise level down from the less skilled attackers in the horde, allowing us to see the real threats. Fortunately, costs are fairly low to defend against the threat from the horde, so enterprises should continue to defend against these threats. At the same time, defenders should note that castle walls will not defend against skilled attackers who understand how to overcome them using a more sophisticated attack method. It is also important not to underestimate the horde’s ability to learn new skills! Advanced attacks today will become the norm over time.

3.2 ASSUME ATTACKERS WILL GET INSIDE THE WALLS

Defenders need to assume attackers are going to get inside the castle walls. If organizations have historically relied on their castle walls for their only defense, it is time to reevaluate that stance. It is time to consider an intruder tolerance model. This is the concept of risk management vs. risk avoidance. Politically this may be a challenge in many kingdoms, but it is impossible to keep threats out.

Software is inherently vulnerable to human coding error, and attackers are always going to be able to exploit these flaws to gain access inside the castle walls. Zero day, polymorphic, and targeted threats cannot be conventionally defended against. Patch and pray is not sufficient protection because there is always a window of exposure between exploit development and patch availability. Current trends indicate this window of exposure is being exploited more rapidly than in the past. For attackers with enough resources, the opportunity to wage a targeted attack within this window can be significant.

Attacks against end-points further perpetuate this problem. Mail clients, browsers, desktop applications, remote access, client devices, and Web 2.0 all add significant complexity for the defender of an enterprise while giving significant opportunity for the attacker.

Beyond the traditional software threats, defenders also face insider threats (how are users and administrators vetted?), social engineering threats (how well are your users trained?), supply chain threats (who provides your hardware/software/consulting?), etc. Despite all the difficult topics here, defenders still need to try and make it hard for attackers. Exploit your asymmetric resource advantage if at all possible!

3.3 PROTECT THE CROWN JEWELS

The keepers of the castle need to aggressively identify and defend the crown jewels of the kingdom. Defenders should apply the most aggressive defenses to the targets of highest value. Moving these assets into protective compartments and enclaves provides a higher degree of protection based on higher scrutiny for access.

For this to succeed, a method of classifying and identifying the valuable assets of the kingdom must be employed. This can be an incredibly difficult problem in most modern enterprise class networks but it is a vital task to achieve in order to secure the kingdom.

3.4 CASTLES WITHIN CASTLES

Traditionally, most castle defenses have been focused at the perimeter. Once these defenses are breached, the security of the castle is largely compromised; once the first attacker is in, he can let in his friends and the game is over for the defender.

As opposed to the traditional one wall model, defenders should utilize compartmentalization of the castle as a completely different paradigm to limit the damage that can be caused by a single breach. If an attacker compromises one wall, they should find another one stronger than the previous one. Defenders should seriously consider reversing the traditional model! The strongest defenses should be closest to target (e.g. data) and get increasingly weaker as you reach the perimeter.

3.5 TURN THY CASTLE AROUND

One of the things castle defenders often overlook is that castle walls can be used offensively too. If we are going to spend a significant amount of money building castle walls, then we should make them serve multiple purposes by using the walls to stop attackers from exiting unnoticed as well as their role in preventing ingress in the first place. Walls can be used to channel the enemy into points which are closely watched, controlled, or used to actively deceive.

Defenders should pay as much or more attention to their egress rules as their ingress rules. Traditional security controls have been focused on what is entering the kingdom (network). It is time to start watching what is leaving. Even if attackers get in, we really want to make sure the crown jewels (data) do not go out the door easily. Walls should be used to slow data exfiltration and to facilitate the monitoring of data flows. Defenders can use their walls to facilitate situational awareness by limiting the amount of data that is being watched in a given castle.

3.6 WATCH FOR SECRET TUNNELS

It does no good to be watching the castle door if attackers are not using it! If attackers are masquerading their attacks as traffic you know about or expect, they can bypass both your incoming and outgoing controls. Defenders should watch for things masquerading as legitimate traffic allowed to pass through the gates (firewall and web proxy). Advanced threats commonly use protocols such as HTTP, HTTPS, DNS, and SMTP to bypass traditional network boundary devices by using traffic which is normally allowed. Defenders need to be actively looking for traffic which is intentionally being hidden within the normal traffic of the network.

Additionally, defenders need to watch for traffic that is going over or under the walls and bypassing the gate altogether. In particular, defenders should be wary of rogue modems, rogue wireless, Business to Business (B2B) connections, and physical access.
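The egress-watching advice of sections 3.5 and 3.6 cast as detection logic over log records, as an added example that is not part of the paper: the host names, domains, thresholds and log layout are constructed assumptions, and the three heuristics (timer-like beaconing over allowed HTTP(S), unusual outbound volume to one destination, and encoded data carried in DNS query names) are one illustration of what "watching what is leaving" looks like in practice.

```python
"""Egress screen over constructed proxy and DNS log records.

Added example, not from the paper: it implements three checks a defender
can run at the gates (firewall / web proxy / resolver) to spot traffic that
is masquerading as normal, allowed protocol use. Every hostname, domain and
number below is constructed sample data.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed web-proxy records: (timestamp_seconds, source_host, destination_host, bytes_sent)
PROXY_LOG = [
    # ws-17 contacts the same host about every 60 s with a tiny payload: timer-driven check-in
    (0, "ws-17", "update.example-cdn.test", 200),
    (60, "ws-17", "update.example-cdn.test", 200),
    (121, "ws-17", "update.example-cdn.test", 200),
    (180, "ws-17", "update.example-cdn.test", 200),
    (241, "ws-17", "update.example-cdn.test", 200),
    (300, "ws-17", "update.example-cdn.test", 200),
    # ws-03 browses normally: irregular timing, small uploads
    (5, "ws-03", "www.example.test", 800),
    (17, "ws-03", "www.example.test", 1200),
    (140, "ws-03", "www.example.test", 900),
    (145, "ws-03", "www.example.test", 700),
    (400, "ws-03", "www.example.test", 1000),
    # ws-22 pushes a few large uploads to a single external host
    (100, "ws-22", "files.example-share.test", 900_000),
    (130, "ws-22", "files.example-share.test", 800_000),
    (190, "ws-22", "files.example-share.test", 700_000),
]

# Constructed resolver records: (source_host, queried_name). The long, high-entropy
# leftmost labels stand in for encoded data that a DNS tunnel would carry.
_ENCODED = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"  # constructed placeholder payload
DNS_LOG = [("ws-03", "www.example.test"), ("ws-03", "mail.example.test"),
           ("ws-17", "update.example-cdn.test")] + [
    ("ws-22", f"{_ENCODED[i:] + _ENCODED[:i]}.t.example-tunnel.test") for i in range(6)
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def beacon_candidates(records, min_events=4, max_jitter=0.15):
    """Flag (src, dst) pairs whose request intervals are nearly constant.

    A low coefficient of variation of the inter-request gaps is the signature
    of a timer-driven check-in rather than a human browsing.
    Returns sorted [((src, dst), mean_interval_seconds), ...].
    """
    times_by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        times_by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in times_by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg, 1)))
    return sorted(hits)


def egress_volume_candidates(records, threshold_bytes=1_000_000):
    """Flag (src, dst) pairs whose total bytes sent exceed the threshold."""
    totals = defaultdict(int)
    for _, src, dst, sent in records:
        totals[(src, dst)] += sent
    return sorted((pair, total) for pair, total in totals.items() if total > threshold_bytes)


def dns_tunnel_candidates(records, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Flag domains that receive many distinct, long, high-entropy subdomain labels.

    The registered domain is approximated as the last two labels; production
    code would consult the public suffix list instead.
    Returns sorted [((src, domain), unique_suspect_labels), ...].
    """
    suspects = defaultdict(set)
    for src, name in records:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first, domain = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            suspects[(src, domain)].add(first)
    return sorted((key, len(s)) for key, s in suspects.items() if len(s) >= min_unique)


if __name__ == "__main__":
    for label, hits in (("beacons", beacon_candidates(PROXY_LOG)),
                        ("egress volume", egress_volume_candidates(PROXY_LOG)),
                        ("dns tunnels", dns_tunnel_candidates(DNS_LOG))):
        print(f"{label}: {hits}")
```

The thresholds are starting points to be tuned against a site's own baseline; the point of section 3.7 is that only a defender who knows the normal state of the castle can set them sensibly.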

3.7 KNOW THY CASTLE

Defenders have one major advantage over the attacker: it is their castle. Assuming the defender has a proper configuration baseline, they know the normal state of their castle. This can be incredibly difficult in a large enterprise environment, but strong security is heavily dependent on stringent host-based lockdown and configuration control. Defenders need to use whitelists as opposed to blacklists in defining their security controls, implementing a default-deny policy for the execution of unknown code and thus negating many possibilities for nefarious activities.

Once defenders have established a whitelist baseline, they should watch for and aggressively investigate anomalies within the enterprise. Defenders can leverage knowledge of their network to choose their battlefields by forcing attackers into vulnerable positions in order to advance. In doing so, the defender has an opportunity to set traps for the attacker and monitor them for intrusions.

3.8 AGGRESSIVELY DEFEND THY CASTLE

As defenders we may not be able to keep the attackers out of the castle, but we should kill them with extreme prejudice for being there! It is imperative to limit the window of time an attacker has inside the walls to perform their activities. Defenders should focus on real time detection capabilities and attempt to speed up the response times in dealing with all intrusions.

Active deception and misdirection of the enemy may be a possible way of slowing their attacks or learning their tactics (e.g. honeynets). If defenders can introduce enough fake information into an attacker’s view of the enterprise, then it can introduce a significant level of distrust into the enemy’s perceived value of the attack or the information that was compromised.

4. EVOLVING THE CASTLE

The use of bows / arrows and gun powder forced historical castles to evolve. Modern attackers using targeted methods and other technological revolutions are forcing network castles to evolve as well. Defenders cannot abandon their defenses, though they must adapt how they are used and deployed to address new technologies. Wireless, VoIP, mobile computing devices, B2B, and other partnering relationships continue to add new challenges to securing the enterprise.

Equally, it is important to understand that much of the insecurity of the castle stems from the day-to-day activities of the people living and working there. This is especially true in today’s network castles. It is strongly encouraged that, when building future defenses, these activities be revisited in the light of the new threats and new technologies. Re-engineering or otherwise abandoning processes is warranted given the threats that are now showing up at the castle door. Convincing the King or Queen of this may be a hard sell when it impacts tax collection, but it is imperative to take action now while there are still assets in the kingdom worth defending. Business as usual can no longer be business as usual.

5. CONCLUSION

It is a lot easier to write the words on this scroll than to actually execute them, especially in an enterprise environment. Worse, a lot of the tools that are needed to defend large kingdoms do not even exist.

There are clearly several core technologies that appear to be keys in winning a fight against targeted threats:

• Signature-based detection (host and network)

• Heuristic-based detection (host)

• Heuristic-based solutions addressing the email and web threats

• End-point lockdown

• Application white-listing (especially if done heuristically)

• Sandboxing / jailing (especially at the OS level)

• Firewalls / ACLs (for dynamic rule propagation to sensors)

• Strong zoning technologies and architectures to segment networks

• Event correlation (multi-sensor and intelligent correlation / mining)

• Compliance on connect / Network Access Control (NAC)

Supporting technologies which are needed to enable the above:

• Encryption

• Data labeling / data classification

• Virtualization

• Deep freeze / configuration roll-back

• Patch management

Despite the challenges we face in moving in new directions, the existing defense paradigm is completely broken, is getting worse every day, and cannot be ignored. Creative solutions in this space are possible, but they will require changes in the way business is done in many organizations. It is time to aggressively start defending the kingdom or there will be no kingdom to defend. It is time for a call to arms because this problem is not going to be addressed by just the castle defense team.

6. ACKNOWLEDGMENTS

Many thanks to my colleagues at Raytheon Information Security Solutions (ISS) and other DIB partners for very helpful discussions and ideas on these topics.

7. REFERENCES

[1] Weaver, N. 2001. “Warhol Worms: The Potential for Very Fast Internet Plagues,” Aug. 15, 2001. http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm.

[2] Grow, B., Epstein, K., and Tschang, C. 2008. “The New E-spionage Threat,” BusinessWeek, Apr. 10, 2008. http://www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm.

[3] Grow, B. 2008. “Activist Groups Under Cyber Attack,” BusinessWeek, Apr. 11, 2008. http://www.businessweek.com/print/magazine/content/08_16/b4080000613818.htm.

[4] Ullman, H. and Wade, J. 1996. “Shock And Awe: Achieving Rapid Dominance,” National Defense University, 1996. http://www.dodccrp.org/files/Ullman_Shock.pdf.

CSIIRW '09, April 13-15, Oak Ridge, Tennessee, USA

Monty McDougal, Raytheon Information Security Solutions (ISS), +1 (972) 205-8650

[email protected]

Castle Warrior: Redefining 21st Century Network Defense

Copyright © 2009 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company.

Page 2


Castle Doctrine

• Historical
  – Build walls to keep the intruders out
  – Limit ingress points to the castle
  – Deploy outward facing defenses to keep enemies outside the gates
  – Use guards to look for signs of malicious activity inside the castle walls

• Network
  – Deploy firewalls to keep the attackers out
  – Limit ingress points to the network
  – Deploy outward facing defenses to keep enemies outside the firewall
  – Use IDS to look for signs of malicious activity reaching internal networks

Networks And Castles Share Commonalities

Page 3


Storming Historical Castles

• Early Attacks
  – Battering Rams
  – Ladders
  – Siege

• Evolutionary Attacks
  – Bows and Arrows
  – Gun Powder

Traditional Castles Had Weaknesses…

Page 4


Storming Network Castles

• Early Attacks
  – Port Scanning
  – DoS
  – Viruses / Worms
  – Buffer Overflows
  – Zero Day Flash / Warhol Worms

• Evolutionary Attacks
  – Spear Phishing and Targeted Attacks
  – One-Off and Polymorphic Threats

Network Castles Have Weaknesses Too

Page 5


Is The Castle Doctrine Dead?

• Historical Castles – Yes
  – Force mobility, force projection & “Shock and Awe”

• Network Castles – No
  – But… Traditional paradigms are completely broken!
  – Assume attackers will get inside (we simply cannot keep them all out)

• Why Build Network Castles Then?
  – Early Threats Still Exist
    o Castle Walls keep out the roving hordes at fairly low cost
    o If nothing else we need to filter the noise level down to see the real threats
  – Unfortunately, Castle Walls will not defend against skilled attackers understanding how to circumvent these barriers using a more sophisticated attack method
  – Don’t underestimate the horde’s ability to learn these new skills!
    o Advanced attacks today will become the norm over time

It Is Time To Evolve The 21st Century Network Castle

Page 6


Asymmetric Economics

• Defense
  – Building and defending castles is expensive
  – Defenders must mitigate all possible threats to the Castle
    o Asymmetric Cost challenge because a single flaw can mitigate the other defenses
    o Defenders “may” be able to exploit Asymmetric Resources of an attacker to make it too expensive or futile for a given attacker to attack the defender
  – As the size / complexity of the castle increases, so do the costs incurred to guard / maintain it effectively

• Attack
  – Attackers have much lower costs
  – Attackers need not defeat all defenses, they simply need to circumvent the one(s) that impede their access to the castle
  – Attackers generally have fewer resources than the defenders but have an Asymmetric Cost advantage
    o Significant public / open source security research is available to the attacker with minimal costs or they can develop their own
    o Attacker’s goal may be to “win” by making the defender spend more than they do
  – Unlike with Traditional Castles, attackers face little risk of life or limb with high returns from their spoils of war

Asymmetric Economics Presents Real Challenges

Page 7


Assume Attackers Will Get In

• Attackers are going to get inside the walls
  – Software is inherently vulnerable to human coding error
  – Consider an Intruder Tolerance model (Risk Management vs. Risk Avoidance)

• It is impossible to keep threats out
  – Zero day, polymorphic and / or targeted threats cannot be conventionally defended against
    o Patch and pray is not sufficient protection
  – Attacks against end-points perpetuate this problem
    o Mail clients, browsers, desktop applications, remote access, client devices, Web 2.0
  – Insider threats (how are users and administrators vetted?)
  – Supply chain threats (who provides your hardware/software/consulting?)

• You should still make it hard for them
  – Exploit your Asymmetric Resource advantage!

• Modern Network Castles need controls which assume attackers are going to be inside the castle walls
  – They probably already are… even if you don’t know it!

Move To A Model That Assumes Attackers Can Get In

Page 8


Turn Thy Castle Around

• Traditionally, most castle defenses have been focused at the perimeter
  – Once breached, security is largely compromised
• Castle walls can be used offensively too
  – Use walls to stop attackers from exiting
  – Channel the enemy into points which are closely watched and controlled
• Ingress vs. Egress rules
  – Traditional controls have been focused on what is entering the kingdom
  – It is time to start watching what is leaving, because even if they get in we really want to make sure the crown jewels (data) don't go out the door
• Slow down data exfiltration and monitor data flows
  – Use the walls to create situational awareness
• Compartmentalization of the Castle can be used as a completely different paradigm to limit the damage that can be caused by a single breach
  – Try reversing the traditional model!
  – Use a model where the strongest defenses are closest to the target (e.g. data) and get increasingly weaker as you reach the perimeter

Use The Castle Walls To Your Advantage
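Watching what leaves the kingdom, as an added example (not code from the paper): the script below runs egress-side detection over constructed flow records. It flags two patterns an ingress-only ruleset never sees, a one-day burst of outbound data from a host, and a slow drip to a single external destination that stays under the host's daily baseline every day but adds up across a week. The record layout (timestamp, source, destination, port, bytes out), the addresses and the per-host baselines are assumptions made for this example.

```python
"""Egress-side monitoring over constructed flow records.

Added example, not code from the paper. An ingress-only ruleset never sees
either of the two patterns flagged here: a one-day burst of outbound data
from a host, and a slow drip to a single external destination that stays
under the host's daily baseline every day but adds up across a week.
The record layout, addresses and baselines are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed per-host baseline: typical daily outbound bytes learned during a quiet period.
BASELINE_DAILY_OUT = {"10.0.1.20": 2_000_000, "10.0.1.21": 2_000_000}


def constructed_flows():
    """Constructed records, one per line: 'timestamp src dst dport bytes_out'.
    Both hosts do ordinary web traffic; .20 has one 9 MB burst on April 4;
    .21 sends 500 KB to 203.0.113.5 every night, never tripping a daily limit."""
    flows = []
    for day in range(1, 8):
        d = f"2009-04-{day:02d}"
        flows.append(f"{d}T09:00:00 10.0.1.20 192.0.2.10 443 150000")
        flows.append(f"{d}T09:30:00 10.0.1.21 192.0.2.10 443 120000")
        flows.append(f"{d}T12:00:00 10.0.1.20 10.0.2.5 445 3000000")  # internal, not egress
        flows.append(f"{d}T23:10:00 10.0.1.21 203.0.113.5 443 500000")
    flows.append("2009-04-04T14:00:00 10.0.1.20 198.51.100.7 443 9000000")
    return flows


def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfiltration(lines, burst_factor=3.0, drip_min_days=5):
    """Return sorted alerts: ('burst', src, day, bytes) or ('drip', src, dst, bytes)."""
    per_day = defaultdict(int)                   # (src, day) -> bytes to external hosts
    per_pair = defaultdict(lambda: [0, set()])   # (src, dst) -> [bytes, days seen]
    for line in lines:
        ts, src, dst, _, nbytes = parse_flow(line)
        if not is_external(dst):
            continue                             # only what leaves the walls matters here
        day = ts.date()
        per_day[(src, day)] += nbytes
        per_pair[(src, dst)][0] += nbytes
        per_pair[(src, dst)][1].add(day)

    alerts = []
    for (src, day), total in per_day.items():
        base = BASELINE_DAILY_OUT.get(src)
        if base and total > burst_factor * base:
            alerts.append(("burst", src, day.isoformat(), total))
    for (src, dst), (total, days) in per_pair.items():
        base = BASELINE_DAILY_OUT.get(src)
        # Sustained transfers to one outside host that together exceed a whole
        # day's normal egress: each day looked harmless, the week did not.
        if base and len(days) >= drip_min_days and total > base:
            alerts.append(("drip", src, dst, total))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_exfiltration(constructed_flows()):
        print(alert)
```

The burst rule alone would miss the nightly 500 KB transfers, which is the point of keeping a per-destination tally over a window: a patient attacker sizes each transfer to stay below whatever daily threshold the defender is known to use. In practice the baseline should be learned per host from the defender's own history rather than typed in.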


Know Thy Castle

• Defenders have one major advantage over the attacker… it is their castle
• Assuming the defender has a proper baseline, they know what the normal state of their castle is
  – Strong host-based lockdown and configuration control
  – Use whitelists as opposed to blacklists
  – Watch for and aggressively investigate anomalies
• Watch for secret tunnels, as they can bypass your controls
  – Watch for things masquerading as legitimate traffic allowed to pass through the gates
    • HTTP / HTTPS, DNS, email, etc.
  – Watch for traffic that is going over / under the walls and bypassing the gate altogether
    • Rogue modems, rogue wireless, physical access, etc.
• Defenders can leverage this to choose the battlefield by forcing attackers into vulnerable positions in order to advance
  – Set traps and monitor them for intrusion

Leverage The Home Field Advantage
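One of the "secret tunnels" above in working form, as an added example that is not part of the paper: DNS is almost always allowed through the gate, so a tunnel hides in it as many unique, long, high-entropy subdomain labels under one base domain, often as TXT queries. The script applies the whitelist-first rule from the slide (known-good base domains are skipped entirely) and then scores what remains per client and base domain. The log format, the allowlist, the domains and the thresholds are assumptions for this example, and the two-label base-domain rule is a simplification.

```python
"""Spotting a covert channel masquerading as legitimate DNS.

Added example, not code from the paper. Known-good base domains are skipped
(whitelist first); everything else is scored on the number of distinct
subdomains, their length and their character entropy. Log format, allowlist,
domains and thresholds are assumptions for this example.
"""
import hashlib
import math
from collections import defaultdict

KNOWN_GOOD = {"example.com"}   # assumed allowlist: domains the business actually uses


def base_domain(qname):
    """Simplification for the example: the last two labels are the registrable
    domain. Real deployments need a public-suffix list (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def constructed_dns_log():
    """Constructed log lines: 'timestamp client qtype qname'. Host .20 does ordinary
    lookups; host .21 sends 40 distinct hex-encoded TXT queries to one base domain,
    the classic shape of data leaving through a DNS tunnel."""
    lines = [
        "2009-04-01T09:00:01 10.0.1.20 A www.example.com",
        "2009-04-01T09:00:02 10.0.1.20 A mail.example.com",
        "2009-04-01T09:00:03 10.0.1.20 A www.example.net",
        "2009-04-01T09:00:04 10.0.1.20 MX example.net",
        "2009-04-01T09:00:05 10.0.1.21 A www.example.net",
    ]
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]   # stands in for encoded data
        lines.append(f"2009-04-01T09:01:{i:02d} 10.0.1.21 TXT {chunk}.t.example.org")
    return lines


def detect_dns_tunnels(lines, min_unique=20, min_label_len=20, min_entropy=3.0):
    """Return one alert dict per (client, base domain) that looks like a tunnel."""
    groups = defaultdict(lambda: {"subs": set(), "txt": 0, "total": 0})
    for line in lines:
        _, client, qtype, qname = line.split()
        base = base_domain(qname)
        if base in KNOWN_GOOD:
            continue                              # whitelist first, inspect the rest
        name = qname.rstrip(".").lower()
        sub = name[: len(name) - len(base)].rstrip(".")
        g = groups[(client, base)]
        g["total"] += 1
        if qtype == "TXT":
            g["txt"] += 1
        if sub:
            g["subs"].add(sub)

    alerts = []
    for (client, base), g in groups.items():
        subs = g["subs"]
        if len(subs) < min_unique:
            continue                              # a few odd names is not a channel
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            alerts.append({
                "client": client, "base": base, "unique_subdomains": len(subs),
                "mean_entropy": round(mean_ent, 2), "txt_ratio": round(g["txt"] / g["total"], 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunnels(constructed_dns_log()):
        print(alert)
```

The whitelist matters for more than noise reduction: once the tunnel is found, the defender's response is to block the base domain at the resolver while leaving the allowlisted ones untouched, which is the "channel the enemy into watched and controlled points" idea from the previous slide applied to a protocol that cannot simply be shut off.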


Aggressively Defend Thy Castle

• Aggressively identify and defend the Crown Jewels of the kingdom
  – Apply the most aggressive defenses to the targets of highest value
  – A method of classifying and identifying the valuable assets of the kingdom must be employed
  – Moving these into protective compartments and enclaves facilitates a higher degree of protection based on higher scrutiny of access
• We may not be able to keep the attackers out of the castle, but we should kill them with extreme prejudice for being there!
• Limit the window of time an attacker has inside the walls to perform their activities
  – Focus on real-time detection capabilities
  – Speed up the response times
• Deception and misdirection of the enemy may be a possible way of slowing their attacks or learning their tactics (e.g. honeynets)
• If only we could ride out and burn our attackers' Castle down…

Know What Is Valuable & Speed Up Response Time
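The "set traps and monitor them" point from the previous slide and the "limit the window of time" point from this one, together as an added example that is not code from the paper: plant decoy credentials that exist only in a planted file and a decoy host that serves nothing, so that any touch is a high-fidelity alert needing no signature for the attacker's tools, and measure how long the intruder had inside the walls before a trap fired. The log formats, account names, addresses and timings are all constructed for this example.

```python
"""Traps inside the walls: decoy credentials and a decoy host.

Added example, not code from the paper. Nothing legitimate ever uses the
planted account names or talks to the decoy address, so a single hit is a
high-fidelity alert, and the time from an intruder's first event to the
first hit is the window they had before the trap fired. Log formats, names,
addresses and timings are constructed for this example.
"""
import re
from datetime import datetime

DECOY_ACCOUNTS = {"svc_backup_old", "sa_legacy"}   # assumed: exist only in a planted credentials file
DECOY_HOSTS = {"10.0.9.9"}                         # assumed: answers on common ports, serves nothing

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)
CONN_RE = re.compile(r"^(?P<ts>\S+) \S+ conn (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def constructed_log():
    """Constructed events. alice's real login from .20 is normal; the actor on .21
    reuses alice's password, then tries a planted account and probes the decoy host."""
    return [
        "2009-04-01T09:00:00 fileserver sshd: Accepted password for alice from 10.0.1.20",
        "2009-04-01T09:05:10 fileserver sshd: Failed password for alice from 10.0.1.21",
        "2009-04-01T09:05:12 fileserver sshd: Accepted password for alice from 10.0.1.21",
        "2009-04-01T09:40:00 fileserver sshd: Failed password for svc_backup_old from 10.0.1.21",
        "2009-04-01T09:42:00 fw conn 10.0.1.21 -> 10.0.9.9:445",
        "2009-04-01T09:50:00 fw conn 10.0.1.20 -> 10.0.2.5:445",
    ]


def parse_event(line):
    m = AUTH_RE.match(line)
    if m:
        return {"kind": "auth", "ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "user": m["user"]}
    m = CONN_RE.match(line)
    if m:
        return {"kind": "conn", "ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"]}
    return None


def trap_hits(lines):
    """Return (ts, src, trap_type, trap_name) for every touch of a trap, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "auth" and ev["user"] in DECOY_ACCOUNTS:
            # Success or failure makes no difference: nobody should know this name.
            hits.append((ev["ts"], ev["src"], "decoy-credential", ev["user"]))
        elif ev["kind"] == "conn" and ev["dst"] in DECOY_HOSTS:
            hits.append((ev["ts"], ev["src"], "decoy-host", ev["dst"]))
    return hits


def exposure_seconds(lines, src):
    """Seconds between the first event from src and the first trap it touched:
    the window the attacker had inside the walls before a trap fired.
    Returns None if src never hit a trap."""
    first_seen = None
    for line in lines:
        ev = parse_event(line)
        if ev and ev["src"] == src:
            first_seen = ev["ts"]
            break
    for ts, hit_src, _, _ in trap_hits(lines):
        if hit_src == src:
            return int((ts - first_seen).total_seconds())
    return None


if __name__ == "__main__":
    for hit in trap_hits(constructed_log()):
        print(hit)
    print("exposure before first trap:", exposure_seconds(constructed_log(), "10.0.1.21"), "s")
```

Note that alice's accepted login from the second host is not a hit on its own; a stolen valid credential looks like the real user, which is exactly why the slide argues that detection must not depend on keeping attackers out. The trap fires on behaviour only an intruder exhibits, and the measured window (here about 35 minutes) is the number to drive down by speeding up response.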


Parting Words From A Sage…

• It is a lot easier to write the words on this scroll than to actually do them
  – A lot of the tools that are needed don't even exist
• That said, the existing defense paradigm is completely broken and it is getting worse every day, so the problem cannot be ignored
• It is time to have a call to arms and aggressively start defending the kingdom, or there will be none to defend
• Much of the insecurity of the Castle stems from the day-to-day activities of the people living / working there
• It is strongly encouraged that when building future defenses, these activities be revisited in the light of the new threats and new technologies
• We cannot abandon our defenses, even though we must adapt how they are used and deployed in the face of future challenges
  – Wireless
  – VOIP
  – Mobile Computing / Mobile Devices
  – B2B and Partnering Relationships

Evolve Thy Castle… Or Be Prepared To Die In It


Biography

• Monty McDougal, Principal Security Engineer, has been working for Raytheon IIS for the last 8+ years performing tasks ranging from programming to system administration. Monty has an extensive programming background spanning 13+ years in web development. His work has included development / integration / architecture / accreditation work on numerous security projects including multiple government programs, internal and external security assessments, wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 High-Speed Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and advanced anti-malware IRADs.

• Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFA, GCIH, GCUX, GCWN, GREM, GSEC, GAWN-C, and serves on the SANS Advisory Board.

