Beyond Reactive Management of Network Intrusions

Professor Sushil Jajodia

Center for Secure Information Systemsjajodia@gmu.eduhttp://csis.gmu.edu/jajodia

Outline

•Problem•Approach•Benefits•Challenges

The Perfect Storm

• Network configurations are ever more sophisticated

• Vulnerabilities are becoming more complex• Remediation resources are sparseA total solution is a combination of technology and services I will describe the technology component

VulnerabilityScanner

WWW

FrontendRouter

BackendRouter

Firewall

ServerLAN

ClientLAN

DMZ

W2K Web

Server

W2KExchange

Server

DMZRouter

Linux Mail

Server

`

WinXPClient

`

W2K ProClient

5 Server

3 Router

2 Firewall

2 PC

LegendSymbol Count Description

OracleDB

Server

W2K Web

Server

Firewall

DBLAN

4

VulnerabilityScanner

41 Vulns 15 Vulns

160Vulns

158Vulns

47Vulns

60 Vulns

107 Vulns

AttackTarget

External Attacker

Limitations of Vulnerability Scanners

• Generate overwhelming amount of data • Example Nessus scan

– Elapsed time: 00:48:07– Total security holes found: 255– High severity: 40– Low severity: 117– Informational: 98

• No indication of how vulnerabilities can be combined • Can an outside attacker obtain access to the Crown

Jewels?• Where does a security administrator start?

Limitations of IDSs

• Generate overwhelming number of alerts• Many false alerts – normal traffic or

failed attacks• Alerts are isolated • No indication of how alerts can be

combined • Incomplete alert information• Where does a security administrator

start?• Is the attacker trying to obtain access to

Crown Jewels?• Require extensive human intervention

Summary

• Current security measures largely independent

• Little synergy among tools• Vulnerabilities considered in isolation may

seem acceptable risks, but attackers can combine them to produce devastating results

What is lacking?

• “A distributed system is one in which the failure of computer you didn’t even know existed can render your own computer unusable” – Leslie Lamport

• Context for total network security• How outsiders penetrate firewalls and

launch attacks from compromised hosts• Insider attacks

9

The reality – security concernsare highly interdependent.

Simply Listing ProblemsMisses the Big Picture!

Penetration Testing

• Few experts available• Red teams can be expensive• Tedious• Error-prone• Impractical for large networks• No formal claims

Attack Graphs

• An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits

• Chain is called an attack path• Set of all possible attack paths form an attack

graph• Generate attack graphs to mission critical

resources• Report only those vulnerabilities associated with

the attack graphs

Related Work

• Phillips and Swiler NSPW 1998• Templeton and Levitt NSPW 2000• Ritchey and Ammann S&P 2000• Wing, Jha et al. CSFW 2002 • Ammann et al CCS 2002 • Ou et al. CCS 2006• Sawilla and Ou ESORICS 2008

Firewall

Attacker

Web Server Mail ServerHub

NT4.0IIS

Linuxattack tools

10.10.100.10

10.10.101.10

10.10.100.20

Linuxwu_ftpd

Reference

• Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, John Williams, "Cauldron: Mission-centric cyber situational awareness with defence in depth," Proc. MILCOM Conf., Baltimore, MD, November 7-10, 2011.

g

g

1

Minimal-Cost Network

Hardening

Solution 1 Solution 1Solution 1

Solution 1 Solution 1Solution 1

Solution 2 Solution 2

Solution 2 Solution 2

No impactNo impact

Reference

• Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approch to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable and Networks (DSN), Boston, Mass, June 25-28, 2012.

25

Attack Graph Visualization Problem

Even small networks can yield complex attack graphs!

2/21/2008 26

WWW

FrontendRouter

BackendRouter

Firewall

ServerLAN

ClientLAN

DMZ

W2K Web

Server

W2KExchange

Server

DMZRouter

Linux Mail

Server

`

WinXPClient

`

W2K ProClient

5 Server

3 Router

2 Firewall

2 PC

LegendSymbol Count Description

OracleDB

Server

W2K Web

Server

Firewall

DBLAN

AttackTarget

External Attacker

27

2/21/2008 28

2/21/2008 29

Alert Correlation

• Correlate alerts to build attack scenarios• For efficient response, this must be done in

real time

Related Work

• Based on a priori knowledge, such as the prepare-for relationship (Cuppens et al S&P’02, Ning et al CCS’02 CCS’03, etc.)

• Based on statistical analysis, such as temporal similarity between alert sequences (Lee et al RAID’03, Dacier et al KDD’02, Valdes et al RAID’01, etc.)

• Hybrid approaches (Ning et al ACSAC’04, Lee et al ESORICS’04, Morin et al RAID’02, etc.)

Attack Graph Approach

• Provides context for alarms• Can help with forensic analysis, attack

response, attack prediction

Hypothesizing and Predicting Alerts

• Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs - Reassembling a broken attack scenario is expensive and error-prone

• By reasoning about the inconsistency between the knowledge (encoded in attack graph) and the facts (represented by received alerts), missing alerts can be hypothesized

• By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted

Reference

• Lingyu Wang, Anyi Liu, Sushil Jajodia, "An efficient and unified approach to correlating, hypothesizing, and predicting network intrusion alerts," Proc. 10th European Symposium on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 3679, September 2005, pages 247-266.

Two Sides of Security

• Just what is “predictive?

• Common Operating Picture

• Situational Awareness

• I have 700 vulnerabilities – now what?!?

Monitoring/Management Predictive

Plus more than 60 other vendors

3 vendors

“Put my problems/my risks in context”

Our Approach• Network Capture

– builds a model of the network

– represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications

• Vulnerability Database – a comprehensive repository

of reported vulnerabilities• Graph Engine

– simulates multi-step attacks through the network, for a given user-defined Attack Scenario

– analyzes vulnerability dependencies, matching exploit preconditions and post-conditions

– generates all possible paths through the network (for a given attack scenario)

Network Capture

VisualAnalysis

OptimalCounter

Measures

Vulnerability Database

NVD

ExploitConditions

AttackScenario

GraphEngine

EnvironmentModel

Vulnerability Scanning

FoundScan

Asset Inventory

Firewall Rules

Aggregate / Correlate / Visualize

Benefit from Synergies

• Common Operating Picture

• Situational Awareness

• Patching servers vs changing firewalls

• Combined vulnerabilities are real

FirewallsVulnerability Scans

Patch Mgmt/Asset MgmtOther

Where do I need to focus my resources?!

OverallGraph

GraphElements

HardeningLog

ExploitDetails

Main AttackGraph View

ExploitField

HardeningRecommendations

Toolbars

38

UnconstrainedStart/Goal

39

AttackStart

Constrained Start

40

AttackStart

AttackGoal

Constrained Start and Goal

41

AttackStart

AttackGoal

AttackStart

Direct Paths

42

Harden

First-LayerRecommendation

43

Harden

Harden

Last-LayerRecommendation

44

Harden

Harden

Minimum-EffortRecommendation

45

2/21/2008 46

Security Metrics

AlarmCorrelationAnd AttackResponse

SensorPlacement

NetworkHardening

CAULDRON has NumerousApplications

Summary of CAULDRON• Automated analysis of all possible attack paths

through a network– Resulting attack “roadmap” provides context for

optimal defenses– Transforms volumes of isolated facts into manageable,

actionable results

• Integrates with existing tools for capturing network configuration

• Your network is provably secure, with minimum effort

• A useful tool for making informed decisions about network security

Zero-day Attacks

• Lingyu Wang, Sushil Jajodia, Anoop Singhal, Steven Noel, "k-Zero day safety: Measuring the security risk of networks against unknown attacks," Proc. 15th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6345, 2010, pages 540-557.

49

Cyber Situation Awareness• An ever increasing number of critical applications and

services rely on Information Technology infrastructures– Increased risk of cyber attacks– Increased negative impact of cyber attacks

• Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems– Manual analysis is labor-intensive and error-prone– Vulnerabilities are often interdependent, making traditional point-

wise vulnerability analysis ineffective– Services and machines on a network are interdependent

• Need for tools that provide analysts with a “big picture” of the cyber situation

50

CSA Capabilities: Enterprise Network

Internet

Web Server (A)

Mobile App Server (C)

Catalog Server (E)

Order Processing Server (F)

DB Server (G)

Local DB Server (D)

Local DB Server (B)

Current situation. Is there any ongoing attack? If yes, where is the attacker?

Impact. How is the attack impacting the enterprise or mission? Can we asses the damage?

Evolution. How is the situation evolving? Can we track all the steps of an attack?

Behavior. How are the attackers expected to behave? What are their strategies?

Forensics. How did the attacker create the current situation? What was he trying to achieve?

Information. What information sources can we rely upon? Can we assess their quality?

Prediction. Can we predict plausible futures of the current situation?

Scalability. How can we ensure that solutions scale well for large networks?

51

Situation Knowledge Reference Model

Index & Data

Structures

Topological Vulnerability Analysis

CSA Framework Architecture

Monitored Network

Analyst

Alerts/Sensory Data

Cauldron Switchwall

Vulnerability Databases

NVD OSVDCVE

Stochastic Attack Models

GeneralizedDependency Graphs

Graph Processing

and Indexing

Dependency AnalysisNSDMine

r

Scenario Analysis & Visualization

Network Hardening

Unexplained Activities Model

Adversarial modeling

Heavy Iron

Reference

• Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, eds., Cyber Situational Awareness: Issues and Research, ISBN: 98-1-4419-0139-2, Springer International Series on Advances in Information Security, 2009, 252 pages.

• Arun Natrajan, Peng Ning, Yao Liu, Sushil Jajodia, Steve E. Hutchinson, "NSDMine: Automated discovery of network service dependencies," Proc. 31st Annual Int'l. Conf. on Computer Communications (INFOCOM), Orlando, FL, March 25-30, 2012, pages 2507-2515.

• Massimiliano Albanese, Sushil Jajodia, Andrea Pugliese, V. S. Subrahmanian, "Scalable analysis of attack scenarios," Proc. 16th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6879, V. Atluri and C. Diaz, eds., Leuven, Belgium, September 12-14, 2011, pages 416-433.

Further Information:

Sushil Jajodiajajodia@gmu.edu(703) 993-1653http://csis.gmu.edu/jajodia