Post on 28-Dec-2015

219 views

Category:

Documents


0 download

TRANSCRIPT

CSCE 727

Cyber Attacks and Risk Management

CSCE 727 - Farkas 2

Attack Sophistication vs. Intruder's Technical Knowledge

[Figure: CERT chart, timeline 1980-2000. Vertical axis: attack sophistication, low to high. Two curves: "Tools" (attack sophistication, rising over time) and "Attackers" (intruder knowledge, falling over time), i.e., the tools keep getting more sophisticated while the technical knowledge an intruder needs keeps dropping. Techniques labelled along the timeline, roughly earliest to latest: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack.]

Copyright: CERT, 2000

CSCE 727 - Farkas 3

Attack Sophistication vs. Intruder's Technical Knowledge

From: http://people.ubuntu.com/~duanedesign/SurvivabilityandInformationAssuranceCurriculum/01survive/01survive.html

Attack Trend

CSCE 727 - Farkas 4

CSCE 727 - Farkas 5

Reading

Required:

– Denning, Chapters 8, 9, 14

– Hutchins et al., Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, white paper, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Interesting Reading:

– DHS repairing internal security operations, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/seworld20140409-dhs-repairing-internal-security-operations

– Student develops new way to detect hackers, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-student-develops-new-way-to-detect-hackers

– Measuring smartphone malware infection rates, Homeland Security News Wire, April 9, 2014, http://www.homelandsecuritynewswire.com/dr20140409-measuring-smartphone-malware-infection-rates

CSCE 727 - Farkas 6

Attack

Internet Engineering Task Force: RFC 2828:

“ An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of the system.”

CSCE 727 - Farkas 7

Normal Flow

[Diagram: Information source → Information destination]

CSCE 727 - Farkas 8

Interruption

[Diagram: Information source → (flow cut off) → Information destination]

Asset is destroyed or becomes unavailable – Availability
Example: destruction of hardware, cutting a communication line, disabling the file management system, etc.

CSCE 727 - Farkas 9

Interception

[Diagram: Information source → Information destination, with an unauthorized third party reading the flow]

Unauthorized party gains access to the asset – Confidentiality
Example: wiretapping, unauthorized copying of files

CSCE 727 - Farkas 10

Modification

[Diagram: Information source → unauthorized party → Information destination; the flow passes through the attacker]

Unauthorized party tampers with the asset – Integrity
Example: changing values of data, altering programs, modifying the content of a message, etc.

CSCE 727 - Farkas 11

Fabrication

[Diagram: unauthorized party → Information destination; the attacker originates the flow, the real source is idle]

Unauthorized party inserts a counterfeit object into the system – Authenticity
Example: insertion of spurious messages, addition of records to a file, etc.

CSCE 727 - Farkas 12

Phases of Attack

Improve detection by examining in which "phase" an intruder's behavior is first identified

Attack phases:

– Intelligence gathering: attacker observes the system to determine vulnerabilities

– Planning: attacker decides what resource to attack (usually the least defended component)

– Attack: attacker carries out the plan

– Inside the system:
  Hiding: attacker covers the tracks of the attack
  Future attacks: attacker installs backdoors as future entry points

CSCE 727 - Farkas 13

Passive Attack

"Attempts to learn or make use of information from the system but does not affect system resources" (RFC 2828)

Example: sniffer

CSCE 727 - Farkas 14

Sniffers

On a shared medium (hub, wireless) every machine on the segment can "hear" all ongoing traffic; on a switched LAN the attacker first has to get the traffic to their own port (e.g., ARP spoofing, or a mirror port)

Normally a network interface passes up only frames addressed to it (plus broadcast/multicast) and silently discards the rest

Network interface in "promiscuous mode": captures all frames transmitted on the local area network segment, whatever their destination address

CSCE 727 - Farkas 15

Risks of Sniffers

Serious security threat

Capture confidential information
– Authentication information
– Private data

Capture network traffic information

CSCE 727 - Farkas 16

Passive attacks

Interception (confidentiality):

– Disclosure of message contents
– Traffic analysis

CSCE 727 - Farkas 17

Disclosure of message content

Intruder is able to interpret and extract the information being transmitted

Highest risk: authentication information
– Can be used to compromise additional system resources

CSCE 727 - Farkas 18

Traffic Analysis

Intruder is not able to interpret and extract the transmitted information

Intruder is able to derive (infer) information from the traffic characteristics
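Added example (Python; not part of Farkas's slides): a toy of what a sniffer on a shared segment actually obtains from the two passive attacks above. The frames are constructed in-line by a small builder rather than captured, so nothing here opens a promiscuous-mode socket; a real tool would feed raw frames into the same parse_frame(). The FTP login, the addresses and the stand-in "ciphertext" are assumed values, and pad() is the traffic-padding countermeasure (fixed-size cells) in its simplest form.

```python
# Added example: what a passive sniffer extracts.  Frames are constructed here
# (no capture, no promiscuous socket); a real tool would feed raw frames to
# parse_frame() instead.  Addresses, logins and "ciphertext" are made up.
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the three headers; return addressing, ports and TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def disclosure(frames):
    """Disclosure of message content: cleartext credentials (FTP USER/PASS,
    HTTP Basic) read straight out of the payload.  Useless against TLS."""
    hits = []
    for f in filter(None, map(parse_frame, frames)):
        for line in f["payload"].decode("ascii", "replace").splitlines():
            if line.startswith(("USER ", "PASS ")) or "Authorization: Basic" in line:
                hits.append((f["src"], f["dst"], f["dport"], line.strip()))
    return hits


def traffic_analysis(frames):
    """Traffic analysis: needs no content at all, only who talks to whom, on
    which service, and how much.  Works just as well on encrypted traffic."""
    flows, volume = Counter(), Counter()
    for f in filter(None, map(parse_frame, frames)):
        key = (f["src"], f["dst"], f["dport"])
        flows[key] += 1
        volume[key] += len(f["payload"])
    return flows, volume


def pad(payload, cell=256):
    """Traffic padding (countermeasure): fixed-size cells hide message lengths."""
    return payload + b"\x00" * (-len(payload) % cell)


# Constructed sample: a cleartext FTP login, then a TLS session whose payload is
# opaque to the sniffer (arbitrary bytes stand in for ciphertext).
SAMPLE = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.7", 40002, 443, bytes(range(200))),
    build_frame("10.0.0.5", "10.0.0.7", 40002, 443, bytes(range(40))),
]

if __name__ == "__main__":
    print(disclosure(SAMPLE))        # the FTP credentials, nothing from port 443
    print(traffic_analysis(SAMPLE))  # both conversations: counts and byte volumes
```

Note that traffic_analysis() reports the port-443 conversation with exactly the same confidence as the FTP one; encryption removes the credentials from disclosure() but does nothing about who is talking to whom, which is why the next slide lists padding and onion routing as separate countermeasures.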

CSCE 727 - Farkas 19

Protection Against Passive Attacks

Shield confidential data from sniffers: cryptography

Disturb the traffic pattern:
– Traffic padding
– Onion routing

Detect and eliminate sniffers

Detect and eliminate sniffers

CSCE 727 - Farkas 20

Detection of Sniffer Tools

Difficult to detect: sniffers are passive programs that transmit nothing themselves

Tools:

– Promisc – Linux; cpm (Check Promiscuous Mode) – SunOS 4.x: report whether a local interface is in promiscuous mode

– AntiSniff (L0pht Heavy Industries, Inc.): remotely detects computers that are packet sniffing, regardless of the OS

Interesting read: S. Truth, How to Test for Sniffing Vulnerabilities, http://web.securityinnovation.com/appsec-weekly/blog/bid/63274/How-to-Test-for-Sniffing-Vulnerabilities

CSCE 727 - Farkas 21

Active attacks

"Attempts to alter system resources or affect their operation" (Internet Engineering Task Force, RFC 2828)

CSCE 727 - Farkas 22

Active attacks

– Interruption: DoS, DDoS (availability)
– Modification (integrity)
– Fabrication (integrity)
– Replay (authentication)
– Masquerade (authentication)

CSCE 727 - Farkas 23

Protection against DoS, DDoS

Hard to provide full protection
Some of the attacks can be prevented:

– Filter out incoming traffic that carries a local IP address as its source (ingress filtering: such packets can only be spoofed)

– Avoid creating established (per-connection) state until the client's identity, or at least its reachability, is confirmed (e.g., SYN cookies)

Internet trace back: determine the true source of an attack
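Added example (Python; not from the slides) of the two preventive measures listed above: ingress filtering of packets whose source address is one of the site's own (or a non-routable) prefixes, and a stateless handshake in the style of SYN cookies, where the server keeps no state for a SYN and only allocates a connection once the client echoes a cookie it could only have received. The site prefix, secret and 4-tuples are assumed values; the cookie layout (8-bit time slot plus 24-bit HMAC truncation) is a simplification of the real Linux/BSD encoding, which also carries the negotiated MSS.

```python
# Added example: ingress filtering and a SYN-cookie style stateless handshake.
# Prefixes, secret and addresses are assumed values for the demonstration.
import hashlib
import hmac
import ipaddress
import os
import time

# Assumed: the site's own prefix (RFC 5737 documentation range) plus a few
# source addresses that can never legitimately arrive from outside.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
NEVER_FROM_OUTSIDE = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]


def ingress_drop(src_ip):
    """Drop an inbound packet claiming a local or non-routable source address:
    it can only be spoofed (the basis of reflection/amplification floods)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in LOCAL_PREFIXES + NEVER_FROM_OUTSIDE)


class SynCookieListener:
    """No per-connection state is kept for a SYN.  The ISN in the SYN-ACK is an
    HMAC over the 4-tuple and a coarse time slot; only a client that actually
    received the SYN-ACK can return ISN+1, and that is when state is created.
    A flood of SYNs from spoofed sources therefore costs the server nothing
    beyond one HMAC per packet."""

    SLOT_SECONDS = 64  # cookie validity: the current slot and the previous one

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(32)
        self.clock = clock
        self.established = set()

    def _slot(self):
        return int(self.clock()) // self.SLOT_SECONDS

    def _cookie(self, src, sport, dst, dport, slot):
        msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top byte: low 8 bits of the slot (lets on_ack recover the full slot);
        # low 24 bits: truncated MAC.  Real implementations also encode the MSS.
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, sport, dst, dport):
        """Returns the ISN to send in the SYN-ACK.  Nothing is stored."""
        return self._cookie(src, sport, dst, dport, self._slot())

    def on_ack(self, src, sport, dst, dport, ack_number):
        """Validates the echoed cookie; connection state is allocated only on success."""
        isn = (ack_number - 1) & 0xFFFFFFFF
        now = self._slot()
        age = (now - (isn >> 24)) & 0xFF
        if age > 1:                               # expired or garbage cookie
            return False
        expected = self._cookie(src, sport, dst, dport, now - age)
        if not hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return False
        self.established.add((src, sport, dst, dport))
        return True


if __name__ == "__main__":
    listener = SynCookieListener()
    isn = listener.on_syn("198.51.100.7", 40000, "192.0.2.10", 80)
    print(listener.on_ack("198.51.100.7", 40000, "192.0.2.10", 80, isn + 1))  # True
    print(ingress_drop("192.0.2.77"), ingress_drop("203.0.113.5"))            # True False
```

The trade-off a practitioner should keep in mind: because the server remembers nothing between SYN and ACK, anything normally negotiated in the SYN (window scaling, SACK, most of the MSS value) is lost unless it is squeezed into the cookie, which is why real stacks only switch cookies on once the SYN backlog overflows.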

CSCE 727 - Farkas 24

Degradation of Service

Does not completely block the service, just reduces its quality of service

CSCE 727 - Farkas 25

Intrusion Control

It is better to prevent something than to plan for loss.

Problem: Misuse happens!

CSCE 727 - Farkas 26

Need:

Intrusion Prevention: protect system resources

Intrusion Detection (second line of defense): identify misuse

Intrusion Recovery: cost-effective recovery models

CSCE 727 - Farkas 27

Intrusion Prevention

First line of defense
Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.

Not good enough on its own: prevention has to be backed by detection and reconstruction (recovery)

CSCE 727 - Farkas 28

Intrusion Detection System (IDS)

Looks for specific patterns (attack signatures or abnormal usage) that indicate malicious or suspicious intent

Second line of defense against both internal and external threats

See recommended reading!

CSCE 727 - Farkas 29

Intrusion Detection Systems

Deter intruders
Catch intruders
Prevent threats from fully materializing (real-time IDS)
Improve prevention techniques
IDS deployment, customisation and management is generally not trivial
See required reading!

CSCE 727 - Farkas 30

Audit-Based Intrusion Detection

[Diagram: audit data and profiles, rules, etc. feed the intrusion detection system, which outputs a decision]

Need:
• Audit data
• Ability to characterize behavior

CSCE 727 - Farkas 31

Audit Data

Format, granularity and completeness depend on the collecting tool

Examples:
– System tools collect data (login, mail)
– Additional collection at a low system level
– "Sniffers" as network probes
– Application auditing
– Honeynet

Needed for:
– Establishing guilt of attackers
– Detecting suspicious user activities

CSCE 727 - Farkas 32

Audit Data Accuracy

Collection method
– System architecture and collection point
– Software and hardware used for collection

Storage method
– Protection of audit data

Sharing
– Transmission protection and correctness
– Availability

CSCE 727 - Farkas 33

IDS Categories

1. Time of data analysis: real-time vs. off-line IDS

2. Location where audit data was gathered: host-based vs. network-based vs. hybrid

3. Technique used for analysis: rule-based vs. statistic-based

4. Location of analysis: centralized, distributed, network-based

5. Pattern the IDS is looking for: misuse vs. anomaly-based vs. hybrid
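Added example (Python; not from the slides) of categories 3 and 5 above, rule-based/misuse versus statistic-based/anomaly analysis, run over constructed sshd-style log lines (hosts, users and dates are made up; the format mimics OpenSSH's auth log but the lines are not real audit data). The signature catches a password-guessing run that ends in a login; the statistical profile flags the same day because alice's successful-login count is far outside her own baseline, with no rule for that written in advance.

```python
# Added example: rule-based (misuse) and statistic-based (anomaly) detection
# over constructed sshd-style log lines.  Hosts, users and dates are made up.
import re
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse(lines):
    """Audit data -> (timestamp, outcome, user, source ip) events."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        hit = FAIL_RE.search(m["msg"])
        if hit:
            events.append((ts, "fail", hit["user"], hit["ip"]))
            continue
        hit = OK_RE.search(m["msg"])
        if hit:
            events.append((ts, "ok", hit["user"], hit["ip"]))
    return events


def misuse_detect(events, threshold=5, window_s=60):
    """Signature: >= threshold failures from one source inside window_s,
    followed by a success from that source.  Precise, but only for patterns
    someone has already written a rule for."""
    alerts, recent_fails = [], defaultdict(list)
    for ts, outcome, user, ip in events:
        recent = [t for t in recent_fails[ip] if (ts - t).total_seconds() <= window_s]
        if outcome == "fail":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append(("brute-force-success", ip, user, ts))
        recent_fails[ip] = recent
    return alerts


def anomaly_detect(events, baseline_days, z=3.0, min_sigma=0.5):
    """Statistical profile: per-user successful logins per day, compared with
    the user's own baseline.  Catches novel behaviour, at the cost of false
    positives whenever legitimate behaviour changes."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ts, outcome, user, ip in events:
        if outcome == "ok":
            per_user_day[user][ts.date()] += 1
    alerts = []
    for user, days in per_user_day.items():
        history = [days.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), max(pstdev(history), min_sigma)  # floor avoids /0
        for d, n in days.items():
            if d not in baseline_days and abs(n - mu) / sigma > z:
                alerts.append(("anomalous-login-volume", user, d, n))
    return alerts


# Constructed log: three normal days for alice, then a night-time password
# guessing run from an outside address that ends in successful logins.
BASELINE_DAYS = {date(2014, 4, 7), date(2014, 4, 8), date(2014, 4, 9)}
SAMPLE_LOG = [
    "2014-04-07T09:01:00 sshd[1001]: Accepted password for alice from 10.1.1.5 port 50011 ssh2",
    "2014-04-07T13:40:00 sshd[1002]: Accepted password for alice from 10.1.1.5 port 50012 ssh2",
    "2014-04-08T09:05:00 sshd[1003]: Accepted password for alice from 10.1.1.5 port 50013 ssh2",
    "2014-04-08T11:20:00 sshd[1004]: Accepted password for alice from 10.1.1.5 port 50014 ssh2",
    "2014-04-08T16:02:00 sshd[1005]: Accepted password for alice from 10.1.1.5 port 50015 ssh2",
    "2014-04-09T08:58:00 sshd[1006]: Accepted password for alice from 10.1.1.5 port 50016 ssh2",
    "2014-04-09T14:12:00 sshd[1007]: Accepted password for alice from 10.1.1.5 port 50017 ssh2",
] + [
    f"2014-04-10T02:00:0{i} sshd[200{i}]: Failed password for invalid user admin "
    f"from 203.0.113.9 port 4000{i} ssh2" for i in range(1, 6)
] + [
    f"2014-04-10T02:01:{s:02d} sshd[2010]: Accepted password for alice from 203.0.113.9 port 40010 ssh2"
    for s in (0, 15, 30, 45)
]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(misuse_detect(ev))                  # one brute-force-success alert
    print(anomaly_detect(ev, BASELINE_DAYS))  # alice, 2014-04-10, 4 logins
```

The two detectors fail in opposite ways: raise the misuse threshold to 6 and the rule is silent, while the anomaly detector still fires; conversely a single stolen-password login during office hours fits alice's profile and only a rule (or a source-address check) would see it.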

CSCE 727 - Farkas 34

Intrusion Recovery

Actions to avoid further loss from the intrusion
Terminate the intrusion and protect against recurrence
Law enforcement
Enhance defensive security
Reconstructive methods based on:

– Time period of the intrusion

– Changes made by legitimate users during the affected period

– Regular backups, audit-trail-based detection of affected components, semantics-based recovery, minimal roll-back for recovery
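Added example (Python; not from the slides) of the last bullet, recovery driven by the audit trail with minimal roll-back rather than a full restore from backup. Assumed: the log records, per transaction, its read set and the before/after image of every item it wrote, and the malicious transaction has already been identified. The transactions, item names and balances are constructed.

```python
# Added example: minimal roll-back from an audit trail.  The log, the
# item names and the balances are constructed for the demonstration.
from collections import namedtuple

# One audit record per transaction: what it read, and for each item it wrote
# the before- and after-image (what a write-ahead log retains anyway).
Tx = namedtuple("Tx", "tid reads writes")


def affected_transactions(log, bad_tid):
    """The intrusion plus every later transaction that (transitively) read an
    item last written by an affected one, in log order.  Transactions that
    never touched tainted data are left alone."""
    affected, last_writer, order = set(), {}, []
    for tx in log:
        tainted_read = any(last_writer.get(item) in affected for item in tx.reads)
        if tx.tid == bad_tid or tainted_read:
            affected.add(tx.tid)
            order.append(tx.tid)
        for item in tx.writes:
            last_writer[item] = tx.tid
    return order


def rollback(state, log, bad_tid):
    """Undo only the affected transactions, newest first, from their
    before-images.  An item rewritten later by an unaffected transaction keeps
    that legitimate value instead of being reverted."""
    affected = set(affected_transactions(log, bad_tid))
    state, keep = dict(state), set()
    for tx in reversed(log):
        if tx.tid in affected:
            for item, (before, _after) in tx.writes.items():
                if item not in keep:
                    state[item] = before
        else:
            keep.update(tx.writes)
    return state


# Constructed audit trail: T1 and T4 are legitimate and independent, T2 is the
# intrusion (inflates A), T3 moves the inflated balance to C, T5 reads C.
LOG = [
    Tx("T1", reads=[], writes={"A": (100, 90), "B": (0, 10)}),
    Tx("T2", reads=[], writes={"A": (90, 900)}),
    Tx("T3", reads=["A"], writes={"A": (900, 0), "C": (5, 905)}),
    Tx("T4", reads=["D"], writes={"D": (1, 2)}),
    Tx("T5", reads=["C"], writes={"E": (0, 905)}),
]
STATE = {"A": 0, "B": 10, "C": 905, "D": 2, "E": 905}   # after the whole log ran

if __name__ == "__main__":
    print(affected_transactions(LOG, "T2"))   # ['T2', 'T3', 'T5']
    print(rollback(STATE, LOG, "T2"))         # T1 and T4 survive untouched
```

The dependency rule is read-from only: T4 never touched tainted data and its work is kept, and if T1 were the bad transaction the blind overwrite of A by T2 would break the chain, so only B is reverted. The accuracy of this whole method rests on the audit trail being complete and protected (the previous slides on audit data accuracy), since a tampered or partial log yields a confidently wrong recovery.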

CSCE 727 - Farkas 35

What is "Survivability"?

To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

36

Risk Assessment

[Diagram: RISK drawn at the intersection of Threats, Vulnerabilities and Consequences]

37

Real Cost of Cyber Attack

Damage to the target may not reflect the real amount of damage

Other services may rely on the attacked service, causing cascading and escalating damage

Need: support for decision makers to
– Evaluate risk and consequences of cyber attacks
– Support methods to prevent, deter, and mitigate consequences of attacks

38

Risk Management Framework (Business Context)

1. Understand Business Context

2. Identify Business and Technical Risks

3. Synthesize and Rank Risks

4. Define Risk Mitigation Strategy

5. Carry Out Fixes and Validate

Measurement and Reporting

39

Understand the Business Context

"Who cares?"
Identify business goals, priorities and circumstances, e.g.,
– Increasing revenue
– Meeting service-level agreements
– Reducing development cost
– Generating a high return on investment

Identify the software risks to consider

40

Identify Business and Technical Risks

"Why should the business care?"

Business risk
– Direct threat
– Indirect threat

Consequences
– Financial loss
– Loss of reputation
– Violation of customer or regulatory constraints
– Liability

Tie technical risks to the business context in a meaningful way

41

Synthesize and Rank the Risks

"What should be done first?"
Prioritization of identified risks based on business goals
Allocating resources
Risk metrics:
– Risk likelihood
– Risk impact
– Risk severity
– Number of emerging risks

42

Define the Risk Mitigation Strategy

"How to mitigate risks?"
Available technology and resources
Constrained by the business context: what the organization can afford, integrate, and understand

Need validation techniques

43

Carry Out Fixes and Validate

Perform the actions defined in the previous stage

Measure "completeness" against the risk mitigation strategy
– Progress against risk
– Remaining risks
– Assurance of mechanisms

Testing

44

Measuring and Reporting

Continuous and consistent identification and storage of risk information over time

Maintain risk information at all stages of risk management

Establish measurements, e.g.,
– Number of risks, severity of risks, cost of mitigation, etc.

45

Assets-Threat Model (1)

Threats compromise assets

Threats have a probability of occurrence and a severity of effect

Assets have values

Assets are vulnerable to threats

[Diagram: Threats acting on Assets]

46

Assets-Threat Model (2)

Risk: expected loss from the threat against an asset

R = V × P × S

R: risk (expected loss)
V: value of the asset
P: probability of occurrence of the threat
S: severity of the effect, i.e., the vulnerability of the asset to the threat (the fraction of the asset's value lost if the threat occurs)

47

Risk Acceptance

Certification: how well the system meets the security requirements (technical)

Accreditation: management's approval of the automated system (administrative)

Readings for the Student Presentations 04/14/2014

Yinyan He – Zahid H. Qureshi. 2007. A review of accident modelling approaches for complex socio-technical systems. In Proceedings of the twelfth Australian workshop on Safety critical systems and software and safety-related programmable systems - Volume 86 (SCS '07), Tony Cant (Ed.), Vol. 86. Australian Computer Society, Inc., Darlinghurst, Australia, 47-59. http://dl.acm.org/citation.cfm?id=1387046

Frank Peloquin – Robert D. Larkin, Juan Lopez, Jr., Jonathan W. Butts, and Michael R. Grimaila. 2014. Evaluation of security solutions in the SCADA environment. SIGMIS Database 45, 1 (March 2014), 38-53. http://dl.acm.org/citation.cfm?id=2591060

David Rodriquez – Yakkala V. Naga Manikanta and Anjali Sardana. 2012. Protecting web applications from SQL injection attacks by using framework and database firewall. In Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI '12). ACM, New York, NY, USA, 609-613. http://dl.acm.org/citation.cfm?id=2345495

CSCE 727 - Farkas 48