Malware Mimics for Network Security Assessment CDR Will Taff LCDR Paul Salevski March 7, 2011 CDR...


Malware Mimics for Network Security Assessment

CDR Will Taff
LCDR Paul Salevski
March 7, 2011

Agenda

• Motivation
• Introduction
• Vision
• Proposal
• What we did
• Way Ahead

Motivation

Motivation – In the Lab

• Currently, DoD relies on Red Teams (trusted adversaries) for Information Assurance (IA) testing and evaluation of military networks
• This approach is unsatisfactory:
  • Relies on a constrained resource (Red Teams)
  • Limited in scope of effects (safety/risk to the host network)
  • Non-uniform/inconsistent application
  OR
  • Confined to a laboratory setting (not “Train Like Fight”)

Introduction

Introduction - The Way the Navy Is

[Diagram labels: Internet; Global Information Grid (GIG), owned and operated by DISA; Network Operating Centers; SIPR; NIPR; JWICS; CENTRIXS]

Proposal

• We propose the development of a distributed software system that can be used by either simulated adversaries (such as a Red Team) or trusted agents (such as a Blue Team) to create scenarios and conditions to which a network management/defense team will need to react and resolve.

Vision

[Diagram labels: STEP Site, Northwest, VA; Ft. Meade, MD; Norfolk, VA (MM-Server); Global Information Grid (GIG); USS Arleigh Burke (MM-Clients)]

Malware Mimic

• Have the “trainer” sitting anywhere
• Trainer remotely controls a network of pre-installed software nodes on the training network, simulating network malware/mal-behaviors
  • Simulate viruses
  • Simulate bots
  • Simulate Internet worms
  • Simulate malicious “hackers”
• “Trainee” reacts to simulated effects in the same manner as to actual threats
• Network nodes consist of Java software packages running on top of pre-existing and unmodified network hosts
  • No (unwanted) impact to users
  • No need for additional hardware
• Network nodes coordinate effects via a Trainer-controlled Command and Control Server
  • Local or offsite
• Solves the problem of “flying in” a red team

Architecture

Anatomy of an Attack

Anatomy of an Attack with MM’s

Architecture - Physical Layout

Virtual Layout

Results

Way Ahead

• More complex network architecture
• More complex Malware Mimics
• Focus on higher security
• Installation and testing onto larger and operational networks
• Communication between MM-Clients

Questions

CDR Will Taff – wrtaff@nps.edu
LCDR Paul Salevski – pmsalevs@nps.edu