Malware Mimics for Network Security Assessment
CDR Will Taff
LCDR Paul Salevski
March 7, 2011
Introduction
• Currently, DoD relies on Red Teams (trusted adversaries) for Information Assurance (IA) testing and evaluation of military networks
• This approach is unsatisfactory:
  • Relies on a constrained resource (Red Teams)
  • Limited in scope of effects (safety/risk to host network)
  • Non-uniform/inconsistent application
  OR
  • Confined to a laboratory setting (not "Train Like Fight")
Introduction - The Way the Navy Is
[Network diagram: the Internet; the Global Information Grid (GIG), owned and operated by DISA; Network Operating Centers; the SIPR, NIPR, JWICS and CENTRIXS enclaves]
Proposal
• We propose the development of a distributed software system that can be used by either simulated adversaries (such as a Red Team) or trusted agents (such as a Blue Team) to create scenarios and conditions that a network management/defense team will need to react to and resolve.
Vision
[Diagram: STEP sites at Northwest, VA; Ft. Meade, MD; Norfolk, VA; the MM-Server; the Global Information Grid (GIG); MM-Clients aboard USS Arleigh Burke]

Malware Mimic
Architecture
• Have the "trainer" sitting anywhere
• Trainer remotely controls a network of pre-installed software nodes on the training network, simulating network malware/mal-behaviors:
  • Simulate viruses
  • Simulate bots
  • Simulate Internet worms
  • Simulate malicious "hackers"
• "Trainee" reacts to simulated effects in the same manner as to actual threats
• Network nodes consist of Java software packages running on top of pre-existing and unmodified network hosts
  • No (unwanted) impact to users
  • No need for additional hardware
• Network nodes coordinate effects via a Trainer-controlled Command and Control Server (local or offsite)
• Solves the problem of "flying in" a red team
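The following sketch is an added illustration of the architecture on this slide; it is not the authors' Java implementation (the slides show no code) and is written in Python so it can be run as-is. A trainer-controlled C2 server fans scenario steps out to mimic nodes; each node produces only synthetic event records, standing in for what the trainee's sensors would log, and refuses any step aimed outside a training-enclave allowlist, which addresses the safety/risk concern raised in the Introduction. The worm scenario generator, the enclave address range, the event format and the fan-out detector are all assumptions made for this example.

```python
"""Toy model of the trainer / C2 server / mimic-node architecture.
Added example, not the slide authors' code.  Nothing here touches a real
network: an 'effect' is a synthetic Event record that stands in for what
the trainee's sensors would see."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed training enclave: mimic nodes refuse any step whose target
# lies outside it, so a scenario cannot spill onto a production host.
TRAINING_ENCLAVE = {"10.10.1.%d" % i for i in range(1, 21)}


@dataclass
class Step:
    kind: str           # assumed effect types: "beacon", "scan", "spread"
    source: str         # node that produces the effect
    targets: List[str]  # hosts the effect is aimed at
    t: int              # scenario clock tick


@dataclass
class Event:
    t: int
    src: str
    dst: str
    kind: str


class MimicNode:
    """Runs on an (unmodified) host; only appends synthetic events to a bus."""

    def __init__(self, host: str, bus: List[Event]):
        self.host, self.bus = host, bus
        self.rejected: List[Step] = []

    def execute(self, step: Step) -> int:
        """Emit one event per target; refuse the whole step if any target
        is outside the enclave.  Returns the number of events emitted."""
        if any(t not in TRAINING_ENCLAVE for t in step.targets):
            self.rejected.append(step)
            return 0
        for dst in step.targets:
            self.bus.append(Event(step.t, self.host, dst, step.kind))
        return len(step.targets)


class C2Server:
    """Trainer-controlled server that fans scenario steps out to nodes."""

    def __init__(self, nodes: Dict[str, MimicNode]):
        self.nodes = nodes

    def run(self, scenario: List[Step]) -> int:
        emitted = 0
        for step in sorted(scenario, key=lambda s: s.t):
            node = self.nodes.get(step.source)
            if node is None:
                continue  # step addressed to a host with no mimic installed
            emitted += node.execute(step)
        return emitted


def worm_scenario(patient_zero: str, hosts: List[str], fanout: int) -> List[Step]:
    """Assumed Internet-worm-like spread: each newly 'infected' host scans
    the next `fanout` uninfected hosts one tick later."""
    remaining = [h for h in hosts if h != patient_zero]
    infected, tick, steps = [patient_zero], 0, []
    while remaining and infected:
        next_wave = []
        for src in infected:
            batch, remaining = remaining[:fanout], remaining[fanout:]
            if not batch:
                break
            steps.append(Step("scan", src, batch, tick))
            next_wave.extend(batch)
        infected, tick = next_wave, tick + 1
    return steps


def detect_scanners(bus: List[Event], threshold: int) -> Dict[str, int]:
    """What the trainee's detector might compute: distinct scan destinations
    per source; sources at or above `threshold` are flagged."""
    fan = defaultdict(set)
    for e in bus:
        if e.kind == "scan":
            fan[e.src].add(e.dst)
    return {s: len(d) for s, d in fan.items() if len(d) >= threshold}


def demo():
    bus: List[Event] = []
    hosts = sorted(TRAINING_ENCLAVE)
    nodes = {h: MimicNode(h, bus) for h in hosts}
    c2 = C2Server(nodes)
    scenario = worm_scenario(hosts[0], hosts, fanout=3)
    # A step aimed at a TEST-NET address outside the enclave: the node must
    # refuse it rather than execute it.
    scenario.append(Step("scan", hosts[0], ["192.0.2.10"], 99))
    emitted = c2.run(scenario)
    return emitted, detect_scanners(bus, threshold=3), nodes[hosts[0]].rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist check sits in the node, not only in the server, so a misconfigured or compromised trainer console still cannot direct effects at hosts outside the training enclave; the detector shows the kind of signal the trainee is expected to react to.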
Way Ahead
• More complex network architecture
• More complex Malware Mimics
• Focus on higher security
• Installation and testing on larger and operational networks
• Communication between MM-Clients