Beyond Reactive Management of Network Intrusions
Professor Sushil Jajodia, Center for Secure Information Systems
[email protected]
http://csis.gmu.edu/jajodia
(PowerPoint presentation, 53 slides)


Page 1: Beyond Reactive Management of Network Intrusions

Beyond Reactive Management of Network Intrusions

Professor Sushil Jajodia

Center for Secure Information Systems
[email protected]
http://csis.gmu.edu/jajodia

Page 2: Beyond Reactive Management of Network Intrusions

Outline

• Problem
• Approach
• Benefits
• Challenges

Page 3: Beyond Reactive Management of Network Intrusions

The Perfect Storm

• Network configurations are ever more sophisticated
• Vulnerabilities are becoming more complex
• Remediation resources are sparse

A total solution is a combination of technology and services. I will describe the technology component.

Page 4: Beyond Reactive Management of Network Intrusions

(Figure: example enterprise network. Vulnerability scanners feed the analysis; hosts include a W2K web server, a W2K Exchange server, a Linux mail server, an Oracle DB server, a WinXP client and a W2K Pro client, spread across DMZ, server LAN, client LAN and DB LAN segments behind a WWW front-end router, a DMZ router, a back-end router and firewalls. Legend: 5 servers, 3 routers, 2 firewalls, 2 PCs. Scan results per segment: 41, 15, 160, 158, 47, 60 and 107 vulnerabilities. An external attacker is shown against an attack target.)

Page 5: Beyond Reactive Management of Network Intrusions

Limitations of Vulnerability Scanners

• Generate overwhelming amount of data
• Example Nessus scan
  – Elapsed time: 00:48:07
  – Total security holes found: 255
  – High severity: 40
  – Low severity: 117
  – Informational: 98
• No indication of how vulnerabilities can be combined
• Can an outside attacker obtain access to the Crown Jewels?
• Where does a security administrator start?

Page 6: Beyond Reactive Management of Network Intrusions

Limitations of IDSs

• Generate overwhelming number of alerts
• Many false alerts – normal traffic or failed attacks
• Alerts are isolated
• No indication of how alerts can be combined
• Incomplete alert information
• Where does a security administrator start?
• Is the attacker trying to obtain access to Crown Jewels?
• Require extensive human intervention

Page 7: Beyond Reactive Management of Network Intrusions

Summary

• Current security measures largely independent
• Little synergy among tools
• Vulnerabilities considered in isolation may seem acceptable risks, but attackers can combine them to produce devastating results

Page 8: Beyond Reactive Management of Network Intrusions

What is lacking?

• “A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable” – Leslie Lamport
• Context for total network security
• How outsiders penetrate firewalls and launch attacks from compromised hosts
• Insider attacks

Page 9: Beyond Reactive Management of Network Intrusions

The reality – security concerns are highly interdependent.

Simply listing problems misses the big picture!

Page 10: Beyond Reactive Management of Network Intrusions

Penetration Testing

• Few experts available
• Red teams can be expensive
• Tedious
• Error-prone
• Impractical for large networks
• No formal claims

Page 11: Beyond Reactive Management of Network Intrusions

Attack Graphs

• An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits
• Chain is called an attack path
• Set of all possible attack paths form an attack graph
• Generate attack graphs to mission critical resources
• Report only those vulnerabilities associated with the attack graphs

Page 12: Beyond Reactive Management of Network Intrusions

Related Work

• Phillips and Swiler NSPW 1998
• Templeton and Levitt NSPW 2000
• Ritchey and Ammann S&P 2000
• Wing, Jha et al. CSFW 2002
• Ammann et al. CCS 2002
• Ou et al. CCS 2006
• Sawilla and Ou ESORICS 2008

Page 13: Beyond Reactive Management of Network Intrusions

(Figure: three-host example. An attacker with Linux attack tools sits behind a firewall; a hub connects a web server (NT 4.0, IIS) and a mail server (Linux, wu_ftpd). Addresses shown: 10.10.100.10, 10.10.101.10, 10.10.100.20.)

Pages 14-19: Beyond Reactive Management of Network Intrusions (no extractable text)

Reference

• Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, John Williams, "Cauldron: Mission-centric cyber situational awareness with defence in depth," Proc. MILCOM Conf., Baltimore, MD, November 7-10, 2011.

Page 20: Beyond Reactive Management of Network Intrusions

Minimal-Cost Network Hardening

Page 21: Beyond Reactive Management of Network Intrusions

(Figure: Solution 1)

Page 22: Beyond Reactive Management of Network Intrusions

(Figure: Solution 1 and Solution 2)

Page 23: Beyond Reactive Management of Network Intrusions

(Figure: No impact)

Page 24: Beyond Reactive Management of Network Intrusions

Reference

• Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approach to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Boston, MA, June 25-28, 2012.

Page 25: Beyond Reactive Management of Network Intrusions

Attack Graph Visualization Problem

Even small networks can yield complex attack graphs!

Page 26: Beyond Reactive Management of Network Intrusions

2/21/2008

(Figure: the same example enterprise network as on page 4, with WWW front-end router, DMZ router, back-end router, firewalls, DMZ, server LAN, client LAN and DB LAN, the W2K web, W2K Exchange, Linux mail and Oracle DB servers, the WinXP and W2K Pro clients, and the legend of 5 servers, 3 routers, 2 firewalls and 2 PCs; an external attacker is shown against an attack target.)

Page 27: Beyond Reactive Management of Network Intrusions


Page 28: Beyond Reactive Management of Network Intrusions


Page 29: Beyond Reactive Management of Network Intrusions


Page 30: Beyond Reactive Management of Network Intrusions

Alert Correlation

• Correlate alerts to build attack scenarios
• For efficient response, this must be done in real time

Page 31: Beyond Reactive Management of Network Intrusions

Related Work

• Based on a priori knowledge, such as the prepare-for relationship (Cuppens et al S&P’02, Ning et al CCS’02 CCS’03, etc.)

• Based on statistical analysis, such as temporal similarity between alert sequences (Lee et al RAID’03, Dacier et al KDD’02, Valdes et al RAID’01, etc.)

• Hybrid approaches (Ning et al ACSAC’04, Lee et al ESORICS’04, Morin et al RAID’02, etc.)

Page 32: Beyond Reactive Management of Network Intrusions

Attack Graph Approach

• Provides context for alarms
• Can help with forensic analysis, attack response, attack prediction

Page 33: Beyond Reactive Management of Network Intrusions

Hypothesizing and Predicting Alerts

• Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs – reassembling a broken attack scenario is expensive and error-prone
• By reasoning about the inconsistency between the knowledge (encoded in attack graph) and the facts (represented by received alerts), missing alerts can be hypothesized
• By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted
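The following Python is an added illustration of the idea on this slide, written for this page and not the authors' implementation. It walks a sequence of IDS alerts over a small constructed exploit model: an alert whose preconditions are not yet prepared triggers a backward search for the unseen exploits that would make it consistent with the attack graph (the hypothesized alerts), and the inferred state is then extended forward to predict what could come next. All exploit and condition names are invented.

```python
"""Alert correlation over an attack graph: explain IDS alerts via the prepare-for
relation, hypothesize alerts the IDS missed, predict the next possible exploits."""

# Constructed exploit model (exploit -> (preconditions, postconditions)); names invented.
EXPLOITS = {
    "ftp_rhosts(atk,web)":  ({"ftp(atk,web)"}, {"trust(web,atk)"}),
    "rsh(atk,web)":         ({"trust(web,atk)"}, {"user(web)"}),
    "local_bof(web)":       ({"user(web)"}, {"root(web)"}),
    "wuftpd_bof(web,mail)": ({"root(web)", "ftp(web,mail)"}, {"root(mail)"}),
    "db_dump(mail,db)":     ({"root(mail)", "sql(mail,db)"}, {"data(db)"}),
}
INITIAL = {"ftp(atk,web)", "ftp(web,mail)", "sql(mail,db)"}

def correlate(exploits, initial, alerts):
    """Process alerts (exploit names) in arrival order.
    Returns (explained, hypothesized, predicted): alerts whose preconditions were
    prepared by initial facts or earlier alerts; unseen exploits that must have
    occurred for an alert to be consistent with the graph; exploits now enabled."""
    state, explained, hypothesized = set(initial), [], []

    def satisfy(cond, seen):
        # Backward search: find an unseen exploit producing cond whose own
        # missing preconditions can in turn be hypothesized (seen blocks cycles).
        for name, (pre, post) in exploits.items():
            if cond in post and name not in seen and name not in hypothesized:
                for missing in pre - state:
                    if not satisfy(missing, seen | {name}):
                        break
                else:
                    hypothesized.append(name)
                    state.update(post)
                    return True
        return False

    for alert in alerts:
        pre, post = exploits[alert]
        if all(satisfy(cond, {alert}) for cond in pre - state):
            explained.append(alert)
        state.update(post)  # an observed alert is a fact even when unexplained
    predicted = sorted(name for name, (pre, post) in exploits.items()
                       if pre <= state and not post <= state)
    return explained, hypothesized, predicted
```

With the `rsh` alert missing from the input sequence, the function hypothesizes it from the `local_bof` alert; given only the final `wuftpd_bof` alert, it reconstructs the whole three-step chain.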

Page 34: Beyond Reactive Management of Network Intrusions

Reference

• Lingyu Wang, Anyi Liu, Sushil Jajodia, "An efficient and unified approach to correlating, hypothesizing, and predicting network intrusion alerts," Proc. 10th European Symposium on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 3679, September 2005, pages 247-266.

Page 35: Beyond Reactive Management of Network Intrusions

Two Sides of Security

• Just what is “predictive”?

• Common Operating Picture

• Situational Awareness

• I have 700 vulnerabilities – now what?!?

(Figure: two columns, Monitoring/Management and Predictive; labels “Plus more than 60 other vendors” and “3 vendors”; caption “Put my problems/my risks in context”.)

Page 36: Beyond Reactive Management of Network Intrusions

Our Approach

• Network Capture
  – builds a model of the network
  – represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications
• Vulnerability Database – a comprehensive repository of reported vulnerabilities
• Graph Engine
  – simulates multi-step attacks through the network, for a given user-defined Attack Scenario
  – analyzes vulnerability dependencies, matching exploit preconditions and post-conditions
  – generates all possible paths through the network (for a given attack scenario)
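As an added example (written for this page, not CAULDRON's code) of the Graph Engine mechanics described here and on the Attack Graphs slide, together with the Minimal-Cost Network Hardening idea: exploits are matched on pre/post-conditions, chained forward from the attacker's initial access, pruned backward from the goal so that only vulnerabilities on the attack graph are reported, and the smallest set of initial conditions that cuts every path to the goal is computed. All exploit and condition names are constructed.

```python
"""Toy attack-graph engine: exploits with pre/post-conditions, forward chaining
from the attacker's initial access, goal pruning, minimal hardening. Constructed."""
from itertools import combinations

# Constructed exploit specs for attacker -> web server -> mail server; all names invented.
EXPLOITS = {
    "ftp_rhosts(atk,web)":  ({"ftp(atk,web)"}, {"trust(web,atk)"}),
    "rsh(atk,web)":         ({"trust(web,atk)"}, {"user(web)"}),
    "iis_bof(atk,web)":     ({"http(atk,web)"}, {"user(web)"}),
    "local_bof(web)":       ({"user(web)"}, {"root(web)"}),
    "wuftpd_bof(web,mail)": ({"root(web)", "ftp(web,mail)"}, {"root(mail)"}),
    "smtp_probe(atk,mail)": ({"smtp(atk,mail)"}, {"banner(mail)"}),  # dead end
}
INITIAL = {"ftp(atk,web)", "http(atk,web)", "ftp(web,mail)", "smtp(atk,mail)"}
GOAL = "root(mail)"

def forward_closure(exploits, initial):
    """Monotonic forward chaining; returns (reachable conditions, exploits fired)."""
    state, fired, changed = set(initial), set(), True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= state:
                state |= post
                fired.add(name)
                changed = True
    return state, fired

def attack_graph(exploits, initial, goal):
    """Reachable exploits that are relevant to the goal (backward walk from the
    goal through pre/post-condition dependencies): the vulnerabilities to report."""
    state, fired = forward_closure(exploits, initial)
    relevant, todo = set(), {goal} if goal in state else set()
    while todo:
        cond = todo.pop()
        for name in fired:
            pre, post = exploits[name]
            if cond in post and name not in relevant:
                relevant.add(name)
                todo |= pre - set(initial)  # initial facts need no producing exploit
    return relevant

def minimal_hardening(exploits, initial, goal):
    """Smallest set of initial conditions whose removal makes the goal unreachable."""
    for k in range(1, len(initial) + 1):
        for cut in combinations(sorted(initial), k):
            if goal not in forward_closure(exploits, initial - set(cut))[0]:
                return set(cut)
    return set(initial)
```

On this toy network the dead-end `smtp_probe` exploit fires but is dropped from the reported graph, and the single cheapest hardening step is the firewall-style change of removing `ftp(web,mail)` rather than patching the web server.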

(Figure: CAULDRON architecture. Network Capture draws on Vulnerability Scanning (FoundScan), Asset Inventory and Firewall Rules to build the Environment Model; the Vulnerability Database draws on NVD and Exploit Conditions; the Graph Engine combines these with an Attack Scenario and feeds Visual Analysis and Optimal Countermeasures. Caption: Aggregate / Correlate / Visualize.)

Page 37: Beyond Reactive Management of Network Intrusions

Benefit from Synergies

• Common Operating Picture

• Situational Awareness

• Patching servers vs changing firewalls

• Combined vulnerabilities are real

(Figure: inputs brought together: Firewalls, Vulnerability Scans, Patch Mgmt/Asset Mgmt, Other. Caption: “Where do I need to focus my resources?!”)

Page 38: Beyond Reactive Management of Network Intrusions

(Screenshot: CAULDRON interface with Overall Graph, Graph Elements, Hardening Log, Exploit Details, Main Attack Graph View, Exploit Field, Hardening Recommendations and Toolbars panels.)

Page 39: Beyond Reactive Management of Network Intrusions

(Figure: Unconstrained Start/Goal)

Page 40: Beyond Reactive Management of Network Intrusions

(Figure: Constrained Start, with the Attack Start marked)

Page 41: Beyond Reactive Management of Network Intrusions

(Figure: Constrained Start and Goal, with Attack Start and Attack Goal marked)

Page 42: Beyond Reactive Management of Network Intrusions

(Figure: Direct Paths between Attack Start and Attack Goal)

Page 43: Beyond Reactive Management of Network Intrusions

(Figure: First-Layer Recommendation, with one Harden point marked)

Page 44: Beyond Reactive Management of Network Intrusions

(Figure: Last-Layer Recommendation, with two Harden points marked)

Page 45: Beyond Reactive Management of Network Intrusions

(Figure: Minimum-Effort Recommendation, with two Harden points marked)

Page 46: Beyond Reactive Management of Network Intrusions

CAULDRON has Numerous Applications

• Security Metrics
• Alarm Correlation and Attack Response
• Sensor Placement
• Network Hardening

Page 47: Beyond Reactive Management of Network Intrusions

Summary of CAULDRON

• Automated analysis of all possible attack paths through a network
  – Resulting attack “roadmap” provides context for optimal defenses
  – Transforms volumes of isolated facts into manageable, actionable results
• Integrates with existing tools for capturing network configuration
• Your network is provably secure, with minimum effort
• A useful tool for making informed decisions about network security

Page 48: Beyond Reactive Management of Network Intrusions

Zero-day Attacks

• Lingyu Wang, Sushil Jajodia, Anoop Singhal, Steven Noel, "k-Zero day safety: Measuring the security risk of networks against unknown attacks," Proc. 15th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6345, 2010, pages 540-557.

Page 49: Beyond Reactive Management of Network Intrusions


Cyber Situation Awareness

• An ever increasing number of critical applications and services rely on Information Technology infrastructures
  – Increased risk of cyber attacks
  – Increased negative impact of cyber attacks
• Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems
  – Manual analysis is labor-intensive and error-prone
  – Vulnerabilities are often interdependent, making traditional point-wise vulnerability analysis ineffective
  – Services and machines on a network are interdependent
• Need for tools that provide analysts with a “big picture” of the cyber situation

Page 50: Beyond Reactive Management of Network Intrusions


CSA Capabilities: Enterprise Network

(Figure: enterprise network reached from the Internet: Web Server (A), Local DB Server (B), Mobile App Server (C), Local DB Server (D), Catalog Server (E), Order Processing Server (F), DB Server (G).)

Current situation. Is there any ongoing attack? If yes, where is the attacker?

Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?

Evolution. How is the situation evolving? Can we track all the steps of an attack?

Behavior. How are the attackers expected to behave? What are their strategies?

Forensics. How did the attacker create the current situation? What was he trying to achieve?

Information. What information sources can we rely upon? Can we assess their quality?

Prediction. Can we predict plausible futures of the current situation?

Scalability. How can we ensure that solutions scale well for large networks?

Page 51: Beyond Reactive Management of Network Intrusions


CSA Framework Architecture

(Figure: Situation Knowledge Reference Model. A Monitored Network supplies Alerts/Sensory Data to the Analyst; Topological Vulnerability Analysis (Cauldron, Switchwall) uses Vulnerability Databases (NVD, OSVDB, CVE); further components are Stochastic Attack Models, Generalized Dependency Graphs, Graph Processing and Indexing, Index & Data Structures, Dependency Analysis (NSDMiner), Scenario Analysis & Visualization, Network Hardening, Unexplained Activities Model, Adversarial Modeling and Heavy Iron.)

Page 52: Beyond Reactive Management of Network Intrusions

Reference

• Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, eds., Cyber Situational Awareness: Issues and Research, ISBN: 978-1-4419-0139-2, Springer International Series on Advances in Information Security, 2009, 252 pages.

• Arun Natarajan, Peng Ning, Yao Liu, Sushil Jajodia, Steve E. Hutchinson, "NSDMine: Automated discovery of network service dependencies," Proc. 31st Annual Int'l. Conf. on Computer Communications (INFOCOM), Orlando, FL, March 25-30, 2012, pages 2507-2515.

• Massimiliano Albanese, Sushil Jajodia, Andrea Pugliese, V. S. Subrahmanian, "Scalable analysis of attack scenarios," Proc. 16th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6879, V. Atluri and C. Diaz, eds., Leuven, Belgium, September 12-14, 2011, pages 416-433.

Page 53: Beyond Reactive Management of Network Intrusions

Further Information:

Sushil Jajodia
[email protected]
(703) 993-1653
http://csis.gmu.edu/jajodia