Strengthening the Defence: Deception, Red Teams, AI

शिवकुमार G. Sivakumar சிவகுமார்
Computer Science and Engineering, भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay)
[email protected]
siva/talks/sDefence.pdf · 2019-08-18

• The Good (The Dream: AI meets Web)
• The Bad (The Nightmare: Computer & Network Security)
• The Ugly? (Defence using Deception, Red Teams and AI)



Why are we here?

Cyber Security Governance (www.itgovernance.co.uk/cyber-governance)
An organisation's board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, secure the organisation against cyber risk.

Consequences of a Breach
• Financial loss
• Regulatory investigations
• Loss of reputation and customer confidence
• ...

What should be the Board's role?


Takeaways from this Session

I will stretch the following उपमा (analogy) to breaking point... What does it take to stay healthy?

• Hygiene (sine qua non!)
• Vaccination/Medicines (Deception)
• Diet/Exercise (Red Team)
• Meditation/Yoga (AI)

Hygiene is the costliest (clean air, clean water) and requires the CISO to buy costly firewalls, IDS/IPS, anti-virus, SIEM, DAM, PIM and many other 3/4-letter tools and to set up a SOC! I will focus on the other three today!


Stone Age to Information Age

Technology (Wikipedia definition): Technology is the usage and knowledge of tools, techniques, crafts, systems or methods of organization in order to solve a problem or serve some purpose.

Zero, Wheel, Printing Press, Radio, Lasers, ... "Any sufficiently advanced technology is indistinguishable from magic." [Arthur C. Clarke]

Two books by Yuval Noah Harari:
• Sapiens: Who domesticated whom?
• Homo Deus: Brain implants, DNA sequencing


Web 1.0, Web 2.0, Web 3.0

Web 1.0 [1990-2005] (Right to Information)
• Internet: info anytime, anywhere, any form
• Like drinking water from a fire hose
• Search engines to the rescue

Web 2.0 [2005-2015] (Right to Assembly)
• Social networking (Twitter, Facebook, Kolaveri, flash crowds)
• Producers, not only consumers (Wikipedia, blogs, ...)
• Proliferated unreliable, contradictory information?
• Facilitated malicious uses including loss of privacy and security.

Web 3.0 [current] (AI & ML meet Semantic Web)
• Intelligent agents that "understand"
• What do you want when you get up and switch on the computer?
• I have a dream! (MLK)


Open Enterprises of the Future

What the future holds: Modify a Google Calendar to allow a colleague to add a Faaso's roll order to a meeting invite that can be picked up by Ola and delivered by a drone to a client's office five minutes before the scheduled meeting starts.

What this needs:
• Everything connected

• Ubiquitous sensing & actuation

• High data volume

• Context-aware Analytics

• Identity Management

• GDPR compliant Distributed Ledger

• Smart Contracts for Payments

• Multi-Party Services Orchestration

• Transparent Information Flow

• Transparent Event Flow

• Semantic Consistency

• Network and Protocol Adaptability

• End-to-End Security

• Business Management

Web 3.0 meets AI, Big Data, 5G, IoT, Blockchain! Having humans in the loop will not scale!


Health Care (Dream or Nightmare?)

Slide from AnNet 2018 keynote by Prof. Wen-Tsuen Chen https://annet2018.loria.fr/

Eating for the Doctor's stomach! How to pay? (Smart Contracts on Blockchain/DLT)


Why is Information Technology different? Transistor, VLSI, Microprocessor, ...
Danger: Computers are coming! Taking away our jobs! Construction, farming, banking, surgery, composing music, teaching! Be very scared!

The Big Nine (Amy Webb): G-MAFIA + BAT
"It's a small group of people working at a very few number of companies who are making decisions about what to optimize using available data..."

Caveat: "But regulation doesn't make sense because we shift from having a tiny group of people making decisions about optimization to a tiny group of people who are lawmakers, who are very well read and very smart people but overwhelmingly lack degrees in the hard sciences and technical experience."


Compromising the Supply Chain

Cisco more trustworthy than Huawei?


Can this happen to you?


Blackmail received at IIT Bombay

Dear All, There is a very ingenious blackmailing email circulating around asking for money in bitcoins. ... they all have a few similar features:
• They include a password that you probably have used
• Claim to have installed malware, and record video of you through your webcam.
• Threaten to reveal your adult website habits and send videos...
• Demand bitcoins...

Subject: [email protected] is hacked
From: [email protected]
Date: Thu, October 18, 2018 4:35 pm

Hello! My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. So, your password from [email protected] is xxxxxxxxx. Even if you changed the password after that - it does not matter, my virus... I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! ... Send the above amount on my BTC wallet (bitcoin): 1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY Since reading this letter you have 48 hours!
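The features the slide lists (a leaked password, a malware/webcam claim, an exposure threat, a bitcoin demand) are exactly what a mail filter can score on. The following is an added example, not part of the talk: a small indicator-based classifier run over a constructed sample built from the slide's quoted lines and a constructed benign password-reset notice. The regexes, the threshold and the "core" rule are assumptions chosen for the demo; the bitcoin address is the one quoted on the slide.

```python
import re

# Indicators drawn from the features the slide lists, plus the 48-hour deadline
# that appears in the quoted mail. Patterns are constructed for this example.
INDICATORS = {
    "leaked_password": re.compile(r"\byour password\b", re.I),
    "malware_claim":   re.compile(r"\b(virus|trojan|malware|infected)\b", re.I),
    "webcam_claim":    re.compile(r"\b(webcam|camera)\b", re.I),
    "exposure_threat": re.compile(r"\b(intimate|adult)\b", re.I),
    "bitcoin_demand":  re.compile(r"\b(bitcoin|btc)\b", re.I),
    # Legacy bitcoin address shape: base58 (no 0, O, I, l), 26-35 chars, starts 1 or 3.
    "btc_address":     re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "deadline":        re.compile(r"\b\d+\s*hours?\b", re.I),
}

# Constructed sample, condensed from the lines quoted on the slide.
SAMPLE_SCAM = """Subject: your account is hacked
Hello! I hacked this mailbox more than six months ago and infected your
operating system with a virus (trojan). So, your password from this mailbox
is xxxxxxxxx. I was most struck by the intimate content sites that you
occasionally visit. Send the above amount on my BTC wallet (bitcoin):
1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY
Since reading this letter you have 48 hours!"""

# Constructed benign mail that shares two surface features (password, hours).
SAMPLE_BENIGN = """Subject: password reset confirmation
Hi, your password was changed successfully 2 hours ago. If this was not you,
contact the helpdesk."""


def score_mail(text):
    """Return (number of indicators hit, list of their names)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(hits), hits


def is_sextortion(text, threshold=4):
    """Flag when enough indicators fire, or when the core of the scam is present:
    a payment demand together with either the password 'proof' or the threat.
    A reset notice that merely mentions a password does not meet either test."""
    score, hits = score_mail(text)
    core = "bitcoin_demand" in hits and (
        "leaked_password" in hits or "exposure_threat" in hits)
    return score >= threshold or core


if __name__ == "__main__":
    for label, mail in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, score_mail(mail), is_sextortion(mail))
```

The point of the `core` rule is that the scam's structure (demand plus "proof" or threat) is a stronger signal than any single keyword, which keeps ordinary account notices below the line.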


Insider Attacks

https://en.wikipedia.org/wiki/Insider_threat
"... 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as 'difficult' and 17% as being 'disgruntled.' The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time."

• Quis custodiet ipsos custodes?
• PNB LoUs?
• Facebook
• Zero-Trust Model (Software Defined Perimeter)
• Security-Aware Applications!


Internet’s Nightmare

Match the following!

Problems:
• Highly contagious viruses
• Defacing web pages
• Credit card number theft
• On-line scams
• Intellectual property theft
• Wiping out data
• Denial of service
• Spam e-mails
• Reading private files
• Surveillance

Attackers:
• Unintended blunders
• Disgruntled employees or customers
• Organized crime
• Foreign espionage agents
• Hackers driven by technical challenge
• Petty criminals
• Organized terror groups
• Information warfare
• ...

• Crackers vs. Hackers
• Note how many resources are available to attackers.


Internet Attacks Toolkits (Youtube)


Internet Attack Trends (from training material at http://www.cert-in.org.in/)


Security Requirements

Informal statements (formal is much harder):
• Confidentiality: Protection from disclosure to unauthorized persons.
• Integrity: Assurance that information has not been modified without authorization.
• Authentication: Assurance of the identity of the originator of information.
• Non-Repudiation: The originator cannot deny sending the message.
• Availability: Users must not be left unable to use the system or communicate when desired.
• Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
• Traffic Analysis: Should not even know who is communicating with whom. Why?
• Emerging Applications: Online voting, auctions (more later)

And all this with postcards (IP datagrams)!


Asymmetry between Offence and Defence

• Attacker needs to find one hole .. Defender? (Black Swan)
• Attacker can use CaaS (darkweb) .. Defender?
• Attacker has immediate/considerable Return on Investment .. Defender?
• Attacker can choose the time .. (APT) .. Defender?
• ...


Partial Landscape (from CISO/CTO perspective)


Defence (only) Using Cryptography

• sine qua non [without this, nothing :-]
• Historically, who used it first? (L & M)
• Pure defence only


Security Mechanisms

• System Security: "Nothing bad happens to my computers and equipment" (virus, trojan-horse, logic/time-bombs, ...)
• Network Security:
  • Authentication Mechanisms: "you are who you say you are"
  • Access Control (Firewalls, Proxies): "who can do what"
• Data Security: "for your eyes only"
  • Encryption, Digests, Signatures, ...


Packet Switching in Internet


Exchanging Secrets

Goal: A and B to agree on a secret number. But, C can listen to all their conversation.

Solution? A tells B: I'll send you 3 numbers. Let's use their LCM as the key.
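The puzzle on the slide has a one-line answer: C hears the same three numbers and computes the same LCM, so no secret exists. The code below is an added example, not part of the talk. It walks through the slide's proposal from C's side and then contrasts it with a small Diffie-Hellman exchange, the standard construction for agreeing on a key over a channel C can read. The prime, base and function names are assumptions made for the demo; the prime is far too small for real use, and real deployments use vetted groups and authenticated exchanges.

```python
import math
import secrets


def lcm_key(numbers):
    """Key derived exactly as the slide proposes: the LCM of the numbers A sent."""
    key = 1
    for n in numbers:
        key = key * n // math.gcd(key, n)
    return key


def eavesdrop_lcm(transcript):
    """C heard every number A sent, so C runs the same computation as B.
    Everything needed to derive the key is on the wire."""
    return lcm_key(transcript)


# Contrast (added here, not on the slide): Diffie-Hellman over a prime field.
# What C hears is (P, G, A_pub, B_pub); the shared key is G^(ab) mod P, which C
# cannot compute from the public values without solving a discrete logarithm.
P = 2**127 - 1   # Mersenne prime M127, chosen for the demo only
G = 3            # base element


def dh_keypair(p=P, g=G):
    """Private exponent stays with its owner; only g^a mod p is transmitted."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def dh_shared(private, other_public, p=P):
    """Each side combines its own private exponent with the other's public value."""
    return pow(other_public, private, p)


def run_exchange():
    """Return (A's key, B's key, what C saw). Both keys match; neither is on the wire."""
    a, a_pub = dh_keypair()
    b, b_pub = dh_keypair()
    on_the_wire = (P, G, a_pub, b_pub)
    return dh_shared(a, b_pub), dh_shared(b, a_pub), on_the_wire


if __name__ == "__main__":
    sent = [4, 6, 10]
    print("B's LCM key:", lcm_key(sent), " C's LCM key:", eavesdrop_lcm(sent))
    key_a, key_b, wire = run_exchange()
    print("DH keys agree:", key_a == key_b, " key visible on wire:", key_a in wire)
```

The difference is the asymmetry: in the LCM scheme the key is a public function of public values, while in Diffie-Hellman each party contributes a private value that never leaves it.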


Mutual Authentication

Goal: A and B to verify that both know the same secret number. No third party (intruder or umpire!)

Solution? A tells B: I'll tell you the first 2 digits, you tell me the last two...
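The digits scheme on the slide hands half the secret to whoever is on the other end before they have proved anything. The following is an added example, not from the talk: it quantifies that leak for the slide's scheme and then shows the usual alternative, a two-way challenge-response with HMAC, in which each party proves knowledge of the secret without transmitting any part of it. The direction tags and nonce sizes are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def digits_leak(secret):
    """The slide's proposal as stated: A speaks first and reveals the first two
    digits. An impostor posing as B receives them for free, and the guessing
    space for the rest of a purely numeric secret shrinks accordingly."""
    revealed = secret[:2]
    remaining_guesses = 10 ** (len(secret) - 2)
    return revealed, remaining_guesses


def prove(secret, direction, challenge):
    """Response = HMAC-SHA256(secret, direction || challenge).
    The response reveals nothing usable about the secret."""
    return hmac.new(secret, direction + challenge, hashlib.sha256).digest()


def mutual_auth(secret_a, secret_b):
    """Two-way challenge-response (the added contrast to the digits scheme).
    secret_a and secret_b are what A and B respectively hold; the exchange
    succeeds only when they agree. The direction tag defeats a reflection
    attack where a party answers a challenge by bouncing it back unchanged."""
    nonce_a = secrets.token_bytes(16)   # A's challenge to B
    nonce_b = secrets.token_bytes(16)   # B's challenge to A

    resp_b = prove(secret_b, b"B->A", nonce_a)              # B proves to A
    a_accepts = hmac.compare_digest(resp_b, prove(secret_a, b"B->A", nonce_a))

    resp_a = prove(secret_a, b"A->B", nonce_b)              # A proves to B
    b_accepts = hmac.compare_digest(resp_a, prove(secret_b, b"A->B", nonce_b))

    return a_accepts and b_accepts


if __name__ == "__main__":
    print("digits scheme leaks:", digits_leak("4729"))
    print("both know secret:", mutual_auth(b"shared-secret", b"shared-secret"))
    print("impostor on B's side:", mutual_auth(b"shared-secret", b"wrong-guess"))
```

Note that `hmac.compare_digest` is used for the comparison so that verification time does not depend on how many leading bytes of a forged response happen to match.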


Network Security Mechanism Layers


Cyber Security Framework, NIST (April 2018) (CEO perspective)

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Common taxonomy and mechanism for:
• Describing current cybersecurity posture
• Target state for cybersecurity
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
• Assess progress
• Communicate with stakeholders about cybersecurity risk

All this is just Hygiene. Not one size fits all!


Threat-Defence Matrix

Two types of organizations: those who have been compromised and those who do not know that they have been compromised!

Threat    Defence    Example and response
Known     Known      Malware, DoS, SQL Injection, ... This is Hygiene, but what's your score? VA-PT, IS-Audit
Known     Unknown    Zero-Day, APT. Risk Analysis and Mitigation; Sandbox (evasion, e.g. macro on file-close); Threat Hunting (Has it happened to us?)
Unknown   Unknown    ???? (Kill chain: Recon, Lateral Shift, Exfiltration)


Tackling the Known-Known

• Anti-Virus
• Firewall
• Patch Management
• IDS/IPS
• WAF
• VA-PT
• ..


Active Defense

Despite the best hygiene it is safe to assume that some attacker will breach the fortress. What then?

Golden Hour (Wikipedia definition): The golden hour, also known as golden time, refers to the period of time following a traumatic injury during which there is the highest likelihood that prompt medical and surgical treatment will prevent death.

Use the principle "Offence is the best form of defence" and proactively set traps that will reveal the attacker's presence, giving you a chance to respond before any damage is done.


Indicators of Compromise


Deception Technologies

• Decoys (Story of the Prince and the Yama Dhootas)
  • Fake servers/services (ATM, SWIFT, ...)
  • Must blend and adapt (not stale)
  • ...
• Lures
  • Vulnerable ports/services
  • Mis-configuration
• Breadcrumbs
  • File with credentials
  • Mis-direction
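A breadcrumb such as a file with credentials only pays off if its use is noticed. The following is an added example, not from the talk, of the detection side: a registry of planted fake credentials, each unique to where it was left, and a check over sshd-style authentication log lines that raises an alert naming the breadcrumb and its location whenever one is tried. Because no legitimate process ever uses these names, a hit is high-confidence whether the attempt succeeded or failed, and it tells the defender which host the intruder has already reached. The registry, log lines and log format are constructed for the demo.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "time src_ip canary planted_on")

# Constructed breadcrumb registry: fake credential -> where it was planted.
# Each name is unique so a hit maps back to one host and file.
BREADCRUMBS = {
    "svc_backup_ro": "fileserver01:/etc/backup/.credentials",
    "ops_admin_old": "jumphost02:/home/ops/notes.txt",
}

# Constructed sshd-style lines. Real users alice and bob log in normally; an
# attempt with svc_backup_ro from 10.0.5.77 means the fileserver01 breadcrumb
# has been read and is now being tried against db01.
AUTH_LOG = """\
Aug 18 09:12:01 fileserver01 sshd[2201]: Accepted password for alice from 10.0.5.21 port 51022 ssh2
Aug 18 09:14:44 db01 sshd[2310]: Failed password for svc_backup_ro from 10.0.5.77 port 40112 ssh2
Aug 18 09:15:02 db01 sshd[2311]: Failed password for svc_backup_ro from 10.0.5.77 port 40113 ssh2
Aug 18 09:20:17 app03 sshd[2402]: Accepted password for bob from 10.0.5.30 port 51100 ssh2
"""

LINE_RX = re.compile(
    r"^(?P<time>\w{3} \d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Accepted|Failed) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def find_canary_use(log_text):
    """Return one Alert per authentication attempt that used a planted credential."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue                      # not an auth line we understand
        user = m.group("user")
        if user in BREADCRUMBS:
            # Success or failure is irrelevant: nobody legitimate knows this name.
            alerts.append(Alert(m.group("time"), m.group("ip"), user, BREADCRUMBS[user]))
    return alerts


if __name__ == "__main__":
    for a in find_canary_use(AUTH_LOG):
        print(f"{a.time} canary {a.canary!r} tried from {a.src_ip}; planted at {a.planted_on}")
```

The same registry idea extends to other breadcrumb types (API keys, DNS names, documents with tracking URLs): the value is the unique mapping from the token back to where it was planted, which is what turns a single log line into a location for the intruder.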


Threat Hunting

Diagram borrowed from CERT-IN workshop (July 2018)


Intelligence Feeds: Atlas.arbor.net


Real-time Intelligence- atlas.arbor.net


Malicious Servers


Red Teams

Muscles that are not exercised will atrophy. (Kings going in disguise)

Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company's people and networks, applications and physical security controls can withstand an attack from a real-life adversary.
• Penetration Testing (network, application, mobile, device)
• Social Engineering (onsite, telephone, email/text, chat)
• Physical Intrusion (lock picking, camera evasion, alarm bypass)

Leverage only the strategies that bad actors would most likely actually use against you. Is this entrapment?


attack.mitre.org


attack.mitre.org: Think like a criminal. Attacker Tactics (each has many techniques):
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Exfiltration
11. Command and Control

ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.


attack.mitre.org


Artificial Intelligence & Machine Learning
• Can AI of computers match NS of humans?
• Old joke: Out of sight, out of mind
• Consider chess, once the holy grail of AI. Does not play the human way at all! Mostly parallelized search in hardware (200 million positions/second!)
• December 2017: AlphaGo Zero used reinforcement learning to teach itself chess in 4 hours! Beat the world's best program Stockfish comprehensively!
• Not using any human data or expertise helped a lot!


Deep Patient

Are doctors practicing medical science? https://www.nature.com/articles/srep26094
"The machine was given no information about how the human body works or how diseases affect us. It found correlations that let it predict the onset of some diseases more accurately than ever, and some diseases, such as schizophrenia, for the first time at all. It does this by creating a vast network of weighted connections that is just too complex for us to understand."


Tackling the UnKnown-UnKnown

User and Entity Behaviour Analysis
• Try saying "I love you" 10 times every day to your spouse!
• All antennas will go up!
• All defence mechanisms will be strengthened.

AI/Machine Learning to the rescue.
• Behaviour profiling (baseline)
• Watch for anomalies
• Correlate with threats
• Reduce false positives
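The "I love you ten times a day" joke is a baseline-and-deviation test, which is the whole of the first two bullets above. The following is an added example, not from the talk, of the simplest form of it: a per-user baseline of daily login volume and usual hosts built from ten days of constructed events, then an eleventh day scored against it. The z-score threshold and the floor on the standard deviation are assumptions that stand in for the "reduce false positives" bullet: without the floor, a perfectly regular user would be flagged for one extra login.

```python
import statistics
from collections import defaultdict

# Constructed event stream: (day, user, host). Days 1-10 are the baseline.
# alice: 2-3 logins a day to hr-app; bob: exactly 5 a day to build.
# Day 11: alice logs in 12 times and touches fin-db for the first time; bob is unchanged.
ALICE_DAILY = [2, 3, 2, 2, 3, 2, 2, 3, 2, 2]
EVENTS = []
for day, n in enumerate(ALICE_DAILY, start=1):
    EVENTS += [(day, "alice", "hr-app")] * n
    EVENTS += [(day, "bob", "build")] * 5
EVENTS += [(11, "alice", "hr-app")] * 10 + [(11, "alice", "fin-db")] * 2
EVENTS += [(11, "bob", "build")] * 5


def build_baseline(events, baseline_days):
    """Per user: (mean daily count, population stdev, set of hosts seen)."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> day -> count
    hosts = defaultdict(set)
    for day, user, host in events:
        if day in baseline_days:
            per_day[user][day] += 1
            hosts[user].add(host)
    baseline = {}
    for user, days in per_day.items():
        counts = [days.get(d, 0) for d in baseline_days]   # missing days count as 0
        baseline[user] = (statistics.mean(counts), statistics.pstdev(counts), hosts[user])
    return baseline


def score_day(events, baseline, day, z_threshold=3.0, sd_floor=1.0):
    """Return {user: [reasons]} for users whose day deviates from their baseline."""
    counts = defaultdict(int)
    seen = defaultdict(set)
    for d, user, host in events:
        if d == day:
            counts[user] += 1
            seen[user].add(host)

    findings = {}
    for user, n in counts.items():
        if user not in baseline:
            findings[user] = ["no baseline (new user)"]
            continue
        mean, sd, usual_hosts = baseline[user]
        reasons = []
        # sd_floor keeps a metronomic user (sd == 0) from being flagged for +1 login
        z = (n - mean) / max(sd, sd_floor)
        if z > z_threshold:
            reasons.append(f"volume z={z:.1f} ({n} logins vs mean {mean:.1f})")
        new_hosts = seen[user] - usual_hosts
        if new_hosts:
            reasons.append("new hosts: " + ", ".join(sorted(new_hosts)))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    base = build_baseline(EVENTS, range(1, 11))
    for user, reasons in score_day(EVENTS, base, 11).items():
        print(user, "->", "; ".join(reasons))
```

The two findings for alice (volume and a never-before-seen host) are independent signals; the "correlate with threats" bullet is where a real system would join such findings with asset criticality or threat intelligence before deciding what to escalate.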


Analytics (भूतभव्यभवत्प्रभुः)

॥ हरिः ॐ ॥ विश्वं विष्णुर्वषट्कारो भूतभव्यभवत्प्रभुः ।

• Past (What happened? Why? Reactive): Designed batch/static data. Reports, standards, data harmonization. Descriptive and diagnostic.
• Present (What is happening?): Organic unstructured streaming/real-time data. Statistical analysis, anomalies, alerts.
• Future (What will happen? Pro-active): Predictive. Forecast, optimize.
• Make it happen!: Prescriptive (most difficult).

AI/Analytics can convert data to knowledge to wisdom.


What next?

चिन्तनीया हि विपदामादावेव प्रतिक्रियाः ।
न कूपखननं युक्तं प्रदीप्ते वह्निना गृहे ॥
The effect of disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze with fire.

आचार्यात् पादमादत्ते पादं शिष्यः स्वमेधया ।
सब्रह्मचारिभ्यः पादं पादं कालक्रमेण च ॥
One fourth from the teacher, one fourth from own intelligence, one fourth from classmates, and one fourth only with time.