the essence of
DESCRIPTION
The Essence of. Active Response. Sergio Caltagirone April 14, 2005. To Build A Castle…. Where We’re At…. Where We Want To Be…. Some Attempts…. Clifford Stoll vs. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM , vol 31, 1998, pp. 484-497. - PowerPoint PPT PresentationTRANSCRIPT
April 14, 2005 Sergio Caltagirone
The Essence of
Sergio Caltagirone
April 14, 2005
Active Response
April 14, 2005 Sergio Caltagirone
To Build A Castle…
April 14, 2005 Sergio Caltagirone
April 14, 2005 Sergio Caltagirone
April 14, 2005 Sergio Caltagirone
Where We’re At…
Design Protect Detect Forensics?
April 14, 2005 Sergio Caltagirone
Where We Want To Be…
Design Protect Detect Respond Forensics
April 14, 2005 Sergio Caltagirone
Some Attempts…
• Clifford Stoll vs. German Hackers (1986)C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497.
• DoD vs. Electronic Disturbance Theater (1998)http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/
• Conxion vs. E-Hippies (2000)http://www.nwfusion.com/research/2000/0529feat2.html
• FBI vs. Russian Hackers (2001) a.k.a. ‘Invita’ Casehttp://www.wired.com/news/politics/0,1283,47650,00.html
April 14, 2005 Sergio Caltagirone
Why Do We Want To Do That?
• Response is not a choice…• Insufficient Protection on Imperfect Systems• A Policy Is Necessary (even if not utilized)• Vulnerable Systems
– Air Traffic Control
– SCADA Systems
– Nuclear Power Safety
– Economic and Socially Critical Systems
April 14, 2005 Sergio Caltagirone
Problem Statement
Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?
April 14, 2005 Sergio Caltagirone
Active Response
• Time bound• Automatically or not• Purposeful• Subjective timeline• Mitigation NOT Elimination
Any action sequence deliberately performed by an individual or organization between the time an
attack is detected and the time it is determined to be finished, in an automated or non-automated
fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set.
April 14, 2005 Sergio Caltagirone
Some Actions At Our Disposal
• Notify authorities
• Disconnect – Strategic Separation
• Control the borders
• Get ISP to do dirty work
• Use ping/finger/traceroute/honeypots
• Hack-back / Passive Strike-back
• First strike
April 14, 2005 Sergio Caltagirone
A Potential Taxonomy1. Internal Notification: Using the organizational structure to
notify the appropriate persons of an active defense situation2. Internal Response: Applying active defense actions within an
organization's boundaries 3. External Cooperative Response: Employing the assistance
of other entities outside of an organization to mitigate a threat4. Non-cooperative Intelligence Gathering: Using external
services (finger, nmap, netstat) to gather intelligence on the attacker
5. Non-cooperative ‘Cease and Desist’ : Shutting down harmful services that do not affect usability on a network or host.
6. Counter-strike: An offensive action designed to deny an attacker the ability to continue an attack.
7. Preemptive Defense: With knowledge of a forthcoming attack, execute active response actions to preempt (and disable) the upcoming attack
April 14, 2005 Sergio Caltagirone
Evaluating a Response• Legal
– Civil, Criminal, Domestic, International
• Ethical– Teleological, Deontological
• Technical– Traceback, Reliable IDS, Confidence Value, Real Time
• Risk Analysis– Measure ethical, legal risk effectively?
• Unintended Consequences– Attacker Action, Collateral Damage, Own Resources
April 14, 2005 Sergio Caltagirone
Process Model
April 14, 2005 Sergio Caltagirone
Formal Decision Model
Score(Action) −Score(Threat) −Success(Action)
AR PolicyEscalation
Ladder
AssetEvaluation
ActionEvaluation
AssetIdentification
ThreatIdentification
RiskIdentification
GoalIdentification
ActionIdentification
ActionClassification
RiskIdentification
UtilityModifier
SuccessOrdering
ContingencyPlan
{ }
April 14, 2005 Sergio Caltagirone
Conclusions
• Need for Response – Why we need it
• Definition – What it is
• Taxonomy – What it is comprised of
• Issues – What is wrong with it
• Process Model – What we do
• Decision Model – How we decide
April 14, 2005 Sergio Caltagirone
• http://www.activeresponse.org - [email protected]
• Sergio Caltagirone and Deborah Frincke, “The Response Continuum,” to appear in the 6th IEEE Information Assurance Workshop, West Point, NY. June 15-17, 2005.
• Sergio Caltagirone, "Criminal Law Perspectives of Contemporary Issues in Computer Security," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-28, 2005.
• Sergio Caltagirone, "Evolving Active Defense Strategies," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-27, 2005
• Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005.
•Sergio Caltagirone and Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311.
Resources – Questions ?