Slide 1: Incident Analysis

Slide 2: Why Incident Analysis?
- Bad guys!
- Threats growing
- Vulnerabilities increasing
- Internet now part of the social fabric
- Impact of a major cyber-attack would be significant
- Cascading effects a major concern
- Reactive response must give way to proactive preparation

Slide 3: Analytic Approach
The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet:
- Technical, political, economic, and social triggers
- Attacks and defenses
- Vulnerabilities and corrections
- Victims and perpetrators
- Physical-world impacts

Slide 4: One Effort – Looking Inside the Noise
[Chart: Network Activity Example. Overall activity: several Gbytes/day; noise: "below the radar".]

Slide 5: Traffic is business-dominated

Slide 6: A Taxonomy of Attributes
- Backscatter: few sources, scattered evenly across the enterprise network, generally carrying RST or ACK flags.
- Scans: single source, usually striking the same port on many machines, or different ports on the same machine.
- DoS: multiple sources, single target, usually homogeneous (but not necessarily). Packets may be oddly sized.
- Worms: scanning from a steadily increasing number of hosts.
- Major servers: identifiable by IP address.
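As an added example (not from the slides), the attribute taxonomy above turned into a rule-based classifier over constructed flow records: source/destination/port spread and TCP flags separate backscatter, horizontal and vertical scans and DoS, and the worm rule checks that the set of SYN-scanning sources grows from one time bucket to the next. Thresholds (3, 10, 60-second buckets) and all addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    t: int        # seconds into the observation window (constructed data)
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags as letters, e.g. "S", "SA", "RA", "A"

def growing_scanner_set(flows, bucket=60, min_buckets=3):
    """Worm signature from slide 6: SYN probing from a set of sources that
    grows strictly from one time bucket to the next (thresholds assumed)."""
    per_bucket = {}
    for f in flows:
        if f.flags == "S":
            per_bucket.setdefault(f.t // bucket, set()).add(f.src)
    counts = [len(per_bucket[k]) for k in sorted(per_bucket)]
    return len(counts) >= min_buckets and all(a < b for a, b in zip(counts, counts[1:]))

def classify(flows):
    """Label the flows of one event with the slide's attribute taxonomy."""
    srcs = {f.src for f in flows}
    dsts = {f.dst for f in flows}
    ports = {f.dport for f in flows}
    flags = {f.flags for f in flows}
    # Backscatter is tested first: it looks like a horizontal scan, but replies
    # to spoofed packets carry RST/ACK rather than bare SYN probes.
    if len(srcs) <= 3 and len(dsts) >= 10 and flags <= {"R", "RA", "A"}:
        return "backscatter"
    if len(srcs) == 1 and len(ports) == 1 and len(dsts) >= 10:
        return "scan (horizontal: one port, many hosts)"
    if len(srcs) == 1 and len(dsts) == 1 and len(ports) >= 10:
        return "scan (vertical: many ports, one host)"
    if len(dsts) == 1 and len(srcs) >= 10:
        return "dos"
    if growing_scanner_set(flows):
        return "worm"
    return "unclassified"

def sample(kind):
    """Constructed flow sets, one per class; none of this is real traffic."""
    if kind == "scan":
        return [Flow(i, "10.9.9.9", f"192.0.2.{i}", 445, "S") for i in range(20)]
    if kind == "dos":
        return [Flow(i, f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(50)]
    if kind == "backscatter":
        return [Flow(i, "203.0.113.7", f"192.0.2.{i}", 80, "RA") for i in range(30)]
    if kind == "worm":  # bucket b has 2b+1 distinct scanning hosts: 1, 3, 5, 7
        return [Flow(60 * b + i, f"10.{b}.0.{i}", f"192.0.2.{(7 * b + i) % 250}", 1434, "S")
                for b in range(4) for i in range(2 * b + 1)]
    raise ValueError(kind)
```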

Slide 7: Let’s Play “Find The Scan”! Hmmmm

Slide 8: Example DDoS Attack

Slide 9: Example: SQLSlammer

Slide 10: Slammer: Precursor Detection
[Chart: flows per hour, 1/24 00:00 to 1/25 04:00.]

Slide 11: Fusion Efforts
- Small packet probes analyzed; patterns emerged; identified potential threat
- Analysis of CERT/CC incident data identified possible link between state and hacker groups
- Hacker communications assessment: working on profiles, country studies, event analysis

Slide 12: Results of Fused Analysis – What was determined?
- Data collected showed definite network indicators
- A methodology can be developed to provide possible warning indicators
- Based on a limited dataset, network indicators suggest possible malicious probes by China
- Network indicators suggest a number of motivations:
  – Exploitation
  – Site mapping
  – Intelligence gathering for further activity

Slide 13: Incident Data Flow
[Diagram: Organizations 1, 2, 3, …, n produce Observed Events, which become Reported Incidents; these are filtered and prioritized, with context, into Prioritized Attacks.]

Slide 14: Why Share Incident Information?
- Help in dealing with the current attack
- Improve future software
- Better baseline for the next attacks
- Support non-technical solutions
  – Prosecution
  – Diplomacy
  – Legislation

Slide 15: Why Not Share Incident Information?
- Fear of publicity
- Fear of stimulating attacks
- Fear of educating attackers
- Forcing action ahead of decision-makers
- Fear of offending suppliers/customers

Slide 16: How Well Does Current Response Work?
- For some incidents – great!
  – Viruses / slow worms
  – Narrow attacks
- For others – not so great
  – Very fast worms
  – Covert compromises (rootkits)
  – Broad attacks
  – Mass attacks

Slide 17: Hybris Incidents

Slide 18: Rootkit Incidents

Slide 19: Fusion Framework
[Diagram of the processing pipeline:]
- Incidents I1, I2, …, In → Clustering and Extrapolation → Extrapolated Incidents (X-Incidents) X1, X2, …, Xm
- X-Incidents → Correlation and Abduction → X-Incident Chains C1, C2, …, Cm (some incidents excluded)
- X-Incident Chains → Role-based Incident Severity Tier Assignment: tiers T1–T5 for each role (System Admin, Law Enforcement, Coordinating CSIRT)
- Additional inputs: other factors (political, social, economic); System Mission Criticality databases (DoD/MAC, Project Matrix, Key Asset Initiative, …)

Slide 20: Clustering and Extrapolation
- Clustering groups reports into meaningful classes
- Similarity metric applied to common features
  – Cohesion function calculates degree of similarity
  – Clustering generates overlapping clusters (clumps)
  – Minimizes cohesion function between incident sets
- Extrapolation fills in the reporting gaps
  – Extrapolation criterion establishes when and how
  – Generates extrapolated incidents (x-incidents)

Slide 21: Correlation and Abduction
- Identifies sequences that constitute a staged attack
  – Generates x-incident chains
  – Starting context establishes understanding of the initial system/network configuration
- Causal relationships through pre-/post-condition chaining
  – Precondition of the first incident must satisfy the starting context
  – Postcondition of each incident must satisfy the precondition of the subsequent incident
- Techniques available (abduction) for filling in gaps
  – Strings together x-incident chains using attack patterns
  – Abduction criterion establishes when and how

Slide 22: Example
[Diagram: SubSeven Trojan horse → enables → Leaves worm → builds “Bot Network” → launches → denial-of-service attack; ongoing uses of the “Bot Network”.]
Analysis steps annotated on the diagram:
1. Clustering and extrapolation based on intruder tool signature
2. Clustering based on target of attack and flooding approach
3. Correlation based on Leaves’ scan for the SubSeven signature
4. Abduction using the distributed denial-of-service pattern
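As an added example (not from the slides), the chaining logic of slides 21 and 22 in Python: time-ordered x-incidents are linked by pre-/post-conditions from a starting context, and an unreported stage is supplied by abduction from an attack-pattern library. The condition names, the one-signature clustering helper from step 1, and all data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class XIncident:
    name: str
    pre: frozenset         # conditions that must hold before the step
    post: frozenset        # conditions the step establishes
    observed: bool = True  # False: supplied by abduction, not reported

def cluster_by_signature(reports):
    """Step 1 of slide 22: clump (host, tool signature) reports by signature."""
    clumps = {}
    for host, signature in reports:
        clumps.setdefault(signature, set()).add(host)
    return clumps

def build_chain(starting_context, incidents, patterns):
    """Correlate time-ordered x-incidents by pre-/post-condition chaining.
    When a precondition is unmet, abduction inserts the attack-pattern step
    whose postcondition supplies it, provided that step's own preconditions
    already hold; otherwise the chain cannot be formed."""
    ctx = set(starting_context)
    chain = []
    for inc in incidents:
        for cond in sorted(inc.pre - ctx):
            step = patterns.get(cond)
            if step is None or not step.pre <= ctx:
                raise ValueError(f"{inc.name}: cannot satisfy precondition {cond!r}")
            chain.append(step)
            ctx |= step.post
        chain.append(inc)
        ctx |= inc.post
    return chain

# Constructed conditions modelling the slide 22 chain (names are illustrative).
SUBSEVEN = XIncident("SubSeven trojan installed", frozenset({"reachable Windows host"}),
                     frozenset({"SubSeven backdoor listening"}))
LEAVES = XIncident("Leaves worm enters via SubSeven", frozenset({"SubSeven backdoor listening"}),
                   frozenset({"host joined bot network"}))
DDOS = XIncident("Distributed denial of service launched", frozenset({"host joined bot network"}),
                 frozenset({"target flooded"}))
# Attack-pattern library for abduction, keyed by the condition each step produces.
PATTERNS = {c: XIncident(inc.name, inc.pre, inc.post, observed=False)
            for inc in (SUBSEVEN, LEAVES, DDOS) for c in inc.post}

def demo():
    """Only the trojan and the flood were reported; the worm stage is abduced."""
    chain = build_chain({"reachable Windows host"}, [SUBSEVEN, DDOS], PATTERNS)
    return [(x.name, x.observed) for x in chain]
```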

Slide 23: Challenges to Analysis Research
- Gathering sufficient datasets to make statistically valid judgments
- Developing automated technical analysis tools
- Developing a reliable methodology for cyber-analysis
- Overcoming organizational bias against sharing information

Slide 24: Limits of Analysis
- Inherently partial data
- Baseline in a dynamic environment
- Correlation vs. causation
- Implications
  – Need to be cautious in the kinds of conclusions drawn
  – Consider strategies for dealing with analysis gone wrong