© 2006 Carnegie Mellon University
Strategy
Michael Collins
Or how everything I know about information security was done by the 4th century CE.

2 Lecture Overview
Discussion on network security strategy: taking over networks, defending networks.
Your lecturer for this evening’s Symposium is Michael Collins, researcher for CERT/Network Situational Awareness.
The format of this lecture is going to be a series of commentaries and annotations on the Sun Tzu (this guy).

3 OH ELVIS NO!
Do we really need another pop-psychological overview of a long-since-worm-food Chinese general?
Didn’t this kind of thing go out with hair gel, shoulder pads and other unfortunate relics of the ’80s?
Can’t we just use Clausewitz? He’s got that politics line!

4 We’re not using it for this
“If there are 1,000 four-horse attack chariots, 1,000 support chariots, 100,000 troops, and provisions are transported 1,000 li, then the domestic and external campaign expenditures…will be 100,000 pieces of gold per day.”

5 Why we use this guy
The Art of War is a very primitive book. It’s basically a book about managing resources and conducting warfare without relying on particular tools.
It is therefore a framework for thinking about the problem of managing resources and conducting a mission in a hostile environment.
There is stuff in the book that is irrelevant. Think when you read something like this.

6 Lesson #1
Warfare is the greatest affair of state, the basis of life and death, the Way to survival or extinction. It must be thoroughly pondered and analyzed.
Casualties already exist: Usenet, Estonia.

7 It’s always September now
Usenet: created in 1979; connected to AOL in 1993; AOL disconnects in 2005.
Major event hurting it: spam (Canter & Siegel, first spam).
Spam was originally a Usenet phenomenon, measured using Usenet metrics (Breidbart Index).

8 What does it mean to die?
PDP-11s are still actively used (Mentec).
Do people expand the technology? Do they replace it? Do they trust it?
Usenet has been replaced with web-based boards and Google Groups.
How many of you have ever used Usenet? How many spam defenses have you seen?
Is this a good thing? It’s good if you’re Google or Yahoo.

9 Spammers want to make a profit
They will…
Compromise machines and use them as bots
Re-engineer the internet via BGP (Feamster, 2006)
Happily accept a < 0.001% success rate while we all pay the bandwidth charges
They will send out legal, network and physical threats
— Castlecops has been DDoSed extensively in 2007
— SpamHaus received an $11.7 million judgement against it
This is serious. This is a matter of network health. This must be studied.

10 The cornerstone
All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

11 Deception in Information Warfare
Deception in Attack: Intent, Extent, Objects, Success
Deception in Defense: Value, Depth, Methods

12 Source: External view of Nets

13 Internal View of Network

14 Tactics of Network Attack
Reconnaissance
Exploit
Communication
Command
Effect
Reserve

15 Examples of Attack Strategies
Stepped attack
Isolated attack
Isolated follow-up
Masked attack
Diversion
Massed attack

16 Deception in Attack - Spoofing
Send from a fraudulent ID (forged address)
— We used to send mail from
Send traffic from a fake IP
Can be used to hide extent (how many machines involved?) and intent (who hates us?)

17 People don’t really do that, do they?
Backscatter: Send traffic from a forged address. The response goes to the forged address.
Used for DDoS estimation
Estimated 7x as much DDoS activity in 2004 as in
For more info: “Inferring Internet Denial-of-Service Activity”; D. Moore, C. Shannon, D. Brown, G. Voelker and S. Savage.
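
The backscatter inference on this slide, worked through as an added example (not part of the lecture and not code from the Moore et al. paper): a constructed, unused /16 acts as the "telescope"; the only packets that count are responses (SYN-ACK, RST, ICMP errors) that nobody here solicited; and the observed rate is scaled by 2^32 divided by the telescope size, which is the step that turns a trickle of stray SYN-ACKs into an estimate of what the victim is actually receiving. The telescope prefix, flag set and packet records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: an unused /16 we control as a "network
# telescope". Nobody legitimately talks to these addresses, so every packet
# that arrives was provoked by something else.
TELESCOPE = ip_network("10.200.0.0/16")

# A response nobody here asked for: the victim answering a SYN that carried
# one of *our* addresses as its forged source.
BACKSCATTER_TCP_FLAGS = {"SA", "R", "RA"}


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str      # apparent sender; for backscatter this is the victim
    dst: str      # telescope address the forged SYN claimed to come from
    proto: str    # "tcp" or "icmp"
    flags: str    # TCP flags as letters, "" for ICMP
    sport: int    # source port on the victim, i.e. the service being hit


def is_backscatter(pkt: Packet) -> bool:
    """True only for *responses* landing in the telescope. A plain SYN to a
    telescope address is somebody scanning us, not backscatter from a victim."""
    if ip_address(pkt.dst) not in TELESCOPE:
        return False
    if pkt.proto == "tcp":
        return pkt.flags in BACKSCATTER_TCP_FLAGS
    return pkt.proto == "icmp"


def estimate_attacks(packets, min_packets=3):
    """Group backscatter by victim and scale the observed rate up to the
    whole IPv4 space: if the forged sources are uniform, only
    |telescope| / 2^32 of the victim's replies ever reach us."""
    scale = 2 ** 32 / TELESCOPE.num_addresses
    per_victim = defaultdict(list)
    for pkt in packets:
        if is_backscatter(pkt):
            per_victim[pkt.src].append(pkt)

    estimates = {}
    for victim, pkts in per_victim.items():
        if len(pkts) < min_packets:
            continue  # a stray RST or two is not an attack
        times = [p.ts for p in pkts]
        duration = max(max(times) - min(times), 1.0)  # avoid divide-by-zero
        observed_rate = len(pkts) / duration
        estimates[victim] = {
            "observed_packets": len(pkts),
            "estimated_pps": observed_rate * scale,
            "attacked_ports": sorted({p.sport for p in pkts}),
        }
    return estimates


# Constructed sample: one victim web server answering forged SYNs for a
# minute, one scanner probing us directly, and one stray RST.
SAMPLE = [
    Packet(0.0, "192.0.2.10", "10.200.17.4", "tcp", "SA", 80),
    Packet(12.0, "192.0.2.10", "10.200.250.9", "tcp", "SA", 80),
    Packet(24.0, "192.0.2.10", "10.200.3.77", "tcp", "SA", 80),
    Packet(36.0, "192.0.2.10", "10.200.90.1", "tcp", "SA", 80),
    Packet(48.0, "192.0.2.10", "10.200.128.5", "tcp", "RA", 80),
    Packet(60.0, "192.0.2.10", "10.200.64.64", "tcp", "SA", 80),
    Packet(5.0, "198.51.100.7", "10.200.1.1", "tcp", "S", 40000),   # scanner
    Packet(6.0, "198.51.100.7", "10.200.1.2", "tcp", "S", 40000),   # scanner
    Packet(30.0, "192.0.2.99", "10.200.8.8", "tcp", "R", 22),       # noise
]

if __name__ == "__main__":
    for victim, info in estimate_attacks(SAMPLE).items():
        print(victim, info)
```

The method only sees attacks whose forged sources are spread uniformly over the address space; an attacker who does not spoof, or who reflects through third parties, never shows up in the telescope at all, which is one reason the numbers on the slide are lower bounds.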

18 Deception of Intent
Ports are partly contractual: 80: HTTP, 53: DNS, 6881: BitTorrent
Scan the network using port 53
Set your BitTorrent client on port 80
Or… send voice traffic over DNS packets running on port 53
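
Checking the port "contract" from the defender's side, as an added example that is not from the slides: a few constructed flows (first payload bytes) on ports 80 and 53, a small parser for the DNS question name, and two heuristics for data hidden in DNS labels. The thresholds and sample payloads are assumptions for illustration; real tunnels and legitimate long CDN names both need tuning against your own traffic.

```python
import math
from collections import Counter

# What a connection to a "contractual" port ought to look like.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def looks_like_http(payload: bytes) -> bool:
    """First client bytes of an HTTP/1.x request, or a server status line."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")


def dns_qname(payload: bytes):
    """Return the first question name of a DNS message, or None if the bytes
    do not parse as a DNS query (short header, QDCOUNT 0, bad label lengths)."""
    if len(payload) < 12:
        return None
    qdcount = int.from_bytes(payload[4:6], "big")
    if qdcount == 0:
        return None
    labels, i = [], 12
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return ".".join(labels)
        if n > 63 or i + 1 + n > len(payload):  # compression pointers do not belong in a question
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def classify(dport: int, proto: str, payload: bytes):
    """Reasons this flow does not honour the port's contract. Empty = looks normal.
    Thresholds (30-char label, 80-char name, 3.5 bits) are illustrative assumptions."""
    reasons = []
    if dport == 80 and proto == "tcp" and not looks_like_http(payload):
        reasons.append("port 80 but payload is not HTTP")
    if dport == 53:
        name = dns_qname(payload)
        if name is None:
            reasons.append("port 53 but payload is not a DNS query")
        else:
            first = name.split(".")[0]
            if len(name) > 80 or len(first) > 30:
                reasons.append(f"oversized DNS name ({len(name)} chars): possible tunnel")
            if len(first) >= 16 and shannon_entropy(first) > 3.5:
                reasons.append("high-entropy DNS label: possible encoded data")
    return reasons


def build_dns_query(name: str) -> bytes:
    """Minimal DNS A query; used here only to construct sample traffic."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"


# Constructed sample flows: (dport, proto, first payload bytes).
SAMPLE_FLOWS = {
    "web":      (80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    "bt_on_80": (80, "tcp", b"\x13BitTorrent protocol" + b"\x00" * 8),
    "dns":      (53, "udp", build_dns_query("www.example.com")),
    "tunnel":   (53, "udp", build_dns_query("a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.t.example.net")),
    "not_dns":  (53, "udp", b"\x00" * 12 + b"\xaa\xbb"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:10s} {classify(*flow) or ['ok']}")
```

The point is the slide's: the port number is a promise the other side is free to break, so the check has to look at what is actually in the packets, not at which door they came through.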

19 Authentication - Scamming
Also known as social engineering
Exploit trust relationships between people
Exploit service climate
Exploit business methods
If at first you don’t succeed, try a supervisor!

20 Other deceptive methods
Phishing: Pretend to be an authority, steal private data
Different types of phishing mails
— Friendly (Check your network account)
— Unfriendly (Why aren’t you sending me my purchase?)
Captcha Fraud: Have someone fill out a captcha for access to another item
Equivalent to the Mechanical Turk

21 Deception of Objects
Botnets: Two-stage attack
— Stage 1: Take over 1,000+ machines using a common vulnerability (such as a not-so-bright owner)
— Stage 2: Use 1,000+ machines to attack target (Mirkovic)
Alternative:
— Drop a credit card # on an IRC channel
— Hire 10,000+ machines to attack target
Life would be so much easier if we banned Comcast

22 Deception of Success
Classic attacker: Markus Hess (Stoll). Broke into systems to steal intelligence for the KGB
New attacker: Disinterested Attacker. Doesn’t care about the system except insofar as the system is vulnerable
Instead of limited, crafted, high-success-rate attacks, focuses on high-failure, mass-produced attacks
— Spamming
— Phishing
— Keylogging
Very low rate of success, but doesn’t care

23 Designing a Network
How does the network look to valid users?
How does the network look to casual scanners?
How does the network look to dedicated attackers?
How does the network look internally?

24 Deception in Defense - Facing the Enemy
Hold out baits to entice the enemy. Create disorder and crush him. If he is secure at all points, be prepared for him. If he is in superior strength, avoid him. If your opponent is angry, irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. Attack him where he is unprepared, appear where you are not expected. These military devices, leading to victory, must not be divulged beforehand.

25 Critical Issues
What must you defend? Mission of the organization; assets of the organization
What can you defend? Personnel limitations; information limitations
What is likely to be attacked?

26 Strategic Goals
Sun Tzu said: Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted. Therefore the clever combatant imposes his will on the enemy, but does not allow the enemy's will to be imposed on him. By holding out advantages to him, he can cause the enemy to approach of his own accord; or, by inflicting damage, he can make it impossible for the enemy to draw near.

27 Defensive Strategy
Deceive the attacker
Frustrate the attacker
Resist the attacker
Recognize and respond to the attacker

28 Arsonists
Deceive by profiling arsonists and misdirecting them on high-value targets
Frustrate by grounding all outlets, adding inter-floor barriers and fire doors
Recognize with smoke detectors, alarm pulls
Respond with fire-suppression systems

29 Deceive the Enemy
That general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.
Don’t let your enemy know anything except what you decide to tell them.
Hide the nature of your organization
Use obvious targets as alarms, not servers
Minimize the footprint of critical assets
Honeyd/Tarpit – fake servers/services

30 Hide your organization
What needs to be public besides your mailserver and webserver?
Egress filter! Egress filter!
Why are you using static IP addresses?
DMZ! DMZ!
Why is your mail server named “mail”?
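
"Egress filter!" made concrete, as an added example that is not from the slides: a border policy that drops any outbound packet whose source address is not one of our own prefixes (the forged sources from the spoofing slide cannot leave), drops inbound packets that claim our addresses or aim at anything other than the published mail and web services, and, most usefully, reports which internal host was caught emitting forged traffic, since that host is the real finding. Prefixes, public services and the log records are constructed assumptions for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed for this example: the address space this organization actually
# owns, and the only (address, port) pairs the outside world needs to reach.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]
PUBLIC_SERVICES = {("192.0.2.25", 25), ("192.0.2.80", 80), ("192.0.2.80", 443)}


def is_ours(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in prefix for prefix in OUR_PREFIXES)


def egress_verdict(src: str, dst: str, dport: int) -> str:
    """Outbound packets must carry one of our own addresses as source.
    Anything else is a forged address trying to leave our border: the very
    spoofing an attacker uses to hide extent and intent, and a sign that the
    sending host is no longer under our control."""
    if not is_ours(src):
        return "drop: spoofed source"
    return "allow"


def ingress_verdict(src: str, dst: str, dport: int) -> str:
    """Inbound packets can never legitimately claim our own addresses, and
    only the published services are reachable; everything else is hidden."""
    s = ip_address(src)
    if is_ours(src) or s.is_loopback:
        return "drop: impossible source"
    if (dst, dport) not in PUBLIC_SERVICES:
        return "drop: not a public service"
    return "allow"


def apply_policy(records):
    """Run the border policy over (direction, src, dst, dport, wire_host)
    records. wire_host is the internal machine the switch saw the packet come
    from (None for inbound). Returns the verdicts and, per internal host, how
    many forged packets it tried to send: a non-zero count is an incident."""
    verdicts, spoofers = [], Counter()
    for direction, src, dst, dport, wire_host in records:
        if direction == "out":
            verdict = egress_verdict(src, dst, dport)
            if verdict != "allow":
                spoofers[wire_host] += 1
        else:
            verdict = ingress_verdict(src, dst, dport)
        verdicts.append(verdict)
    return verdicts, spoofers


# Constructed border log: (direction, src, dst, dport, internal host on the wire).
SAMPLE = [
    ("out", "192.0.2.44", "203.0.113.9", 443, "192.0.2.44"),        # normal browsing
    ("out", "203.0.113.200", "198.51.100.200", 80, "192.0.2.130"),  # forged source
    ("out", "10.9.9.9", "203.0.113.9", 53, "192.0.2.130"),          # forged again
    ("in", "203.0.113.77", "192.0.2.25", 25, None),                 # mail delivery
    ("in", "203.0.113.77", "192.0.2.130", 22, None),                # ssh to an inside host
    ("in", "192.0.2.44", "192.0.2.80", 80, None),                   # our own address, from outside
]

if __name__ == "__main__":
    verdicts, spoofers = apply_policy(SAMPLE)
    for record, verdict in zip(SAMPLE, verdicts):
        print(verdict.ljust(28), record[:4])
    print("hosts emitting forged traffic:", dict(spoofers))
```

The rule is cheap because it needs no knowledge of the attacker, only of ourselves: we know which addresses we own, so a packet that leaves with any other source is wrong by construction.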

31 The Hobbesian Internet
IP is built around maximum open connectivity
ALL security is an afterthought - RMS protested passwords
Trivial to forge addresses, Usenet headers, and so on
Lots of default open login. Password lists are very common and popular
— many applications have default passwords (e.g., Oracle)
— many users have default passwords
These weaknesses are happily exploited
Sometimes, we get hidden advantages from other solutions, like NATting

32 Obvious Targets
Most servers have obvious names: mail.network, ftp.network
Attackers know this
Why do you need to name the server that?
Do you need a public DNS? What do you need public?
This, incidentally, is the hidden advantage of NATting

33 Honeypots and Tarpits
System that pretends to be a real machine
Attacker can romp around without causing real damage
We can find out how the attacker “romps around”
Examples: Honeyd, Nepenthes
Massive collaborative efforts in honeypots: analyze botnets, spam trapping
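
"Use obvious targets as alarms, not servers" (slide 29) together with this slide's honeypots, as an added example that is neither from the lecture nor from Honeyd or Nepenthes: a few constructed decoy addresses host nothing, so any contact with them is an alarm by definition; the analysis then profiles each alarmed source (how many decoys, how many ports, and whether it also touched real services) so an analyst can triage a block sweep apart from a probe aimed at one address. Decoy and production addresses, thresholds and the event records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: addresses that host nothing real. They sit in the same block as
# the production servers, so only someone probing the network ever finds them.
DECOYS = {"192.0.2.200", "192.0.2.201", "192.0.2.202"}
# Constructed: the real services, used to see whether a decoy-toucher also
# went after production hosts.
PRODUCTION = {"192.0.2.25": "mail", "192.0.2.80": "web"}


@dataclass
class Profile:
    decoys: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    production_hits: set = field(default_factory=set)
    first_seen: float = float("inf")

    def verdict(self) -> str:
        # Several decoys or many ports: a sweep of the block (thresholds assumed).
        if len(self.decoys) >= 2 or len(self.ports) >= 5:
            return "scanner"
        # One decoy, few ports: someone came to this address on purpose.
        return "targeted probe"


def analyse(events):
    """events: (ts, src, dst, dport). Every contact with a decoy is an alarm;
    the profile says how to triage it and whether production was also touched.
    Sources that never touched a decoy do not appear: the decoys cost nothing
    in false positives because no legitimate user has a reason to reach them."""
    profiles = defaultdict(Profile)
    for ts, src, dst, dport in events:
        if dst in DECOYS:
            p = profiles[src]
            p.decoys.add(dst)
            p.ports.add(dport)
            p.first_seen = min(p.first_seen, ts)
    # Second pass: what else did the alarmed sources do?
    for ts, src, dst, dport in events:
        if src in profiles and dst in PRODUCTION:
            profiles[src].production_hits.add(PRODUCTION[dst])
    return {
        src: {
            "verdict": p.verdict(),
            "production": sorted(p.production_hits),
            "first_seen": p.first_seen,
        }
        for src, p in profiles.items()
    }


# Constructed contact records: (ts, src, dst, dport).
SAMPLE_EVENTS = [
    (100.0, "203.0.113.5", "192.0.2.25", 25),      # sweep starts on the real mail host
    (100.2, "203.0.113.5", "192.0.2.200", 22),
    (100.4, "203.0.113.5", "192.0.2.201", 22),
    (100.6, "203.0.113.5", "192.0.2.202", 22),
    (250.0, "203.0.113.66", "192.0.2.201", 3306),  # one decoy, one port
    (300.0, "203.0.113.9", "192.0.2.25", 25),      # ordinary mail delivery
]

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_EVENTS).items():
        print(src, info)
```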

34 Resist the Enemy
Structural Knowledge: asset identification and weighting; asset security; vulnerability identification
Architecture: layered security; monitor and response
Process: auditing; security restoration

35 Factors that Block Resistance
Cost
Personnel
Pace of change
Internal politics
Optimism
Security through Obscurity

36 Cost
Security and system administration are not appreciated until you need them
From a user perspective, security is an annoyance

37 Personnel
Users tend to view constraints badly: don’t use this software; don’t administer this machine

38 Pace of Change
Complex procedures will only increase user resistance
Adding new security policy all the time is counterproductive

39 Internal Politics
Security may be a separate division: security may not be IT, security may not be networks
Different organizations have different priorities: router people want to deliver bandwidth, security people want to limit bad bandwidth
Sometimes the CEO is going to insist that he can plug his laptop into the network

40 Optimism
“We don’t use X”
“We don’t need X”

41 Security Through Obscurity
“The highest realization of warfare is to attack the enemy’s plans, then to attack their alliances, then to attack their army; the lowest is to attack their cities.”
The problem with obscurity is that you can’t control it: you can’t control the secret once it’s broken, and you don’t know when the secret is broken.
Remember the lesson of Coventry

42 Recognize the Enemy
Recognizing indications and warnings
Investigating intrusions
Applying fixes
Monitoring users and applications
Updating systems
Scanning log and alert files
Auditing system configurations
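
"Scanning log and alert files" as an added example that is not from the slides: constructed OpenSSH-style authentication lines are parsed, failures are counted per source inside a sliding window, and the case that actually deserves an analyst's attention is pulled out separately: a burst of failures followed by a success from the same address. The log lines, the year pinned onto the syslog timestamps, and the threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd messages we care about (layout as OpenSSH logs to syslog;
# the sample lines below are constructed, not captured).
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for "
    r"(\S+) from (\S+) port \d+")


def parse_ts(text: str) -> datetime:
    # syslog timestamps carry no year; pin one (assumed) so they compare.
    return datetime.strptime(f"2007 {text}", "%Y %b %d %H:%M:%S")


def scan(lines, threshold=5, window_seconds=600):
    """Per source address: the most failures seen inside any window, the
    usernames tried, and any account that logged in *after* the failures.
    Sources below the threshold are dropped so the analyst sees only the
    cases worth their time."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = ACCEPTED.match(line)
        if m:
            successes[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Sliding window: largest number of failures within window_seconds.
        best, j = 0, 0
        for i in range(len(attempts)):
            while (attempts[i][0] - attempts[j][0]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best < threshold:
            continue
        last_failure = attempts[-1][0]
        later_logins = {user for ts, user in successes.get(src, []) if ts >= last_failure}
        findings[src] = {
            "failures_in_window": best,
            "usernames": sorted({user for _, user in attempts}),
            "success_after_failures": sorted(later_logins),
        }
    return findings


# Constructed log excerpt: one guessing burst that ends in a login, one user
# who mistyped a password once, and an unrelated cron line.
SAMPLE_LOG = [
    "Jan 12 03:14:01 gw sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Jan 12 03:14:08 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2",
    "Jan 12 03:14:15 gw sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2",
    "Jan 12 03:14:22 gw sshd[2207]: Failed password for oracle from 203.0.113.5 port 40150 ssh2",
    "Jan 12 03:14:31 gw sshd[2209]: Failed password for oracle from 203.0.113.5 port 40158 ssh2",
    "Jan 12 03:14:40 gw sshd[2211]: Failed password for oracle from 203.0.113.5 port 40166 ssh2",
    "Jan 12 03:15:02 gw sshd[2213]: Accepted password for oracle from 203.0.113.5 port 40170 ssh2",
    "Jan 12 09:02:11 gw sshd[3100]: Failed password for alice from 192.0.2.7 port 51000 ssh2",
    "Jan 12 09:02:19 gw sshd[3100]: Accepted password for alice from 192.0.2.7 port 51000 ssh2",
    "Jan 12 09:30:00 gw cron[3200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG).items():
        print(src, finding)
```

Collapsing a thousand lines into one finding per source is what lets the "too few analysts" problem on the next slides be survivable; the failures-then-success case is the one that turns an alert into an investigation.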

43 The Analyst’s Day

44 Factors that block Recognition
Manpower: too few analysts; too much work per analyst
Ignorance: system structure, network architecture, what’s normal on the internet, application structure, organizational goals
Analysts are your last line of defense; how do you make sure they don’t do too much?

45 Visibility
Now the Army likes heights and abhors low areas, esteems the sunny (yang) and disdains the shady (yin). It nourishes life and occupies the substantial. An army that avoids the hundred illnesses is said to be certain of victory.
What is sun (yang) in a network world? What is shade (yin) in a network world?
How do we exploit sun and shade? Why is visibility significant in a network world?

46 Sun: Openness
I like
Clear text
Published port names
Good managerial/worker relations
Internal trust
People who report unusual circumstances
And a pony

47 Every day is a new experience in terror
What you thought yesterday is wrong
The network is continuously reconfigured
And sometimes, it’s reconfigured for the most innocuous of reasons

48 Shade: Deception
I don’t like
Heavily encrypted traffic
Services on weird ports
Internal distrust and dissent
People who hide things
An exploding pony

49 Malicious Code
Viruses
Trojan Horses
Worms
Bots

50 Viruses and worms
Many ways to attack the network: vulnerabilities, user deception
Many ways to propagate: topological (address books), scanning
Which ways are the most popular? Why?

51 By propagation method Slight preference (in p2p systems) for the biggest networks

52 Love Letter Virus (flow diagram; recovered labels only: “Check out this joke...”, Trusted Colleague, IRC, Exchange, VBS, JPG, MP3, others, Replace, Corrupt data/script files, Steal Passwords, Clog)

53 Ensuring Integrity
Check code for its validity: most public releases of code include checksums of some kind (md5s, for example)
Check source for validity: use signatures to match IDs; ask for validation
Don’t open what you don’t trust

54 How vulnerable is the internet?
Unauthorized project systematically mapping Internet systems for selected vulnerabilities
36 million hosts (85% of active addresses) surveyed over a 3-week period (1-21 Dec 98)
5 scanning hosts using newly created (free) Bulk Auditing Security Scanner (BASS)
Scanning hosts in 5 different nations
18 different vulnerabilities tested (from CERT advisories)
450,000 vulnerable hosts found
Source: Securityfocus.com paper dated Aug 11, 1999

55 Life
Life: survival, defense, basis for attack
What is survival in a network world? What is defense in a network world?
How do we turn survival and defense into a basis for attack?

56 Survival Tasks
Rapid detection: detecting unauthorized access to data and systems; detecting unauthorized changes to data and systems; recognizing suspicious overuse of resources
Rapid response: analyzing the incident; disseminating information; containing the damage; recovering from the incident
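
The checksum check from slide 53 and this slide's "detecting unauthorized changes to data and systems", carried out as one added example that is not from the lecture: a chunked file digest, a comparison against a published checksum, and a baseline snapshot of a directory tree that is diffed against a later snapshot to report added, removed and modified files. The demo builds its own files in a temporary directory; the only real constant is the sha256 of the bytes "hello", used as the stand-in for a vendor's published checksum.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def digest_file(path, algo: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large artifacts are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_published(path, published_hex: str, algo: str = "sha256") -> bool:
    """Compare against a checksum the publisher posted. md5 still catches
    corruption in transit, but it no longer proves nobody substituted the
    file (collisions are practical), so prefer sha256, and prefer a signature
    over the checksum list to a bare checksum fetched from the same server."""
    return hmac.compare_digest(digest_file(path, algo), published_hex.strip().lower())


def build_baseline(root) -> dict:
    """Map every file under root to its sha256: the 'known good' snapshot."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): digest_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(old: dict, new: dict) -> dict:
    """Unauthorized-change detection: what appeared, vanished, or changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: verify a 'release', snapshot the
    tree, make some unauthorized changes, snapshot again and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"hello")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0\n")
        (root / "etc" / "motd").write_bytes(b"welcome\n")

        # The checksum "published" for this release: sha256 of b"hello".
        published = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        release_ok = verify_published(root / "bin" / "login", published)

        before = build_baseline(root)
        # Simulated unauthorized changes: a replaced binary, a new hidden
        # file, a deleted file. The baseline should name all three.
        (root / "bin" / "login").write_bytes(b"hello\x00")
        (root / "bin" / ".hidden").write_bytes(b"x")
        (root / "etc" / "motd").unlink()
        after = build_baseline(root)

        result = compare_baseline(before, after)
        result["published_checksum_ok"] = release_ok
        return result


if __name__ == "__main__":
    print(demo())
```

A baseline is only as trustworthy as where it is stored: keep the snapshot off the host it describes, or an intruder who can modify the binaries can modify the list of their hashes too.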

57 Occupation
Substance: the Cartesian product of strategy and terrain
Which are the network nodes that are key to victory? Which are the network nodes that are key to survival?
What does it mean to occupy networks? Who owns your network?

58 For example
I run a control system (such as a power system). It gets infected with a worm which is DDoSing other networks.
Is it worth my time to take that control system down and repair it?

59 Moonlight Maze
Sophisticated widespread attack on US military systems
Goal seems to be intelligence gathering
Compromised accounts; corrupted system programs; redirected information (not print, send overseas)
ALL DoD publicly-connected accounts ordered to have new passwords as of August 16, 1999
Source: Sunday Times of London, July 25, 1999

60 Avoidance
Illnesses: outside factors that lessen attack
How do we accommodate other network attacks? How do we deal with real-world events? What contingencies must we plan for?

61 Layered Defenses (diagram: Frustrate, Deceive, Recognize, Respond mapped against Goal 1 through Goal 8)
Source: Shawn Butler, Security Attribute Evaluation Method

62 Preparation: Exercises
Designed to evaluate level of preparedness; run at intervals
Red team: attackers
Blue team: defenders
White team: exercise administrators
For realism, needs to involve a significant part of the organization

63 Desirable Exercises
Blue team has goal other than defense
Red team has scenario limiting its exercise knowledge
White team enforces rules of engagement
Red team is visible and vulnerable to blue team
Blue team is visible and vulnerable to red team
White team is not visible nor vulnerable in context

64 Factors that Frustrate Exercises
Exercise has a goal other than preparedness assurance
White team puts artificial limits on red team
Red team has no scenario, nor knowledge limits
Red team not representative of attackers
Red team part of white team, not vulnerable
Red team results are vulnerabilities of blue team, not operational impact of vulnerabilities