Engaging the Adversary as a Viable Response to Network Intrusion Sylvain P. Leblanc & G. Scott Knight Royal Military College of Canada PST 05 Workshop.


Engaging the Adversary as a Viable Response to Network Intrusion Sylvain P. Leblanc & G. Scott Knight Royal Military College of Canada PST 05 Workshop October 12, 2005

October 12, 2005, PST 05 - St-Andrew's NB, Leblanc & Knight

In a nutshell …
"We're going to hold onto him by the nose, and we're going to kick him in the ass." General George S. Patton, England, May
We must remain in contact with those who threaten our cyber infrastructure if we hope to successfully defend it.

Outline
1. Introduction
2. Information Operations
3. IO Counter-measures Tools; Honeypots
4. Conclusion

Introduction
The defence paradigm has been to Protect, Detect and React.
It is important to gain information about those who threaten the infrastructure. It is not sufficient to React by cutting off access.

Information Operations (IO)
Combat functions shown on the slide: Manoeuvre, Firepower, Command, Protection, Sustainment, Information Operations.
Information Operations are a key combat function. IO are defined as actions taken in support of political and military objectives which influence decision makers by affecting others' information while exploiting, or fully utilizing, one's own information.

Defensive IO
1. Protection
2. Defensive Counter-Information Operations (IO Counter-measures)
3. Offensive Counter-Information Operations
Radar analogies shown on the slide: Jamming the Radar, Radar Absorbent Paint, Chaff.

Computer Network Operations (CNO)
CNO represent all aspects of computer-related operations, but they have three specific components:
– Defence (CND)
– Attack (CNA)
– Exploitation (CNE)

Operational Objectives
1. Holding Contact with the Adversary
2. Understanding the Adversary
   a) Who is attacking?
   b) What are they capable of?
   c) What are their current mission and objectives?
   d) What is the context of the current attack?
3. Preparing the Adversary

Network-based IO Counter-measures: Principles of Operations
1. Operational Objectives for Active Response
2. Combined Operations
3. Repeatable Operations
   a) Standing procedures
   b) Dedicated resources
   c) Computer Network Operations Order-of-Battle
4. Risk Management

Risk Management
Access risks (of letting the adversary keep access):
– Damage or alter information
– Exfiltrate more sensitive information than expected
– Push the attack to other systems
– Mount an IO counter-counter-measure
Denial implications (of cutting the adversary off):
– Inability to identify
– Loss of knowledge on techniques and motivations
– Loss of ability to influence
– Encourages the adversary to seek other ingress points

IO Counter-measures Tools
Operational use with very high interaction: the attacker must feel that he is in a real production environment.
– High-fidelity environment
– New tools that provide legitimate operational activity and capture the attacker's activity

Characteristics of IO Counter-measures Tools
– Components and mechanisms undetectable by a user with root privileges.
– Behaviours and communication patterns appear legitimate from the vantage point of other hosts on the network.
– Able to simulate a normal human user at the interface level.
– Provide a means of observing and collecting attacker activity.
– Make de-conflicting attack traffic straightforward.

Honeypots
– Stem from the difficulty in discriminating attacker activity.
– A honeypot's value lies in being probed, attacked and compromised.
– Honeypots have no production value, making discrimination of attacker activity trivial.
– Credited with many successes.
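The two points above, that traffic to a honeypot is attacker activity by definition and that a counter-measures tool should make de-conflicting attack traffic straightforward, can be turned into a small triage step over flow logs. This is an added illustration, not code from the talk; the log format, the honeypot address and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the paper); one flow per line.
FLOW_LOG = """\
2005-10-12T09:14:02 src=198.51.100.7 dst=10.0.5.20 dport=22 proto=tcp
2005-10-12T09:14:05 src=198.51.100.7 dst=10.0.9.9 dport=445 proto=tcp
2005-10-12T09:15:11 src=203.0.113.4 dst=10.0.5.21 dport=80 proto=tcp
2005-10-12T09:16:40 src=198.51.100.7 dst=10.0.5.30 dport=3389 proto=tcp
2005-10-12T09:17:02 src=192.0.2.77 dst=10.0.9.9 dport=22 proto=tcp
"""

# Assumed honeypot host: it carries no production workload, so any flow
# towards it is attacker (or misconfiguration) activity and needs no
# further discrimination.
HONEYPOTS = {"10.0.9.9"}

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse(log):
    """Yield (timestamp, src, dst, dport) for each line that matches the format."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:  # unparseable lines are skipped rather than aborting the batch
            yield m["ts"], m["src"], m["dst"], int(m["dport"])


def honeypot_contacts(log, honeypots=HONEYPOTS):
    """For every source that reached a honeypot, report when contact began,
    which honeypot ports it touched, and which production hosts the same
    source also contacted. The last list is the de-confliction input: it tells
    the responder what else that adversary is in contact with before deciding
    whether to hold contact or break it."""
    by_src = defaultdict(list)
    for rec in parse(log):
        by_src[rec[1]].append(rec)
    report = {}
    for src, recs in by_src.items():
        hp = [r for r in recs if r[2] in honeypots]
        if not hp:
            continue  # never touched a honeypot: no evidence either way
        report[src] = {
            "first_contact": min(r[0] for r in hp),
            "honeypot_ports": sorted({r[3] for r in hp}),
            "also_touched": sorted({r[2] for r in recs if r[2] not in honeypots}),
        }
    return report


if __name__ == "__main__":
    for src, info in honeypot_contacts(FLOW_LOG).items():
        print(src, info)
```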

Honeypot Classifications
Spitzner suggests two main purposes:
– Production honeypots: support operations by helping secure the environment.
– Research honeypots: gain information on attackers' tools and techniques.

Honeypot Levels of Interaction
Spitzner proposes a taxonomy based on the level of interaction afforded to the attacker.

Level of Interaction | Work to Install and Configure / Deploy and Maintain | Information Gathering Potential | Level of Risk
Low                  | Easy                                                | Limited                         | Low
Medium               | Involved                                            | Variable                        | Medium
High                 | Difficult                                           | Extensive                       | High

IO Counter-measure example (1 of 3)
IO Counter-measures tool installed as part of the baseline.

IO Counter-measure example (2 of 3)
Intrusion detected.

IO Counter-measure example (3 of 3)
Machine is physically isolated. IO Counter-measures tool is activated. Attacker is monitored and prepared.

Conclusion
– A reactive-oriented defence policy is insufficient.
– Defence must include an understanding of the adversary.
  – First response should not always be to break contact.
  – IO Counter-measures to gain information.
– Principles of Operations for Network-based IO counter-measures.
  – Operational Objectives
– Key Research Areas include tools to:
  – Obfuscate attacker behaviour observation
  – Simulate normal human user behaviour

Questions?