Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2004 Carnegie Mellon UniversityIW-Strategy: 1 Strategy.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2004 Carnegie Mellon UniversityIW-Strategy: 1 Strategy."— Presentation transcript:

1 © 2004 Carnegie Mellon UniversityIW-Strategy: 1 Strategy

2 © 2004 Carnegie Mellon UniversityIW-Strategy: 2 Deception “ All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

3 © 2004 Carnegie Mellon UniversityIW-Strategy: 3 Deception in Information Warfare Intent of attack Value in defense Extent of attack Depth of defense Methods of attack and defense Objects of attack Success of attack

4 © 2004 Carnegie Mellon UniversityIW-Strategy: 4 Facing the Enemy “Hold out baits to entice the enemy. Feign disorder and crush him. If he is secure at all points, be prepared for him. If he is in superior strength, avoid him. If you opponent is of choleric temper, seek to irritate him. Pretend to be weak, that he may grow arrogant. If he is taking his ease, give him no rest. If his forces are united, separate them. Attack him where he is unprepared, appear where you are not expected. These military devices, leading to victory, must not be divulged beforehand.”

5 © 2004 Carnegie Mellon UniversityIW-Strategy: 5 Planning of Your Network How does the network look to valid users? How does the network look to casual scanners? How does the network look dedicated attackers? How does the network look internally?

6 © 2004 Carnegie Mellon UniversityIW-Strategy: 6 Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html External view of Nets

7 © 2004 Carnegie Mellon UniversityIW-Strategy: 7 Internal View of Network

8 © 2004 Carnegie Mellon UniversityIW-Strategy: 8 Critical Issues What must you defend? –Mission of the organization –Assets of the organization What can you defend? –Personnel limitations –Information limitations What is likely to be attacked?

9 © 2004 Carnegie Mellon UniversityIW-Strategy: 9 Strategic Goals Sun Tzu said: Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted. Therefore the clever combatant imposes his will on the enemy, but does not allow the enemy's will to be imposed on him. By holding out advantages to him, he can cause the enemy to approach of his own accord; or, by inflicting damage, he can make it impossible for the enemy to draw near.

10 © 2004 Carnegie Mellon UniversityIW-Strategy: 10 Defensive Strategy Deceive the attacker Frustrate the attacker Resist the attacker Recognize and Respond to the attacker

11 © 2004 Carnegie Mellon UniversityIW-Strategy: 11 Analogous Example Arsonist profiling, misdirection = Deceive Grounded outlets, fire doors, inter-floor barriers = Frustrate/Resist Smoke detectors, alarm pulls = Recognize Fire-suppression systems = Respond

12 © 2004 Carnegie Mellon UniversityIW-Strategy: 12 Deceive the Enemy Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack. Hide the nature of your organization Use obvious targets as alarms, not servers Minimize the footprint of critical assets Honeyd/Tarpit – fake servers/services

13 © 2004 Carnegie Mellon UniversityIW-Strategy: 13 Frustrate the Enemy If we do not wish to fight, we can prevent the enemy from engaging us even though the lines of our encampment be merely traced out on the ground. All we need do is to throw something odd and unaccountable in his way. Common threat: Social engineering Undying vulnerability: Stack overflows

14 © 2004 Carnegie Mellon UniversityIW-Strategy: 14 Resist the Enemy Asset identification, critical to mission Security requirements for assets Restoration of security Vulnerability identification related to mission Layered security Monitor and respond to change Audit and reassess

15 © 2004 Carnegie Mellon UniversityIW-Strategy: 15 Factors that Block Resistance Cost Personnel Pace of change Organizational coalitions Assumed survival Security through obscurity

16 © 2004 Carnegie Mellon UniversityIW-Strategy: 16 Recognize the Enemy Recognizing indications and warnings Investigating intrusions Applying fixes Monitoring users and applications Updating systems Scanning log and alert files Auditing system configurations

17 © 2004 Carnegie Mellon UniversityIW-Strategy: 17 Factors that block Recognition Administrator shortage Administrator overload Administrator ignorance System structure Network architecture Application structure Organizational goals

18 © 2004 Carnegie Mellon UniversityIW-Strategy: 18 Offensive Strategy Positioning -- high and low Visibility -- sun and shadow Nourishment -- life Occupation -- substance Risk Avoidance -- illness

19 © 2004 Carnegie Mellon UniversityIW-Strategy: 19 Inspirational Quote Now the Army likes heights and abhors low areas, esteems the sunny (yang) and disdains the shady (yin). It nourishes life and occupies the substantial. An army that avoids the hundred illnesses is said to be certain of victory. Sun Tzu

20 © 2004 Carnegie Mellon UniversityIW-Strategy: 20 Positioning What is a network high point? What is a network low point? What does positioning mean in a network world?

21 © 2004 Carnegie Mellon UniversityIW-Strategy: 21 Authentication - Scamming Also known as social engineering Exploit trust relationships between people Exploit service climate Exploit business methods If at first you don’t succeed, try a supervisor!

22 © 2004 Carnegie Mellon UniversityIW-Strategy: 22 When a packet sniffer is present, a copy of all packets that pass by it on the network are covertly captured. Packet Sniffer Executing Router Packet Sniffing

23 © 2004 Carnegie Mellon UniversityIW-Strategy: 23 Visibility What is sun (yang) in a network world? What is shade (yin) in a network world? How do we exploit sun and shade? Why is visibility significant in a network world?

24 © 2004 Carnegie Mellon UniversityIW-Strategy: 24 Malicious Code Viruses Trojan Horses Worms Always verify the integrity and authenticity of downloaded content Always scan content for malicious code before opening

25 © 2004 Carnegie Mellon UniversityIW-Strategy: 25 Love Letter Virus VIP@XXX.GOV Check out this joke... Trusted Colleague IRC Exchange VBS JPG MP3 others Replace Corrupt data/script files Steal Passwords Clog email

26 © 2004 Carnegie Mellon UniversityIW-Strategy: 26 Internet Auditing Project Unauthorized project systematically mapping Internet systems for selected vulnerabilities 36 million hosts (85% of active addresses) surveyed over 3-week period (1-21 Dec 98) 5 scanning hosts using newly created (free) Bulk Auditing Security Scanner (BASS) Scanning hosts in 5 different nations 18 different vulnerabilities tested (from CERT advisories) 450,000 vulnerable hosts found Source: Securityfocus.com paper dated Aug 11, 1999

27 © 2004 Carnegie Mellon UniversityIW-Strategy: 27 Nourishment Life: Survival, Defense, Basis for attack What is survival in a network world? What is defense in a network world? How do we turn survival and defense into a basis for attack

28 © 2004 Carnegie Mellon UniversityIW-Strategy: 28 Tactics of Network Attack Reconnaissance Exploit Communication Command Effect Reserve

29 © 2004 Carnegie Mellon UniversityIW-Strategy: 29 Strategies of Network Attack Timing: immediate, follow-on, phased Targeting: real, ostensible, coincidental Form of preparation: presupposition, creation

30 © 2004 Carnegie Mellon UniversityIW-Strategy: 30 Examples of Attack Strategies Stepped attack Isolated attack Isolated follow-up Masked Attack Diversion Massed Attack

31 © 2004 Carnegie Mellon UniversityIW-Strategy: 31 Rapid Detection and Response Technology works for you Rapid Response Minimized Impact Rapid Detection Bounded Scope Mitigation Reduced Frequency

32 © 2004 Carnegie Mellon UniversityIW-Strategy: 32 Survival Tasks Rapid detection –detecting unauthorized access to data and systems –detecting unauthorized changes to data and systems –recognizing suspicious overuse of resources Rapid response –analyzing the incident –disseminating information –containing the damage –recovering from the incident

33 © 2004 Carnegie Mellon UniversityIW-Strategy: 33 Occupation Substance: Cross product of strategy, terrain Which are the network nodes that key to victory? Which are the network nodes that key to survival? What does it mean to occupy networks?

34 © 2004 Carnegie Mellon UniversityIW-Strategy: 34 Moonlight Maze Sophisticated widespread attack on US military systems Goal seems to be intelligence gathering Compromised accounts Corrupted system programs Redirected information (not print, send overseas) ALL DoD publicly-connected accounts ordered to have new passwords as of August 16, 1999 Source: Sunday Times of London, July 25, 1999

35 © 2004 Carnegie Mellon UniversityIW-Strategy: 35 Avoidance Illnesses: Outside factors that lessen attack How do we accommodate to other network attacks? How do we deal with real-world events? What contingencies must we plan for?

36 © 2004 Carnegie Mellon UniversityIW-Strategy: 36 Layered Defenses Frustrate Deceive Recognize Respond Goal 1 Goal 2 Goal 3 Goal 4 Goal 5 Source: Shawn Butler, Security Attribute Evaluation Method Goal 6 Goal 7 Goal 8

37 © 2004 Carnegie Mellon UniversityIW-Strategy: 37 Preparation: Exercises Designed to evaluate level of preparedness Run at intervals Red team -- attackers Blue team -- defenders White team -- exercise administrators For realism, needs to involve significant part of organization

38 © 2004 Carnegie Mellon UniversityIW-Strategy: 38 Desirable Exercises Blue team has goal other than defense Red team has scenario limiting its exercise knowledge White team enforces rules of engagement Red team is visible and vulnerable to blue team Blue team is visible and vulnerable to red team White team is not visible nor vulnerable in context

39 © 2004 Carnegie Mellon UniversityIW-Strategy: 39 Factors that Frustrate Exercises Exercise has goal other than assurance preparedness White team puts artificial limits on red team Red team has no scenario, nor knowledge limits Red team not representative of attackers Red team part of white team, not vulnerable Red team results are vulnerabilities of blue team, not operational impact of vulnerabilities

Download ppt "© 2004 Carnegie Mellon UniversityIW-Strategy: 1 Strategy."

Similar presentations

IS 376 NOVEMBER 5, 2013 2013 DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.

IS 376 NOVEMBER 5, DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.
Incident Response Managing Security at Microsoft Published: April 2004.

Incident Response Managing Security at Microsoft Published: April 2004.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
In regards to Henry V by Shakespeare.  English troops marching toward Calais on the northern coast  French troops stop them in a field between the woods.

In regards to Henry V by Shakespeare.  English troops marching toward Calais on the northern coast  French troops stop them in a field between the woods.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
Information Warfare - 11 Introduction and Preparing for Attacks.

Information Warfare - 11 Introduction and Preparing for Attacks.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Information Warfare - 11 Introduction and Preparing for Attacks.

Information Warfare - 11 Introduction and Preparing for Attacks.
Handling Security Incidents

Handling Security Incidents
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
© 2006 Carnegie Mellon University Strategy Michael Collins Or how everything I know about information security was done by the 4th century CE.

© 2006 Carnegie Mellon University Strategy Michael Collins Or how everything I know about information security was done by the 4th century CE.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Network security policy: best practices

Network security policy: best practices
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google