
1 Engaging the Adversary as a Viable Response to Network Intrusion
Sylvain P. Leblanc & G. Scott Knight, Royal Military College of Canada
PST 05 Workshop, October 12, 2005

2 In a nutshell …
October 12, 2005, PST 05 - St-Andrew's NB, Leblanc & Knight
"We're going to hold onto him by the nose, and we're going to kick him in the ass." General George S. Patton, England, May 31, 1944
We must remain in contact with those who threaten our cyber infrastructure if we hope to successfully defend it.

3 Outline
1. Introduction
2. Information Operations
3. IO Counter-measures Tools
   Honeypots
4. Conclusion

4 1 - Introduction
The defence paradigm has been to Protect, Detect and React.
It is important to gain information about those who threaten the infrastructure. It is not sufficient to React by cutting off access.

5 2 - Information Operations (IO)
(Diagram of combat functions: Manoeuvre, Firepower, Command, Protection, Sustainment, Information Operations)
Information Operations are a key combat function.
IO are defined as actions taken in support of political and military objectives which influence decision makers by affecting others' information while exploiting, or fully utilizing, one's own information.

6 Defensive IO
1. Protection
2. Defensive Counter-Information Operations (IO Counter-measures)
3. Offensive Counter-Information Operations
(Diagram examples: Jamming the Radar, Radar Absorbent Paint, Chaff)

7 Computer Network Operations (CNO)
CNO represent all aspects of computer-related operations, but they have three specific components:
– Defence (CND)
– Attack (CNA)
– Exploitation (CNE)

8 Operational Objectives
1. Holding Contact with the Adversary
2. Understanding the Adversary
   a) Who is attacking?
   b) What are they capable of?
   c) What are their current mission and objectives?
   d) What is the context of the current attack?
3. Preparing the Adversary

9 Network-based IO Counter-measures: Principles of Operations
1. Operational Objectives for Active Response
2. Combined Operations
3. Repeatable Operations
   a) Standing procedures
   b) Dedicated resources
   c) Computer Network Operations Order-of-Battle
4. Risk Management

10 Risk Management
Access risks
– Damage or alter information
– Exfiltrate more sensitive information than expected
– Push attack to other systems
– Mount IO counter-counter-measure
Denial implications
– Inability to identify
– Loss of knowledge on techniques and motivations
– Loss of ability to influence
– Encourage adversary to seek other ingress points

11 3 - IO Counter-measures Tools
Operational use with very high interaction.
The attacker must feel that he is in a real production environment:
– High fidelity environment
– New tools
Provide legitimate operational activity.
Capture attacker's activity.

12 Characteristics of IO Counter-measures Tools
Components and mechanisms undetectable from a user with root privileges.
Behaviours and communication patterns appear legitimate from the vantage point of other hosts on the network.
Able to simulate a normal human user at the interface level.
Provide means of observing and collecting attacker activity.
Make de-conflicting attack traffic straightforward.

13 Honeypots
Stem from the difficulty in discriminating attacker activity.
A honeypot's value lies in being probed, attacked and compromised.
Honeypots have no production value, making discrimination of attacker activity trivial.
Credited with many successes.
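Slides 12 and 13 make two operational points: a counter-measures tool should make de-conflicting attack traffic straightforward, and a honeypot has no production value, so any contact with it is worth attention. The script below is an added illustration of both, not the authors' tool or anything from the talk. It assumes a simple constructed flow-log format (timestamp plus src/dst/dport/proto fields), a hypothetical list of honeypot addresses and a hypothetical allowlist of authorised sources (own vulnerability scanners, for instance) whose traffic is expected; all addresses are RFC 5737 documentation ranges and all log lines are constructed.

```python
"""Triage connection logs against a honeypot address list.

Added illustration, not the authors' tool: traffic that reaches a
honeypot deserves a closer look because the honeypot has no production
role, and an allowlist of authorised sources keeps the team's own
activity from being mistaken for an adversary. Every address, network
and log line below is a constructed example.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed flow-log format: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Hypothetical honeypot addresses (RFC 5737 documentation range).
HONEYPOTS = {"198.51.100.7", "198.51.100.8"}
# Hypothetical sources whose honeypot contact is expected (own scanners).
AUTHORISED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_event(line: str) -> Event | None:
    """Parse one flow-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"])


def classify(ev: Event, honeypots=HONEYPOTS, authorised=AUTHORISED_SOURCES) -> str:
    """Label an event.

    'production'   : destination is not a honeypot; nothing to say here.
    'deconflicted' : honeypot contact from an authorised source.
    'alert'        : honeypot contact from anyone else; follow up.
    """
    if ev.dst not in honeypots:
        return "production"
    src = ipaddress.ip_address(ev.src)
    if any(src in net for net in authorised):
        return "deconflicted"
    return "alert"


def triage(lines, honeypots=HONEYPOTS, authorised=AUTHORISED_SOURCES):
    """Classify every line; return (label counts, alert events keyed by source)."""
    counts: Counter = Counter()
    alerts: dict = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        label = classify(ev, honeypots, authorised)
        counts[label] += 1
        if label == "alert":
            alerts.setdefault(ev.src, []).append(ev)
    return counts, alerts


# Constructed sample log: one authorised scan, three genuine honeypot
# contacts from two sources, one production flow and one unparsable line.
SAMPLE_LOG = [
    "2005-10-12T09:00:01Z src=192.0.2.3 dst=198.51.100.7 dport=22 proto=tcp",
    "2005-10-12T09:00:05Z src=203.0.113.45 dst=198.51.100.7 dport=22 proto=tcp",
    "2005-10-12T09:00:06Z src=203.0.113.45 dst=198.51.100.7 dport=80 proto=tcp",
    "2005-10-12T09:00:09Z src=203.0.113.45 dst=198.51.100.20 dport=80 proto=tcp",
    "2005-10-12T09:00:12Z src=203.0.113.99 dst=198.51.100.8 dport=445 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    print(dict(counts))
    for src, events in alerts.items():
        print(f"{src}: {len(events)} honeypot contact(s), ports "
              f"{sorted(e.dport for e in events)}")
```

The allowlist is what makes de-confliction straightforward in practice: without it, the team's own scans and red-team activity land in the same alert queue as the adversary, and the honeypot's main advantage (every contact is suspicious) is lost.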

14 Honeypot Classifications
Spitzner suggests two main purposes:
– Production honeypots: support operations by helping secure the environment.
– Research honeypots: gain information on attackers' tools and techniques.

15 Honeypot Levels of Interaction
Spitzner proposes a taxonomy based on the level of interaction afforded to the attacker.

Level of Interaction | Work to Install, Configure, Deploy and Maintain | Information Gathering Potential | Level of Risk
Low                  | Easy                                            | Limited                         | Low
Medium               | Involved                                        | Variable                        | Medium
High                 | Difficult                                       | Extensive                       | High

16 IO Counter-measure example
IO Counter-measures tool installed as part of baseline.

17 IO Counter-measure example
Intrusion detected.

18 IO Counter-measures example
Machine is physically isolated.
IO Counter-measures tool is activated.
Attacker is monitored and prepared.

19 5 - Conclusion
Reactive-oriented defence policy is insufficient.
Defence must include an understanding of the adversary.
– First response should not always be to break contact
– IO Counter-measures to gain information
Principles of Operations for Network-based IO counter-measures
– Operational Objectives
Key Research Areas include tools to:
– Obfuscate attacker behaviour observation
– Simulate normal human user behaviour

20 ??? Questions ???

