1 / 17

The Essence of

The Essence of. Active Response. Sergio Caltagirone April 14, 2005. To Build A Castle…. Where We’re At…. Where We Want To Be…. Some Attempts…. Clifford Stoll vs. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM , vol 31, 1998, pp. 484-497.

armine
Download Presentation

The Essence of

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Essence of Active Response Sergio Caltagirone April 14, 2005 Sergio Caltagirone

  2. To Build A Castle… Sergio Caltagirone

  3. Sergio Caltagirone

  4. Sergio Caltagirone

  5. Where We’re At… Sergio Caltagirone

  6. Where We Want To Be… Sergio Caltagirone

  7. Some Attempts… • Clifford Stoll vs. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497. • DoD vs. Electronic Disturbance Theater (1998) http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/ • Conxion vs. E-Hippies (2000) http://www.nwfusion.com/research/2000/0529feat2.html • FBI vs. Russian Hackers (2001) a.k.a. ‘Invita’ Case http://www.wired.com/news/politics/0,1283,47650,00.html Sergio Caltagirone

  8. Why Do We Want To Do That? • Response is not a choice… • Insufficient Protection on Imperfect Systems • A Policy Is Necessary (even if not utilized) • Vulnerable Systems • Air Traffic Control • SCADA Systems • Nuclear Power Safety • Economic and Socially Critical Systems Sergio Caltagirone

  9. Problem Statement Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response? Sergio Caltagirone

  10. Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. • Time bound • Automatically or not • Purposeful • Subjective timeline • Mitigation NOT Elimination Sergio Caltagirone

  11. Some Actions At Our Disposal • Notify authorities • Disconnect – Strategic Separation • Control the borders • Get ISP to do dirty work • Use ping/finger/traceroute/honeypots • Hack-back / Passive Strike-back • First strike Sergio Caltagirone

  12. A Potential Taxonomy • Internal Notification: Using the organizational structure to notify the appropriate persons of an active defense situation • Internal Response: Applying active defense actions within an organization's boundaries • External Cooperative Response: Employing the assistance of other entities outside of an organization to mitigate a threat • Non-cooperative Intelligence Gathering: Using external services (finger, nmap, netstat) to gather intelligence on the attacker • Non-cooperative ‘Cease and Desist’: Shutting down harmful services that do not affect usability on a network or host. • Counter-strike: An offensive action designed to deny an attacker the ability to continue an attack. • Preemptive Defense: With knowledge of a forthcoming attack, execute active response actions to preempt (and disable) the upcoming attack Sergio Caltagirone

  13. Evaluating a Response • Legal • Civil, Criminal, Domestic, International • Ethical • Teleological, Deontological • Technical • Traceback, Reliable IDS, Confidence Value, Real Time • Risk Analysis • Measure ethical, legal risk effectively? • Unintended Consequences • Attacker Action, Collateral Damage, Own Resources Sergio Caltagirone

  14. Process Model Sergio Caltagirone

  15. Formal Decision Model Escalation Ladder AR Policy Asset Evaluation Action Evaluation Score(Action) − Score(Threat) − Success(Action) Asset Identification Goal Identification Risk Identification { } Threat Identification Action Identification Utility Modifier Risk Identification Action Classification Success Ordering Contingency Plan Sergio Caltagirone

  16. Conclusions • Need for Response – Why we need it • Definition – What it is • Taxonomy – What it is comprised of • Issues – What is wrong with it • Process Model – What we do • Decision Model – How we decide Sergio Caltagirone

  17. Resources – Questions ? • http://www.activeresponse.org - serg@activeresponse.org • Sergio Caltagirone and Deborah Frincke, “The Response Continuum,” to appear in the 6th IEEE Information Assurance Workshop, West Point, NY. June 15-17, 2005. • Sergio Caltagirone, "Criminal Law Perspectives of Contemporary Issues in Computer Security," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-28, 2005. • Sergio Caltagirone, "Evolving Active Defense Strategies," University of Idaho, Moscow, ID, Technical Report CSDS-DF-TR-05-27, 2005 • Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005. • Sergio Caltagirone and Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311. Sergio Caltagirone

More Related