
Legal Informatics, Privacy and Cyber Crime

Sandro Etalle. Part Four: IoT and Detection. 2018-2019.





Presentation Transcript


  1. Legal Informatics, Privacy and Cyber Crime. Sandro Etalle. Part Four: IoT and Detection. 2018-2019

  2. Background material: slides

  3. 2014: bombs are ticking

  4. 2016: bombs are exploding. After revealing the identity of two guys behind a DDoS service, the site Krebs on Security was subject to the most massive DDoS attack ever witnessed up to that moment. Clocked at a staggering 620 gigabit per second, it was carried out by botnets consisting mainly of IoT devices, mostly security cameras and DVRs used in home or office settings

  5. Just a week later, an even more massive DDoS attack caused hours of unreachability for many popular websites including Twitter, Amazon, Reddit, Netflix. The reason: IoT devices

  6. Mirai brute-forces these devices’ telnet service. Standard (and probably easy to guess) passwords are the key to accessing them.

  7. But it is not only about DoS… “Besides using the unencrypted channel, SimpliSafe also installs a one-time programmable chip in its wireless home alarm, leaving no option for an over-the-air update. Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol,” … But, “this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable.”

  8. Liabilities

  9. Somewhere you do not want to be….

  10. One reason why things will get worse: the unstoppable (and – let’s be frank – right) move to IP-based IoT

  11. How can we stop/detect Cyber-Threats?
      • Type one: advanced attack (here are the phases)
        • Phishing? Watering hole?
          • Difficult to block/detect
        • Communication with the C&C?
          • Detectable only if the workstation in question does not usually connect to the internet
        • Detection of anomalies in internal network behavior? Should be detectable
          • Ukraine: upload of malicious firmware to the serial-to-ethernet devices
          • Havex: detection of OPC scan
          • Stuxnet: propagation in backoffice and reprogramming of PLC
      • Type two: careless and disgruntled employees. Vendors and outsourcers.
        • For these threats there is no common pattern, and it is impossible to block all “unwanted” activities without
      • Is it possible to block these activities without putting business continuity at risk? NO. Prevention is not viable; detection/monitoring is

  12. The dream
      • Have “something” that blocks attacks or at least detects when we are being attacked
        • virus scanner
        • intrusion detection systems
        • firewalls
        • ….
      • They exist, but they are imperfect:
        • False Negatives (the opposite of the “detection rate”)
        • False Positive rate

  13. How can you detect an attack?
      • REJECTION-BASED (negative model, sometimes called “blacklisting”)
        • You are able to recognize an attack when you see one
        • e.g. anti-viruses, blacklisting, signature-based systems, etc…
      • ACCEPTANCE-BASED (positive model)
        • You are able to recognize what the normal behavior of the system is.
        • What is not normal is an attack, or in any case it is worth looking at
        • e.g. firewalls, whitelisting systems, …
      • There is no third way, though combinations are possible

  14. 3 shades of acceptance-based systems [diagram: circles for “malicious”, “good” and “well-known” traffic, with three approaches ordered from very specific to generic: very specific whitelisting (deep protocol), generic whitelisting (e.g. WA firewalls), anomaly detection. Note: the size of the circles is arbitrary; these are just examples]

  15. 3 shades of Rejection-Based systems [diagram: circles for “malicious”, “good” and “well-known” traffic, with three approaches ordered from very specific to generic: very specific signatures; less specific rules, emulation; generic experimental stuff. Note: the size of the circles is arbitrary; these are just examples]

  16. Rejection-based systems

  17. Different facets of Blacklisting
      • Blacklisting means you recognize an attack.
      • You can do it in two ways:
        • the hard way: signatures: when you know part of the payload of a known attack. Used for instance in virus scanners
        • the softer way: systems based on heuristics
          • e.g. when you see a NOP sled in the code
          • when you detect the string “UNION” in a web application form
      • Notice that signatures give almost no False Positives, while heuristics may have some FPs
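Added example (not code from the slides) contrasting the two ways of blacklisting just described: a verbatim signature for one known payload versus the slide’s “UNION” heuristic, both run over a handful of constructed form-field values to count false positives and false negatives. The sample values, the signature string and the heuristic regex are all assumptions made for the example:

```python
import re

# Constructed form-field values (not from the slides); labels starting with
# "attack" are the ground truth used to count false positives/negatives.
SAMPLES = {
    "benign_search": "annual report of the credit union",
    "benign_agenda": "union members meeting on Friday",
    "attack_known": "' UNION SELECT username, password FROM users--",
    "attack_variant": "' union  select username,password from users--",
}

# The "hard way": a signature is a verbatim fragment of one known payload.
SIGNATURES = ["UNION SELECT username, password FROM users"]

# The "softer way": a heuristic flags the token UNION wherever it appears,
# regardless of case (the slide's own example).
UNION_HEURISTIC = re.compile(r"\bunion\b", re.IGNORECASE)


def signature_match(value: str) -> bool:
    """True when any known attack fragment occurs verbatim in the value."""
    return any(sig in value for sig in SIGNATURES)


def heuristic_match(value: str) -> bool:
    """True when the value contains the suspicious token."""
    return UNION_HEURISTIC.search(value) is not None


def evaluate(samples: dict) -> dict:
    """Count false positives (FP) and false negatives (FN) per detector."""
    detectors = {"signature": signature_match, "heuristic": heuristic_match}
    stats = {name: {"fp": 0, "fn": 0} for name in detectors}
    for label, value in samples.items():
        is_attack = label.startswith("attack")
        for name, detect in detectors.items():
            hit = detect(value)
            if hit and not is_attack:
                stats[name]["fp"] += 1   # benign input flagged
            elif is_attack and not hit:
                stats[name]["fn"] += 1   # attack missed
    return stats


if __name__ == "__main__":
    for detector, counts in evaluate(SAMPLES).items():
        print(f"{detector:9s} FP={counts['fp']} FN={counts['fn']}")
```

The signature misses the variant that differs only in case and spacing (a false negative), while the heuristic catches both attacks but also flags the two benign values (false positives), which is exactly the trade-off the slide states.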

  18. Blacklisting & Signatures: Pro & Cons
      • CONS: we have a false negatives problem.
        • You have to know the attack!
        • No signatures possible for 0-day vulnerabilities
        • For non-mainstream systems (e.g. SCADA) it is impossible to have a good set of signatures (that is, a set of signatures that gives you good coverage)
        • It takes a long time to devise and deploy a signature (weeks or months)
        • Signatures are relatively easy to evade (think of polymorphic viruses)
        • Heuristics are relatively easy to evade too.
      • PRO
        • very low false positives
          • so you can use them as blocking systems – Intrusion Prevention. VERY IMPORTANT
        • when they detect something, they tell you what it is!
        • you don’t have to reconfigure them when you reconfigure the system

  19. About the effectiveness of blacklisting [screenshot from Thehackernews.com]

  20. Management of blacklisting: requires a whole process
      • Detection, e.g. via honeypot
      • Examination of the malware
      • Creation of signature
      • Check for false positives/negatives
      • Distribution

  21. The Alternatives to Blacklisting
      • There are two main ways of recognizing “good behavior”
        • Whitelisting
          • Firewalls
          • …
        • Anomaly Detection
          • can be based on “flows” (quantitative analysis)
          • or on analysis of the “payload” (qualitative analysis, e.g. with neural networks)
      • The main differences
        • configuration:
          • whitelisting: manual (usually)
          • anomaly detection: automatic
        • detection:
          • whitelisting: yes/no (boolean)
          • anomaly detection: usually based on setting a threshold

  22. Different Facets of Whitelisting
      • Whitelisting can take very different shapes
      • In particular, whitelisting can happen at different accuracy levels
        • Firewalls (look at IP/MAC/Ports)
        • Web-application Firewalls (look at
        • in ICS systems you have gateways that whitelist down to the specific elements of L7 (application); for instance you can whitelist specific function codes (and block everything else). See e.g.
          • http://www.secmatters.com (our spin-off, now www.forescout.com)
          • http://www.tofinosecurity.com/
      • More accuracy means that
        • you’ll be able to detect/block more attacks
        • you’ll spend more time configuring the system
        • or re-configuring it when needed.

  23. Examples of different levels of accuracy, from network to application level:

      Aspect        Question
      Data          Known patterns?
      Protocol I    Specs compliant?
      Protocol II   Many malicious tokens?
      Parameter     Parameter seen before?
      Value         Value type correct?
      Range         Value within range?

  24. Maintaining Whitelisting Systems
      • Systems change… whitelisting systems have to change with them
      • People tend to forget what the configuration was
      • So it is easier to add new whitelists to the old ones
      • It is a true pain in the neck

  25. Whitelisting: pro & con’s
      • PRO
        • you don’t have to know the attack to block it
        • low false positives if correctly configured – can be used for blocking purposes
      • CON’s
        • relatively easy to circumvent unless they are very accurate (but in this case they may cause more false positives…)
        • expensive to set up and maintain: the higher the accuracy, the higher the cost
        • when you reconfigure the system (or add a service), you need to reconfigure the whitelisting system (expensive)
        • they give you very little information about the attack, if they detect one
          • the only thing they can say is
            • “something is trying to connect to this port”
            • application XYZ is trying to connect to the internet
            • …

  26. Anomaly Detection
      • Typically, it is a bit like whitelisting, but with a lot of false positives
        • they tell you something is going wrong, which is better than nothing.
      • There are two flavors of it:
        • quantitative (flow based) anomaly detection
          • it tells you when e.g. there are too many communications
        • qualitative (payload based)
          • it tells you when a single

  27. Quantitative Anomaly Detection
      • Idea: when there are too many “things happening”, there is something fishy going on.
        • e.g. malware
      • Does not tell you what is going on, but it is a start
      • Important for situational awareness
      • Expect false positives.

  28. Qualitative anomaly detection
      • Purpose: detect when a single information unit (e.g. packet) is anomalous
      • Typical techniques: self-organizing maps, n-gram analysis, neural networks (we’ll talk about a different technique afterwards)
      • General techniques don’t work for security: too many false positives. See also http://eprints.eemcs.utwente.nl/22269/
        • they don’t tell you why something is anomalous.
      • image from: http://www.bu.edu/iss/research-projects/anomaly-detection/
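Added example, not code from the slides: the n-gram analysis mentioned above, implemented as a profile of the byte 3-grams seen in a constructed set of normal payloads, scoring each new payload by the share of n-grams never seen in training. The toy request format, the training set and the 0.3 threshold are assumptions; the example also exhibits the two drawbacks the slide names, a false positive on a rare but legitimate message and an “explanation” that is no more than the list of unseen n-grams:

```python
from collections import Counter

# Constructed "normal" payloads of a toy request protocol; a real detector
# would be trained on raw bytes captured from the monitored network.
NORMAL_PAYLOADS = [
    b"READ REG 100", b"READ REG 101", b"READ REG 102", b"READ REG 110",
    b"WRITE REG 100 VAL 5", b"WRITE REG 101 VAL 7",
]


def ngrams(data: bytes, n: int) -> list:
    """All overlapping byte n-grams of the payload."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class NgramModel:
    """Profile of normal traffic: the n-grams observed while training."""

    def __init__(self, n: int = 3):
        self.n = n
        self.seen = Counter()

    def train(self, payloads) -> None:
        for payload in payloads:
            self.seen.update(ngrams(payload, self.n))

    def score(self, payload: bytes) -> float:
        """Fraction of the payload's n-grams never seen in training (0.0 = normal)."""
        grams = ngrams(payload, self.n)
        if not grams:
            return 1.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)

    def unseen_ngrams(self, payload: bytes) -> list:
        """The only 'why' this technique can give: which n-grams were new."""
        return [g for g in ngrams(payload, self.n) if g not in self.seen]

    def is_anomalous(self, payload: bytes, threshold: float = 0.3) -> bool:
        return self.score(payload) > threshold


def build_model() -> NgramModel:
    model = NgramModel(n=3)
    model.train(NORMAL_PAYLOADS)
    return model


if __name__ == "__main__":
    m = build_model()
    for p in (b"READ REG 105", b"UPLOAD FIRMWARE BLOB", b"READ COIL 3"):
        print(p, round(m.score(p), 2), m.is_anomalous(p), m.unseen_ngrams(p))
```

The legitimate `READ COIL 3` scores 0.67 and is flagged just like the firmware upload, because the model knows nothing about the protocol, only about byte sequences it has seen before.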

  29. Anomaly Detection: pro & con’s
      • PRO
        • little/no setup costs
        • may allow you to see a 0-day attack
        • quantitative: gives some situational awareness, interesting information
        • qualitative: when it works it is ideal. Too bad it doesn’t (usually).
      • CON’s
        • its applicability depends heavily on the particular instance of the target system
        • buckets of false positives
        • they give you even less information than whitelisting does about the attack, if they detect one

  30. One thing about acceptance-based
      • Environment matters!
      • If a system normally has an “unpredictable” behavior,
        • anomaly detection won’t work
        • whitelisting will be a pain in the neck
      • What is effective on system A may not be effective on system B, even if they are “similar” (e.g. they are two banks)
      • But there is good hope for SCADA systems, for instance.

  31. Where can you detect things?
      • On the host:
        • sequences of system calls, pieces of code (blacklisted), processes (whitelisted), use of resources by processes (whitelisted), …
      • Looking at the network
        • Incoming traffic to the boundary (e.g. to the web application)
          • important, but it can be bypassed
        • Outgoing traffic
          • to catch the connection with C&C systems (if you know where they are: blacklisting)
          • blacklisting does not work well (communication is encrypted)
          • whitelisting doesn’t work either (the outgoing traffic of our systems is “too messy” by default).
        • Traffic in-between.

  32. Questions?

  33. About this part of the course. Topic: principles of defense techniques. Underlying material: this part is covered by the slides; there is no book/article to study

  34. How can we stop/detect Cyber-Threats?
      • Type one: advanced attack (here are the phases)
        • Phishing? Watering hole?
          • Difficult to block/detect
        • Communication with the C&C?
          • Detectable only if the workstation in question does not usually connect to the internet
        • Detection of anomalies in internal network behavior? Should be detectable
          • Ukraine: upload of malicious firmware to the serial-to-ethernet devices
          • Havex: detection of OPC scan
          • Stuxnet: propagation in backoffice and reprogramming of PLC
      • Type two: careless and disgruntled employees. Vendors and outsourcers.
        • For these threats there is no common pattern, and it is impossible to block all “unwanted” activities without
      • Is it possible to block these activities without putting business continuity at risk? NO.
      • Prevention is not viable; detection/monitoring is

  35. MONITORING and detection mechanisms

  36. Monitoring approaches
      • Look for the “bad” (a.k.a. blacklisting)
        • Block undesired behavior, allow all the rest
        • Threat detection based on previous knowledge and content matching
        • Detection technologies: signature-based IDS/IPS, anti-virus, sandboxing
      • Accept the “good” (a.k.a. whitelisting)
        • Allow desired behaviour, block the rest (or alert)
        • A threat is anything that your network and devices are not supposed to do
        • Detection technologies: flow-, rule-, anomaly-based, application whitelisting
      www.secmatters.com

  37. 3 shades of acceptance-based systems [diagram: circles for “malicious”, “good” and “well-known” traffic, with three approaches ordered from very specific to generic: very specific whitelisting (deep protocol), generic whitelisting (e.g. WA firewalls), anomaly detection. Note: the size of the circles is arbitrary; these are just examples]

  38. 3 shades of Rejection-Based systems [diagram: circles for “malicious”, “good” and “well-known” traffic, with three approaches ordered from very specific to generic: very specific signatures; less specific rules, emulation; generic experimental stuff. Note: the size of the circles is arbitrary; these are just examples]

  39. Signature-based IDS/IPS and anti-virus
      • Host- (anti-virus) or network-based (most IDS/IPS) blacklisting
      • Several renowned open-source projects
        • Snort
        • Suricata
      • Simple idea, easy to use: use a database of well-known attacks and bad inputs
      • Highly effective against mainstream attacks
      • Require signatures and frequent updates
      • Cannot cope with unknown and emerging threats
      • There are not many known ICS threats

  40. Sandboxing technologies
      • Network-based
      • Simulate real environments to monitor file and process behavior (e.g. e-mail attachments)
        • Does the process write/set “weird” memory areas?
        • Does the file make “unusual” system calls?
      • Open-source projects
        • Cuckoo Sandbox + Suricata
      • Can detect both known and unknown threats
      • Effective also against “dormant” malware
      • Effective only for Windows files and attachments, not for ICS

  41. Flow-based systems
      • Extract network flow meta-information
      • Quantitative analysis
        • # connections per minute
        • # bytes
        • # IPs
      • Fast analysis, can handle Gbps of data simultaneously
      • Can detect known and unknown threats
      • Can only detect threats that have quantitative effects (e.g. DoS / bandwidth peaks, horizontal / vertical scans, brute-force attacks)
      • Do not look at content (protocol messages) and context
      • Missing: actionability, accuracy
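Added example (not code from the slides or from secmatters) of the quantitative analysis this slide and slide 27 describe: per-minute counting over a constructed set of flow records that detects a horizontal scan, a vertical scan and a repeated-connection telnet brute force of the kind Mirai uses (slide 6). Record layout, addresses and thresholds are assumptions:

```python
from collections import Counter, defaultdict

# Constructed flow records (minute, src, dst, dst_port): normal workstation
# traffic followed by three quantitative patterns from the slide. Not real data.
FLOWS = (
    [(0, "10.0.0.5", "10.0.1.10", 443), (0, "10.0.0.5", "10.0.1.11", 445)] * 3
    # horizontal scan: one source probes telnet (23) on twenty devices
    + [(1, "10.0.0.77", f"10.0.2.{i}", 23) for i in range(1, 21)]
    # vertical scan: one source probes twenty ports on one server
    + [(2, "10.0.0.78", "10.0.1.10", p) for p in range(20, 40)]
    # brute force: thirty connections to one device's telnet port
    + [(3, "10.0.0.79", "10.0.2.9", 23)] * 30
)


def analyse(flows, scan_min: int = 10, brute_min: int = 20) -> list:
    """Count flows per (minute, source); return (minute, src, kind, detail) alerts.
    The thresholds are assumptions; in practice they are tuned per network."""
    per_window = defaultdict(list)
    for minute, src, dst, port in flows:
        per_window[(minute, src)].append((dst, port))

    alerts = []
    for (minute, src), pairs in sorted(per_window.items()):
        hosts_per_port = defaultdict(set)   # port -> distinct destinations
        ports_per_host = defaultdict(set)   # dst  -> distinct ports
        for dst, port in pairs:
            hosts_per_port[port].add(dst)
            ports_per_host[dst].add(port)
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= scan_min:
                alerts.append((minute, src, "horizontal_scan",
                               f"port {port} on {len(hosts)} hosts"))
        for dst, ports in ports_per_host.items():
            if len(ports) >= scan_min:
                alerts.append((minute, src, "vertical_scan",
                               f"{len(ports)} ports on {dst}"))
        for (dst, port), count in Counter(pairs).items():
            if count >= brute_min:
                alerts.append((minute, src, "brute_force",
                               f"{count} connections to {dst}:{port}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(FLOWS):
        print(alert)
```

Note what the alerts do not contain: nothing about payload or protocol, which is the “missing actionability” of the slide.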

  42. Rule-based detection (manual whitelisting)
      • Mostly network-based (e.g. Firewalls)
      • Rules specify allowed (or disallowed) behavior
        • “Read operations are allowed”
        • “Write operations are disallowed from Windows workstations”
      • Typically allow for more context information
      • Can detect both known and unknown threats
      • Require (lots of) manual work
      • Manual configuration = error-prone
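Added example, not code from the slides or from either product named on slide 22: a whitelist check that applies the accuracy levels of slide 23 in order (protocol, rule, parameter, range) to constructed Modbus-style requests, including the two rules quoted on this slide. The host inventory, the baseline registers and the value ranges are assumptions; the read/write function-code sets follow the Modbus specification:

```python
# Constructed inventory and baseline (not from the slides). Modbus function
# codes 1-4 are reads, 5/6/15/16 are writes; anything else is unknown here.
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}
HOST_ROLES = {"10.0.0.5": "windows_workstation", "10.0.0.20": "hmi"}
BASELINE_REGISTERS = {100, 101, 102}                       # parameters seen before
VALUE_RANGE = {100: (0, 10), 101: (0, 100), 102: (0, 1)}   # learned value ranges


def check(src: str, fc: int, register: int, value=None) -> str:
    """Return "allow" or "<level>: <reason>" for the first level that rejects.
    Levels in increasing accuracy (and configuration cost): protocol (is the
    function code defined?), rule (writes disallowed from Windows workstations),
    parameter (register seen before?), range (write value within learned range?)."""
    if fc not in READ_FCS | WRITE_FCS:
        return "protocol: unknown function code"
    if fc in WRITE_FCS and HOST_ROLES.get(src) == "windows_workstation":
        return "rule: write operation from Windows workstation"
    if register not in BASELINE_REGISTERS:
        return "parameter: register never seen before"
    if fc in WRITE_FCS:
        low, high = VALUE_RANGE[register]
        if value is None or not low <= value <= high:
            return "range: value outside learned range"
    return "allow"


def filter_requests(requests: list) -> tuple:
    """Split (src, fc, register, value) requests into allowed and blocked lists."""
    allowed, blocked = [], []
    for req in requests:
        verdict = check(*req)
        (allowed if verdict == "allow" else blocked).append((req, verdict))
    return allowed, blocked


if __name__ == "__main__":
    sample = [
        ("10.0.0.20", 3, 100, None),   # HMI reads a known register: allowed
        ("10.0.0.5", 16, 100, 5),      # workstation write: blocked by rule
        ("10.0.0.20", 6, 100, 50),     # HMI write out of learned range
        ("10.0.0.20", 6, 999, 1),      # register never seen in baseline
        ("10.0.0.20", 99, 100, None),  # function code unknown to the whitelist
    ]
    for req, verdict in filter_requests(sample)[1]:
        print(req, "->", verdict)
```

Each added level blocks more but also costs more: the parameter and range levels must be re-learned whenever the process changes, which is the maintenance burden of slide 24.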

  43. Anomaly-based detection
      • Detect uncommon / abnormal / anomalous activity
      • Different ways of detecting an “anomaly”
        • Machine-learning techniques
        • Content-based (payload) analysis
        • Specifications of good behavior
      • Configuration (semi-)automatic: reduces configuration effort
      • Can detect both known and unknown threats
      • Might be difficult to fine-tune
      • Might lead to (many) false alarms
      • Works only on specific systems

  44. Different environment, different technology
      • ICS have limited power and resources
        • Host-based solutions (anti-virus) and agents are not an option
        • Network monitoring is the way to go
      • Anomaly detection is not the best choice for a very dynamic environment
        • …but it could work in a more predictable environment such as ICS networks
      • There are not many known threats for ICS networks
        • Blacklisting is less effective
        • Whitelisting approaches fit better
      • (and security is only part of the problem)

  45. Coming back to ICS [diagram with two zones: in one, “anomaly detection” is impossible; in the other, the ICS side, “anomaly detection” and “whitelisting” are possible (still not easy)]. There is no “silver bullet”: several approaches are required at the same time (defense in depth)

  46. In practice, systems often look like… [diagram]

  47. Define threat model and security strategy
      • Many organizations do not perform a risk assessment before choosing the right technology(ies)
        • What are the most valuable assets?
        • What are the biggest threats?
