TOTEM: Threat Observation, Tracking, and Evaluation Model
National Laboratories Information Technology Summit
Oak Ridge, TN
June 1, 2009
“A totem is any supposed entity that watches over or assists a group of people, such as a family, clan, or tribe.”
John J. Gerber
CISSP, GCFA, GCIH, GISP, GSNA
Mark A Floyd
Who Are You Guys?
Why Should Anyone Care?
How the ANL Federated IDS Data Sharing Model Can Help.
Blended to Create TOTEM.
TOTEM at ORNL.
“Totemism : system of belief in which humans are said to have kinship or a mystical relationship with a spirit-being, such as an animal or plant. The entity, or totem, is thought to interact with a given kin group or an individual and to serve as their emblem or symbol.”
The idea behind TOTEM is simple:
Pick up where the ANL model stops.
Compare threat information from sources such as the federated model and other watchlists (DShield, Emerging Threats, SenderBase, etc.).
As new threat information and activity sources are added, a better evaluation can be rendered.
Use components from the individual site for evaluating risk.
Information is gathered and visualization provided.
We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients.
– Bernard of Chartres
Setting an example is not the main means of influencing another, it is the only means.
– Albert Einstein
According to a May 6th Wall Street Journal article, the Pentagon confirmed that it detected 360 million attempts to penetrate its networks in 2008, which is up from six million in 2006.
The Department of Defense also disclosed that it had spent $100 million in the past six months repairing damage from these cyber attacks.
(05/09/2009) FAA's Web Security Audit: 3,857 Vulnerabilities. The security audit of the Web applications found 763 high risk, 504 medium risk, and 2,590 low risk vulnerabilities.
(04/09/2009)Electricity Grid in U.S. Penetrated By Spies reported in The Wall Street Journal. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks.
(04/21/2009) Computer Spies Breach Fighter-Jet Project, reported in The Wall Street Journal.
Cyber spies have stolen tens of terabytes of design data on the US's costliest weapons system -- the $300 billion Joint Strike Fighter project.
</grand_replace>
<gr_replace lines="32" cat="reformat" orig="(05/20/2009) NARA">
(05/20/2009) NARA suffers data breach, reported in Federal Computer Week - the missing drive contains 1T of data with "more than 100,000 Social Security numbers (including Al Gore's daughter), contact information (including addresses) for various Clinton administration officials, Secret Service and White House operating procedures, event logs, social gathering logs, political records and other highly sensitive information."
(05/2009) Inspector General report sent to the FAA - Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network.
(05/20/2009) NARA suffers data breach reported in Federal Computer Week - the missing drive contains 1T of data with "more than 100,000 Social Security numbers (including Al Gore’s daughter), contact information (including addresses) for various Clinton administration officials, Secret Service and White House operating procedures, event logs, social gathering logs, political records and other highly sensitive information.
"The worldwide wireless LAN (WLAN) intrusion prevention system (IPS) market is on pace to reach $168 million in 2008, a 41 percent increase from 2007 revenue of $119 million, according to Gartner, Inc." -- Gartner Press Release, 09/18/2008
“IDSs have failed to provide value relative to its costs and will be obsolete by 2005.”
-- Richard Stiennon, Gartner Analyst, 06/03
ANL Federated IDS Data Sharing Model
"Federated Defenses and Watching Each Others' Backs" by Scott Pinkerton, ANL. Tuesday, 11:00-11:45am.
A majority (56%) of violent felons had a prior conviction record. Thirty-eight percent had a prior felony conviction and 15% had a previous conviction for a violent felony.
Define, integrate, deploy and operate sensors to collect high quality, information rich network data
Data analysis targeted at cyber adversaries and their activities against DOE
Detect and deter hostile activities directed at the Department’s information assets
Generate summary and alert information about boundary-crossing Internet traffic at DOE sites
System developed by Martin Rehak.
NIST publication SP 800-30: Risk Management Guide for Information Technology Systems. In the text we read:
"Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system."
"Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
Steven Noel, Matthew Elder, Sushil Jajodia, Pramod Kalapa, Scott O'Hare, Kenneth Prole
Basic idea: analyze and visualize vulnerability dependencies and attack paths for understanding overall security posture.
Populate through automated network discovery, asset management, and vulnerability reporting technology.
Seeing the forest through the trees.
How does one effectively distinguish false positives from actual threats?
The answer may only be visible by looking at multiple sources with different levels of trust and doing a little aggregation and anomaly detection. Our goal is to create attack road maps with weights/prioritizations in order to manage the possible risks.
# watchlist.security.org.my, contact [email protected]
# ip/net, source, comment, name, last update (GMT+8)
18.104.22.168, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2009/05/13
22.214.171.124/22, www.spamhaus.org/drop/drop.lasso, Spamhaus Block List, spamhaus, 2009/05/13
126.96.36.199, www.emergingthreats.net/rules/bleeding-rbn.rules, ET RBN, rbn, 2009/05/13
188.8.131.52, www.emergingthreats.net/rules/bleeding-compromised.rules, ET, compromised,
# domain type original_reference-why_it_was_listed note--pound sign=comment
# notice duplication is not permitted
00.devoid.us malware www.cyber-ta.org/malware-analysis/DNS.Cumulative.Summary 20090321
scan4lux.info fake_antivirus www.malwaredomainlist.com/update.php 20090505
junglemix.in phishing isc.sans.org/diary.html?storyid=6328 20090505
Wed May 13 07:59:03 CDT 2009
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124
Top 10 Blacklist Providers
Using 266 IPs from malware.
Using 235 IPs from rbn.
Using 172 IPs from coolwebsearch and spamhaus.
Using 55 IPs from rogue.
Using 23 IPs from malspam.
Using 20 IPs from dshield-top-blocks.
Using 15 IPs from exploit and sql_injection.
Using 13 IPs from spyware and trojan.
Using 11 IPs from rogue_antivirus.
Using 10 IPs from botnet.
Total Blacklisted IPs Downloaded: 1214
Blacklisted IPs Added Today: 39
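The slides describe looking at multiple watchlists with different levels of trust and doing a little aggregation, and they show two list formats (the comma-separated ip/net list and the space-separated domain list) plus a per-provider "Using N IPs from ..." summary. The following is an added example, not code from the TOTEM project or the slides: it parses both formats, produces the per-source counts, and scores an observed address by how many lists corroborate it, weighted by an assumed per-list trust value, then multiplies by an asset impact figure in the spirit of the SP 800-30 likelihood-times-impact definition quoted earlier. All sample rows, domain names, addresses (documentation ranges) and the TRUST weights are constructed for illustration.

```python
"""Added example (not part of the original TOTEM slides): parse the two
watchlist formats shown on the slides, aggregate per-source counts, and
score an observed address by trust-weighted corroboration across lists.
Sample data is constructed; the trust weights are assumed values."""
import ipaddress
from collections import Counter

# Constructed sample in the "ip/net, source, comment, name, last update" CSV format.
IP_WATCHLIST = """\
# constructed watchlist, contact security@example.invalid
# ip/net, source, comment, name, last update (GMT+8)
198.51.100.7, http://www.dshield.org/ipsascii.html, Dshield: Top IPs, dshield-top-ips, 2009/05/13
203.0.113.0/24, www.spamhaus.org/drop/drop.lasso, Spamhaus Block List, spamhaus, 2009/05/13
198.51.100.7, www.emergingthreats.net/rules/bleeding-rbn.rules, ET RBN, rbn, 2009/05/13
192.0.2.55, www.emergingthreats.net/rules/bleeding-compromised.rules, ET, compromised,
"""

# Constructed sample in the space-separated "domain type reference note" format.
DOMAIN_WATCHLIST = """\
# domain type original_reference-why_it_was_listed note
bad.example malware www.cyber-ta.org/malware-analysis/DNS.Cumulative.Summary 20090321
fakeav.example fake_antivirus www.malwaredomainlist.com/update.php 20090505
"""

# Assumed trust per list name (0..1); these are illustrative, not from the slides.
TRUST = {"dshield-top-ips": 0.6, "spamhaus": 0.9, "rbn": 0.8, "compromised": 0.5}
DEFAULT_TRUST = 0.3  # assumed weight for a list we have no opinion about


def parse_ip_watchlist(text):
    """Return a list of (ip_network, list_name); comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 4:
            continue  # malformed row: ignore rather than abort the whole download
        net = ipaddress.ip_network(fields[0], strict=False)  # single IPs become /32
        entries.append((net, fields[3]))
    return entries


def parse_domain_watchlist(text):
    """Return a dict of domain -> listing type (malware, phishing, ...)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        out[parts[0].lower()] = parts[1]
    return out


def count_by_source(entries):
    """Per-list counts, like the 'Using N IPs from <name>' summary on the slides."""
    return Counter(name for _, name in entries)


def corroboration(ip, entries):
    """Names of every list whose address or CIDR block contains ip (sorted, de-duplicated)."""
    addr = ipaddress.ip_address(ip)
    return sorted({name for net, name in entries if addr in net})


def score(ip, entries, asset_impact):
    """Trust-weighted likelihood (1 - product of (1 - trust) over matching lists)
    times the site's asset impact figure. Returns (score, matching list names)."""
    hits = corroboration(ip, entries)
    miss = 1.0
    for name in hits:
        miss *= 1.0 - TRUST.get(name, DEFAULT_TRUST)
    likelihood = 1.0 - miss
    return round(likelihood * asset_impact, 3), hits


if __name__ == "__main__":
    entries = parse_ip_watchlist(IP_WATCHLIST)
    for name, n in count_by_source(entries).most_common():
        print(f"Using {n} IPs from {name}.")
    print("Total Blacklisted entries:", len(entries))
    for ip, impact in (("198.51.100.7", 10), ("203.0.113.50", 5), ("192.0.2.1", 10)):
        print(ip, score(ip, entries, impact))
    print(parse_domain_watchlist(DOMAIN_WATCHLIST))
```

An address that appears on two independent lists (here 198.51.100.7, on both the DShield and RBN samples) scores higher than one on a single high-trust list, and an address on no list scores zero regardless of asset value, which is the aggregation-across-sources idea the slides argue for.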
With respect to Snort, we have been looking at trend information for a while.
There is a great deal of work yet to be done. Some key areas to develop will be: