Cyber disaster avoidance protecting the internal network


Introduction

  • Background on Cyber Disasters

    • Characteristics

    • Internal Threats Explained

    • Threat Sources

    • Threat Detection

  • Cyber Disaster Prevention

    • Active Deception

    • Delaying

    • Attack Deflection


Characteristics of a Cyber Disaster

  • Computers and networks fail to perform as expected or designed due to an external (usually software) influence (worms and viruses are often the cause)

  • Critical network services are slow or unavailable

  • System failures may be widespread or even pandemic

  • Failures occur very quickly


Cyber Disaster – Real World Example

SQL Slammer

  • First encountered Jan 25th, 2003

  • Self-replicating worm, transmitted as a single packet of data

  • Caused SQL Servers to stop functioning

  • Flooded networks with infection packets

  • Affected over 200,000 computers

  • Required < 15 minutes to infect every vulnerable computer on the Internet


SQL Slammer Impact

Infected database servers became unusable, as did their data

Computer networks were clogged with infection attempts (DoS)

  • Most of South Korea’s ISPs were “down” for several hours

  • 13,000 Bank of America ATMs failed


Traditional Security Coverage

  • Perimeter Security

  • HIDS & AV

  • “Micro-Perimeter” Security


Where Traditional Security Fails

Diagram labels: HIDS & AV; Infected Laptop

Security exposures that bypass perimeter defenses are targets for rapidly propagating threats that take over your network in minutes, bringing your network to a halt and creating costly cleanup.


Solution Characteristics

  • Defenses are added to the unprotected interior network, not hosts or the network perimeter

  • These defenses operate properly even against attacks that have never been seen before

  • Threats are “compartmentalized” to the single infected computer – surgical mitigation

  • The solution does not require a network rearchitecture – not an “in-line” product

  • The system does not impact network performance and cannot cause a network failure


Common Types of Threats

  • Worms - malicious code designed to reprogram some aspect of a computer. Worms are self-propagating.

  • Viruses – malicious code designed to reprogram some aspect of you, the user. Viruses are not self-propagating – they require user interaction to execute.


Damage Potential

  • Denial of Service – usually through self-replication, but can be programmed.

  • Deletion of Data – Either overt or subtle.

  • Transmission of Data – random or targeted emailing of selected files.

  • Installation of Backdoors – these allow covert access to your computer from a remote location.


Network Entry

  • Mobile Computers – infected laptops or PDAs that bypass perimeter security.

  • VPN Connections – remote computers are often not as secure outside corporate security systems.

  • Wireless LANs – drive-by hacking or unintentional connections to corporate access points due to coverage issues.


Detection – Two Primary Methods

Signature-based Systems – Usually require prior knowledge of the exploit. They match network packets against a library of known threats. Not ideally suited to detecting previously unknown threats because of the delay in acquiring and deploying new signatures.

Behavioral/Anomaly-based Systems – Detect threats based on their network behavior. Better suited to detecting previously unknown threats because they do not depend on signatures.


Unique Solutions

  • “Activate” unused IP address space – very effective day-zero threat identification

  • Active Deception – use protocol methods to slow or stop an attack

  • Attack Deflection – forcibly redirect attack packets to a harmless location


Unused IP Space – “Network Radar”

Leverage unused IP address space to create an early warning system of threat activity
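The “network radar” idea in working form, as an added example that is not part of the original presentation or the vendor’s product: given the allocated hosts of a subnet (assumed to come from an asset inventory or DHCP leases) and a few constructed flow records, any source that touches several addresses that no legitimate host owns is flagged, with no signature involved.

```python
import ipaddress
from collections import defaultdict

# Constructed example: the monitored subnet and the addresses actually allocated
# to real hosts. Everything else in the subnet is "dark" space that no
# legitimate host has a reason to contact.
LAN = ipaddress.ip_network("10.1.1.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in (
    "10.1.1.1", "10.1.1.10", "10.1.1.20", "10.1.1.25", "10.1.1.50")}

# Constructed flow records: (timestamp, src, dst, dst_port)
FLOWS = [
    (0, "10.1.1.10", "10.1.1.20", 445),   # normal host-to-host traffic
    (1, "10.1.1.25", "10.1.1.1", 53),     # DNS to the gateway/resolver
    (2, "10.1.1.50", "10.1.1.2", 1434),   # start of a sweep from .50 ...
    (2, "10.1.1.50", "10.1.1.3", 1434),
    (2, "10.1.1.50", "10.1.1.4", 1434),
    (3, "10.1.1.50", "10.1.1.5", 1434),
    (3, "10.1.1.50", "10.1.1.10", 1434),  # the sweep also hits a real host
    (4, "10.1.1.20", "10.1.1.99", 80),    # one stale DNS entry, not a sweep
]

def is_dark(dst):
    """True if dst lies in the monitored subnet but is not an allocated host
    (network and broadcast addresses are excluded to avoid false alarms)."""
    ip = ipaddress.ip_address(dst)
    return (ip in LAN and ip not in ALLOCATED
            and ip not in (LAN.network_address, LAN.broadcast_address))

def dark_space_contacts(flows):
    """Map each source address to the set of distinct dark addresses it contacted."""
    contacts = defaultdict(set)
    for _ts, src, dst, _port in flows:
        if is_dark(dst):
            contacts[src].add(dst)
    return contacts

def flag_scanners(flows, threshold=3):
    """Sources touching at least `threshold` distinct dark addresses are flagged.
    The behaviour alone (talking to addresses that cannot legitimately answer)
    is the indicator, which is why this works against day-zero worms."""
    return sorted(src for src, dsts in dark_space_contacts(flows).items()
                  if len(dsts) >= threshold)
```

The threshold keeps a single mistyped or stale address from being reported; a sweeping host crosses it within a couple of seconds of flow data.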


Active Deception

Create “Virtual Decoy Devices” with real IP and OS personas to camouflage valuable network resources


Delaying Technique

Use legitimate protocol parameters to slow or stop an attack.

1. Bad Guy sends synchronization packet to a virtual decoy

2. Security device sends acknowledgment with Window = 0 and MSS = 10 limits

3. Bad Guy receives acknowledgement and conforms to limits

4. Response is ignored, forcing Bad Guy to wait 4 minutes with no response

5. Bad Guy sends TCP Window Probe to see if we’re still there

6. Security device sends acknowledgement (with same limits) and forces another 4 minute wait…
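The exchange above simulated end to end, as an added example that is not code from the presentation or the product it describes. The decoy side answers only the SYN and the window probes, always with Window = 0 and MSS = 10, and a conforming client is assumed to wait the 4 minutes stated on the slide before each probe; the segment model and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PROBE_INTERVAL = 240  # seconds: the 4-minute wait between window probes on the slide

@dataclass
class Segment:
    flags: str                  # "SYN", "SYN-ACK", "ACK", "DATA" or "PROBE"
    window: int = 0             # advertised receive window
    mss: Optional[int] = None   # maximum segment size option
    payload: int = 0            # bytes carried

def decoy_respond(seg: Segment) -> Optional[Segment]:
    """What the security device sends on behalf of a virtual decoy.
    SYN -> SYN-ACK advertising Window 0 / MSS 10; a window probe -> ACK with the
    same limits; everything else (handshake ACK, data) is silently dropped."""
    if seg.flags == "SYN":
        return Segment("SYN-ACK", window=0, mss=10)
    if seg.flags == "PROBE":
        return Segment("ACK", window=0, mss=10)
    return None

def run_tarpit(rounds: int):
    """Hold a conforming client in the tarpit for `rounds` probe cycles.
    Returns (seconds the client spent waiting, bytes the decoy accepted, transcript)."""
    transcript = [("client", "SYN")]
    synack = decoy_respond(Segment("SYN"))
    transcript.append(("decoy", f"{synack.flags} win={synack.window} mss={synack.mss}"))
    # The client finishes the handshake; the decoy ignores that ACK on purpose.
    transcript.append(("client", "ACK"))
    assert decoy_respond(Segment("ACK")) is None
    waited, accepted, window = 0, 0, synack.window
    for _ in range(rounds):
        # Window 0 means a conforming sender may not transmit data. It waits for
        # its persist timer and then sends a one-byte probe past the window.
        waited += PROBE_INTERVAL
        reply = decoy_respond(Segment("PROBE", payload=1))
        transcript.append(("client", "PROBE"))
        transcript.append(("decoy", f"{reply.flags} win={reply.window} mss={reply.mss}"))
        window = reply.window
        accepted += min(window, 1)  # the probe byte lies outside a zero window
    return waited, accepted, transcript
```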


Attack Deflection

1. Infected Laptop communicates with a computer on the network

2. Security device detects the behavior and changes the MAC address on the infected PC

3. All traffic from the infected laptop is sent to the security device and examined

4. The infected laptop is determined to be a malicious threat and is blocked (compartmentalized) from the network

This strategy “compartmentalizes” infected devices, preventing them from communicating on the network.


Summary

There are numerous ways for threats to bypass traditional security mechanisms to reach your LAN

Worms and viruses usually meet little resistance once inside a network

The damage potential from these attacks can be very serious

Detecting day-0 RPTs (rapidly propagating threats) on LANs is best performed using behavioral detection techniques.

There are several ways to defend against these threats, including active deception, protocol-based delay tactics, and attack deflection.


Thank You

If you would like more information about these technologies, you may download a white paper about this subject from: www.miragenetworks.com