Enterprise-wide Threat Characterization

1. Enterprise-wide Threat Characterization Bill Nickless Pacific Northwest National Laboratory ESCC / Internet2 Joint Techs Workshop Albuquerque, NM Feb 5-8, 2006

2. The Art of War by Sun-tzu500 B.C. "The supreme art of war is to subdue the enemy without fighting... “The means by which enlightened rulers and sagacious generals moved and conquered others, that their achievements surpassed the masses, was advanced knowledge. Advanced knowledge cannot be gained from ghosts and spirits, inferred from phenomena, or projected from the measures of heaven, but must be gained from men... for it is the knowledge of the enemy’s true situation.” Pacific Northwest National Laboratory 2

3. System Requirements The System Must Defend: • A large, diverse enterprise that engages in • cutting edge R&D in multiple sensitive and critical technologies by • thousands of scientists from all over the world at • multiple sites with • diverse cultures and capabilities for defense Against • Multiple, dynamic, and increasing threats from outside and inside Pacific Northwest National Laboratory 3

4. Collection: Instrumented Sites • Large Enterprises • Dozens to hundreds of dispersed sites • Each site with multiple ISPs • Private connections to suppliers, contractors, etc. • Enterprise Data at Risk • Foreign adversaries • Cyber-terrorists • Insider threats • Competitors using open source research Pacific Northwest National Laboratory 4

5. Collection: Sensor Pacific Northwest National Laboratory 5

6. Traffic From Linux Bonding Kernel Module libpcap Match Flow (or) Create New Flow Frame Decode Frame Sanity Check Select and Format Flows Flow Time-outs And Signals Flows In Memory Write and Manage Output Files .dat and .sem Files V3 Sensor Flo Daemon • libpcap API • Portable and standard • Compatible with high performance capture cards • Allows for off-line file playback testing • Efficient data structures • Only save what is needed • Fast access to support high performance Runs as a daemon • “Always on” rather than batch mode • Continuous stream of records • Syslog reporting for data quality mgmt Pacific Northwest National Laboratory 6

7. AnalyticalSystems Accomplishments • Cost Effective • Scalable - 500M records/day - 150 GB/day - 1 year retention • Data Summarization Central Analysis ORG A1 ORG A2 ORG A… ORG B1 ORG B2 ORG B… ORG X1 ORG X2 Pacific Northwest National Laboratory 7 ORG X…

8. Monthly Record Counts Massive record volumes drove requirement to better understand the traffic Pacific Northwest National Laboratory 8

9. Traffic Characterization: Anomaly Identification Characterizing each flow as it occurs enables immediate attack detection Interesting anomalies in SSH and FTP that can now be observed after the OOB traffic has been removed 9 Pacific Northwest National Laboratory

10. Enterprise-wide collection and analysis capability enables correlation of activity across multiple organizational elements The collection, data management, and analysis challenges of building and operating an enterprise-wide centralized analysis capability are significant but solvable Automation can enable analysts to identify both security threats and information exfiltration attempts from within or without Summary Pacific Northwest National Laboratory 10