
Engaging the Adversary as a Viable Response to Network Intrusion


Presentation Transcript


  1. Engaging the Adversary as a Viable Response to Network Intrusion Sylvain P. Leblanc & G. Scott Knight Royal Military College of Canada PST 05 Workshop October 12, 2005

  2. "We're going to hold onto him by the nose, and we're going to kick him in the ass." General George S. Patton, England, May 31 1944. In a nutshell: we must remain in contact with those who threaten our cyber infrastructure if we hope to successfully defend it. PST 05 - St-Andrew's NB, Leblanc & Knight

  3. Outline • Introduction • Information Operations • IO Counter-measures Tools • Honeypots • Conclusion

  4. 1 - Introduction. The defence paradigm has been to Protect, Detect and React. It is not sufficient to react by cutting off access; it is also important to gain information about those who threaten the infrastructure.

  5. 2 - Information Operations (IO). Information Operations are a key combat function, alongside Manoeuvre, Firepower, Command, Protection and Sustainment. IO are defined as actions taken in support of political and military objectives which influence decision makers by affecting others' information while exploiting, or fully utilizing, one's own information.

  6. Defensive IO • Protection (radar-domain example: radar absorbent paint) • Defensive Counter-Information Operations, i.e. IO Counter-measures (example: chaff) • Offensive Counter-Information Operations (example: jamming the radar)

  7. Computer Network Operations (CNO) • CNO represent all aspects of computer-related operations, but they have three specific components: • Defence (CND) • Attack (CNA) • Exploitation (CNE)

  8. Operational Objectives • Holding contact with the adversary • Understanding the adversary: • Who is attacking? • What are they capable of? • What are their current mission and objectives? • What is the context of the current attack? • Preparing the adversary

  9. Network-based IO Counter-measures, Principles of Operations • Operational Objectives for active response • Combined operations • Repeatable operations: • Standing procedures • Dedicated resources • Computer Network Operations order-of-battle • Risk management

  10. Risk Management. Access risks (of keeping the adversary engaged): • Damage to or alteration of information • Exfiltration of more sensitive information than expected • Attack pushed on to other systems • Adversary mounts IO counter-counter-measures. Denial implications (of breaking contact): • Inability to identify the adversary • Loss of knowledge of techniques and motivations • Loss of ability to influence • Adversary encouraged to seek other ingress points

  11. 3 - IO Counter-measures Tools • Operational use with very high interaction • The attacker must feel that he is in a real production environment • High-fidelity environment • New tools must: • Provide legitimate-looking operational activity • Capture the attacker's activity

  12. Characteristics of IO Counter-measures Tools • Components and mechanisms undetectable by a user with root privileges. • Behaviours and communication patterns appear legitimate from the vantage point of other hosts on the network. • Able to simulate a normal human user at the interface level. • Provide a means of observing and collecting attacker activity. • Make de-conflicting attack traffic from legitimate (including the defenders' own) traffic straightforward.

  13. 4 - Honeypots • Stem from the difficulty of discriminating attacker activity from legitimate activity on production systems • A honeypot's value lies in being probed, attacked and compromised. • Honeypots have no production value, so any activity on them is suspect by definition, making discrimination of attacker activity trivial. • Credited with many successes.
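The two slides above make two practical points: a capture tool must record what the attacker does, and it must make de-confliction of attack traffic straightforward; a honeypot port does this cheaply because nothing legitimate ever talks to it. The following is an added example, not code from the Leblanc & Knight deck: it listens on a port with no production use, records every byte a client sends behind a plausible banner, and tags sessions from a declared set of operator addresses so the defenders' own scans can be separated from attacker activity. The operator allow-list (TEST-NET-1 addresses), the FTP-style banner and the demo client are assumptions for the illustration.

```python
"""Honeypot-port capture with de-confliction of operator traffic.

Added example for the 'IO Counter-measures Tools' and 'Honeypots' slides;
not code from the Leblanc & Knight deck. Allow-list, banner and the demo
client are assumptions for illustration.
"""
import socket
import threading
import time
from dataclasses import dataclass

# Assumed: addresses of the defenders' own scanners and admin hosts (TEST-NET-1).
OPERATOR_ADDRS = frozenset({"192.0.2.10", "192.0.2.11"})


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_port: int
    started: float
    ours: bool         # source is a declared operator address
    data: bytes = b""  # raw bytes received from the client


def is_ours(src_ip, operator_addrs=OPERATOR_ADDRS):
    """De-confliction rule: a honeypot port has no legitimate users, so the
    only non-attacker traffic it can see is the defenders' own. A source
    allow-list therefore separates the two without any content analysis."""
    return src_ip in operator_addrs


def bind_listener(host="127.0.0.1", port=0):
    """Bind the honeypot port (port 0 lets the OS pick one, handy for tests)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def serve_one(listener, banner=b"220 ftp ready\r\n", idle_timeout=1.0,
              operator_addrs=OPERATOR_ADDRS):
    """Accept one connection, send a plausible service banner, and record
    everything received until the client closes or goes idle."""
    conn, (src_ip, src_port) = listener.accept()
    sess = Session(src_ip, src_port, listener.getsockname()[1], time.time(),
                   is_ours(src_ip, operator_addrs))
    conn.settimeout(idle_timeout)
    try:
        conn.sendall(banner)
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            sess.data += chunk
    except socket.timeout:
        pass  # idle client: keep what was captured so far
    finally:
        conn.close()
    return sess


def command_lines(sess):
    """Split the captured bytes into the lines an interactive attacker typed."""
    return [ln for ln in sess.data.decode("latin-1").splitlines() if ln.strip()]


def triage(sessions):
    """Partition captured sessions into attacker activity and our own traffic."""
    attacker = [s for s in sessions if not s.ours]
    ours = [s for s in sessions if s.ours]
    return attacker, ours


def demo():
    """Self-contained run: a constructed client on loopback plays the attacker."""
    listener = bind_listener()
    port = listener.getsockname()[1]
    result = []
    t = threading.Thread(target=lambda: result.append(serve_one(listener)))
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.recv(1024)                                           # banner
        c.sendall(b"USER anonymous\r\nPASS x@y\r\nSYST\r\n")   # constructed input
    t.join()
    listener.close()
    sess = result[0]
    attacker, ours = triage([sess])
    return sess, command_lines(sess), len(attacker), len(ours)


if __name__ == "__main__":
    sess, cmds, n_attacker, n_ours = demo()
    print(f"{sess.src_ip}:{sess.src_port} -> :{sess.dst_port} ours={sess.ours}")
    for cmd in cmds:
        print("  >", cmd)
```

Loopback is not in the allow-list, so the demo session is triaged as attacker activity; the same listener with `OPERATOR_ADDRS` extended would silently file the defenders' own scans under "ours". In a real deployment the idle timeout would be far longer and the capture written to a host the attacker cannot reach, in keeping with the slide's requirement that the tool be undetectable from the compromised machine.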

  14. Honeypot Classifications • Spitzner suggests two main purposes: • Production honeypots: support operations by helping secure the environment. • Research honeypots: gain information on attackers' tools and techniques.

  15. Honeypot Levels of Interaction. Spitzner proposes a taxonomy based on the level of interaction afforded to the attacker.

  16. IO Counter-measures example • IO Counter-measures tool installed as part of the baseline

  17. IO Counter-measures example • Intrusion detected.

  18. IO Counter-measures example • Machine is physically isolated • IO Counter-measures tool is activated • Attacker is monitored and prepared

  19. 5 - Conclusion • A reactive-oriented defence policy is insufficient. • Defence must include an understanding of the adversary. • The first response should not always be to break contact. • IO Counter-measures to gain information: • Principles of Operations for network-based IO counter-measures • Operational Objectives • Key research areas include tools to: • Obfuscate the observation of attacker behaviour • Simulate normal human user behaviour

  20. ??? Questions ???