Cyber Disaster Avoidance: Protecting the Internal Network - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Cyber Disaster Avoidance: Protecting the Internal Network' - noah
Presentation Transcript
Cyber Disaster Avoidance: Protecting the Internal Network

Introduction
  • Background on Cyber Disasters

    • Characteristics

    • Internal Threats Explained

    • Threat Sources

    • Threat Detection

  • Cyber Disaster Prevention

    • Active Deception

    • Delaying

    • Attack Deflection

Characteristics of a Cyber Disaster

  • Computers and networks fail to perform as expected or designed due to an external (usually software) influence (worms and viruses are often the cause)

  • Critical network services are slow or unavailable

  • System failures may be widespread or even pandemic

  • Failures occur very quickly

Cyber Disaster – Real World Example

SQL Slammer

  • First encountered Jan 25th, 2003

  • Self-replicating worm, transmitted as a single packet of data

  • Caused SQL Servers to stop functioning

  • Flooded networks with infection packets

  • Affected over 200,000 computers

  • Required < 15 minutes to infect every vulnerable computer on the Internet

SQL Slammer Impact

Infected database servers became unusable, as did their data

Computer networks were clogged with infection attempts (DoS)

  • Most of South Korea’s ISPs were “down” for several hours

  • 13,000 Bank of America ATMs failed

Traditional Security Coverage

Perimeter Security

“Micro-Perimeter” Security

Where Traditional Security Fails

Infected Laptop

Security exposures that bypass perimeter defenses are targets for rapidly propagating threats that take over your network in minutes, bringing your network to a halt and creating costly cleanup.

Solution Characteristics

  • Defenses are added to the unprotected interior network, not hosts or the network perimeter

  • These defenses operate properly even against attacks that have never been seen before

  • Threats are “compartmentalized” to the single infected computer – surgical mitigation

  • The solution does not require a network rearchitecture – not an “in-line” product

  • The system does not impact network performance and cannot cause a network failure

Common Types of Threats

  • Worms - malicious code designed to reprogram some aspect of a computer. Worms are self-propagating.

  • Viruses – malicious code designed to reprogram some aspect of you, the user. Viruses are not self-propagating – they require user interaction to execute.

Damage Potential

  • Denial of Service – usually through self-replication, but can be programmed.

  • Deletion of Data – Either overt or subtle.

  • Transmission of Data – random or targeted emailing of selected files.

  • Installation of Backdoors – these allow covert access to your computer from a remote location.

Network Entry

  • Mobile Computers – infected laptops or PDAs that bypass perimeter security.

  • VPN Connections – remote computers are often not as secure outside corporate security systems.

  • Wireless LANs – drive-by hacking or unintentional connections to corporate access points due to coverage issues.

Detection – Two Primary Methods

Signature-based Systems – Usually require prior knowledge of the exploit. They match network packets against a library of known threats. Not ideally suited to detecting previously unknown threats because of the delay in acquiring and deploying new signatures.

Behavioral/Anomaly-based Systems – Detect threats based on their network behavior. Better suited to detecting previously unknown threats because they do not depend on signatures.

Unique Solutions

  • “Activate” unused IP address space – very effective day-zero threat identification

  • Active Deception – use protocol methods to slow or stop an attack

  • Attack Deflection – forcibly redirect attack packets to a harmless location

Unused IP Space – “Network Radar”

Leverage unused IP address space to create an early warning system of threat activity
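The two detection styles from the previous slides and the unused-address-space idea above, as an added example that is not part of the presentation or any product it describes. The flow records, the allocated-address inventory and the single "signature" are constructed for the demonstration; the three functions are hypothetical names. A signature matcher only catches the worm it already knows, while traffic into unallocated addresses ("network radar") and a high fan-out of distinct destinations flag the novel worm too, which is the point the deck makes about day-zero threats.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector might export it (constructed format)."""
    ts: float              # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    payload: bytes = b""   # leading bytes of the first packet, when captured


# Constructed inventory: 10.1.1.0/24 is routed inside the LAN, but only these addresses are in use.
LAN = ip_network("10.1.1.0/24")
ALLOCATED = frozenset({"10.1.1.1", "10.1.1.10", "10.1.1.20", "10.1.1.30", "10.1.1.40"})

# Constructed signature library: a hypothetical byte pattern for an already-known UDP/1434 worm.
SIGNATURES = {"known-udp1434-worm": (1434, b"\x04\x01\x01\x01")}

# Constructed flow records: ordinary traffic, then 10.1.1.30 spreading the known worm and
# 10.1.1.40 spreading a novel one (other port, other bytes) for which no signature exists yet.
SAMPLE_FLOWS = [
    Flow(0.0, "10.1.1.10", "10.1.1.20", 445),
    Flow(0.4, "10.1.1.20", "10.1.1.1", 53),
    Flow(0.8, "10.1.1.10", "10.1.1.1", 53),
] + [
    Flow(1.0 + i * 0.1, "10.1.1.30", f"10.1.1.{50 + i}", 1434, b"\x04\x01\x01\x01\x01")
    for i in range(8)
] + [
    Flow(2.0 + i * 0.1, "10.1.1.40", f"10.1.1.{100 + i}", 9999, b"\xde\xad")
    for i in range(8)
]


def signature_hits(flows, signatures=SIGNATURES):
    """Signature-based: flag a flow only when port and payload prefix match a known pattern."""
    hits = set()
    for f in flows:
        for name, (port, prefix) in signatures.items():
            if f.dport == port and f.payload.startswith(prefix):
                hits.add((f.src, name))
    return hits


def unused_space_hits(flows, lan=LAN, allocated=ALLOCATED):
    """Network radar: traffic to a routed but unallocated address has no legitimate purpose,
    so the sender is reported together with the dark addresses it touched."""
    hits = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) in lan and f.dst not in allocated:
            hits[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def fan_out_scanners(flows, window=2.0, threshold=5):
    """Behavioral: a source that contacts at least `threshold` distinct destinations within
    `window` seconds is behaving like a scanner, whatever bytes it sends."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window, oldest first
    flagged = {}
    for f in sorted(flows, key=lambda x: x.ts):
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[f.src] = max(distinct, flagged.get(f.src, 0))
    return flagged


def report(flows=SAMPLE_FLOWS):
    """Hosts flagged by each method; only the behavioral views catch the novel worm."""
    return {
        "signature": {src for src, _ in signature_hits(flows)},
        "radar": set(unused_space_hits(flows)),
        "fan_out": set(fan_out_scanners(flows)),
    }


if __name__ == "__main__":
    for method, hosts in report().items():
        print(f"{method:10s} -> {sorted(hosts)}")
```

The radar check is the cheapest of the three because it needs no state at all, only an accurate inventory of which addresses are really in use; stale inventories are its main source of false positives.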

Active Deception

Create “Virtual Decoy Devices” with real IP and OS personas to camouflage valuable network resources

Delaying Technique

Use legitimate protocol parameters to slow or stop an attack

1. Bad Guy sends a synchronization (SYN) packet to a virtual decoy

2. Security device sends an acknowledgment with the limits Window = 0 and MSS = 10

3. Bad Guy receives the acknowledgement and conforms to the limits

4. Response is ignored, forcing Bad Guy to wait 4 minutes with no response

5. Bad Guy sends a TCP Window Probe to see if we’re still there

6. Security device sends an acknowledgement (with the same limits) and forces another 4-minute wait…
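The exchange above modelled with both sides' segments, as an added example that is not part of the presentation or of any product it describes. `Segment`, `Decoy` and `simulate` are hypothetical names; the decoy answers the SYN with a zero window and an MSS of 10, drops data, and answers only window probes, so the peer spends its time on the persist timer. The 4-minute interval is the figure the slide gives and is used as a constant here; real stacks start with a much shorter persist timeout and back it off, so the waits in practice differ.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBE_INTERVAL = 240.0   # the 4-minute wait the slide describes; real stacks vary the interval


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str                  # "SYN", "SYN/ACK", "ACK", "DATA" or "PROBE" (window probe)
    window: int = 65535         # advertised receive window
    mss: Optional[int] = None   # MSS option, only meaningful on SYN and SYN/ACK


class Decoy:
    """Virtual decoy device owning `ip`: it completes handshakes but never opens its window."""

    def __init__(self, ip: str):
        self.ip = ip
        self.peers = {}          # peer address -> connection state

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.dst != self.ip:
            return None                                   # not addressed to this decoy
        if seg.flags == "SYN":
            self.peers[seg.src] = "SYN_RCVD"
            return Segment(self.ip, seg.src, "SYN/ACK", window=0, mss=10)
        if seg.flags == "ACK":
            self.peers[seg.src] = "ESTABLISHED"           # handshake done, nothing to send back
            return None
        if seg.flags == "PROBE":
            return Segment(self.ip, seg.src, "ACK", window=0)   # still here, still no room
        return None                                       # data outside the window is dropped


def simulate(peer: str, decoy_ip: str, probes: int) -> Tuple[List[Tuple[float, Segment]], float]:
    """Run one connection attempt against the decoy: handshake, one rejected data segment, then
    `probes` window probes. Returns the timestamped trace and the seconds the peer spent waiting."""
    decoy = Decoy(decoy_ip)
    trace: List[Tuple[float, Segment]] = []
    clock = 0.0

    def exchange(seg: Segment) -> Optional[Segment]:
        trace.append((clock, seg))
        reply = decoy.handle(seg)
        if reply is not None:
            trace.append((clock, reply))
        return reply

    exchange(Segment(peer, decoy_ip, "SYN"))
    exchange(Segment(peer, decoy_ip, "ACK"))
    exchange(Segment(peer, decoy_ip, "DATA"))   # peer tries anyway; window 0 means it is dropped
    for _ in range(probes):
        clock += PROBE_INTERVAL                  # persist timer expires, peer may only probe
        reply = exchange(Segment(peer, decoy_ip, "PROBE"))
        if reply is None or reply.window != 0:
            break                                # window opened; never happens with this decoy
    return trace, clock


def decoy_replies(trace: List[Tuple[float, Segment]], decoy_ip: str) -> List[Segment]:
    """Segments the decoy sent, for checking that every one kept the window closed."""
    return [seg for _, seg in trace if seg.src == decoy_ip]


if __name__ == "__main__":
    trace, waited = simulate("10.1.1.99", "10.1.1.200", probes=3)
    for t, seg in trace:
        print(f"t={t:6.0f}s  {seg.src} -> {seg.dst}  {seg.flags}  win={seg.window}  mss={seg.mss}")
    print(f"peer stalled for {waited:.0f} seconds")
```

The decoy is entirely passive after the handshake; it sends nothing on its own and only answers what the peer's own TCP stack is obliged to send, which is why the slide describes the technique as using legitimate protocol parameters.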

Attack Deflection

1. Infected laptop communicates with a computer on the network

2. Security device detects the behavior and changes the MAC address on the infected PC

3. All traffic from the infected laptop is sent to the security device and examined

4. The infected laptop is determined to be a malicious threat and is blocked (compartmentalized) from the network

This strategy “compartmentalizes” infected devices, preventing them from communicating on the network.


There are numerous ways for threats to bypass traditional security mechanisms to reach your LAN

Worms and viruses usually meet little resistance once inside a network

The damage potential from these attacks can be very serious

Detecting day-0 RPTs (rapidly propagating threats) on LANs is best performed using behavioral detection techniques.

There are several ways to defend against these threats, including active deception, protocol-based delay tactics, and attack deflection.

Thank You

If you would like more information about these technologies, you may download a white paper about this subject.