Title: Active Response
1Active Response
- Sergio Caltagirone
- Masters Thesis Defense
- May 9, 2005
- Major Professor Deb Frincke
2A Little Background
- Clifford Stoll v. German Hackers (1986)
- C. Stoll, Stalking the Wiley Hacker in
Communications of the ACM, vol 31, 1998, pp.
484-497. - DoD v. Electronic Disturbance Theater (1998)
- http//archives.cnn.com/2000/TECH/computing/04/07
/self-defense.idg/ - Conxion v. E-Hippies (2000)
- http//www.nwfusion.com/research/2000/0529feat2.h
tml - FBI v. Russian Hackers (2001) a.k.a. Invita
Case - http//www.wired.com/news/politics/0,1283,47650,0
0.htm
3Where Were At
4Where We Want To Be
5Why?
- Response is not a choice
- Insufficient Protection on Imperfect Systems
- A Policy Is Necessary (even if not utilized)
- Vulnerable Systems
- Air Traffic Control
- http//www.cnn.com/TECH/computing/9803/18/juvenile
.hacker/ - SCADA Systems
- http//www.securityfocus.com/news/6767
6Research Question
Since any action or inaction is a response, what
is an appropriate set of actions to take during a
security event in order to mitigate the threat
given the immense social and technical
considerations of response?
7Research Goals
- Framework for Discussion
- Definition
- Taxonomy
- Summary of Challenges
- ADAM
- Response Model
- Decision Model
- Algorithm
- Example
- Evolutionary Implementation
8Elements of a Definition
- Time Bound
- Before an attack is not active response, after an
attack is forensics - Self-defense
- Necessity/Imminent, Proportionality
- Technologically Independent
- Humans and Computers can respond
- Purposeful
- Not for retribution or revenge, but to return to
a previous secure state
9Definition of Active Response
- Any action sequence deliberately performed by an
individual or organization between the time an
attack is detected and the time it is determined
to be finished, in an automated or non-automated
fashion, in order to mitigate the identified
threats negative effects upon a particular asset
set. - Active does not modify response, but rather
describes the state of the attack
10Taxonomy of Actions
- 8 Types
- No Action
- Internal Notification
- Internal Response
- External Cooperative Response
- Non-cooperative Intelligence Gathering
- Non-cooperative Cease and Desist
- Counter-Strike
- Preemptive Defense
11No Action
- Under attack, conscious decision to take no action
12Internal Notification
- Contact Administrators
- Contact CTO, CEO, CISO
- Contact Users
13Internal Response
- Write Firewall Rules (firewall signaling)
- Block IP, range of IPs, block specific ports
- Strategic Segmentation/Disconnection
- Nat, change subnets, re-address, remove port
- Drop Connections
- TCP RST packet to client AND server
- Use ICMP (port, host, network unreachable) UDP
- Unreliable, must come in sequence
14External Cooperative Response
- Contact CERT, FBI, Secret Service, Local Police,
upstream ISPs - Dshield
- Symantec
15Non-Cooperative Intelligence Gathering
- Direct attacker to honeynet/honeypot
- Use tools to determine identity of attacker
- Ping, finger, traceroute, lsrr packets
16Non-Cooperative Cease and Desist
- Use tools to disable harmful services without
affecting usability - University scenario
- Zombie Zapper by BindView
17Counter-Strike
- Active Counter-Strike (direct action)
- Worm focusing only on attacker IP or to trace
back the attack and report - Straight hack-back
- Passive Counter-Strike (cyber aikido)
- Footprinting Strike-Back (DNS)
- Send endless data, send bad data for illegitimate
names (brute force) (e.g. defense networks), send
SQL or bad data for illegitimate requests - Network Recon Strike Back
- Traceroute packets (ICMP TTL Expired) receive
spoofed random addresses (creating any network we
want)
18Preemptive Defense
- Conexion vs. E-Hippies
- Traffic Redirection
- DoD vs. Electronic Disturbance Theater
- Killer applet
19Challenges of Active Response
- Legal
- Civil, Criminal, Domestic, International
- Ethical
- Teleological, Deontological
- Technical
- Traceback, Reliable IDS, Confidence Value, Real
Time - Risk Analysis
- Measure ethical, legal risk effectively?
- Unintended Consequences
- Attacker Action, Collateral Damage, Own Resources
20Research Goals
- Framework for Discussion
- Definition
- Taxonomy
- Summary of Challenges
- ADAM
- Response Model
- Decision Model
- Algorithm
- Example
- Evolutionary Implementation
21Goals of ADAM
- Provide a generalizable, extendable model for any
organization - Completely model the risk of the threat and AD
actions - Find appropriate active defense solution for the
threat maximize benefit, minimize risk - Allow for automation
- Provide legal (and ethical) due diligence
22Response Process Model
23Decision Model
Escalation Ladder
AR Policy
Asset Evaluation
Action Evaluation
Decision Set
Scoring Chart
Asset Identification
Goal Identification
Threat Identification
Action Identification
Utility Modifier
Risk Identification
Risk Identification
Success Ordering
24Algorithm
- A pragmatic and implementable description of the
process and decision model - Illustrates the use of the decision model within
the process of response
25Solutions Provided by ADAM
- Ethicalness
- Incorporates Teleological and Deontological
ethical concerns - Legal
- No precedent minimal force, proportional force,
immediate threat - Unintended Consequences
- Statistical measure of confidence in action
performing as expected (if confidence values
provided by IDS) - Risk Valuation
- Provides statistical bounds for potential risk
(if confidence values provided by IDS)
26Research Goals
- Framework for Discussion
- Definition
- Taxonomy
- Summary of Challenges
- ADAM
- Response Model
- Decision Model
- Algorithm
- Example
- Evolutionary Implementation
27Evolutionary Model
- Competitive Co-Evolution
- Genetic Algorithm
- Uses biologically equivalent operators
(crossover, mutation, gene, chromosome,
populations) - Determines global maxima or minima
- Fitness Function / Value
- Two competing populations, co-evolving
- Attackers / Defenders
- Game Based
- Fitness risk assumed by defenders
28Evolutionary Model
29Evolutionary Model (Defender)
DEFENSE ACTION
DEFENSE POSITION
0 1 2 3 4 5 6 7 Null
Action 58 58 57 48
57 53 50 52 Contact Administrator
8 2 5 6 6 10 5 5
Contact Chief Technology Officer 3 2 2
6 9 5 7 9 Shutdown port at
firewall 0 0 0 0 0 0 0
0 Filter IP at firewall 0
1 1 2 2 1 0 2 Shutdown
Server 0 0 0 0 0
0 0 0 Send TCP RST Packet
3 4 6 5 6 5 7 5 Ask
ISP to Shut-off Attack 7 15 7 10
9 7 18 11 Contact FBI
4 2 5 4 1 5 3 7
Use Traceback 17 16 17
19 10 14 10 9 Send Virus Against IP
0 0 0 0 0 0 0 0
Initiate DoS Against IP 0 0 0
0 0 0 0 0 Attempt to Hack
Attacker 0 0 0 0 0 0
0 0
30Evolutionary Model (Attacker)
ATTACK ACTION
ATTACK POSITION
0 1 2 3 4 5 6 7 Null
Action 54 51 56 48
56 43 46 49 Spoof IP Address
39 24 19 7 4 2 0 3
Port Scan the Server 0 4 6
7 6 5 6 1 Ping the Server
0 1 0 2 3 2 5 1
DoS the Server 0 0 0
0 0 2 2 4 DDoS the Server w/
Zombies 0 1 0 2 2 6 6
5 Poison DNS 7 12
8 17 10 12 8 11 Hack Server,
Install Backdoor 0 1 2 2 1 7
4 3 Hack Server, Download Records 0
0 1 0 2 4 2 4 Hack
Server, Change Records 0 2 7 8
10 10 13 12 Send Virus Against Server
0 4 1 7 6 7 8 7
31(No Transcript)
32(No Transcript)
33Results of Evolutionary Model
- Population finesses show that model was correct
W.R.T evolutionary techniques - IT IS POSSIBLE!
- Proof-Of-Concept that reasonable active response
strategies can be developed using the rational
behind ADAM - Competitive Co-Evolution is a potential model for
computer security relationships - First implementation applying concept to a
computer security scenario
34Conclusions Contributions
- The First Definition of Active Response
- Taxonomy of Actions
- Illustrates active response is more than
strike-back methodology - Summary of Challenges
- Ethical, Legal, Risk Analysis, Technical,
Unintended Consq. - Response Process Model
- Decision Model
- Max Benefit, Min Risk, Incorporates Legal
Ethical - Active Defense Algorithm
- Implementable version of process and decision
model - Evolutionary Active Response Model
- Provides proof-of-concept
35Future Work
- Simulate and Validate Model (Currently Ongoing
Medical/Univ/Financial) R. Blue - Further define taxonomy
- More work on applying evolutionary techniques
R. Blue, S. Gotshall - Clearly define legal risks A. Hubbard
- Generate More Discussion / Educate
36Publications
- Sergio Caltagirone, Deborah Frincke, "The
Response Continuum," presented at 6th IEEE
Information Assurance Workshop, West Point, NY,
USA, June 2005. - Sergio Caltagirone, Deborah Frincke, "ADAM
Active Defense Algorithm and Model," in
Aggressive Network Self-Defense, N.R. Wyler and
G. Byrne, Eds. Rockland, MD, USA Syngress
Publishing, 2005, pp. 287-311. - Sergio Caltagirone, "Questions About Active
Response," 4th Workshop on the Active Response
Continuum to Cyber Attacks. George Mason
University, Fairfax, VA, USA, March 2005. - Sergio Caltagirone, "Active Defense Decision and
Escalation Model," 20th Annual Computer Security
Applications Conference, Works In Progress.
Tucson, AZ, USA, December 2004. - Sergio Caltagirone, "An Active Defense Decision
Model," presented at the Agora Workshop,
University of Seattle, Seattle, WA. December,
2003.
37Thank You
http//www.activeresponse.org