Posted 21-Dec-2015 (Documents)
Honeypots, Honeynets, Active Defence and Changes in Thinking about Cyber Crimes
David Dittrich, The Information School / C&C, The University of Washington
POLCYB Keynote, 1 November 2003
[Figure: “Attack Sophistication vs. Intruder Technical Knowledge” (Source: CERT/CC, 1998). Vertical axis: Low to High; horizontal axis: 1980, 1985, 1990, 1995, 2001. Two curves: Intruder Knowledge (falling) and Attack Sophistication (rising), with Tools and Attackers labelled. Milestones along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]
Not your typical crime scene
Systems must remain running
More “DC Sniper” than “O.J. Simpson”
Not enough yellow “CRIME SCENE” tape to circle the planet
There is no “Hogan’s Alley” for cyberspace
Implications for LE
More economic crimes involving computers
More multi-jurisdictional crimes (intranational/international)
More complex tools
More loss of private information
Concept of Honeypots
First popularized in “The Cuckoo’s Egg” by Cliff Stoll
Redefined by the Honeynet Project
A security resource whose value lies in being probed, attacked or compromised
Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
Used for monitoring, detecting and analyzing attacks
The Role Of Honeypots In The Enterprise
Augments Firewalls and IDS
Research
Incident Response / Forensics
Deception / Deterrence
Advantages
Fidelity – Information of high value
Reduced false positives
Reduced false negatives
Simple concept
Not resource intensive
Return on Investment
Disadvantages
Labor/skill intensive
Limited field of view
Does not directly protect vulnerable systems
Risk (more on this later…)
Data Control
[Diagram: Internet <-> Honeywall <-> Honeypot, Honeypot. Inbound traffic to the honeypots: no restrictions. Outbound traffic from the honeypots: connections limited, packets scrubbed.]
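As an added example (not code from the talk or from the Honeynet Project), the Data Control policy above reduced to a small simulator: every inbound flow to a honeypot is passed but logged as a probe, since a honeypot has no production value, while outbound connections are counted per protocol per hour and dropped once a limit is reached. The addresses, limits and flow log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed honeypot addresses and per-protocol outbound limits per hour.
# The numbers are illustrative, not the Honeynet Project's own defaults.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}
OUTBOUND_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}

# Constructed flow log: timestamp, source, destination, protocol.
FLOWS = """\
2003-11-01T10:02:11 203.0.113.9 10.0.0.5 tcp
2003-11-01T10:02:12 203.0.113.9 10.0.0.5 tcp
2003-11-01T10:05:40 10.0.0.5 198.51.100.7 tcp
2003-11-01T10:05:41 10.0.0.5 198.51.100.7 tcp
2003-11-01T11:00:01 10.0.0.5 198.51.100.8 tcp
"""


def honeywall(flow_log, limits=OUTBOUND_LIMITS, honeypots=HONEYPOTS):
    """Apply data control to each flow and return (line, action, reason).

    Inbound: passed, logged as a probe. Outbound: passed until the hourly
    per-protocol limit is hit, then dropped. Unknown protocols get limit 0.
    """
    counts = defaultdict(int)  # (honeypot, protocol, hour) -> outbound seen
    decisions = []
    for line in flow_log.strip().splitlines():
        ts, src, dst, proto = line.split()
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        if dst in honeypots:
            # Anything going to a honeypot is by definition a probe or attack.
            decisions.append((line, "PASS", "inbound probe logged"))
        elif src in honeypots:
            counts[(src, proto, hour)] += 1
            if counts[(src, proto, hour)] <= limits.get(proto, 0):
                decisions.append((line, "PASS", "outbound within limit"))
            else:
                # The compromised honeypot must not become an attack platform.
                decisions.append((line, "DROP", "outbound limit exceeded"))
        else:
            decisions.append((line, "PASS", "not honeypot traffic"))
    return decisions


def probe_sources(decisions):
    """Count inbound probes per source address for the analyst's report."""
    sources = defaultdict(int)
    for line, _action, reason in decisions:
        if reason == "inbound probe logged":
            sources[line.split()[1]] += 1
    return dict(sources)
```

Lowering the limit (for example `honeywall(FLOWS, limits={"tcp": 1})`) shows the second outbound connection at 10:05 being dropped while the one in the next hour is allowed again.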
Entrapment
Applies only to law enforcement
Useful only as defence in criminal prosecution
Still, most legal authorities consider honeypots non-entrapment
Liability
An organization may be liable if their honeypot is used to attack or damage third parties
Example: T.J. Hooper v. Northern Barge Corp. (no weather radios)
Civil issue, not criminal
Decided at state level, not federal
This is why the Honeynet Project focuses so much attention on Data Control.
Privacy
No single US federal statute concerning privacy
Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)
Title I: Wiretap Act (18 USC § 2510-22)
Title II: Stored Communications Act (18 USC § 2701-11)
Title III: Pen/Trap Act (18 USC § 3121-27)
US Senate Debate
“If we can find some way to do this without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize [the seriousness of their actions.] There's no excuse for anyone violating copyright laws.”
Utah Senator Orrin Hatch
Attacks (Strategic level)
Denial of Service
Theft/alteration of data
Web page defacement
Industrial espionage
Theft of services/resources
“Stepping stones”/anonymity
Caching data/malware
Violation of copyright (“warez”)
Attacks (Tactical level)
Remote service exploitation
Log alteration
“root kits”
Sniffers
Covert channel/encrypted comms
Stepping stones
Binary encryption
Address forgery/hijacking
Distributed attacks
Reflected attacks
Defenses (Strategic level)
Firewalls
IDS
Logging/monitoring
Host (e.g., accounts, processes, services)
Network (flows, connections, data)
Honeypots/Honeynets
Augment FW/IDS
Deception
Defenses (Tactical level)
Traffic analysis
Topological/Access control changes
Sniffing/keystroke logging
Traffic redirection
Honeypots/Honeynets
Service enumeration, banner grabbing, info collection
Remote exploitation
Denial of Service
[Chart: “Small loss over time”. Losses (* $1), 0 to 250, over Day 1 to Day 4. Example: an individual selling used books on Amazon.]
[Chart: “Big loss over time”. Losses (* $1000), 0 to 800, over the 1st to 4th hour. Example: Example.com’s lost revenues.]
Stages of Response
0 - Unconscious
1 - Involved
2 - Interactive
3 - Cooperative Response
4 - Non-cooperative (AD) Response
Stage 0, “Unconscious”: “Right out-of-the-box”
“The firm/system owner/operator takes no active role, either directly or through proxy, to modify, improve, enhance, or alter defensive capabilities inherent in the hardware, firmware, and/or software as delivered from the manufacturer or installer.”
Stage 1, “Involved”: “Doing Business”
“The firm/system owner/operator establishes (either directly or via proxy) a baseline, tailored, day-to-day defensive posture involving only resources directly owned or operated by that owner/operator. The posture is maintained / kept current.”
Stage 2, “Interactive”: “We’ve Got a Problem”
“The firm/system owner/operator applies measures, in response to warning or evidence of malfeasance, to resources directly owned or operated by them. The measures are beyond the baseline because they cause some loss of flexibility, capability, or ease of use and the owner/operator does not want/intend them to become routine business practice.”
Stage 3, “Cooperative Response”: “Reach out …”
“The firm/system owner/operator engages other organizations/firms/systems to take measures intended to attribute, mitigate, or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”
Stage 4, “Non-cooperative Response”: “... and Touch Someone.”
“The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”
Active Defense
Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4
Stage 4 has levels, though:
Less intrusive to more intrusive
Less risky to more risky
Less disruptive to more disruptive
Justification for your actions depends on how well you progress through all 4 stages
Levels of Active Defense
4.1 - Non-cooperative ‘intelligence’ collection
External services
Back doors/remote exploit to access internal services
4.2 - Non-cooperative ‘cease & desist’
“Interdiction” à la Berman-Coble bill
Disabling malware
4.3 - Retribution or counter-strike
4.4 - Preemptive defense
What must you know?
What are your personal and organizational risks?
Who can help?
Who are you going to call if you do this?
Who/what is the target? How do you know?
Who defines what active defense is for you?
Was there another way? Or “Creative Response versus Active Defense”
Best Practice: Plan Ahead
Risk Mitigation Strategy: Early, early, early
Pre-arrange services w/your ISP
Business interruption insurance
Before-the-fact discussions with LE
Pre-arranged responses within org
Range of response options for the CEO
Who provides the oversight of this decision?
Private Intrusion Response
Stevan D. Mitchell and Elizabeth A. Banker (11 Harv. J. Law & Tech. 699)
They cite many of the same issues:
Difficulties in detection
Limited reporting
Jurisdictional complexity
Resource constraints
Issues (cont.)
CFAA limits private response
LE capabilities vs. private sector
Options few between criminal remedies and doing nothing
Authors call for balanced public/private approach
Benefits from oversight mechanism
Industry gets:
Standards
Defined liability
Marketing advantage from license
Benefits…
LE gets:
Cadre of trained professionals
“Ready made” cases
Better info about complex computer crime
Issues to be resolved
Under what authority? (Fed or State?)
Who should be covered?
Mandatory or permissive?
Required changes in the law
Possible model: 10 CFR 1046.1
Department of Energy Physical Protection of Security Interests
Required of all contractor employees at govt. owned facilities, whether or not privately run
Defines personnel
Defines knowledge, skills, abilities
Defines (re)training requirements
Closing thoughts…
How do we fill the gap between private first responders and LE/military?
How do we build victims’ trust so they involve LE?
How do we improve the evidence delivered to LE?
How do we empower private industry to act w/o breaking the law?