Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects...
Transcript of Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects...
![Page 1: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/1.jpg)
1
Smart Attacks require Smart DefenceMoving Target Defence
Prof. Dr. Gabi Dreo Rodosek
Executive Director of the Research Institute CODE
![Page 2: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/2.jpg)
2
Virtual, Connected, Smart World
What needs to be done to prevent them in the future?
Real World– Billions of connected
devices– 163 Zettabyte of data until
2025– Systems are getting
“smarter” (with AI)and autonomous
![Page 3: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/3.jpg)
3
Paradigm Shift
Smart Grid, Connected Car / Connected Plane, Financial Sector, e-Health, Industry 4.0, Military (connected) operations, ...
ICT is the key technology of the digital society!Cyber security is fundamental for digital society!
![Page 4: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/4.jpg)
4
ICT is developing with tremendeous speed
![Page 5: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/5.jpg)
5
targetedvictim
goal
novel
complex
Several attackvectors
Several vulnerabilities
adaptable
Backdoor, C&C
crafted
persistent
difficult todetect
immune
SmartAttack
Smart Attacks:Advanced Persistent Threats (APT)
![Page 6: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/6.jpg)
6
Attackers have natural advantage – “Static“ attack surface– Near-unlimited time for reconnaissance / preparation– Access to 0-day vulnerabilities– Attacker only needs to find a single vulnerable entry point– Adversaries have an asymmetric advantage in that they have the time to
study a system, identify its vulnerabilities, and choose the time and place of attack to gain the maximum benefit
Current State of Cyber Defence
![Page 7: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/7.jpg)
7
Attack Surface
Attack Surface
![Page 8: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/8.jpg)
8
Cyber Kill Chain
1. Reconnaissance: The attacker collects useful information about the target
2. Access: The attacker tries to connect or communicate with the target to identify its properties (versions, vulnerabilities, configurations, etc.)
3. Exploit Development: The attacker develops an exploit for a vulnerability in the system in order to gain a foothold or escalate his privilege
4. Attack Launch: The attacker delivers the exploit to the target. This can be through a network connection, using phishing-like attacks, or using a more sophisticated supply chain or gap jumping attack (e.g., infected USB drive)
5. Persistence: The attacker installs additional backdoors or access channels to keep his persistence access to the system
![Page 9: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/9.jpg)
9
Changing the Paradigm: – Aim to substantially increase the cost of attacks by deploying and operating
networks/systems to makes them less deterministic, less homogeneous, and less static
– Continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency
– Dynamically altered in ways that are manageable by the defender yet make the attack space appear unpredictable to the attacker
– Introduce asymmetric uncertainty that favors defender over attacker– Attackers do not have adequate time to find vulnerabilities / create exploits
Towards Moving Target Defence
![Page 10: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/10.jpg)
10
MTD Categories
Very diverse, specialized against specific attack vectors, yet mostly isolated
System-based MTD– Software-based
• Application, OS, Data – Hardware-based: processor, FPGA
Network-based MTD– MAC layer: changing MAC address– IP layer: IP randomization– TCP (Traffic) layer: changing network protocol– Session layer
![Page 11: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/11.jpg)
11
Software-based MTD
Goals Prevent unwanted modification, protect software against analysis
Types Dynamic Runtime Environment: Address Space Layout
Randomization (ASLR), Instruction Set Randomization Dynamic software: In-place code randomization, Compiler-based
Software DiversitySoftware Monoculture Software Diversity
![Page 12: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/12.jpg)
12
Network-based MTD
Network reconnaissance is the first step for attackers to collect network and host information and prepare for future targeted attacks
Goal: make the scanning results expire soon or give the attacker a different view of the target system– IP address randomization, Port randomization
![Page 13: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/13.jpg)
13
Threat Model
Data leakage attacks, e.g., steal crypto keys from memoryDenial of Service attacks, i.e., exhaust or manipulate
resources in the systems Injection attacks
– Code injection: buffer overflow, ROP, SQL injection– Control injection: return-oriented programming (ROP)
Spoofing attack, e.g., man-in-the-middleAuthentication exploitation: cross-cite scripting (XSS)Scanning, e.g., port scanning, IP scanning for targeted attackPhysical attack: malicious processor
![Page 14: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/14.jpg)
14
Dynamic Virtualized Network Topology
Virtual Host Farm> 10K Decoys
Protected HostHW/OS/VM Platform
Dynamically MutableVirtual Network
Attacker’sView at T1
Attacker’sView at T2
![Page 15: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/15.jpg)
15
Two Challenges in Network-based MTD
1. Service availability– Authenticated clients should always know the new IP address/port number – When the IP and port changes, the connection still maintained, minimizing
service downtime2. Service security
– Only the authenticated users can access the service– How to mitigate insider attacks?
3. Service Quality1. Meeting Service Level Agreements
![Page 16: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/16.jpg)
16
Three layer protection: Decoys in each layer
![Page 17: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/17.jpg)
17
Seamless TCP Connection Migration
Keep end-to-end transport connection alive through separating transport endpoint identification from network endpoint identification.
Three components– Connection virtualization– Connection translation– Connection migration
![Page 18: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/18.jpg)
18
Connection Virtualization
Internal address for applications– IP address and Ports– never changes for one connection
External address for communications– IP addresses and Ports– may change according to MTD requirements
A map to translate between Internal address and External address
![Page 19: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/19.jpg)
19
Connection Translation
At beginning, internal address = external addresses Server changes its IP address
![Page 20: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/20.jpg)
20
Network Migration
After the server changes its IP address and port, it will inform the client to update the internal-external address mapping
Migration Steps: protected by a shared secret key– Suspend a connection
• Keep connection alive– Resume a connection
• Update internal-external endpoints mappings• Server sends UPDATE packet• Client sends UPDATE_ACK packet
Both endpoints need to know the same internal address pair
![Page 21: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/21.jpg)
21
We need more flexibility on the network layer
HOW?
Software-Defined Networking (SDN)
![Page 22: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/22.jpg)
22
Software Defined Networking
Situation today: closed „boxes“
– Closed, vertically integrated– Many complex functions baked into infrastructure (OSPF, firewalls, NAT, ...)
Operating System
Specialized PacketForwarding Hardware
App
App
App
Closed boxRouting, management, access control,
VPNs, VLANs, monitoring, ....
Million of lines of source code
Billion of gates
thousands of RFCs
complex
![Page 23: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/23.jpg)
23
The idea: Separate “Control“ from „Switching“Serveral NetOS virtualized centralized Layer
Simple PacketForwarding Hardware
Simple PacketForwarding Hardware
Virtualization or “Slicing” Layer
App App App AppApp App
Simple PacketForwarding Hardware
Simple PacketForwarding Hardware
Simple PacketForwarding Hardware
Open interface to hardware (southbound)
NetOS 1 NetOS 2 NetOS 3 NetOS n
AppApp
![Page 24: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/24.jpg)
24
Logical Forwarding Plane as part of / view on Logical Network Plane
SDN Controller vs SDN Switch
Physical Plane
Packets traversing the network = Moving in logical + Physical Plane
![Page 25: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/25.jpg)
25
Port Obfuscation (MTD) with SDN Controller
![Page 26: Smart Attacks require Smart Defence8 Cyber Kill Chain 1. Reconnaissance: The attacker collects useful information about the target 2. Access: The attacker tries to connect or communicate](https://reader033.fdocuments.us/reader033/viewer/2022041801/5e5131a6e72e4f727f79bf88/html5/thumbnails/26.jpg)
26
A promising approach with several techniques and open questions– Definition of the attack surface and the possible transformations– Redundancy– Actuality
• What part (critical) should be changed at a specific time? What are the most important transformations at a time? What happend if a transformation is not successful?
– Functional equivalency– Cooperation between different MTD techniques– Integration with existing tools, like
Intrusion Detection / Prevention Tools, Firewalls, ...)
– ...
MTD: a Game Changer