Active Response - PowerPoint PPT Presentation

1
Active Response
  • Sergio Caltagirone
  • Masters Thesis Defense
  • May 9, 2005
  • Major Professor Deb Frincke

2
A Little Background
  • Clifford Stoll v. German Hackers (1986)
  • C. Stoll, "Stalking the Wily Hacker,"
    Communications of the ACM, vol. 31, no. 5, May
    1988, pp. 484-497.
  • DoD v. Electronic Disturbance Theater (1998)
  • http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/
  • Conxion v. E-Hippies (2000)
  • http://www.nwfusion.com/research/2000/0529feat2.html
  • FBI v. Russian Hackers (2001) a.k.a. Invita
    Case
  • http://www.wired.com/news/politics/0,1283,47650,00.htm

3
Where We're At
4
Where We Want To Be
5
Why?
  • Response is not a choice
  • Insufficient Protection on Imperfect Systems
  • A Policy Is Necessary (even if not utilized)
  • Vulnerable Systems
  • Air Traffic Control
  • http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/
  • SCADA Systems
  • http://www.securityfocus.com/news/6767

6
Research Question
Since any action or inaction is a response, what
is an appropriate set of actions to take during a
security event in order to mitigate the threat
given the immense social and technical
considerations of response?
7
Research Goals
  • Framework for Discussion
  • Definition
  • Taxonomy
  • Summary of Challenges
  • ADAM
  • Response Model
  • Decision Model
  • Algorithm
  • Example
  • Evolutionary Implementation

8
Elements of a Definition
  • Time Bound
  • Before an attack is not active response, after an
    attack is forensics
  • Self-defense
  • Necessity/Imminence, Proportionality
  • Technologically Independent
  • Humans and Computers can respond
  • Purposeful
  • Not for retribution or revenge, but to return to
    a previous secure state

9
Definition of Active Response
  • Any action sequence deliberately performed by an
    individual or organization between the time an
    attack is detected and the time it is determined
    to be finished, in an automated or non-automated
    fashion, in order to mitigate the identified
    threat's negative effects upon a particular asset
    set.
  • Active does not modify response, but rather
    describes the state of the attack

10
Taxonomy of Actions
  • 8 Types
  • No Action
  • Internal Notification
  • Internal Response
  • External Cooperative Response
  • Non-cooperative Intelligence Gathering
  • Non-cooperative Cease and Desist
  • Counter-Strike
  • Preemptive Defense

11
No Action
  • Under attack, conscious decision to take no action

12
Internal Notification
  • Contact Administrators
  • Contact CTO, CEO, CISO
  • Contact Users

13
Internal Response
  • Write Firewall Rules (firewall signaling)
  • Block an IP, a range of IPs, or specific ports
  • Strategic Segmentation/Disconnection
  • NAT, change subnets, re-address, remove a port
  • Drop Connections
  • TCP: send a RST packet to client AND server
  • UDP: send ICMP unreachable (port, host, network)
  • Unreliable: an endpoint only honors a RST whose
    sequence number falls in its receive window, so
    the injected packet must arrive in sequence
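
The "must come in sequence" caveat worked through, as an added example that is not part of the thesis: from one sniffed client-to-server segment an in-line responder derives the RST to send to each endpoint, and a small model of the receiver shows when that RST is honored. The classic RFC 793 rule accepts any RST inside the receive window; RFC 5961 (published in 2010, after this defense) only resets on an exact match with RCV.NXT and answers an in-window but inexact RST with a challenge ACK. The addresses, sequence numbers and window sizes are constructed for the example.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    src: str     # sender, "ip:port"
    dst: str     # receiver, "ip:port"
    seq: int     # sequence number of the first byte carried
    ack: int     # next byte the sender expects from its peer
    length: int  # payload bytes
    flags: str   # e.g. "PA", "R"


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test for an empty segment: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_pair(observed):
    """From one sniffed client->server segment, build the RST for each endpoint.
    The server next expects observed.seq + observed.length; the client next expects observed.ack."""
    to_server = Segment(observed.src, observed.dst, (observed.seq + observed.length) % MOD, 0, 0, "R")
    to_client = Segment(observed.dst, observed.src, observed.ack, 0, 0, "R")
    return to_server, to_client


def rst_outcome(rst, rcv_nxt, rcv_wnd, rfc5961=False):
    """What the receiving endpoint does with an incoming RST:
    'reset' tears the connection down; 'challenge-ack' (RFC 5961 only) answers an
    in-window but inexact RST with an ACK and keeps the connection; 'dropped' ignores it."""
    if "R" not in rst.flags or not in_window(rst.seq, rcv_nxt, rcv_wnd):
        return "dropped"
    if rfc5961 and rst.seq != rcv_nxt:
        return "challenge-ack"
    return "reset"


# Constructed sample (hypothetical): a 100-byte client request seen by the responder.
OBSERVED = Segment("10.0.0.5:40000", "192.0.2.10:80", seq=1000, ack=5000, length=100, flags="PA")
SERVER_WND = CLIENT_WND = 65535


def demo():
    to_server, to_client = rst_pair(OBSERVED)
    return {
        # Both endpoints already processed the segment: each RST lands exactly on RCV.NXT.
        "server_793": rst_outcome(to_server, rcv_nxt=1100, rcv_wnd=SERVER_WND),
        "server_5961": rst_outcome(to_server, rcv_nxt=1100, rcv_wnd=SERVER_WND, rfc5961=True),
        "client_5961": rst_outcome(to_client, rcv_nxt=5000, rcv_wnd=CLIENT_WND, rfc5961=True),
        # Race: the RST overtakes the observed segment, so the server still expects 1000.
        "early_793": rst_outcome(to_server, rcv_nxt=1000, rcv_wnd=SERVER_WND),
        "early_5961": rst_outcome(to_server, rcv_nxt=1000, rcv_wnd=SERVER_WND, rfc5961=True),
        # A blind guess behind the window is ignored under both rules.
        "stale": rst_outcome(Segment(to_server.src, to_server.dst, 900, 0, 0, "R"), 1100, SERVER_WND),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two outcomes worth noting are `early_5961` (the responder's RST raced ahead of the segment it was derived from and only earns a challenge ACK) and `stale` (a RST that is not in sequence is silently dropped); both are why the slide calls the technique unreliable.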

14
External Cooperative Response
  • Contact CERT, FBI, Secret Service, Local Police,
    upstream ISPs
  • Dshield
  • Symantec

15
Non-Cooperative Intelligence Gathering
  • Direct attacker to honeynet/honeypot
  • Use tools to determine identity of attacker
  • Ping, finger, traceroute, loose source route
    (LSRR) packets

16
Non-Cooperative Cease and Desist
  • Use tools to disable harmful services without
    affecting usability
  • University scenario
  • Zombie Zapper by BindView

17
Counter-Strike
  • Active Counter-Strike (direct action)
  • Worm targeting only the attacker's IP, or one
    that traces back the attack and reports
  • Straight hack-back
  • Passive Counter-Strike (cyber aikido)
  • Footprinting Strike-Back (DNS)
  • Answer illegitimate name lookups (brute-force
    enumeration, e.g. of defense networks) with
    endless or bad data; answer illegitimate
    requests with SQL or bad data
  • Network Recon Strike-Back
  • Answer traceroute probes with spoofed ICMP Time
    Exceeded replies from random addresses, so the
    attacker maps whatever network we want

18
Preemptive Defense
  • Conxion vs. E-Hippies
  • Traffic Redirection
  • DoD vs. Electronic Disturbance Theater
  • Killer applet

19
Challenges of Active Response
  • Legal
  • Civil, Criminal, Domestic, International
  • Ethical
  • Teleological, Deontological
  • Technical
  • Traceback, Reliable IDS, Confidence Value, Real
    Time
  • Risk Analysis
  • Measure ethical, legal risk effectively?
  • Unintended Consequences
  • Attacker Action, Collateral Damage, Own Resources

20
Research Goals
  • Framework for Discussion
  • Definition
  • Taxonomy
  • Summary of Challenges
  • ADAM
  • Response Model
  • Decision Model
  • Algorithm
  • Example
  • Evolutionary Implementation

21
Goals of ADAM
  • Provide a generalizable, extendable model for any
    organization
  • Completely model the risk of the threat and of
    active defense (AD) actions
  • Find the appropriate active defense solution for
    the threat: maximize benefit, minimize risk
  • Allow for automation
  • Provide legal (and ethical) due diligence

22
Response Process Model
23
Decision Model
(figure) Components shown: Escalation Ladder, AR
Policy, Asset Evaluation, Action Evaluation,
Decision Set, Scoring Chart, Asset Identification,
Goal Identification, Threat Identification, Action
Identification, Utility Modifier, Risk
Identification, Success Ordering
24
Algorithm
  • A pragmatic and implementable description of the
    process and decision model
  • Illustrates the use of the decision model within
    the process of response

25
Solutions Provided by ADAM
  • Ethicalness
  • Incorporates Teleological and Deontological
    ethical concerns
  • Legal
  • No precedent; minimal force, proportional force,
    immediate threat
  • Unintended Consequences
  • Statistical measure of confidence in action
    performing as expected (if confidence values
    provided by IDS)
  • Risk Valuation
  • Provides statistical bounds for potential risk
    (if confidence values provided by IDS)

26
Research Goals
  • Framework for Discussion
  • Definition
  • Taxonomy
  • Summary of Challenges
  • ADAM
  • Response Model
  • Decision Model
  • Algorithm
  • Example
  • Evolutionary Implementation

27
Evolutionary Model
  • Competitive Co-Evolution
  • Genetic Algorithm
  • Uses biologically inspired operators
    (crossover, mutation, gene, chromosome,
    populations)
  • Searches for global maxima or minima of a
    fitness function
  • Fitness Function / Value
  • Two competing populations, co-evolving
  • Attackers / Defenders
  • Game Based
  • Fitness = risk assumed by defenders
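
A minimal competitive co-evolution in the shape this slide describes, as an added example that is not the thesis's own implementation: two populations of 8-position chromosomes (one action per position) are each other's fitness environment, defenders minimise the risk they assume and attackers maximise it, and a genetic algorithm with crossover, mutation, tournament selection and elitism breeds each generation. The action lists are a subset of the taxonomy above; the RISK matrix, population size, mutation rate and seed are constructed for illustration and carry no values from the thesis. The final `action_frequencies` output uses the layout of the result tables later in the deck.

```python
import random

# Subset of the thesis's action taxonomy used for this toy model.
DEFENSE = ["Null Action", "Contact Administrator", "Filter IP at firewall",
           "Send TCP RST Packet", "Ask ISP to Shut-off Attack", "Use Traceback"]
ATTACK = ["Null Action", "Spoof IP Address", "Port Scan the Server",
          "DoS the Server", "Poison DNS", "Hack Server, Change Records"]
POSITIONS = 8  # genes per chromosome: one action per attack/defense position

# Constructed risk matrix (hypothetical, not from the thesis): risk the defender
# assumes when attack row a meets defense column d at the same position.
RISK = [
    [0, 1, 1, 1, 2, 1],   # no attack: every response still costs something
    [2, 2, 1, 2, 1, 3],   # spoofed source: traceback is wasted effort
    [3, 2, 1, 2, 2, 2],   # port scan
    [8, 7, 3, 8, 1, 6],   # DoS: upstream shut-off is the effective answer
    [6, 5, 5, 6, 5, 2],   # DNS poisoning: identifying the source helps most
    [9, 6, 3, 2, 5, 4],   # live intrusion: RST and filtering cut it short
]


def defender_risk(defense, attack):
    """Risk assumed by one defender chromosome against one attacker chromosome."""
    return sum(RISK[a][d] for a, d in zip(attack, defense))


def fitness(pop, opponents, is_defender):
    """Defenders minimise mean risk over the opposing population; attackers maximise it."""
    scores = []
    for chrom in pop:
        if is_defender:
            scores.append(-sum(defender_risk(chrom, o) for o in opponents) / len(opponents))
        else:
            scores.append(sum(defender_risk(o, chrom) for o in opponents) / len(opponents))
    return scores


def crossover(rng, a, b):
    """One-point crossover of two chromosomes."""
    cut = rng.randrange(1, POSITIONS)
    return a[:cut] + b[cut:]


def mutate(rng, chrom, n_actions, rate=0.1):
    """Replace each gene with a random action with probability `rate`."""
    return [rng.randrange(n_actions) if rng.random() < rate else g for g in chrom]


def tournament(rng, scored, k=3):
    """Pick the fittest of k random (score, chromosome) pairs."""
    return max(rng.sample(scored, k), key=lambda t: t[0])[1]


def next_generation(rng, pop, scores, n_actions, elite=2):
    """Elitism plus tournament selection, crossover and mutation."""
    scored = sorted(zip(scores, pop), key=lambda t: t[0], reverse=True)
    new = [c for _, c in scored[:elite]]
    while len(new) < len(pop):
        child = crossover(rng, tournament(rng, scored), tournament(rng, scored))
        new.append(mutate(rng, child, n_actions))
    return new


def coevolve(generations=30, pop_size=20, seed=1):
    """Run the two-population game; each population is the other's fitness environment."""
    rng = random.Random(seed)
    defenders = [[rng.randrange(len(DEFENSE)) for _ in range(POSITIONS)] for _ in range(pop_size)]
    attackers = [[rng.randrange(len(ATTACK)) for _ in range(POSITIONS)] for _ in range(pop_size)]
    history = []  # (best defender score, best attacker score) per generation
    for _ in range(generations):
        d_scores = fitness(defenders, attackers, is_defender=True)
        a_scores = fitness(attackers, defenders, is_defender=False)
        history.append((max(d_scores), max(a_scores)))
        defenders = next_generation(rng, defenders, d_scores, len(DEFENSE))
        attackers = next_generation(rng, attackers, a_scores, len(ATTACK))
    return defenders, attackers, history


def action_frequencies(pop, names):
    """Share (out of 100) of the population choosing each action at each position,
    the layout of the thesis's result tables; columns sum to 100 when pop size divides 100."""
    counts = {name: [0] * POSITIONS for name in names}
    for chrom in pop:
        for pos, g in enumerate(chrom):
            counts[names[g]][pos] += 1
    return {n: [100 * c // len(pop) for c in cs] for n, cs in counts.items()}


if __name__ == "__main__":
    defenders, attackers, history = coevolve()
    print("best defender score per generation:", [round(d, 1) for d, _ in history])
    for name, row in action_frequencies(defenders, DEFENSE).items():
        print(f"{name:28s}", row)
```

Because the opposing population moves every generation, a defender's score is not monotonic the way it would be against a fixed opponent; that moving target is the point of the co-evolutionary setup, and it is why the fitness history rather than a single final score is what to inspect.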

28
Evolutionary Model
29
Evolutionary Model (Defender)
Share (out of 100) of the defender population
selecting each defense action at each of the 8
positions (each column sums to 100):

Defense Action                   Position:  0   1   2   3   4   5   6   7
Null Action                                58  58  57  48  57  53  50  52
Contact Administrator                       8   2   5   6   6  10   5   5
Contact Chief Technology Officer            3   2   2   6   9   5   7   9
Shutdown port at firewall                   0   0   0   0   0   0   0   0
Filter IP at firewall                       0   1   1   2   2   1   0   2
Shutdown Server                             0   0   0   0   0   0   0   0
Send TCP RST Packet                         3   4   6   5   6   5   7   5
Ask ISP to Shut-off Attack                  7  15   7  10   9   7  18  11
Contact FBI                                 4   2   5   4   1   5   3   7
Use Traceback                              17  16  17  19  10  14  10   9
Send Virus Against IP                       0   0   0   0   0   0   0   0
Initiate DoS Against IP                     0   0   0   0   0   0   0   0
Attempt to Hack Attacker                    0   0   0   0   0   0   0   0
30
Evolutionary Model (Attacker)
Share (out of 100) of the attacker population
selecting each attack action at each of the 8
positions (each column sums to 100):

Attack Action                    Position:  0   1   2   3   4   5   6   7
Null Action                                54  51  56  48  56  43  46  49
Spoof IP Address                           39  24  19   7   4   2   0   3
Port Scan the Server                        0   4   6   7   6   5   6   1
Ping the Server                             0   1   0   2   3   2   5   1
DoS the Server                              0   0   0   0   0   2   2   4
DDoS the Server w/ Zombies                  0   1   0   2   2   6   6   5
Poison DNS                                  7  12   8  17  10  12   8  11
Hack Server, Install Backdoor               0   1   2   2   1   7   4   3
Hack Server, Download Records               0   0   1   0   2   4   2   4
Hack Server, Change Records                 0   2   7   8  10  10  13  12
Send Virus Against Server                   0   4   1   7   6   7   8   7
31
(No Transcript)
32
(No Transcript)
33
Results of Evolutionary Model
  • Population fitnesses show that the model was
    correct w.r.t. evolutionary techniques
  • IT IS POSSIBLE!
  • Proof-of-concept that reasonable active response
    strategies can be developed using the rationale
    behind ADAM
  • Competitive Co-Evolution is a potential model for
    computer security relationships
  • First implementation applying concept to a
    computer security scenario

34
Conclusions / Contributions
  • The First Definition of Active Response
  • Taxonomy of Actions
  • Illustrates active response is more than
    strike-back methodology
  • Summary of Challenges
  • Ethical, Legal, Risk Analysis, Technical,
    Unintended Consequences
  • Response Process Model
  • Decision Model
  • Max Benefit, Min Risk, Incorporates Legal and
    Ethical concerns
  • Active Defense Algorithm
  • Implementable version of process and decision
    model
  • Evolutionary Active Response Model
  • Provides proof-of-concept

35
Future Work
  • Simulate and Validate Model (currently ongoing:
    medical, university and financial scenarios;
    with R. Blue)
  • Further define taxonomy
  • More work on applying evolutionary techniques
    (with R. Blue, S. Gotshall)
  • Clearly define legal risks (with A. Hubbard)
  • Generate More Discussion / Educate

36
Publications
  • Sergio Caltagirone, Deborah Frincke, "The
    Response Continuum," presented at 6th IEEE
    Information Assurance Workshop, West Point, NY,
    USA, June 2005.
  • Sergio Caltagirone, Deborah Frincke, "ADAM:
    Active Defense Algorithm and Model," in
    Aggressive Network Self-Defense, N.R. Wyler and
    G. Byrne, Eds. Rockland, MA, USA: Syngress
    Publishing, 2005, pp. 287-311.
  • Sergio Caltagirone, "Questions About Active
    Response," 4th Workshop on the Active Response
    Continuum to Cyber Attacks. George Mason
    University, Fairfax, VA, USA, March 2005.
  • Sergio Caltagirone, "Active Defense Decision and
    Escalation Model," 20th Annual Computer Security
    Applications Conference, Works In Progress.
    Tucson, AZ, USA, December 2004.
  • Sergio Caltagirone, "An Active Defense Decision
    Model," presented at the Agora Workshop,
    University of Seattle, Seattle, WA. December,
    2003.

37
Thank You
http://www.activeresponse.org