Title: Intrusion-Detection During Incident-Response, using a military battlefield-intelligence process

1. Intrusion-Detection During Incident-Response, using a military battlefield-intelligence process
- Jim Yuill, PhD Candidate
- Computer Science Dept.
- North Carolina State University
- (advisor: Dr. Annie Anton)
- 919-696-9523
- jimyuill_at_pobox.com
- http://www.pobox.com/jimyuill
- project: http://www4.ncsu.edu/jjyuill/SC/c-ipb.html

2. Sponsors
- Dr. Felix Wu, UC Davis
- Funded by DARPA/ISO as part of the Information Assurance and Survivability programs, under federal contract F30602-96-C-0325. Dr. Feming Gong, PI.
3. The problem: intrusion-detection during incident-response
- A compromised device is discovered
- Has the attacker compromised other devices on the network, in the past, present and future?
- Investigating devices for compromise is expensive.

4. The opportunity
- During an attack, the attacker reveals information about
  - his capabilities and intentions
  - network vulnerabilities

5. Very Similar to the Battlefield-Intelligence Problem
- Using bits and pieces of info about the enemy, figure out
  - his capabilities, intentions, and current disposition
  - his courses of action: possible, likely, most dangerous
- Understand the battlefield, from a tactical perspective

6. IPB: Intelligence Preparation of the Battlespace
- US Army and USMC's method for battlefield analysis
- A systematic and continuous process, for analyzing the threat and environment
- Designed to support the commander's planning and decision making
- Extensively documented in unclassified manuals, available on the Internet

7. Cyber IPB (C-IPB)
- An adaptation of IPB for network security
- Objective: Cyber-IPB seeks to locate
  - Likely Compromised Devices (LCDs)
- Means: build models of
  - the battlespace (network) and threat
- A systematic process for a complex problem
  - akin to design methods in software engineering
- For use by incident responders
  - especially apprentices to journeymen

8. Cyber IPB

9. Collaborators
- Paper published in Computer Networks, 10/2000
  - Elsevier Science: http://www.elsevier.com
- Military and Intelligence
  - USMC Master Gunnery Sgt. John Asbery, ret., former president of Marine Corps Intelligence Association
  - USMC Colonel G.I. Wilson
  - USMC Gunnery Sgt. Woody Biggs
  - Fred Feer, CIA, Army, and RAND intelligence, ret.
- Incident Response
  - Jim Settle, FBI computer-crime chief, ret.
  - Rick Forno, former Director of Security, Network Solutions
10. Preliminary step: establish C-IPB requirements
- C-IPB is a subordinate part of incident-response (IR)
  - ARNC: attack repair, neutralization, containment
- IR requirements for C-IPB
  - risk management
  - tactics

11. Defining the network battlespace
- Areas of Operations (AO)
- Areas of Interest (AOI)
- Areas of Influence
- Collection plan for intelligence-data
  - identify intelligence resources

12. Building a model of the battlespace
- Network provides opportunities and constraints for battle
- Standard network components
- Network topology
- Compromised devices and known vulnerabilities
- System administration
- Network users
- Tactical aspects of the topology

13. Tactical Aspects of the Topology, similar to IPB's Military Aspects of the Terrain
- Observation
- Opportunities for stealth
- Zones-of-attack
- Cover
- Network-path obstacles
- Mobility corridors
- Avenues of approach
- The attacker's capabilities for collecting intelligence
- Key network tactical-assets

14. Building a model of the threat
- Based on knowledge of what the attacker has done, determine
  - Capabilities
  - Personality traits
  - Intentions
- Working with multiple attackers

15. The attacker's capabilities
- Abilities
  - computer skill
  - attack skill
  - tenacity
  - discipline
- Method of operation
- Knowledge of the network
- Possessions (i.e., occupied territory)
- Exploitable vulnerabilities

16. Courses of Action (COAs)
- possible, likely, and most-dangerous
- Use knowledge of COAs to identify
  - Likely-Compromised-Devices

17. Principles for predicting COAs
- Simple predictions based on battlespace effects and the attacker's capabilities and intentions
- The Economics of Crime
  - the attacker's valuation of network assets
  - his costs for exploitation of vulnerabilities
  - his resources for attacks
- Opportunistic Attacks
  - due to the attacker's limited and unfolding knowledge, both of means and ends
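Slides 13 through 17 describe the two models C-IPB builds (the battlespace, with its mobility corridors and avenues of approach, and the threat, with the attacker's skill, resources, possessions and knowledge of the network) and the economics-of-crime principle for predicting courses of action. The script below is an added illustration of how those models can be combined to rank likely-compromised devices; it is not code from the paper, the project or the deck's author. The network, the vulnerabilities, the attacker profile, the numeric values and the scoring rule (payoff = asset value divided by cumulative exploitation cost, halved for devices the attacker has not yet observed, to reflect opportunistic attacks) are all assumptions of this example.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    skill_needed: int  # attack skill the exploit demands (1 = trivial .. 5 = expert)
    cost: int          # attacker's effort to exploit it (economics-of-crime "cost")


@dataclass
class Device:
    name: str
    value: int                                # attacker's valuation of the asset
    vulns: list = field(default_factory=list)
    links: set = field(default_factory=set)   # devices directly reachable from here (mobility corridors)


@dataclass
class Attacker:
    skill: int          # attack skill (capability)
    resources: int      # effort available for further attacks
    possessions: set    # devices already compromised (occupied territory)
    known: set          # devices the attacker has observed (knowledge of the network)


def build_battlespace():
    """Constructed toy network; an assumption of this example, not from the deck."""
    web = Device("web", 3, [Vulnerability("old-cms", 2, 2)], {"files"})
    files = Device("files", 6, [Vulnerability("weak-share-acl", 1, 1)], {"wkstn", "dc", "hrdb"})
    wkstn = Device("wkstn", 2, [Vulnerability("unpatched-browser", 3, 4)], {"dc"})
    dc = Device("dc", 10, [Vulnerability("stale-admin-cred", 3, 3)], set())
    hrdb = Device("hrdb", 8, [Vulnerability("custom-app-bug", 5, 1)], set())
    return {d.name: d for d in (web, files, wkstn, dc, hrdb)}


def build_threat():
    """Constructed attacker profile: the web host is the device found compromised."""
    return Attacker(skill=3, resources=5, possessions={"web"}, known={"web", "files"})


def cheapest_exploit(device, attacker):
    """Cost of the cheapest vulnerability this attacker is able to exploit, or None."""
    costs = [v.cost for v in device.vulns if v.skill_needed <= attacker.skill]
    return min(costs) if costs else None


def predict_coas(net, attacker):
    """Dijkstra from occupied territory along network links.  Each hop must be
    exploitable with the attacker's skill, and the cumulative effort of the
    path must fit within the attacker's resources.  Returns the possible,
    likely (ranked by payoff) and most-dangerous (highest asset value) LCDs."""
    dist = {p: 0 for p in attacker.possessions}
    heap = [(0, p) for p in attacker.possessions]
    heapq.heapify(heap)
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v in net[u].links:
            if v in attacker.possessions:
                continue
            c = cheapest_exploit(net[v], attacker)
            if c is None:  # beyond the attacker's capabilities
                continue
            nd = d + c
            if nd <= attacker.resources and nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    possible = {n: c for n, c in dist.items() if n not in attacker.possessions}

    def payoff(n):
        # Opportunistic attacks: unobserved devices must still be discovered.
        discount = 1.0 if n in attacker.known else 0.5
        return net[n].value / possible[n] * discount

    likely = sorted(possible, key=payoff, reverse=True)
    most_dangerous = max(possible, key=lambda n: net[n].value) if possible else None
    return {"possible": possible, "likely": likely, "most_dangerous": most_dangerous}


if __name__ == "__main__":
    result = predict_coas(build_battlespace(), build_threat())
    for label in ("possible", "likely", "most_dangerous"):
        print(label, result[label])
```

Run as a script it prints the three COA categories for the toy data: the file server is the likely next hop (high value, cheap to take), the domain controller is the most dangerous reachable device, and the HR database is excluded because its only vulnerability exceeds the modelled skill. The point of the structure, rather than the numbers, is that the responder's triage list falls out of the two models together, and revising either model (say, raising the attacker's skill after new evidence) re-ranks the devices to investigate.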
18. Cyber IPB

19. The Nature of C-IPB
- C-IPB is a continuous process
  - steps are performed roughly in order
- Revision and feedback are normal, due to
  - dynamic environment (an active threat)
  - C-IPB responders' continual increase in understanding
  - correction of erroneous info
  - uncertain and deceptive info
  - developing interdependent models: battlespace and threat

20. The Nature of C-IPB
- Uncertainty: an environmental constraint
  - speculative vs. deterministic analysis
- Clausewitz
  - in war everything is uncertain
- Ludwig von Mises (economist)
  - uncertainty of the future is already implied by the very notion of human action
- military combat and entrepreneurial ventures require wise speculation about future human behavior

21. The Nature of C-IPB
- The need for human judgement
- cyber battle is unpredictable, due to variation in
  - attackers, networks, resources-available
- C-IPB provides
  - a systematic and orderly process
  - useful principles and techniques
  - understanding of salient characteristics of battlespace and threat
- Ultimately, the C-IPB analyst must use his own judgement, insight and cunning

22. The Nature of C-IPB
- USMC text, Tactical Fundamentals:
"The tactics involved in warfare are not an exact science. When faced with a tactical problem on the battlefield, you ... cannot apply a set of rules or a mathematical formula to obtain the ideal solution ...

23. The Nature of C-IPB
... You must consider the principles of war and fundamentals of combat that apply to the situation ...
US Navy photo: https://infosec.navy.mil

24. The Nature of C-IPB
... If you fail to recognize and analyze all the influencing factors in an intelligent and orderly manner, you can bring disaster to your own forces."
USAF photo: http://web1.ssg.gunter.af.mil/support/default.htm
25. Cyber-IPB and the Intel Cycle

26. Cyber-IPB and the Intel Cycle

27. On-going Research
- Developing a model for the investigation process
- How do we manage all this data we're collecting?
- Testing Cyber-IPB on real incidents

28. Investigation for Cyber-IPB
- We're adopting a model of fact-investigation for judicial proof
  - military intelligence: concerned with the present and future
  - judicial proof: concerned with the past
- Investigation: an on-going process of hypothesis, inquiry, insight

29. Data Management for Cyber-IPB
- Lots of data collected, processed, managed
  - The state-of-the-art: pencil and paper!
- Requirements for a data management system
  - uncertainty poses big problems!
  - the organization of the data influences the effectiveness of the investigation

30. Data Management for Cyber-IPB
- Adopting techniques and theory from
  - legal investigation
  - military intelligence
  - database theory

31. Cross-Discipline Research

32. Overview
- Cyber-IPB: used to locate likely-compromised devices
  - paper: Intrusion-Detection During Incident-Response using a military battlefield-intelligence process
  - Computer Networks, 10/2000, http://www.elsevier.com
- Seeking collaboration
  - Have incident-response process, will travel!
  - Testing Cyber-IPB on actual incidents
  - Data-management system for incident-response