LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed (presentation slides)



  1. LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed
  Lee M. Rossey, Jesse C. Rabek, Robert K. Cunningham, David J. Fried, Rich P. Lippmann, Marc A. Zissman
  RAID 2001, October 10, 2001
  This work was sponsored by the United States Air Force under contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
  RAID 2001 - 1, LMR 10/26/2001, MIT Lincoln Laboratory

  2. Overview
  • Introduction
    – Motivation
    – Background
    – Goals
  • LARIAT Description
  • Attacks and Scenarios
  • Deployments & Uses
  • Current Efforts
  • Summary

  3. Motivation
  • Provide an environment to develop new information assurance (IA) systems
  • Provide tools to assist evaluation and configuration of IA technologies
    – Intrusion detection systems
    – Firewall settings and proxies
    – Access control lists

  4. Background (timeline figure; labels recovered from the slide)
  • 1998: DARPA 1998 IDS Evaluations
  • 1999: DARPA 1999 IDS Evaluations
  • 2000: DARPA 2000 IDS Evaluations; DoD: LARIAT (real-time, deployable, full automation, attack scenario)
  • 2001: DoD: LARIAT and DARPA: CyberPanel (high throughput, large networks, attack scenarios, simulated traffic, Windows traffic)

  5. What does it do?
  (Figure: user groups and attackers; external users and internal users; real or emulated Internet; background traffic; external attacks and internal attacks against the enterprise network; network IDS and host IDS)
  • Emulates the network traffic from a small organization connected to the Internet

  6. Goals
  • Extend the previous work to provide additional capabilities
    – Deployable
    – Simple to use
    – Full automation
    – Real-time
    – High throughput
    – Attack scenarios

  7. Overview (outline repeated from slide 2; next section: LARIAT Description)

  8. Central Research Tasks
  • Background traffic for estimating IA tool false alarms
    – Realistic user models (administrators, secretaries, managers, developers)
    – Modernized traffic (MIME-encoded mail with attachments, ftp downloads from Internet sites)
    – Multiple configurable user groups (collections of users)
    – Windows traffic (in development)
    – New operating systems and services
  • Attacks for estimating IA tool detection rates
    – Collection of attack components
    – New components
    – Attack models using scenarios
    – Framework to automate and manage attacks

  9. LARIAT Test Flow (flowchart; stages in order)
  • Select Profile
    – select & edit traffic profile
    – select attacks & strike time
  • Network Discovery
    – verify accessibility of hosts and services
  • Initialize Network / Clean Up
    – reset user accounts
    – reinstate corrupted files
    – remove old traffic
    – remove pre-conditions
    – clear logs
    – archive traffic scripts
    – clear process table
  • Distribute Configurations
    – distribute profiles to hosts
  • Pre-conditions
    – set up network conditions required for the test (e.g. anonymous ftp)
    – generate traffic & attack scripts
    – schedule attack + traffic scripts
    – start loggers
  • Run Traffic
    – view progress in "real-time": attacks, IDS output
  • Verify / Score
    – examine attack logs
    – verify attack success
    – examine IDS output (future)
    – score IDS (future)

  10. LARIAT – Profile Selection (screenshot labels)
  • Select time interval
  • Select Background Traffic Profile
  • Select Attack profile

  11. LARIAT – User Models
  • Configure aggregate traffic generation times and amount of traffic
  • Specify time interval, traffic distribution, and amount of traffic to be generated for each user model (ftp, telnet, …)
  • Modify the service traffic distribution & rate

  12. User Groups
  (Figure: External User Group, ~60 hosts; Real or Emulated Internet, ~2600 sites; External Enterprise / DMZ; Internal Enterprise with Engineering User Group, ~30 hosts, Operations User Group, ~30 hosts, and HR User Group, ~50 hosts; background traffic between groups)
  • Groups interact using defined service models
    – http, https, smtp, ftp, telnet, ssh, icmp, irc, pop, imap, sql, finger
    – Active Directory, Exchange, file-sharing
    – Protocol interdependencies: arp, dns, nfs, direct-hosting (SMB over TCP), LDAP, …
  • Traffic volume scales from 0-100 Mbps

  13. Overview (outline repeated from slide 2; next section: Attacks and Scenarios)

  14. Attack Components
  (Table arranged by target platform: Solaris (sparc), Solaris (x86), Windows NT/2000, Linux. The per-platform columns are not recoverable from the extracted text; the attacks are listed here by category.)
  • Surveillance/Probing: IP Sweep, Nmap, Dig, Portsweep, Satan, Dsniff, Siphon
  • Denial of Service: Smurf, Mailbomb, Apache2, Syslogd, Streaming Zeros, Teardrop, UDP Storm, Neptune, Jolt2, Back, mStream, Process Table, Stream2, named-xfer
  • Remote to Local: Dictionary, Phf, Telnet2000, Xlock, Ftp-write, Guest, IIS Unicode, Xsnoop, Imap, lprNG, Sadmind, Named, Sendmail, Udirectory, guestbook
  • User to Superuser: Eject, SCM-Impersonation, catman, Perl, Imwheel, Ffbconfig, Xterm, Pamslam, Fdformat, Tmpwatch, Epcs2, Ps, Dump-exp, Man, dump
  • Tools on victim host: ssh trojan, Adore
  • Transport: Xfer, rwwwshell, netcat, cryptocat
  • 50 attacks against 9 operating systems
  • Need a way to manage, reuse and automate attack components

  15. Attack Component Description (XML)
  • Attack component
    – UID
    – Parameters: victim IPs, victim ports
    – Multiple variations: different skill levels, visibility, speed of execution
    – Scripts: attack, verify, cleanup
    – Preconditions: what does the attack require
  • Attack scenario: composed of attack components (…)
  • Benefits: 1. simplifies deployment; 2. component reuse
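The slide names the fields of a component description but not its markup. The following is an added example, not LARIAT's own code or schema: it assumes an XML layout for the fields listed on the slide (UID, parameters, variations by skill/visibility/speed, attack/verify/cleanup scripts, preconditions), parses a constructed description of an IIS Unicode component, binds launch parameters with defaults, and refuses a launch whose preconditions the knowledge base cannot confirm. Element and attribute names, script file names, host addresses and the knowledge-base layout are all assumptions.

```python
"""Parse an attack-component description and check its preconditions.

Added example, not LARIAT code. The XML schema (element and attribute
names), script names and knowledge-base layout are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: IIS Unicode is in the slide-14 attack list, but this
# markup, the script names and the precondition vocabulary are invented here.
SAMPLE_XML = """\
<attack-component uid="iis-unicode-traversal">
  <parameters>
    <param name="victim_ip" required="true"/>
    <param name="victim_port" default="80"/>
    <param name="attacker_ip" required="true"/>
  </parameters>
  <variations>
    <variation name="noisy" skill="novice" visibility="high" speed="fast"/>
    <variation name="stealthy" skill="expert" visibility="low" speed="slow"/>
  </variations>
  <preconditions>
    <requires host="victim_ip" service="http"/>
    <requires host="victim_ip" os="windows-2000"/>
  </preconditions>
  <scripts attack="iis_unicode_attack.sh" verify="iis_unicode_verify.sh"
           cleanup="iis_unicode_cleanup.sh"/>
</attack-component>
"""


@dataclass
class Component:
    uid: str
    params: dict         # name -> {"required": bool, "default": str | None}
    variations: dict     # variation name -> {"skill", "visibility", "speed"}
    preconditions: list  # each: {"host": <param name>, "service"|"os": value}
    scripts: dict        # "attack" / "verify" / "cleanup" -> script path


def parse_component(xml_text: str) -> Component:
    # Descriptions are trusted testbed configuration here; for untrusted XML
    # use defusedxml instead of the stdlib parser (entity-expansion attacks).
    root = ET.fromstring(xml_text)
    if root.tag != "attack-component":
        raise ValueError(f"unexpected root element {root.tag!r}")
    params = {
        p.get("name"): {"required": p.get("required", "false") == "true",
                        "default": p.get("default")}
        for p in root.iter("param")
    }
    variations = {
        v.get("name"): {k: v.get(k) for k in ("skill", "visibility", "speed")}
        for v in root.iter("variation")
    }
    preconditions = [dict(r.attrib) for r in root.iter("requires")]
    scripts_el = root.find("scripts")
    scripts = dict(scripts_el.attrib) if scripts_el is not None else {}
    for phase in ("attack", "verify", "cleanup"):   # all three are mandatory
        if phase not in scripts:
            raise ValueError(f"component {root.get('uid')} lacks a {phase} script")
    return Component(root.get("uid"), params, variations, preconditions, scripts)


def bind_parameters(comp: Component, values: dict) -> dict:
    """Fill defaults and reject a launch that omits a required parameter."""
    bound = {}
    for name, spec in comp.params.items():
        if name in values:
            bound[name] = values[name]
        elif spec["default"] is not None:
            bound[name] = spec["default"]
        elif spec["required"]:
            raise ValueError(f"missing required parameter {name!r}")
    return bound


def unmet_preconditions(comp: Component, bound: dict, kb: dict) -> list:
    """Return the preconditions the knowledge base cannot confirm.

    kb maps host address -> {"os": str, "services": set of service names},
    as network discovery would have recorded it (constructed layout)."""
    unmet = []
    for pre in comp.preconditions:
        facts = kb.get(bound.get(pre["host"]), {})
        ok = True
        if "service" in pre and pre["service"] not in facts.get("services", set()):
            ok = False
        if "os" in pre and facts.get("os") != pre["os"]:
            ok = False
        if not ok:
            unmet.append(pre)
    return unmet


# Constructed knowledge-base facts (addresses are invented).
KB = {
    "172.16.112.50": {"os": "windows-2000", "services": {"http", "ftp"}},
    "172.16.112.20": {"os": "linux", "services": {"smtp", "dns"}},
}


def launch_check(xml_text: str, values: dict, kb: dict = KB) -> tuple:
    """Return (component uid, bound parameters, list of unmet preconditions)."""
    comp = parse_component(xml_text)
    bound = bind_parameters(comp, values)
    return comp.uid, bound, unmet_preconditions(comp, bound, kb)
```

The precondition check is what makes the "remove pre-conditions" step of the test flow safe to automate: a component is only scheduled against a host whose discovered OS and services match, so a failed attack can be attributed to the exploit rather than to a mis-targeted launch.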

  16. Attacker Knowledge Base
  • Repository for runtime attack information
    – Attack parameters: launch time, source IP, target IP, user, …
    – Attack launch, execution and verification status
    – Acquired results for scenario
  • Simple API
    – Store and retrieve information
    – Coordinates attack components

  17. Attack Scenario Model (figure: components ordered in time)
  1. External Network Scan
  2. Identify IDS
  3. Blind IDS Agent
  4. Identify IIS Server
  5. Remote-to-User exploit
  6. Download User-to-SuperUser code
  7. User-to-SuperUser exploit
  8. Internal Network Scan
  • Edge types: Requires: Started; Requires: Completed; Until: Completed
  • Attack components don't start until requirements are satisfied
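The scenario model above and the knowledge base on slide 16 together describe a small dependency scheduler: a component is launched once its "Requires: Started" and "Requires: Completed" edges hold, and a component with an "Until: Completed" edge stops as soon as its target completes. The following is an added example, not LARIAT code: it uses the eight components from the slide, but the edges between them (the figure's arrows are not recoverable from the text), the durations, the tick-based simulation and the knowledge-base API are assumptions.

```python
"""Schedule an attack scenario from its dependency edges.

Added example, not LARIAT code. Component names follow slide 17; the edges,
durations and KnowledgeBase API are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    uid: str
    duration: int                                   # ticks until it completes on its own
    requires_started: list = field(default_factory=list)
    requires_completed: list = field(default_factory=list)
    until_completed: Optional[str] = None           # stop as soon as this uid completes


class KnowledgeBase:
    """Minimal store/retrieve API for runtime attack information."""

    def __init__(self):
        self._facts = {}

    def store(self, uid, key, value):
        self._facts.setdefault(uid, {})[key] = value

    def get(self, uid, key, default=None):
        return self._facts.get(uid, {}).get(key, default)

    def status(self, uid):
        return self.get(uid, "status", "pending")


# Constructed scenario: the numbering is the slide's, the edges are assumed.
SCENARIO = [
    Component("1-external-scan", 2),
    Component("2-identify-ids", 1, requires_completed=["1-external-scan"]),
    Component("3-blind-ids-agent", 100, requires_completed=["2-identify-ids"],
              until_completed="7-u2s-exploit"),
    Component("4-identify-iis", 1, requires_completed=["1-external-scan"]),
    Component("5-r2u-exploit", 2, requires_completed=["4-identify-iis"],
              requires_started=["3-blind-ids-agent"]),
    Component("6-download-u2s-code", 1, requires_completed=["5-r2u-exploit"]),
    Component("7-u2s-exploit", 2, requires_completed=["6-download-u2s-code"]),
    Component("8-internal-scan", 2, requires_completed=["7-u2s-exploit"]),
]


def validate(scenario):
    """Reject edges to unknown components and self-dependencies."""
    uids = {c.uid for c in scenario}
    for c in scenario:
        deps = c.requires_started + c.requires_completed
        deps += [c.until_completed] if c.until_completed else []
        for dep in deps:
            if dep not in uids:
                raise ValueError(f"{c.uid} references unknown component {dep!r}")
        if c.uid in c.requires_started or c.uid in c.requires_completed:
            raise ValueError(f"{c.uid} depends on itself")


def run_scenario(scenario, max_ticks=200):
    """Simulate the scenario; return {uid: (launch tick, end tick)}."""
    validate(scenario)
    kb = KnowledgeBase()
    for t in range(max_ticks):
        # 1. Components that ran for their full duration complete now.
        for c in scenario:
            if kb.status(c.uid) == "running" and t >= kb.get(c.uid, "launch") + c.duration:
                kb.store(c.uid, "status", "completed")
                kb.store(c.uid, "end", t)
        # 2. "Until" components stop in the same tick their target completes.
        for c in scenario:
            if (kb.status(c.uid) == "running" and c.until_completed
                    and kb.status(c.until_completed) == "completed"):
                kb.store(c.uid, "status", "completed")
                kb.store(c.uid, "end", t)
        # 3. Launch every pending component whose requirements hold at this tick
        #    (the list is computed before any launch, so two components cannot
        #    satisfy each other's "started" edge within one tick).
        ready = [c for c in scenario if kb.status(c.uid) == "pending"
                 and all(kb.status(d) in ("running", "completed") for d in c.requires_started)
                 and all(kb.status(d) == "completed" for d in c.requires_completed)]
        for c in ready:
            kb.store(c.uid, "status", "running")
            kb.store(c.uid, "launch", t)
        if all(kb.status(c.uid) == "completed" for c in scenario):
            return {c.uid: (kb.get(c.uid, "launch"), kb.get(c.uid, "end")) for c in scenario}
    stuck = [c.uid for c in scenario if kb.status(c.uid) != "completed"]
    raise RuntimeError(f"scenario did not finish; unsatisfied: {stuck}")
```

With these edges the blind-IDS agent launches before the remote-to-user exploit (its "started" edge) and ends in the same tick as the user-to-superuser exploit (its "until" edge); a scenario whose edges can never be satisfied, such as two components each requiring the other to complete, is reported instead of looping forever.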

  18. Network Data from IIS Server Attack
  (Figure labels, in the order the scenario on slide 17 implies: HTTP banner grabber; IIS UNICODE traversal; FTP client download payload; setup backdoor on web server; named pipe impersonation; Win2K server)
  • Network traffic recorded on the inside of the firewall

  19. Overview (outline repeated from slide 2; next section: Deployments & Uses)

  20. First Use Cases
  • MIT Lincoln Laboratory
    – Development laboratory
  • First remote installation
    – Standalone network configuration running attack scenarios
  • Second remote installation
    – Integrated into an existing network environment
