Network Security Today: Finding Complex Attacks at 100Gb/s
Robin Sommer, International Computer Science Institute & Lawrence Berkeley National Laboratory
robin@icsi.berkeley.edu, http://www.icir.org/robin
Informatik-Kolloquium, TU München, September 2012
Outline
Today's Threats.
Deep Packet Inspection at High Speed.
Collective Intelligence.
The Old Days ...
(Chart: Border Traffic, Lawrence Berkeley National Lab; connections per month, 1994-2008; total connections, successful connections, attempted connections; annotated with the worm outbreaks CodeRed, CodeRed2, Nimda, Slapper, Blaster, Welchia, Sobig.F, Sasser, Mydoom.O, Santy, Conficker.A and Conficker.B.)
Lawrence Berkeley National Lab today: 10GE upstream, 4,000 users, 12,000 hosts.
Data: Lawrence Berkeley National Lab.
Trend 1: Commercialization of Attacks
Attacks aimed at making a profit: selling (illegal) goods and services, exfiltrating information.
Thriving underground economy, empowered by a virtually endless supply of "bots".
Everything is on sale ("crime-as-a-service").
"Pay Per Install" Services
Crime Economics
Accelerated arms race. Bear race.
Innovative, fast moving attackers. If an attack pays, it's good enough.
Trend 2: Highly Targeted Attacks
High-skill / high-resource attacks. Targeting you. Extremely hard to defend against.
Typical instances: activist hacking; Advanced Persistent Threat (APT).
MANDIANT defines the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of
Source: MANDIANT.
Targeted Attacks: APTs
Exploitation life cycle:
Step 1: Reconnaissance.
Step 2: Initial intrusion into the network.
Step 3: Establish a backdoor into the network.
Step 4: Obtain user credentials.
Step 5: Install various utilities.
Step 6: Privilege escalation / lateral movement / data exfiltration.
Step 7: Maintain persistence.
APT malware communication: 100% of APT backdoors made only outbound connections; 83% used TCP port 80 or 443, 17% used another port. In no instance was any APT malware written or configured to listen for inbound connections.
Source: MANDIANT.
Challenges for Defenders
Varying threat models. No ring rules them all.
Volume and variability. Network traffic is an enormous haystack.
Semantic complexity. The action is really at the application layer.
Analyzing Semantics
(Diagram: Internet - Tap - Internal Network, with a Network IDS attached to the tap.)
Example: Finding downloads of known malware.
1. Find and parse all Web traffic.
2. Find and extract binaries.
3. Compute hash and compare with database.
4. Report, and potentially kill, if found.
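The four steps above, carried through as an added example in Python (not code from the talk or from Bro). It runs over a constructed, reassembled HTTP response whose 16-byte body stands in for a PE file, and checks it against a constructed blocklist of SHA-256 digests; it also refuses to hash a partially transferred body, since a digest of a truncated file would never match the database.

```python
import hashlib

# Constructed sample: one HTTP response as the IDS would reassemble it from
# the TCP stream. The body is a 16-byte stand-in for a PE file, not a real binary.
FAKE_PE_BODY = b"MZ\x90\x00" + b"\x00" * 12
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n\r\n" + FAKE_PE_BODY
)
# Constructed blocklist; a real deployment would load digests from a malware hash database.
KNOWN_BAD = {hashlib.sha256(FAKE_PE_BODY).hexdigest()}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE and ELF file headers

def parse_http_response(raw: bytes):
    """Step 1: split a reassembled response into status line, header dict and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return lines[0].decode("ascii", "replace"), headers, body

def looks_like_binary(body: bytes) -> bool:
    """Step 2: keep only bodies that carry an executable, decided by magic bytes
    rather than by Content-Type, which the server controls and may misstate."""
    return body.startswith(EXECUTABLE_MAGIC)

def check_download(raw: bytes, blocklist) -> dict:
    """Steps 3 and 4: hash a complete binary body, look it up, and report the verdict."""
    _status, headers, body = parse_http_response(raw)
    declared = int(headers.get("content-length", len(body)))
    if len(body) < declared:  # partial transfer: the hash of a truncated file is useless
        return {"complete": False, "binary": None, "sha256": None, "known_malware": False}
    body = body[:declared]
    if not looks_like_binary(body):
        return {"complete": True, "binary": False, "sha256": None, "known_malware": False}
    digest = hashlib.sha256(body).hexdigest()
    return {"complete": True, "binary": True, "sha256": digest,
            "known_malware": digest in blocklist}

if __name__ == "__main__":
    print(check_download(SAMPLE_RESPONSE, KNOWN_BAD))
```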
Deep Packet Inspection at High Speed
Back in 2005 ... / Today ...
(Chart: Munich Scientific Network, TBytes/month, total upstream bytes and incoming bytes; the 2005 slide covers 1997-2005 with the axis reaching 80 TBytes/month, the current slide covers 1996-2010 with the axis reaching 800 TBytes/month and marks Oct 2005.)
Munich Scientific Network today: 3 major universities, 2x10GE upstream, ~100,000 users, ~65,000 hosts.
Data: Leibniz-Rechenzentrum, München.
Traditional Gap: Research vs. Operations
Conceptually simple tasks can be hard in practice.
Academic research often neglects operational constraints.
Operations cannot leverage academic results.
We focus on working with operations: close collaborations with several large sites, extremely fruitful for both sides.
Research Platform: Bro
Originally developed by Vern Paxson in 1996.
Open-source, BSD-licensed, maintained at ICSI.
In operational use since the beginning.
Conceptually very different from other IDS.
http://www.bro-ids.org
Bro Script Example: Matching URLs
Task: Report all Web requests for files called "passwd".

    event http_request(c: connection,         # Connection.
                       method: string,        # HTTP method.
                       original_URI: string,  # Requested URL.
                       unescaped_URI: string, # Decoded URL.
                       version: string)       # HTTP version.
        {
        # A pattern compared with == must match the whole string, hence the leading .*
        if ( method == "GET" && unescaped_URI == /.*passwd/ )
            NOTICE(...);  # Alarm.
        }
"Who's Using It?"
Installations across the US: universities, research labs, supercomputer centers, industry.
Examples: Lawrence Berkeley National Lab, Indiana University, National Center for Supercomputing Applications, National Center for Atmospheric Research, ... and many more sites.
Recent user meetings: Bro Workshop 2011 at NCSA; Bro Exchange 2012 at NCAR. Each attended by about 50 operators from 30-35 organizations.
Fully integrated into Security Onion, a popular security-oriented Linux distribution.
Bro History
(Timeline 1995-2012, starting with: Vern writes 1st line of code.)