
Network Security Today: Finding Complex Attacks at 100Gb/s (Robin Sommer, PowerPoint presentation)

  1. Network Security Today: Finding Complex Attacks at 100Gb/s
     Robin Sommer
     International Computer Science Institute, & Lawrence Berkeley National Laboratory
     robin@icsi.berkeley.edu
     http://www.icir.org/robin
     TU München, September 2012
     Informatik-Kolloquium, TU München

  2-3. Outline
     Today’s Threats.
     Deep Packet Inspection at High Speed.
     Collective Intelligence.

  4-6. The Old Days ...
     [Chart: Border Traffic, Lawrence Berkeley National Lab. Today: 10GE upstream, 4,000 users, 12,000 hosts. Y axis: #connections/month, 0M to 1300M; X axis: 1994 to 2008. Series: total connections, successful connections, attempted connections. Worm outbreaks marked along the curve: CodeRed, CodeRed2, Nimda, Slapper, Blaster, Welchia, Sobig.F, Sasser, Mydoom.O, Santy, Conficker.A, Conficker.B. Data: Lawrence Berkeley National Lab.]

  7-8. Trend 1: Commercialization of Attacks
     Attacks aimed at making a profit.
     Selling (illegal) goods and services.
     Exfiltrating information.
     Thriving underground economy.
     Empowered by virtually endless supply of “bots”.
     Everything is on sale (“crime-as-a-service”).

  9-10. “Pay Per Install” Services
     [Image-only slides.]

  11-13. Crime Economics
     Accelerated arms race. Bear race.
     Innovative, fast moving attackers. If attack pays, it’s good enough.

  14-17. Trend 2: Highly Targeted Attacks
     High-skill / high-resource attacks.
     Targeting you.
     Extremely hard to defend against.
     Typical Instances
     Activist hacking.
     Advanced Persistent Threat (APT).
     “MANDIANT defines the APT as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of”
     Source: MANDIANT

  18-19. Targeted Attacks: APTs
     Exploitation life cycle
     Step 1: Reconnaissance
     Step 2: Initial Intrusion into the Network
     Step 3: Establish a Backdoor into the Network
     Step 4: Obtain User Credentials
     Step 5: Install Various Utilities
     Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
     Step 7: Maintain Persistence
     APT malware communication
     100% of APT backdoors made only outbound connections.
     83% used TCP port 80 or 443; 17% used another port.
     In no instance was any APT malware written or configured to listen for inbound connections.
     Source: MANDIANT

  20-23. Challenges for Defenders
     Varying threat models. No ring rules them all.
     Volume and variability. Network traffic is an enormous haystack.
     Semantic complexity. The action is really at the application-layer.

  24-26. Analyzing Semantics
     [Diagram: Internal Network connected to the Internet through a Tap that feeds a Network IDS.]
     Example: Finding downloads of known malware.
     1. Find and parse all Web traffic.
     2. Find and extract binaries.
     3. Compute hash and compare with database.
     4. Report, and potentially kill, if found.
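The four steps of the example above, carried through as an added worked example in Python (not code from the talk and not Bro's own implementation): it parses a constructed HTTP response, decides from both the Content-Type header and the file magic whether the body is an executable, computes its SHA-256 and looks the digest up in a constructed known-malware table. The sample binary, the hash table, the content-type list and the function names are all assumptions made for this example; a real deployment would take the reassembled HTTP stream from the IDS and the hashes from a threat-intelligence feed.

```python
import hashlib

# Constructed sample binary: a real PE file starts with the "MZ" magic; the
# rest here is filler so the example runs offline.
SAMPLE_BINARY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4

# Constructed known-malware database (SHA-256 -> label). It is seeded with
# the hash of the sample above so the match path is exercised; a deployment
# would load this from a threat-intelligence feed.
KNOWN_MALWARE = {
    hashlib.sha256(SAMPLE_BINARY).hexdigest(): "Constructed.Sample.A",
}

# Content types under which executables are commonly served (assumption).
BINARY_CONTENT_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
}


def build_http_response(body: bytes, content_type: str) -> bytes:
    """Construct a raw HTTP/1.1 response as it would appear on the wire."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_http_response(raw: bytes):
    """Step 1: split a raw response into (status line, headers, body).

    Returns None when the bytes do not look like an HTTP response."""
    if not raw.startswith(b"HTTP/"):
        return None
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None
    head = raw[:sep].decode("ascii", "replace")
    body = raw[sep + 4:]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[: int(length)]  # drop anything after the declared body
    return lines[0], headers, body


def extract_binary(headers: dict, body: bytes):
    """Step 2: return the body if it is an executable, else None.

    Checks the file magic as well as Content-Type, because the header is
    chosen by the server and a malicious one can label an EXE as text."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    is_pe = body.startswith(b"MZ")
    is_elf = body.startswith(b"\x7fELF")
    if ctype in BINARY_CONTENT_TYPES or is_pe or is_elf:
        return body
    return None


def check_download(raw_response: bytes):
    """Steps 3 and 4: hash the extracted binary and look it up.

    Returns (verdict, sha256-hex or None); verdict is "not-http",
    "no-binary", "clean" or "known-malware:<label>"."""
    parsed = parse_http_response(raw_response)
    if parsed is None:
        return "not-http", None
    _status, headers, body = parsed
    binary = extract_binary(headers, body)
    if binary is None:
        return "no-binary", None
    digest = hashlib.sha256(binary).hexdigest()
    label = KNOWN_MALWARE.get(digest)
    if label is not None:
        return f"known-malware:{label}", digest
    return "clean", digest


if __name__ == "__main__":
    samples = [
        ("EXE served as octet-stream",
         build_http_response(SAMPLE_BINARY, "application/octet-stream")),
        ("same EXE mislabelled as text/html",
         build_http_response(SAMPLE_BINARY, "text/html")),
        ("HTML page", build_http_response(b"<html>hello</html>", "text/html")),
        ("unknown EXE",
         build_http_response(b"MZ" + bytes(64), "application/octet-stream")),
    ]
    for desc, raw in samples:
        print(f"{desc}: {check_download(raw)[0]}")
```

The mislabelled case is the one worth noting: a server that serves an executable as text/html defeats a Content-Type-only check, so step 2 has to look at the bytes. The "kill" of step 4 is not modelled; in an IDS it would be a TCP reset or a firewall rule pushed by the notice, and the hash lookup here only produces the verdict that would trigger it.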

  27. Deep Packet Inspection at High Speed

  28-29. Back in 2005 ...
     [Chart: Munich Scientific Network. Today: 3 major universities, 2x10GE upstream, ~100,000 users, ~65,000 hosts. Y axis: TBytes/month, 0 to 80; X axis: 1997 to 2005. Series: total upstream bytes, incoming bytes. Data: Leibniz-Rechenzentrum, München.]

  30-31. Today ...
     [Chart: the same Munich Scientific Network data extended to 2010. Y axis: TBytes/month, 0 to 800; X axis: 1996 to 2010, with Oct 2005 marked. Series: total upstream bytes, incoming bytes. Data: Leibniz-Rechenzentrum, München.]

  32-34. Traditional Gap: Research vs. Operations
     Conceptually simple tasks can be hard in practice.
     Academic research often neglects operational constraints.
     Operations cannot leverage academic results.
     We focus on working with operations.
     Close collaborations with several large sites.
     Extremely fruitful for both sides.

  35-36. Research Platform: Bro
     Originally developed by Vern Paxson in 1996.
     Open-source, BSD-license, maintained at ICSI.
     In operational use since the beginning.
     Conceptually very different from other IDS.
     http://www.bro-ids.org

  37-38. Bro Script Example: Matching URLs
     Task: Report all Web requests for files called “passwd”.

     event http_request(c: connection,          # Connection.
                        method: string,         # HTTP method.
                        original_URI: string,   # Requested URL.
                        unescaped_URI: string,  # Decoded URL.
                        version: string)        # HTTP version.
         {
         if ( method == "GET" && unescaped_URI == /.*passwd/ )
             NOTICE(...);  # Alarm.
         }

  39. “Who’s Using It?”
     Installations across the US: universities, research labs, supercomputer centers, industry.
     Examples: Lawrence Berkeley National Lab; Indiana University; National Center for Supercomputing Applications; National Center for Atmospheric Research; ... and many more sites.
     Recent User Meetings: Bro Workshop 2011 at NCSA; Bro Exchange 2012 at NCAR. Each attended by about 50 operators from 30-35 organizations.
     Fully integrated into Security Onion, a popular security-oriented Linux distribution.

  40. Bro History
     [Timeline from 1995 to 2012, beginning with “Vern writes 1st line of code”.]
