Network Flow Analysis in
Information Security
Strategy
Timothy J. Shimeall, Ph.D.
Situational Awareness Team
January, 2015
© 2015 Carnegie Mellon University
Copyright 2014 Carnegie Mellon University
This material is based upon work funded and supported by FloCon cost recovery and the Department of Homeland
Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the
Software Engineering Institute, a federally funded research and development center sponsored by the
United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY
MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER
INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL.
CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT
TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
This material may be reproduced in its entirety, without modification, and freely distributed in written or
electronic form without requesting formal permission. Permission is required for any other use. Requests for
permission should be directed to the Software Engineering Institute at [email protected].
DM-0001942
Outline
Security strategies against malefactors
Analytics supporting
• Deception
• Frustration
• Resistance
• Recognition/Recovery
Recapitulation
Security Strategies
Author (with J. Spring) of an Information Security textbook built around security strategies:
• Deception
• Frustration
• Resistance
• Recognition/Recovery
This book is the primary reference for this presentation, although flow analysis is profiled only in the recognition/recovery section.
Analytics Supporting Deception
Make deceptive hosts act like production hosts
Traffic baselines (Jones/Whisnant 2012 tutorial)
Contact sets
• Build IP sets incoming/outgoing over time per interesting host
• Profile / graph
Contact patterns
• Identify interesting contact sequences
• Count over time per interesting host
Contact Set Generation
# SELECTION and THRESHOLD are the slide's placeholders: the rwfilter selection
# switches (dates, sensors, classes) and the record count that makes an internal
# host "active". Set them before running; they are not filled in here.
# tail -n +4 drops rwstats' two summary lines and its column header.
rwfilter $SELECTION --type=in,inweb \
    --dipset=my-net.set \
    --not-sipset=ignore.set --pass=stdout \
  | rwstats --fields=dip --values=records \
      --count=$THRESHOLD --top \
  | tail -n +4 | cut -f1 -d\| \
  | rwsetbuild - active.set

# One contact set per day for every active host. DAYS is a placeholder for the
# list of dates to cover; --start-date/--end-date realise the slide's
# selection($day).
for day in $DAYS; do
    rwfilter --start-date=$day --end-date=$day --type=out,outweb \
        --sipset=active.set \
        --not-dipset=ignore.set \
        --pass=stdout \
      | rwset --dip-file=stdout \
      | rwsetcat --integer-ips - >contact-$day.txt
done
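The same contact-set analytic worked in Python over constructed flow records, as an added example that is not the presentation's own code. It mirrors the pipeline above (active hosts by inbound record count, then a per-day set of external contacts for each active host) and goes one step further than the slide by comparing a host's contact sets day over day, which is the figure to match when a deceptive host has to look like a production host. The internal range, ignore set, thresholds and flow records are all assumptions made for the example.

```python
"""Contact-set generation and comparison over flow records: a Python rendering
of the rwfilter/rwstats/rwset pipeline on the slide above (added example, not
the presentation's own code). The flow records, my-net and ignore sets are
constructed for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (day, sip, dip, dport, records), where "records"
# stands in for the per-address record count rwstats would report.
FLOWS = [
    ("d1", "203.0.113.5", "192.0.2.10", 443, 120),
    ("d1", "203.0.113.7", "192.0.2.10", 80, 40),
    ("d1", "203.0.113.9", "192.0.2.20", 22, 3),      # too few records to be "active"
    ("d1", "192.0.2.10", "198.51.100.1", 53, 30),
    ("d1", "192.0.2.10", "198.51.100.2", 443, 10),
    ("d1", "192.0.2.10", "10.0.0.1", 25, 5),         # partner is in ignore.set
    ("d2", "203.0.113.5", "192.0.2.10", 443, 90),
    ("d2", "192.0.2.10", "198.51.100.1", 53, 28),
    ("d2", "192.0.2.10", "198.51.100.3", 443, 12),
    ("d2", "192.0.2.30", "198.51.100.1", 53, 1),     # host not in active.set
]
MY_NET = ip_network("192.0.2.0/24")   # stands in for my-net.set
IGNORE = {"10.0.0.1"}                 # stands in for ignore.set


def inside(ip):
    return ip_address(ip) in MY_NET


def active_hosts(flows, threshold):
    """active.set: internal hosts that received at least `threshold` inbound
    records from non-ignored external sources."""
    inbound = defaultdict(int)
    for _, sip, dip, _, n in flows:
        if inside(dip) and not inside(sip) and sip not in IGNORE:
            inbound[dip] += n
    return {h for h, n in inbound.items() if n >= threshold}


def contact_sets(flows, active):
    """contact-$day: for each day and active host, the external addresses it
    initiated traffic to, minus ignored partners."""
    sets = defaultdict(lambda: defaultdict(set))
    for day, sip, dip, _, _ in flows:
        if sip in active and not inside(dip) and dip not in IGNORE:
            sets[day][sip].add(dip)
    return sets


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def contact_stability(sets, host, days):
    """Day-over-day overlap of one host's contact set. Production hosts show a
    characteristic range; a decoy whose values fall outside it stands out, so
    this is the number to tune deceptive hosts against."""
    return [jaccard(sets[d1].get(host, set()), sets[d2].get(host, set()))
            for d1, d2 in zip(days, days[1:])]


if __name__ == "__main__":
    active = active_hosts(FLOWS, 10)
    sets = contact_sets(FLOWS, active)
    for host in sorted(active):
        print(host, contact_stability(sets, host, ["d1", "d2"]))
```

With the constructed records only 192.0.2.10 is active; its day-one and day-two contact sets share one of three addresses, so the day-over-day overlap is 1/3. Real deployments would read the contact-$day.txt files produced by the SiLK loop instead of an inline list.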
Analytics Supporting Frustration
Block initial intrusion into network
Attack surface estimation
• Extract common services accessed externally and provisioned
internally by the network
• Identify rate of service and commonly-accessing hosts
• Identify network blocks serving as communication partners
• Profile time-based patterns of activity
Vulnerability estimation
• Extract common services accessed externally and provisioned
internally
• Identify traffic signatures for relevant vulnerabilities on these
services
• Profile activity for hosts involved in traffic matching these signatures
Attack surface: http://www.cs.cmu.edu/~pratyus/as.html
Vulnerability estimation: Igor Kotenko and Mikhail Stepashkin. “Attack Graph Based Evaluation of Network Security”. 10th IFIP TC-6, TC-11 International Conference, CMS 2006. Heraklion, Crete, Greece. October 2006. pp. 216-227.
Attack Surface Estimation
# SELECTION, PARTITION, THRESHOLD1 and THRESHOLD2 are the slide's placeholders
# (selection switches, partitioning switches, and the two cut-offs).
# Step 1: keep inbound flows whose source port is above the destination port
# (the client-to-server side of a service), then list the most common
# destination port/protocol pairs. tail -n +3 keeps the rwstats column header,
# which --tuple-file expects as the first line of the tuple file.
rwfilter $SELECTION $PARTITION --type=in,inweb \
    --pass=stdout \
  | rwfilter stdin \
      --python-expr="rec.sport > rec.dport" \
      --pass=stdout \
  | rwstats --fields=dport,protocol \
      --values=records --top --count=$THRESHOLD1 \
  | tail -n +3 | cut -f1,2 -d\| >tmp-itpl.txt

# Step 2: count inbound flows to each internal address on those services and
# keep the addresses seen at least THRESHOLD2 times as the attack surface set.
rwfilter $SELECTION $PARTITION --type=in,inweb \
    --tuple-file=tmp-itpl.txt \
    --pass=stdout \
  | rwbag --dip-flows=tmp-in.bag
rwbagtool --mincount=$THRESHOLD2 tmp-in.bag \
    --coverset --output-path=surf-in.set
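The attack-surface estimate from the slide above, worked in Python over constructed inbound flow records as an added example (not the presentation's own code). It follows the two SiLK steps: select the client-to-server side with the slide's sport > dport test, rank destination port/protocol pairs by record count, then collect the internal addresses that serve those pairs at least THRESHOLD2 times. The record set, thresholds and the protocol numbers (6 = TCP, 17 = UDP) are assumptions made for the example.

```python
"""Attack-surface estimation over flow records: a Python rendering of the
rwfilter/rwstats/rwbag pipeline on the slide above (added example, not the
presentation's own code; the flow records are constructed)."""
from collections import Counter

# Constructed inbound flow records: (sip, sport, dip, dport, protocol).
INBOUND = [
    ("203.0.113.5", 51234, "192.0.2.10", 443, 6),
    ("203.0.113.6", 51235, "192.0.2.10", 443, 6),
    ("203.0.113.7", 51236, "192.0.2.10", 443, 6),
    ("203.0.113.5", 52000, "192.0.2.11", 443, 6),
    ("203.0.113.8", 53000, "192.0.2.11", 443, 6),
    ("203.0.113.9", 40000, "192.0.2.12", 22, 6),
    ("203.0.113.9", 40001, "192.0.2.12", 22, 6),
    ("203.0.113.9", 40002, "192.0.2.12", 22, 6),
    ("203.0.113.3", 33333, "192.0.2.13", 53, 17),
    ("198.51.100.1", 53, "192.0.2.13", 33445, 17),   # a reply to our resolver: sport < dport
    ("203.0.113.4", 1024, "192.0.2.14", 8080, 6),     # high-port service: also sport < dport
]


def client_to_server(flows):
    """The slide's rec.sport > rec.dport test: an ephemeral source port talking
    to a lower, well-known destination port. Caveat: a service on a high port
    (8080, 8443) fails the test and is missed, as the last constructed record shows."""
    return [f for f in flows if f[1] > f[3]]


def service_tuples(flows, threshold1):
    """The tmp-itpl.txt tuple file: the threshold1 most common
    (dport, protocol) pairs by record count on the client-to-server side."""
    counts = Counter((dport, proto) for _, _, _, dport, proto in client_to_server(flows))
    return [pair for pair, _ in counts.most_common(threshold1)]


def surface_set(flows, tuples, threshold2):
    """surf-in.set: internal addresses with at least threshold2 inbound flows on
    the common services (rwbag --dip-flows followed by rwbagtool --mincount)."""
    wanted = set(tuples)
    per_host = Counter(dip for _, _, dip, dport, proto in flows if (dport, proto) in wanted)
    return sorted(h for h, n in per_host.items() if n >= threshold2)


if __name__ == "__main__":
    common = service_tuples(INBOUND, 2)
    print("common services:", common)
    print("attack surface:", surface_set(INBOUND, common, 3))
```

On the constructed records the two most common services are 443/TCP and 22/TCP; with THRESHOLD2 = 3 the surface set is 192.0.2.10 and 192.0.2.12, and lowering it to 2 adds 192.0.2.11. The 8080/TCP host never appears, which is the caveat to keep in mind when a network runs services on non-standard ports: a second pass with a port list, rather than the sport > dport heuristic, catches them.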
Attack Surface: Existence Plots
(Figure slide: existence plots of applications, incoming and outgoing, and of external addresses, incoming and outgoing.)
Analytics Supporting Resistance
Support controls to prevent or slow propagation or escalation
Flow signatures (Jones/Shimeall, FloCon 2014)
• DNS responses without prior requests
• DNS responses from non-authoritative source
• Email or Web contacts to addresses associated with DNS source
Anomaly analysis
• Residuals on stripplot graphics
• Departures from normal volumes on
known services
Beacon detection
(Figure: DNS responses without requests, plotted by source)
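The three flow signatures and the beacon detector listed above, worked over a small constructed set of timestamped flows as an added example (not the presentation's own code). It flags UDP flows from an external port 53 that arrive with no outbound request on the same client port in the preceding few seconds, then lists internal hosts that later make mail or web contact with the address that sent such a response, and finally scores internal-to-external (source, destination, port) triples by how regular their inter-flow gaps are. The internal range, the matching window, the beacon thresholds and every flow record are assumptions made for the example; a real run would read SiLK output instead.

```python
"""Flow signatures from the slide above, worked over constructed flow records
(added example, not the presentation's own code): DNS responses with no prior
request, later mail/web contacts to the address that sent them, and a simple
beacon detector based on regular inter-flow gaps."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

MY_NET = ip_network("192.0.2.0/24")   # constructed internal range
# Constructed flows: (start_seconds, sip, sport, dip, dport, protocol)
FLOWS = [
    (100, "192.0.2.10", 40001, "198.51.100.53", 53, 17),   # DNS request
    (100, "198.51.100.53", 53, "192.0.2.10", 40001, 17),   # its response
    (200, "203.0.113.66", 53, "192.0.2.10", 40777, 17),    # response, no request
    (300, "192.0.2.10", 40002, "198.51.100.53", 53, 17),
    (301, "198.51.100.53", 53, "192.0.2.10", 40002, 17),
    # 192.0.2.20 reaches 203.0.113.66:443 every 600 s
    (1000, "192.0.2.20", 50000, "203.0.113.66", 443, 6),
    (1600, "192.0.2.20", 50001, "203.0.113.66", 443, 6),
    (2200, "192.0.2.20", 50002, "203.0.113.66", 443, 6),
    (2800, "192.0.2.20", 50003, "203.0.113.66", 443, 6),
    (3400, "192.0.2.20", 50004, "203.0.113.66", 443, 6),
    # ordinary browsing with irregular gaps
    (1000, "192.0.2.21", 50100, "198.51.100.80", 443, 6),
    (1030, "192.0.2.21", 50101, "198.51.100.80", 443, 6),
    (1900, "192.0.2.21", 50102, "198.51.100.80", 443, 6),
    (1905, "192.0.2.21", 50103, "198.51.100.80", 443, 6),
]


def inside(ip):
    return ip_address(ip) in MY_NET


def dns_responses_without_requests(flows, window=5):
    """UDP flows from an external port 53 into the network for which no request
    (same client port, same server) left the network in the preceding `window`
    seconds. Returns (time, server, client) triples."""
    requests = defaultdict(list)
    for t, sip, sport, dip, dport, proto in flows:
        if proto == 17 and dport == 53 and inside(sip):
            requests[(sip, sport, dip)].append(t)
    orphans = []
    for t, sip, sport, dip, dport, proto in flows:
        if proto == 17 and sport == 53 and inside(dip):
            seen = requests.get((dip, dport, sip), [])
            if not any(t - window <= rt <= t for rt in seen):
                orphans.append((t, sip, dip))
    return orphans


def contacts_to_dns_sources(flows, orphans, ports=(25, 80, 443)):
    """Internal hosts that talk mail or web to an address that sent an
    unsolicited DNS response: the third signature on the slide."""
    suspects = {server for _, server, _ in orphans}
    return sorted({(sip, dip, dport) for _, sip, _, dip, dport, _ in flows
                   if inside(sip) and dip in suspects and dport in ports})


def beacon_candidates(flows, min_flows=4, max_cv=0.1):
    """Internal->external (sip, dip, dport) triples whose gaps between flows are
    almost constant (coefficient of variation <= max_cv). Returns each triple
    with its mean period in seconds."""
    by_key = defaultdict(list)
    for t, sip, _, dip, dport, _ in flows:
        if inside(sip) and not inside(dip):
            by_key[(sip, dip, dport)].append(t)
    found = []
    for key, times in by_key.items():
        if len(times) < min_flows:
            continue
        ordered = sorted(times)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            found.append((key, round(period, 1)))
    return found


if __name__ == "__main__":
    orphans = dns_responses_without_requests(FLOWS)
    print("unsolicited DNS responses:", orphans)
    print("follow-on contacts:", contacts_to_dns_sources(FLOWS, orphans))
    print("beacons:", beacon_candidates(FLOWS))
```

On the constructed flows the only unsolicited response comes from 203.0.113.66 at t=200, and the same address is then contacted on 443/TCP by 192.0.2.20 at a fixed 600-second period, which the beacon scorer reports with a coefficient of variation of zero; the irregular browsing from 192.0.2.21 is not reported. Raising max_cv admits jittered beacons at the cost of more ordinary traffic, so the value is tuned per network against the baseline volumes the slide mentions.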
Analytics Supporting
Recognition/Recovery
Find malicious activity quickly, prioritize recovery efforts
(Covered well by many previous FloCon presentations)
Host monitoring
Service monitoring
Attack profiling
Beacon detection
Data exfiltration
Combined Analytics
Analytics may be shared across strategies
• Network profiling supports both deception and recognition/recovery
• Many recognition/recovery analytics may support frustration and
resistance
• Some analytics may support frustration (focused externally,
configuration) and resistance (focused internally, active hardening)
Analytics may support other analytics
• Network profiling supports attack surface estimation
• Attack surface estimation supports vulnerability estimation
• Service monitoring supports beacon and exfiltration recognition
Well-planned defense uses multiple strategies
Layered Defenses
(Figure: goals 1 through 8 surrounded by the strategy layers Deceive, Frustrate, Resist, Recognize and Recover. Source: Shawn Butler, Security Attribute Evaluation Method.)
Recapitulation
Network Flow Analysis has historically been associated with
either network engineering or incident response
Many other applications are productive
Analytics are not difficult, but need to be focused and tuned
New analytics are being formulated
Questions?
Tim Shimeall, Ph.D.
[email protected]
4500 Fifth Ave
Pittsburgh PA 15213