UNCLASSIFIED
Controlling Risk of Data Exfiltration in Cyber Networks Due to Stealthy Propagating Malware
Brian Thompson, James Morris-King, and Hasan Cam
MILCOM 2016
Motivation
• In 2015, Kaspersky Lab discovered malware (Duqu 2.0) that had been
hiding in its network for months, spying on new technologies being
developed at the lab
• Also in 2015, Bitdefender customers' data was leaked after an attack
that hijacked several servers in Amazon's Elastic Compute Cloud
• These and other recent cyber attacks demonstrate that even the best
contemporary security systems cannot prevent well-resourced
adversaries from infiltrating the computer networks of governments,
companies, and organizations
• Once inside a network, self-propagating malware can spread
throughout the network, causing damage, disrupting services, or
exfiltrating sensitive information
• Stealthy malware can remain undetected by using zero-day exploits
to spread and by hiding its malicious behavior within normal activity
UNCLASSIFIED
Controlling Data Exfiltration in Cyber Networks Due to Stealthy Malware
2
Defender Model
• An intrusion detection system (IDS) monitors activity on a computer or
network and raises an alert when suspected malicious activity occurs,
prompting human analysts to investigate and take defensive action as
deemed necessary
• Alternatively, an intrusion prevention system (IPS) takes automated
action to block or purge a potential intrusion when an alert fires
• We consider a defensive maneuver in which devices are taken offline
while an automated recovery or reset operation is performed, after which
they come back online clean of any malware
– A reset device can subsequently be reinfected
– Implementation depends on the context and type of device
• Due to service availability needs, monetary constraints, or other
operational requirements, there is often a limit to the number of devices
that can be resetting at any one time
Network Model
• Each node in the network communicates with other nodes, and also
uploads some information externally, e.g. to respond to user queries,
report sensor readings, or send an email
• The Attacker unleashes self-propagating malware, which spreads from
an infected node to a clean node when the two communicate
• Infected nodes additionally exfiltrate sensitive data at a rate
pre-determined by the Attacker
• Each node has a detector that generates alerts when the total outgoing
data rate is higher than expected, which prompts the recovery or reset
operation
• The Defender controls the detection sensitivity, which together with the
outgoing data rate determines the alert rate and therefore the reset rate
• Aside from their observed outgoing data rate (uploads + exfiltration),
the detector cannot distinguish between clean and infected nodes
Problem Statement
The Game:
• Attacker chooses the exfiltration rate, which is hard-coded into the
malware (and therefore the same for all infected nodes)
• Defender chooses the detection sensitivity, with the constraint that the
number of resetting nodes does not violate the operational requirement
• The higher the exfiltration rate, the faster data will be exfiltrated from
each infected node, but the easier it will be to detect them, resulting in
fewer infected nodes
Objective:
• Attacker: Maximize total rate of data exfiltration from all infected nodes
• Defender: Minimize total rate of data exfiltration from all infected nodes
Our goal:
• Establish bounds on the total rate of data exfiltration by an optimal
attacker, expressed in terms of network parameters
Related Work
• Kephart & White (1991) apply compartmental (SIR-type) models from
epidemiology to study malware spread
• Okhravi and Nicol (2008) evaluate the tradeoff between the time spent
on pre-deployment testing and the timely deployment of patches for
software vulnerabilities
• Khouzani et al. (2012) explore how to allocate resources to prevent
malware spread in mobile wireless networks
• Eshghi et al. (2016) propose patching strategies for countering
propagating malware in both a replicative context (patches can be
transmitted by other patched devices) and a non-replicative context
(patches are only disseminated by designated sources)
• These approaches rely on patching known vulnerabilities or on knowing
which nodes are infected, so they are not applicable to stealthy attacks
• Proactive defense mechanisms have also been proposed, but typically
for a single system rather than a coordinated effort over networked
devices, thus are not sensitive to the needs of the network as a whole
Our Approach
• We take a mean-field approach, using a compartmental Markov model
to describe the fraction of nodes in each possible state (Clean, Infected,
or Resetting) and the transition rates between them, which are captured
by a set of differential equations:

$$\frac{d\pi_C(t)}{dt} = \alpha\,\pi_R(t) - \big(\beta(t) + \rho_C\big)\,\pi_C(t)$$

$$\frac{d\pi_I(t)}{dt} = \beta(t)\,\pi_C(t) - \rho_I\,\pi_I(t)$$

$$\frac{d\pi_R(t)}{dt} = \rho_C\,\pi_C(t) + \rho_I\,\pi_I(t) - \alpha\,\pi_R(t)$$

Model parameter   Description
$\alpha$          activation rate for each node
$\beta(t)$        infection rate for each clean node at time $t$
$\rho_C$          reset rate for each clean node
$\rho_I$          reset rate for each infected node
$\pi_C(t)$        fraction of nodes that are Clean at time $t$
$\pi_I(t)$        fraction of nodes that are Infected at time $t$
$\pi_R(t)$        fraction of nodes that are Resetting at time $t$
Theoretical Analysis
• We express the transition rates in terms of several network parameters:

$$\alpha = \frac{1}{r}, \qquad
\beta(t) = \lambda \cdot \frac{\pi_I(t)}{\pi_C(t) + \pi_I(t)}, \qquad
\rho_C = \sigma \cdot \upsilon, \qquad
\rho_I = \sigma \cdot (\upsilon + \xi)$$

Param        Description
$r$          time to perform the reset operation
$\lambda$    communication rate for each node
$\sigma$     detection sensitivity
$\upsilon$   normal upload rate for each node
$\xi$        exfiltration rate for each infected node
$\theta$     operational threshold for the network

• Solving $\frac{d\pi_C(t)}{dt} = \frac{d\pi_I(t)}{dt} = \frac{d\pi_R(t)}{dt} = 0$
together with $\pi_C(t) + \pi_I(t) + \pi_R(t) = 1$ yields the equilibrium
distribution $(\pi_C, \pi_I, \pi_R)$ over node states:

$$\pi_C = \frac{\sigma(\upsilon+\xi)}{\lambda + r\sigma(\upsilon+\xi)(\lambda-\sigma\xi)}$$

$$\pi_I = \frac{\lambda - \sigma(\upsilon+\xi)}{\lambda + r\sigma(\upsilon+\xi)(\lambda-\sigma\xi)}$$

$$\pi_R = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon+\xi)(\lambda-\sigma\xi)}$$

(This is the endemic equilibrium, which requires $\lambda > \sigma(\upsilon+\xi)$;
once the sensitivity reaches $\sigma \ge \lambda/(\upsilon+\xi)$ the numerator
of $\pi_I$ is no longer positive, i.e. the malware is purged.)
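To see that the mean-field model actually settles where the closed-form equilibrium says it does, here is an added example (editor's code, not from the slides or the paper): it integrates the three ODEs of the Our Approach slide with the transition rates defined above using a fourth-order Runge-Kutta step, and compares the settled state with the closed-form $(\pi_C, \pi_I, \pi_R)$. The parameter values $r, \lambda, \sigma, \upsilon, \xi$ are constructed for illustration and are not taken from the paper.

```python
"""Numerically integrate the Clean/Infected/Resetting mean-field model and
check that it settles at the closed-form equilibrium.

Added example, not code from the MILCOM 2016 slides.  The parameter values
in PARAMS are constructed for illustration and are not from the paper.
"""


def rates(r, lam, sigma, upsilon, xi):
    """Transition rates in terms of the network parameters."""
    alpha = 1.0 / r                    # reset completes after r time units
    rho_c = sigma * upsilon            # alert/reset rate of a clean node
    rho_i = sigma * (upsilon + xi)     # infected nodes also exfiltrate at rate xi
    return alpha, rho_c, rho_i


def derivatives(state, r, lam, sigma, upsilon, xi):
    """Right-hand side of the three ODEs for (pi_C, pi_I, pi_R)."""
    pc, pi, pr = state
    alpha, rho_c, rho_i = rates(r, lam, sigma, upsilon, xi)
    online = pc + pi
    # A clean node is infected when the peer it talks to is an infected
    # online node, hence the fraction pi_I / (pi_C + pi_I).
    beta = lam * pi / online if online > 0.0 else 0.0
    d_pc = alpha * pr - (beta + rho_c) * pc
    d_pi = beta * pc - rho_i * pi
    d_pr = rho_c * pc + rho_i * pi - alpha * pr
    return d_pc, d_pi, d_pr


def rk4_step(state, dt, *params):
    """One classical Runge-Kutta step; the three fractions keep summing to 1
    because the three right-hand sides sum to zero."""
    def scaled(k, h):
        return tuple(s + h * ki for s, ki in zip(state, k))
    k1 = derivatives(state, *params)
    k2 = derivatives(scaled(k1, dt / 2), *params)
    k3 = derivatives(scaled(k2, dt / 2), *params)
    k4 = derivatives(scaled(k3, dt), *params)
    return tuple(s + dt / 6 * (a + 2 * b + 2 * c + d)
                 for s, a, b, c, d in zip(state, k1, k2, k3, k4))


def simulate(r, lam, sigma, upsilon, xi, pi0=0.01, t_end=200.0, dt=0.05):
    """Start almost fully clean with a small seed infection, run to t_end,
    and return the final (pi_C, pi_I, pi_R)."""
    state = (1.0 - pi0, pi0, 0.0)
    params = (r, lam, sigma, upsilon, xi)
    for _ in range(int(t_end / dt)):
        state = rk4_step(state, dt, *params)
    return state


def equilibrium(r, lam, sigma, upsilon, xi):
    """Closed-form stationary distribution; valid while
    lam > sigma * (upsilon + xi), otherwise the malware dies out."""
    denom = lam + r * sigma * (upsilon + xi) * (lam - sigma * xi)
    pc = sigma * (upsilon + xi) / denom
    pi = (lam - sigma * (upsilon + xi)) / denom
    pr = 1.0 - lam / denom
    return pc, pi, pr


# Constructed parameters (assumption, not from the paper): a reset takes
# 2 time units, one contact per unit, upload rate 1, exfiltration at half
# the normal upload rate, detection sensitivity 0.3.
PARAMS = dict(r=2.0, lam=1.0, sigma=0.3, upsilon=1.0, xi=0.5)

if __name__ == "__main__":
    sim = simulate(**PARAMS)
    eq = equilibrium(**PARAMS)
    for name, s, e in zip(("pi_C", "pi_I", "pi_R"), sim, eq):
        print(f"{name}: simulated {s:.4f}  closed-form {e:.4f}")
```

Because the right-hand sides vanish exactly at the equilibrium, the RK4 iteration has the same fixed point as the ODE, so once the trajectory has converged the agreement is limited only by floating-point rounding; with these parameters the disease-free state is unstable ($\lambda > \sigma(\upsilon+\xi)$), so the seed infection grows to the endemic level.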
Theoretical Analysis
• The optimal detection sensitivity for the Defender is the maximum value
of $\sigma$ that respects the operational threshold, i.e. that keeps the
resetting fraction at the allowed maximum $1-\theta$; it solves

$$\pi_R(\sigma) = 1 - \frac{\lambda}{\lambda + r\sigma(\upsilon+\xi)(\lambda-\sigma\xi)} = 1 - \theta$$

which gives

$$\sigma = \frac{\lambda}{2\xi}\cdot\left(1 - \sqrt{1 - \frac{4\xi(1-\theta)}{r\lambda\theta(\upsilon+\xi)}}\right)$$

(the smaller root of the quadratic: $\pi_R(\sigma)$ increases with $\sigma$
up to $\sigma = \lambda/(2\xi)$, so this is the first sensitivity at which the
threshold is reached)
• The Attacker wants to maximize the total data exfiltration rate:

$$\max_{\xi} f(\xi) \qquad \text{where} \qquad f(\xi) = \xi\cdot\pi_I(\xi)$$

with $\pi_I$ evaluated at the Defender's best-response sensitivity
$\sigma(\xi)$ above, which occurs when

$$\xi = \upsilon\cdot\frac{1 - \sqrt{\frac{1-\theta}{r\lambda\theta}}}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$

yielding a total data exfiltration rate of

$$f(\xi) = \upsilon\cdot\theta\cdot\frac{\left(1 - \sqrt{\frac{1-\theta}{r\lambda\theta}}\right)^2}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$
Results
• Examining the boundary cases, we find that:
– If $\frac{1-\theta}{r\lambda\theta} \ge \frac{4}{9}$, the Defender will purge the malware from the network,
regardless of the data exfiltration rate
– If $\frac{1-\theta}{r\lambda\theta} \le \frac{1}{4}$, the Defender cannot keep up with the spread of the
malware, so the Attacker can exfiltrate data at an arbitrarily high rate
without being purged from the network
– For $\frac{1}{4} \le \frac{1-\theta}{r\lambda\theta} \le \frac{4}{9}$, the optimal total rate of data exfiltration that the
Attacker can achieve is

$$f(\xi) = \upsilon\cdot\theta\cdot\frac{\left(1 - \sqrt{\frac{1-\theta}{r\lambda\theta}}\right)^2}{2\sqrt{\frac{1-\theta}{r\lambda\theta}} - 1}$$
• Note that these are dependent on 𝑟 (reset time), 𝜆 (communication rate),
𝜐 (normal upload rate), and 𝜃 (operational threshold)
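The Defender's best-response sensitivity, the Attacker's objective $f(\xi)$ and the closed-form optimum on the two preceding slides can be checked against each other numerically. The following is an added example (editor's code, not from the slides or the paper): it implements $\sigma(\xi)$, $f(\xi) = \xi\,\pi_I(\xi)$ and the closed forms for $\xi^*$ and $f(\xi^*)$, then grid-searches $f$ over $\xi$ to confirm the closed form, and evaluates the $\frac{1-\theta}{r\lambda\theta} \le \frac{1}{4}$ regime where $f$ grows without bound. The scenario values are constructed for illustration, and treating "no $\sigma$ reaches the threshold" as a purge (zero exfiltration) is the editor's reading of the model, not a statement made on the slides.

```python
"""Defender/Attacker best responses from the closed-form equilibrium, with a
brute-force check of the Attacker's optimum.

Added example, not code from the MILCOM 2016 slides.  SCENARIO is a
constructed set of parameters; returning zero exfiltration when no
sensitivity reaches the threshold is the editor's interpretation.
"""
from math import sqrt


def pressure(r, lam, theta):
    """The combination (1 - theta) / (r * lam * theta) that the results
    depend on."""
    return (1.0 - theta) / (r * lam * theta)


def defender_sigma(r, lam, upsilon, xi, theta):
    """Largest sensitivity keeping the resetting fraction at 1 - theta
    (smaller root of the quadratic).  Returns None when the discriminant is
    negative, i.e. no sigma reaches the threshold and the Defender is free
    to reset aggressively enough to purge."""
    disc = 1.0 - 4.0 * xi * pressure(r, lam, theta) / (upsilon + xi)
    if disc < 0.0:
        return None
    return lam / (2.0 * xi) * (1.0 - sqrt(disc))


def infected_fraction(r, lam, sigma, upsilon, xi):
    """Equilibrium pi_I, clamped at 0 once lam <= sigma * (upsilon + xi)."""
    denom = lam + r * sigma * (upsilon + xi) * (lam - sigma * xi)
    return max(0.0, (lam - sigma * (upsilon + xi)) / denom)


def exfil_rate(r, lam, upsilon, xi, theta):
    """f(xi) = xi * pi_I(xi) under the Defender's best-response sigma."""
    sigma = defender_sigma(r, lam, upsilon, xi, theta)
    if sigma is None:
        return 0.0   # editor's assumption: Defender can purge, nothing leaks
    return xi * infected_fraction(r, lam, sigma, upsilon, xi)


def optimal_xi(r, lam, upsilon, theta):
    """Closed-form Attacker optimum; finite only when pressure > 1/4."""
    s = sqrt(pressure(r, lam, theta))
    return upsilon * (1.0 - s) / (2.0 * s - 1.0)


def optimal_exfil(r, lam, upsilon, theta):
    """Closed-form maximal total exfiltration rate f(xi*)."""
    s = sqrt(pressure(r, lam, theta))
    return upsilon * theta * (1.0 - s) ** 2 / (2.0 * s - 1.0)


def brute_force(r, lam, upsilon, theta, xi_max=6.0, steps=6000):
    """Grid-search f(xi) on (0, xi_max] to confirm the closed form;
    returns the best (xi, f) pair found."""
    best = (0.0, 0.0)
    for i in range(1, steps + 1):
        xi = xi_max * i / steps
        f = exfil_rate(r, lam, upsilon, xi, theta)
        if f > best[1]:
            best = (xi, f)
    return best


# Constructed scenario (assumption, not from the paper): a reset takes one
# time unit, one contact per unit, upload rate 1, and at least 75% of nodes
# must stay online (theta = 0.75), so pressure = 1/3, inside (1/4, 4/9).
SCENARIO = dict(r=1.0, lam=1.0, upsilon=1.0, theta=0.75)

if __name__ == "__main__":
    print("closed form :", optimal_xi(**SCENARIO), optimal_exfil(**SCENARIO))
    print("grid search :", brute_force(**SCENARIO))
```

With $\frac{1-\theta}{r\lambda\theta} = \frac{1}{3}$ the closed form gives $\xi^* = (1+\sqrt{3})\,\upsilon$ and $f(\xi^*) = \frac{\sqrt{3}}{2}\,\upsilon$, and the grid search lands on the same point. Pushing $\theta$ so that the pressure drops to $0.2 \le \frac{1}{4}$ makes $f(\xi)$ keep growing with $\xi$, which is the "Defender cannot keep up" case; at a pressure of exactly $\frac{4}{9}$ the closed form returns $\xi^* = \upsilon$, i.e. the Attacker's optimal exfiltration rate equals the normal upload rate at the boundary quoted above.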
Conclusions
• Our model represents a worst-case scenario, where:
– Malware spreads instantaneously every time that an infected node
communicates with a clean node
– Any node can communicate with any other node
– Detectors cannot distinguish between clean and infected nodes
• Without modifying normal network behavior (node communication and
upload rate) or knowing anything about the Attacker’s strategy, the
Defender can control the maximum total rate of data exfiltration by:
– reducing the time required to perform the reset or recovery operation
– reducing the operational threshold, e.g. by acquiring additional nodes
• Our results allow cybersecurity decision-makers to
– assess the maximal risk to their network
– estimate the benefit of investing additional resources in
improving the robustness of their network
Questions?
Brian Thompson
[email protected]