Title: Engaging the Adversary as a Viable Response to Network Intrusion
Engaging the Adversary as a Viable Response to Network Intrusion
- Sylvain P. Leblanc, G. Scott Knight
- Workshop on Cyber Infrastructure and Emergency Preparedness
"We're going to hold onto him by the nose, and we're going to kick him in the ass."
General George S. Patton, England, May 31, 1944
1 - Introduction
The standard response predicated on Protect, Detect and React is no longer sufficient.
It is important to gain information about those who threaten the infrastructure.
Outline
- Information Operations
- Honeypots
- Honeypots as IO Counter-measures Tools
- Conclusion
2 - Information Operations (IO)
- IO are defined as actions taken in support of political and military objectives which influence decision makers by affecting others' information while exploiting, or fully utilizing, one's own information.
Offensive IO
Actions taken to influence adversary decision-makers, with the aim of preventing adversary decision-making processes from achieving their desired result.
Defensive IO
Actions taken to protect one's own information, so that friendly decision-makers can have timely access to necessary, relevant, and accurate information.
- Protection
- Defensive Counter-Information Operations (IO Counter-measures)
- Offensive Counter-Information Operations
Signals Intelligence (SigInt)
- Intelligence derived from electromagnetic communications and communications systems, by other than the intended recipients or users.
Computer Network Operations (CNO)
- CNO represent all aspects of computer-related operations, but they have three specific components:
  - Defence (CND)
  - Attack (CNA)
  - Exploitation (CNE)
Network-based IO Counter-measures Response to Attack
Within the context of CNE and CNE operations, the protection of the cyber infrastructure could be enhanced by developing an effective network-based IO counter-measures response to attacks.
Operational Objectives
- Holding Contact with the Adversary
- Understanding the Adversary
  - Who is attacking?
  - What are they capable of?
  - What are their current mission and objectives?
  - What is the context of the current attack?
- Preparing the Adversary
Network-based IO Counter-measures Principles of Operations
- Operational Objectives for Active Response
- Combined Operations
- Repeatable Operations
- Risk Management
Risk Management
- Access risks
  - Damage or alter information
  - Exfiltrate more sensitive information than expected
  - Push attack to other systems
  - Mount IO counter-counter-measure
- Denial implications
  - Inability to identify
  - Loss of knowledge on techniques and motivations
  - Loss of ability to influence
  - Encourage adversary to seek other ingress points
3 - Honeypots
- Stem from the difficulty in discriminating attacker activity
- A honeypot's value lies in being probed, attacked and compromised.
- Honeypots have no production value, making discrimination of attacker activity trivial.
- Credited with many successes.
Honeypot Classifications
- Spitzner suggests two main purposes
  - Production honeypots
  - Research honeypots
- Taxonomies
  - Brenton - classified by the tools used
  - Spitzner - classified by the level of interaction the attacker is permitted
Brenton's Taxonomy
- Deception Services
- Weakened Systems
- Hardened Systems
- User Mode Servers
Honeypot Levels of Interaction
Spitzner's Taxonomy is based on the level of interaction afforded to the attacker.
4 - Honeypots as IO Counter-measures Tools
- Operational use with very high interaction
- The attacker must feel that he is in a real production environment
- High-fidelity environment
- New tools
  - Provide legitimate operational activity
  - Capture attacker's activity
Characteristics of Honeypot-based IO Counter-measures Tools
- Components and mechanisms undetectable from a user with root privileges.
- Behaviours and communication patterns appear legitimate from the vantage point of other hosts on the network.
- Able to simulate a normal human user at the interface level.
- Provide means of observing and collecting attacker activity.
- Make de-conflicting attack traffic straightforward.
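An added example, not taken from the Leblanc and Knight slides: the discrimination argument from the Honeypots section (a honeypot has no production value, so anything not generated by its own scripted "human user" activity is attacker traffic) combined with the access risks listed under Risk Management, as a triage routine over constructed flow records. The addresses, the scripted-activity table, the record format and the severity values are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HONEYPOT = ip_address("192.0.2.10")    # constructed address of the honeypot
INTERNAL = ip_network("192.0.2.0/24")  # constructed range of the surrounding network

# Activity the honeypot itself generates to look like a normal human user,
# keyed by (peer address, destination port). Anything else it emits is not ours.
SCRIPTED_PEERS = {
    ("192.0.2.20", 445),    # simulated file-share use
    ("192.0.2.53", 53),     # DNS lookups the scripted user produces
    ("198.51.100.7", 443),  # "web browsing" to a decoy site we control
}

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int

def classify(flow):
    """Return (label, severity) for one flow involving the honeypot."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src == HONEYPOT:
        if (flow.dst, flow.dport) in SCRIPTED_PEERS:
            return "scripted-activity", 0
        # The honeypot reaching out on its own is the access-risk case:
        # an attack pushed to another system, or data leaving the environment.
        if dst in INTERNAL:
            return "adversary-pivot", 3
        return "adversary-egress", 2
    if dst == HONEYPOT:
        return "adversary-inbound", 1   # no production value, so any probe counts
    return "unrelated", 0

def triage(lines):
    """Parse 'timestamp src dst dport' records and label each one."""
    rows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        rows.append((ts, src, dst) + classify(Flow(ts, src, dst, int(dport))))
    return rows

# Constructed flow records as a sensor beside the honeypot might export them.
SAMPLE_LOG = """\
10:00:01 192.0.2.10 192.0.2.20 445
10:00:05 203.0.113.9 192.0.2.10 22
10:00:30 192.0.2.10 192.0.2.77 22
10:01:02 192.0.2.10 203.0.113.9 4444
"""
```

Only flows the honeypot originates outside its scripted table are escalated, which is the same decision the Risk Management slide asks the operator to make before holding contact.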
5 - Conclusion
- Reactive-oriented defence policy is insufficient.
- Defence must include an understanding of the adversary.
- First response should not always be to break contact.
- IO Counter-measures to gain information
- Principles of Operations for Network-based IO counter-measures
- Operational Objectives
- Key Research Areas include honeypot-based tools.