Engaging the Adversary as a Viable Response to Network Intrusion

About This Presentation

Title:

Engaging the Adversary as a Viable Response to Network Intrusion

Description:

PST 05 - St-Andrew's NB, Leblanc & Knight. 9 ... PST 05 - St-Andrew's NB, Leblanc & Knight. 12. Characteristics of IO Counter-measures Tools ... – PowerPoint PPT presentation

Number of Views:42

Avg rating:3.0/5.0

Slides: 21

Provided by: Sylvain66

Category:

more less

Transcript and Presenter's Notes

Title: Engaging the Adversary as a Viable Response to Network Intrusion

1
Engaging the Adversary as a Viable Response to
Network Intrusion

Sylvain P. Leblanc G. Scott Knight
Royal Military College of Canada
PST 05 Workshop October 12, 2005

2
In a nutshell
We must remain in contact with those who
threaten our cyber infrastructure if we hope to
successfully defend it.
3
Outline

Introduction
Information Operations
IO Counter-measures Tools
Honeypots
Conclusion

4
1 - Introduction
It is not sufficient to React by cutting off
access.
It is important to gain information about those
who threaten the infrastructure.
5
2 - Information Operations (IO)
IO are defined as actions taken in support of
political and military objectives which
influence decision makers by affecting others
information while exploiting, or fully
utilizing, ones own information.
6
Defensive IO

Protection
Defensive Counter-Information Operations (IO
Counter-measures) -
Offensive Counter-Information Operations

7
Computer Network Operations (CNO)

CNO represent all aspects of computer related
operations, but they have three specific
components
Defence (CND)
Attack (CNA)
Exploitation (CNE)

8
Operational Objectives

Holding Contact with the Adversary
Understanding the Adversary
Who is attacking?
What are they capable of?
What are their current mission and objectives?
What is the context of the current attack.
Preparing the Adversary

9
Network-based IO counter-measures Principles of
Operations

Operational Objectives for Active Response
Combined Operations
Repeatable Operations
Standing procedures
Dedicated resources
Computer Network Operations Order-of-Battle
Risk Management

10
Risk Management

Access risks
Damage or alter information
Exfiltrate more sensitive information than
expected
Push attack to other systems
Mount IO counter-counter-measure

Denial implications
Inability to identify
Loss of knowledge on techniques and motivations
Loss of ability to influence
Encourage adversary to seek other ingress points

11
3 - IO Counter-measures Tools

Operational use with very high interaction
The attacker must feel that he is in a real
production environment
High fidelity environment
New tools
Provide legitimate operational activity
Capture attackers activity

12
Characteristics of IO Counter-measures Tools

Components and mechanisms undetectable from user
with root privileges.
Behaviours and communication patterns appear
legitimate from vantage point of other host on
the network.
Able to simulate normal human user at the
interface level.
Provide means of observing and collecting
attacker activity
Make de-conflicting attack traffic
straightforward.

13
Honeypots

Stem from the difficulty in discriminating
attacker activity
A honeypots value lies in being probed, attacked
and compromised.
Honeypots have no production value, making
discrimination of attacker activity trivial.
Credited with many successes.

14
Honeypot Classifications

Spitzner suggests two main purposes
Production honeypots Support operations by
helping secure the environment.
Research honeypots Gain information on
attackers tools and techniques

15
Honeypot Levels of Interaction
Spitzners proposes a taxonomy is based on the
level of interaction afforded to the attacker.
16
IO Counter-measure example