Title: Engaging the Adversary as a Viable Response to Network Intrusion
Engaging the Adversary as a Viable Response to Network Intrusion
- Sylvain P. Leblanc, G. Scott Knight
- Royal Military College of Canada
- PST 05 Workshop, October 12, 2005
In a nutshell
We must remain in contact with those who threaten our cyber infrastructure if we hope to successfully defend it.
Outline
- Introduction
- Information Operations
- IO Counter-measures Tools
- Honeypots
- Conclusion
1 - Introduction
It is not sufficient to react by cutting off access.
It is important to gain information about those who threaten the infrastructure.
2 - Information Operations (IO)
IO are defined as actions taken in support of political and military objectives which influence decision makers by affecting others' information while exploiting, or fully utilizing, one's own information.
Defensive IO
- Protection
- Defensive Counter-Information Operations (IO Counter-measures)
- Offensive Counter-Information Operations
Computer Network Operations (CNO)
- CNO represent all aspects of computer-related operations, but they have three specific components:
  - Defence (CND)
  - Attack (CNA)
  - Exploitation (CNE)
Operational Objectives
- Holding Contact with the Adversary
- Understanding the Adversary
  - Who is attacking?
  - What are they capable of?
  - What are their current mission and objectives?
  - What is the context of the current attack?
- Preparing the Adversary
Network-based IO Counter-measures: Principles of Operations
- Operational Objectives for Active Response
- Combined Operations
- Repeatable Operations
- Standing procedures
- Dedicated resources
- Computer Network Operations Order-of-Battle
- Risk Management
Risk Management
- Access risks
  - Damage or alter information
  - Exfiltrate more sensitive information than expected
  - Push attack to other systems
  - Mount IO counter-counter-measure
- Denial implications
  - Inability to identify
  - Loss of knowledge on techniques and motivations
  - Loss of ability to influence
  - Encourage adversary to seek other ingress points
3 - IO Counter-measures Tools
- Operational use with very high interaction
- The attacker must feel that he is in a real production environment
- High fidelity environment
- New tools
  - Provide legitimate operational activity
  - Capture attacker's activity
Characteristics of IO Counter-measures Tools
- Components and mechanisms undetectable from a user with root privileges.
- Behaviours and communication patterns appear legitimate from the vantage point of other hosts on the network.
- Able to simulate a normal human user at the interface level.
- Provide means of observing and collecting attacker activity.
- Make de-conflicting attack traffic straightforward.
Honeypots
- Stem from the difficulty in discriminating attacker activity.
- A honeypot's value lies in being probed, attacked and compromised.
- Honeypots have no production value, making discrimination of attacker activity trivial.
- Credited with many successes.
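As an added example (not from the slides), the de-confliction principle above in code: because the honeypot has no production value, any flow reaching it is attacker activity, and that attribution then carries over to the same source's flows against production hosts. The honeypot addresses and log lines are constructed for the example.

```python
from dataclasses import dataclass

# Constructed honeypot addresses; nothing legitimate should ever reach them.
HONEYPOTS = {"10.0.5.20", "10.0.5.21"}

# Constructed connection log: "<time> <src_ip> -> <dst_ip>:<dst_port> <proto>".
SAMPLE_LOG = """\
12:00:01 192.0.2.10 -> 10.0.1.5:443 tcp
12:00:03 198.51.100.7 -> 10.0.5.20:22 tcp
12:00:04 198.51.100.7 -> 10.0.1.5:22 tcp
12:00:09 192.0.2.10 -> 10.0.1.8:80 tcp
12:00:12 203.0.113.9 -> 10.0.5.21:445 tcp
12:00:15 203.0.113.9 -> 10.0.1.9:445 tcp
"""

@dataclass(frozen=True)
class Flow:
    time: str
    src: str
    dst: str
    port: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse one constructed log line into a Flow record."""
    time, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(time, src, dst, int(port), proto)

def deconflict(log: str, honeypots: set[str]) -> dict[str, list[Flow]]:
    """Partition flows into honeypot hits, attacker flows on production, and other.

    A source is attributed as an attacker once it has touched any honeypot;
    its remaining flows are the ones worth holding contact over.
    """
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    honeypot_flows = [f for f in flows if f.dst in honeypots]
    attackers = {f.src for f in honeypot_flows}
    return {
        "honeypot": honeypot_flows,
        "attacker_on_production": [
            f for f in flows if f.src in attackers and f.dst not in honeypots
        ],
        "other": [f for f in flows if f.src not in attackers],
    }

if __name__ == "__main__":
    for bucket, flows in deconflict(SAMPLE_LOG, HONEYPOTS).items():
        print(bucket, [(f.src, f.dst, f.port) for f in flows])
```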
Honeypot Classifications
- Spitzner suggests two main purposes:
  - Production honeypots: support operations by helping secure the environment.
  - Research honeypots: gain information on attackers' tools and techniques.
Honeypot Levels of Interaction
Spitzner proposes a taxonomy based on the level of interaction afforded to the attacker.
IO Counter-measure example
- IO Counter-measures tool installed as part of baseline
IO Counter-measures example
- Machine is physically isolated
- IO Counter-measures tool is activated
- Attacker is monitored and prepared
5 - Conclusion
- Reactive-oriented defence policy is insufficient.
- Defence must include an understanding of the adversary.
- First response should not always be to break contact.
- IO Counter-measures to gain information
- Principles of Operations for Network-based IO counter-measures
  - Operational Objectives
- Key Research Areas include tools to:
  - Obfuscate attacker behaviour observation
  - Simulate normal human user behaviour
Questions?