IntrusionDetection During IncidentResponse, using a military battlefieldintelligence process - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Intrusion-Detection During Incident-Response, using a military battlefield-intelligence process
  • Jim Yuill, PhD Candidate
  • Computer Science Dept.
  • North Carolina State University
  • (advisor Dr. Annie Anton)
  • 919-696-9523
  • jimyuill_at_pobox.com
  • http://www.pobox.com/jimyuill
  • project: http://www4.ncsu.edu/jjyuill/SC/c-ipb.html

2
Sponsors
  • Dr. Felix Wu, UC Davis
  • Funded by DARPA/ISO as part of the Information
    Assurance and Survivability programs, under
    federal contract F30602-96-C-0325. Dr. Feming
    Gong, PI.

3
The problem: intrusion-detection during
incident-response
  • A compromised device is discovered
  • Has the attacker compromised other devices on the
    network, in the past, present or future?
  • Investigating devices for compromise is expensive.

4
The opportunity
  • During an attack, the attacker reveals
    information about
    • his capabilities and intentions
    • network vulnerabilities

5
Very Similar to the Battlefield-Intelligence
Problem
  • Using bits and pieces of info about the enemy,
    figure out
    • his capabilities, intentions, and current
      disposition
    • his courses of action: possible, likely, most
      dangerous
  • Understand the battlefield, from a tactical
    perspective

6
IPB: Intelligence Preparation of the Battlespace
  • US Army and USMC's method for battlefield
    analysis
  • A systematic and continuous process for
    analyzing the threat and environment
  • Designed to support the commander's planning and
    decision making
  • Extensively documented in unclassified manuals,
    available on the Internet

7
Cyber IPB (C-IPB)
  • An adaptation of IPB for network security
  • Objective: Cyber-IPB seeks to locate
    • Likely Compromised Devices (LCDs)
  • Means: build models of
    • the battlespace (network) and threat
  • A systematic process for a complex problem
    • akin to design methods in software engineering
  • For use by incident responders
    • especially apprentices to journeymen

8
Cyber IPB
9
Collaborators
  • Paper published in Computer Networks, 10/2000
    • Elsevier Science, http://www.elsevier.com
  • Military and Intelligence
    • USMC Master Gunnery Sgt. John Asbery, ret.,
      former president of Marine Corps Intelligence
      Association
    • USMC Colonel G.I. Wilson
    • USMC Gunnery Sgt. Woody Biggs
    • Fred Feer, CIA, Army, and RAND intelligence, ret.
  • Incident Response
    • Jim Settle, FBI computer-crime chief, ret.
    • Rick Forno, former Director of Security, Network
      Solutions

10
  • Preliminary step: establish C-IPB requirements
  • C-IPB is a subordinate part of incident-response
    (IR)
    • ARNC: attack repair, neutralization, containment
  • IR requirements for C-IPB
    • risk management
    • tactics

11
  • Defining the network battlespace
    • Areas of Operations (AO)
    • Areas of Interest (AOI)
    • Areas of Influence
  • Collection plan for intelligence-data
    • identify intelligence resources

12
  • Building a model of the battlespace
  • Network provides opportunities and constraints
    for battle
  • Standard network components
  • Network topology
  • Compromised devices and known vulnerabilities
  • System administration
  • Network users
  • Tactical aspects of the topology

13
Tactical Aspects of the Topology, similar to
IPB's Military Aspects of the Terrain
  • Observation
  • Opportunities for stealth
  • Zones-of-attack
  • Cover
  • Network-path obstacles
  • Mobility corridors
  • Avenues of approach
  • The attacker's capabilities for collecting
    intelligence
  • Key network tactical-assets

14
  • Building a model of the threat
  • Based on knowledge of what the attacker has
    done, determine
    • Capabilities
    • Personality traits
    • Intentions
  • Working with multiple attackers

15
  • The attacker's capabilities
  • Abilities
    • computer skill
    • attack skill
    • tenacity
    • discipline
  • Method of operation
  • Knowledge of the network
  • Possessions (i.e., occupied territory)
  • Exploitable vulnerabilities

16
  • Courses of Action (COAs)
    • possible, likely, and most-dangerous
  • Use knowledge of COAs to identify
    • Likely-Compromised-Devices

17
  • Principles for predicting COAs
  • Simple predictions based on battlespace effects
    and the attacker's capabilities and intentions
  • The Economics of Crime
    • the attacker's valuation of network assets
    • his costs for exploitation of vulnerabilities
    • his resources for attacks
  • Opportunistic Attacks
    • due to the attacker's limited and unfolding
      knowledge, both of means and ends

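The following is an added worked example, not part of the original presentation or the author's project. It shows how the battlespace model of slides 12-13 (devices and the attacker's avenues of approach between them) and the economics-of-crime principles of slide 17 can be combined to produce the three COA classes of slide 16 and a ranked list of likely-compromised devices to investigate first. The device names, effort figures, asset valuations and the attacker's budget are all constructed here for illustration; the attacker's effort to traverse each path is modelled as an analyst-assigned edge weight, and the opportunistic, unfolding-knowledge aspect is not modelled.

```python
import heapq
import math

# Constructed sample battlespace model (slides 12-13): for each device, the
# devices the attacker could move to next, with an analyst's estimate of the
# attacker's effort to exploit that path (a trust relationship, a reachable
# service, a shared credential). All names and numbers are made up.
BATTLESPACE = {
    "web01":      {"app01": 2, "jump01": 5},
    "app01":      {"db01": 3, "jump01": 4},
    "jump01":     {"db01": 1, "fileserver": 2, "admin-ws": 6},
    "db01":       {},
    "fileserver": {"admin-ws": 3},
    "admin-ws":   {"db01": 1, "fileserver": 1},
    "printer":    {},  # no avenue of approach leads here from the web tier
}

# Assumed attacker valuation of each device (slide 17, economics of crime).
ASSET_VALUE = {
    "web01": 1, "app01": 2, "jump01": 4, "db01": 10,
    "fileserver": 6, "admin-ws": 12, "printer": 1,
}


def attacker_cost(battlespace, start):
    """Dijkstra over attacker effort: the cheapest cumulative cost for the
    attacker to reach each device from the known-compromised start device.
    Unreachable devices keep a cost of infinity."""
    cost = {device: math.inf for device in battlespace}
    cost[start] = 0
    heap = [(0, start)]
    while heap:
        so_far, device = heapq.heappop(heap)
        if so_far > cost[device]:
            continue  # stale heap entry
        for nxt, effort in battlespace[device].items():
            if so_far + effort < cost[nxt]:
                cost[nxt] = so_far + effort
                heapq.heappush(heap, (cost[nxt], nxt))
    return cost


def courses_of_action(battlespace, asset_value, compromised, budget):
    """Classify devices the way slide 16 classifies COAs.

    possible:       every device the attacker can reach at all
    likely:         devices reachable within the attacker's resource budget,
                    ordered by value gained per unit of effort (best first)
    most_dangerous: the highest-value reachable device, budget or not
    """
    cost = attacker_cost(battlespace, compromised)
    possible = sorted(d for d, c in cost.items()
                      if d != compromised and c < math.inf)
    likely = sorted((d for d in possible if cost[d] <= budget),
                    key=lambda d: (-asset_value[d] / cost[d], cost[d], d))
    most_dangerous = max(possible, key=lambda d: (asset_value[d], -cost[d]))
    return {"possible": possible, "likely": likely,
            "most_dangerous": most_dangerous, "cost": cost}


def investigation_order(battlespace, asset_value, compromised, budget):
    """Suggested order for the expensive device-by-device investigation
    (slide 3): likely-compromised devices first, then the most dangerous
    target if it is not already listed, then the remaining possible ones."""
    coa = courses_of_action(battlespace, asset_value, compromised, budget)
    order = list(coa["likely"])
    if coa["most_dangerous"] not in order:
        order.append(coa["most_dangerous"])
    order.extend(d for d in coa["possible"] if d not in order)
    return order


if __name__ == "__main__":
    # web01 is the discovered compromise; 8 is the assumed attacker budget.
    for device in investigation_order(BATTLESPACE, ASSET_VALUE, "web01", budget=8):
        print(device)
```

With web01 as the discovered compromise and a budget of 8, the database server is the most likely next target (high value, cheap to reach), while the administrator workstation is the most dangerous course of action even though it lies beyond the assumed budget; the printer, with no avenue of approach from the web tier, is left out of the investigation list entirely. The weights are the analyst's judgement, which is the point of slide 21: the process orders the work, it does not replace the judgement.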
18
Cyber IPB
19
The Nature of C-IPB
  • C-IPB is a continuous process
    • steps are performed roughly in order
  • Revision and feedback are normal, due to
    • the dynamic environment (an active threat)
    • the C-IPB responders' continual increase in
      understanding
    • correction of erroneous info
    • uncertain and deceptive info
    • developing interdependent models
      • battlespace and threat

20
The Nature of C-IPB
  • Uncertainty: an environmental constraint
    • speculative vs. deterministic analysis
  • Clausewitz
    • in war everything is uncertain
  • Ludwig von Mises (economist)
    • uncertainty of the future is already implied by
      the very notion of human action
    • military combat and entrepreneurial ventures
      require wise speculation about future human
      behavior

21
The Nature of C-IPB
  • The need for human judgement
  • Cyber battle is unpredictable, due to variation
    in
    • attackers, networks, resources available
  • C-IPB provides
    • a systematic and orderly process
    • useful principles and techniques
    • understanding of salient characteristics of
      battlespace and threat
  • Ultimately, the C-IPB analyst must use his own
    judgement, insight and cunning

22
The Nature of C-IPB
  • USMC text, Tactical Fundamentals:

"The tactics involved in warfare are not an exact
science. When faced with a tactical problem on
the battlefield, you. . . cannot apply a set of
rules or a mathematical formula to obtain the
ideal solution. . .
23
The Nature of C-IPB
. . .You must consider the principles of war and
fundamentals of combat that apply to the
situation. . .
US Navy photo: https://infosec.navy.mil
24
The Nature of C-IPB
. . .If you fail to recognize and analyze all the
influencing factors in an intelligent and orderly
manner, you can bring disaster to your own
forces."
USAF photo: http://web1.ssg.gunter.af.mil/support/default.htm
25
Cyber-IPB and the Intel Cycle
26
Cyber-IPB and the Intel Cycle
27
On-going Research
  • Developing a model for the investigation process
  • How do we manage all this data we're collecting?
  • Testing Cyber-IPB on real incidents

28
Investigation for Cyber-IPB
  • We're adopting a model of fact-investigation for
    judicial proof
    • military intelligence: concerned with the present
      and future
    • judicial proof: concerned with the past
  • Investigation: an on-going process of
    hypothesis, inquiry, insight

29
Data Management for Cyber-IPB
  • Lots of data collected, processed, managed
  • The state-of-the-art: pencil and paper!
  • Requirements for a data management system
    • uncertainty poses big problems!
    • the organization of the data influences the
      effectiveness of the investigation

30
Data Management for Cyber-IPB
  • Adopting techniques and theory from
    • legal investigation
    • military intelligence
    • database theory

31
Cross-Discipline Research
32
Overview
  • Cyber-IPB used to locate likely-compromised
    devices
    • paper: Intrusion-Detection During
      Incident-Response, using a military
      battlefield-intelligence process
    • Computer Networks, 10/2000, http://www.elsevier.com
  • Seeking collaboration
    • Have incident-response process, will travel!
    • Testing Cyber-IPB on actual incidents
    • Data-management system for incident-response