LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed - PowerPoint PPT Presentation

SLIDE 1

RAID 2001 - 1 LMR 10/26/2001

LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed

Lee M. Rossey, Jesse C. Rabek, Robert K. Cunningham, David J. Fried, Rich P. Lippmann, Marc A. Zissman

RAID 2001

October 10, 2001

This work was sponsored by the United States Air Force under contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government.

SLIDE 2

MIT Lincoln Laboratory

Overview

  • Introduction
    – Motivation
    – Background
    – Goals

  • LARIAT Description
  • Attacks and Scenarios
  • Deployments & Uses
  • Current Efforts
  • Summary
SLIDE 3

Motivation

  • Provide an environment to develop new information assurance (IA) systems
  • Provide tools to assist evaluation and configuration of IA technologies
    – Intrusion detection systems
    – Firewall settings and proxies
    – Access control lists

SLIDE 4

Background

Timeline figure (1998 to 2001), labels as drawn:

  • DARPA 1998 IDS Evaluations
  • DARPA 1999 IDS Evaluations
  • DARPA 2000 IDS attack scenario
  • DARPA: CyberPanel (large networks, simulated traffic)
  • DoD: LARIAT (real-time, deployable, full automation; high throughput, attack scenarios, Windows traffic)

SLIDE 5

What does it do?

  • Emulates the network traffic from a small organization connected to the Internet

Diagram labels: Internal Enterprise (internal users, network IDS, host IDS); Real or Emulated Internet; External Enterprise (external users, user groups and attackers); background traffic and attacks flow between them.

SLIDE 6

Goals

  • Extend the previous work to provide additional capabilities
    – Deployable
    – Simple to use
    – Full automation
    – Real-time
    – High throughput
    – Attack scenarios

SLIDE 8

Central Research Tasks

  • Background traffic for estimating IA tool false alarms
    – Realistic user models (administrators, secretaries, managers, developers)
    – Modernized traffic (MIME encoded mail w/ attachments, ftp downloads from Internet sites)
    – Multiple configurable user groups (collection of users)
    – Windows traffic (in development)
    – New operating systems and services
  • Attacks for estimating IA tool detection rates
    – Collection of attack components
    – New components
    – Attack models using scenarios
    – Framework to automate and manage attacks

SLIDE 9

LARIAT Test Flow

Stages of the test-flow cycle, as labelled on the diagram:

Verify / Score
  • examine attack logs
  • verify attack success
  • examine IDS output (future)
  • score IDS (future)

Distribute Configurations
  • distribute profiles to hosts

Pre-conditions
  • setup network conditions required for the test (e.g. anonymous ftp)
  • generate traffic & attack scripts
  • schedule attack + traffic scripts
  • start loggers

Run Traffic
  • view progress in “real-time”: attacks, IDS output

Clean Up
  • reinstate corrupted files
  • remove pre-conditions
  • archive traffic scripts
  • clear process table

Network Discovery
  • verify accessibility of hosts and services

Initialize Network
  • reset user accounts
  • remove old traffic
  • clear logs
  • clear process table

Select Profile
  • select & edit traffic profile
  • select attacks & strike time
SLIDE 10

LARIAT – Profile Selection

  • Select time interval
  • Select background traffic profile
  • Select attack profile

SLIDE 11

LARIAT – User Models

  • Specify time interval, traffic distribution, and amount of traffic to be generated for each user model (ftp, telnet, …)
  • Modify the service traffic distribution & rate
  • Configure aggregate traffic generation times and amount of traffic

SLIDE 12

User Groups

  • Groups interact using defined service models
    – http, https, smtp, ftp, telnet, ssh, icmp, irc, pop, imap, sql, finger
    – Active Directory, Exchange, file-sharing
    – Protocol interdependencies: arp, dns, nfs, direct-hosting (SMB over TCP), LDAP, …
  • Traffic volume scales from 0-100Mbps

Diagram labels: Internal Enterprise with HR User Group (~50 hosts), Operations User Group (~30 hosts), Engineering User Group (~30 hosts) and a DMZ; Real or Emulated Internet (~2600 sites); External Enterprise with External User Group (~60 hosts); background traffic flows between them.

SLIDE 14

Attack Components

Attack matrix (rows are attack categories; columns as drawn are Linux, Windows NT/2000, Solaris (x86), Solaris (sparc); row entries as extracted, column breaks not preserved):

  • User to Superuser: Perl Imwheel Xterm Pamslam Tmpwatch Epcs2 Dump-exp Man dump SCM-Impersonation Eject Ffbconfig Fdformat Ps Eject catman Ffbconfig Fdformat Ps
  • Tools on victim host: Adore ssh trojan ssh trojan ssh trojan
  • Denial of Service: Apache2 Teardrop Back Neptune Mailbomb UDP Storm Process Table named-xfer Streaming Zeros Jolt2 mStream Stream2 Mailbomb Neptune Process Table named-xfer Apache2 Syslogd UDP Storm Neptune Mailbomb Back Process Table
  • Surveillance/Probing: IP Sweep Smurf Nmap Dig Portsweep Satan Dsniff Siphon IP Sweep Smurf Nmap Dig Portsweep Satan IP Sweep Smurf Nmap Dig Portsweep Satan Dsniff Siphon IP Sweep Smurf Nmap Dig Portsweep Satan Dsniff Siphon
  • Transport: Xfer, rwwwshell, netcat, cryptocat
  • Remote to Local: Dictionary Xlock Phf Ftp-write Xsnoop Imap Guest lprNG Named Sendmail Udirectory guestbook Telnet2000 IIS Unicode Dictionary Ftp-write Sadmind Dictionary Phf Ftp-write Guest Xsnoop Xlock Sadmind

  • 50 attacks against 9 operating systems
  • Need a way to manage, reuse and automate attack components
SLIDE 15

Attack Component Description (XML)

Diagram boxes: Attack component, Attack scenario. Each description carries:

  • Scripts: attack, verify, cleanup
  • Preconditions: what does the attack require
  • Parameters: victim IPs, victim ports
  • Multiple variations: different skill levels, visibility, speed of execution
  • UID

  1. Simplifies deployment
  2. Component reuse

SLIDE 16

Attacker Knowledge Base

  • Repository for runtime attack information
    – Attack parameters: launch time, source IP, target IP, user …
    – Attack launch, execution and verification status
    – Acquired results for scenario
  • Simple API
    – Store and retrieve information
    – Coordinates attack components

SLIDE 17

Attack Scenario Model

  • Attack components don’t start until requirements are satisfied

Scenario diagram (components ordered along a time axis; edges labelled “Requires: Started”, “Requires: Completed” or “Until: Completed”):
  1 External Network Scan
  2 Identify IDS Agent
  3 Blind IDS Agent
  4 Internal Network Scan
  5 Identify IIS Server
  6 Remote-to-User exploit
  7 Download User-to-SuperUser code
  8 User-to-SuperUser exploit
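An added example, not code from the slides or from LARIAT, in the spirit of slides 16 and 17: a dependency-gated scheduler that launches a component only when each "Requires: Started" or "Requires: Completed" edge holds, keeps an "Until: Completed" component running until its target finishes, and tracks status in a minimal knowledge-base store. The `KnowledgeBase` API, the round-based timing and the scenario's dependency edges are assumptions; the slide shows only component names and edge labels.

```python
from dataclasses import dataclass, field

RANK = {"pending": 0, "started": 1, "completed": 2}

@dataclass
class Component:
    cid: int
    name: str
    requires: dict = field(default_factory=dict)  # {dep_cid: "started" | "completed"}
    until: int = None  # 'Until: Completed' edge: keep running until this cid completes

class KnowledgeBase:  # assumed minimal store/retrieve API for runtime status (slide 16)
    def __init__(self):
        self._status = {}
    def store(self, cid, state):
        self._status[cid] = state
    def retrieve(self, cid):
        return self._status.get(cid, "pending")

def is_ready(comp, kb):  # every 'Requires' edge holds: dependency is at least in the required state
    return all(RANK[kb.retrieve(d)] >= RANK[need] for d, need in comp.requires.items())

def run_scenario(components, kb):
    """Round-based simulation; returns the component ids launched in each round."""
    by_id = {c.cid: c for c in components}
    rounds = []
    while any(kb.retrieve(cid) != "completed" for cid in by_id):
        finished = [c.cid for c in by_id.values()  # earlier starts finish unless held by 'until'
                    if kb.retrieve(c.cid) == "started"
                    and (c.until is None or kb.retrieve(c.until) == "completed")]
        for cid in finished:
            kb.store(cid, "completed")
        launched = [c.cid for c in by_id.values()  # pending components whose requirements hold
                    if kb.retrieve(c.cid) == "pending" and is_ready(c, kb)]
        for cid in launched:
            kb.store(cid, "started")
        if launched:
            rounds.append(launched)
        if not (finished or launched):  # nothing can move: a requirement can never be met
            raise RuntimeError("deadlock: unsatisfiable scenario requirements")
    return rounds

def slide17_scenario():
    """Component names from slide 17; the dependency edges are constructed for illustration."""
    return [Component(1, "External Network Scan"),
            Component(2, "Identify IDS Agent", {1: "completed"}),
            Component(3, "Blind IDS Agent", {2: "completed"}, until=8),
            Component(4, "Internal Network Scan", {1: "completed"}),
            Component(5, "Identify IIS Server", {4: "completed", 3: "started"}),
            Component(6, "Remote-to-User exploit", {5: "completed"}),
            Component(7, "Download User-to-SuperUser code", {6: "completed"}),
            Component(8, "User-to-SuperUser exploit", {7: "completed"})]
```

Running `run_scenario(slide17_scenario(), KnowledgeBase())` launches components 2 and 4 in parallel once the external scan completes, and component 3 stays started until component 8 completes; a cyclic or unsatisfiable requirement raises a deadlock error instead of hanging.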

SLIDE 18

Network Data from IIS Server Attack

  • Network traffic recorded on the inside of the firewall

Trace annotations (figure): FTP client download payload; HTTP banner grabber; IIS UNICODE web server traversal; Named pipe impersonation; Setup backdoor on Win2K server

SLIDE 20

First Use Cases

  • MIT Lincoln Laboratory
    – Development laboratory
  • First remote installation
    – Standalone network configuration running attack scenarios
  • Second remote installation
    – Integrated into an existing network environment

SLIDE 21

MIT Lincoln Laboratory

  • Stand-alone network with no external network connectivity
  • Development network

Network diagram (LARIAT @ LL), hosts as labelled:
  • Internet side (external virtual hosts): Internet Server, Redhat 6.2, suzie.world.net; Traffic Generator, Redhat 6.2, mara.world.net
  • Firewall: CISCO PIX 6.0 (fw.baltimore.af.mil, fw-int.baltimore.af.mil, fw-dmz.baltimore.af.mil); NAT .20-40 (out NAT), .50 (smtp), .51 (exchange), .52 (ssh), .443 (exchange); DMZ NAT .50 (www) www.baltimore.af.mil
  • Inside (internal virtual hosts): Server, Solaris 8 x86, pascal.baltimore.af.mil; Server, Redhat 7.0, marx.baltimore.af.mil; Traffic Generator, Redhat 7.0, nicca.baltimore.af.mil; Server, Win2000 Adv Serv, hume.baltimore.af.mil; Traffic Generator, Redhat 6.2, ella.baltimore.af.mil
  • Two sniffers; hubs connecting the segments

SLIDE 22

First Installation & Example Scenario

Testbed (figure): Redhat 7.0 web server; CISCO PIX 6.0 firewall; Redhat 7.0 mail server, DNS server; Windows 2000 IIS server, Exchange; Solaris 8 file server; Internet emulation; LAN host emulations; DMZ.

Scenario steps annotated on the figure (numbered where the label kept its number):
  1. Scan network, detect firewall and NAT’d web server
  2. Probe web server, determine version and OS
  3. Use some old Apache attacks and CGI probes
  4. Install “Adore” kernel rootkit
  5. Install ssh trojan to record usernames and passwords
  10. Use harvested ssh account to log into Solaris host via NAT’d port
  11. Exploit Solaris to gain root
  12. Grab all the stored mail on the system and bring it back as a compressed tar file
  Unnumbered: Transmit usernames and passwords to attacker; Modify smtp built-in account to create a backdoor super-user account; Gain local access by exploiting CGI vulnerability; Gain root access by exploiting redhat vulnerability; Attacker uses encrypted communications method to gain a shell (ssh talkback, Rot13 cgi script)

  • Standalone network showing an available scenario
SLIDE 23

Second Remote Installation

  • LARIAT is integrated into an existing network infrastructure
    – LARIAT hosts become subnets off the real network
    – Integrated with: DNS servers, routers, switches, firewalls
  • Provide the tools and capability to allow the organization to test and evaluate new products prior to deployment

Network diagram labels: external LARIAT servers and internal LARIAT servers (LARIAT Server: Redhat 7.0, LARIAT Server: Solaris 8, LARIAT Traffic Generators, LARIAT Internet Server); organization components: Internet, firewalls, routers, switches, VPN, proxy, Exchange server, network management servers, RDBM server, name servers, web caches, external web server, internal web server, internal servers & hosts.

SLIDE 25

Current Efforts

  • Building Windows traffic generators
    – Direct hosting, file sharing, exchange
    – Modeling Windows users
  • Adding attack components and building them into scenarios
  • Improving installation & deployment procedures
SLIDE 26

Summary

  • LARIAT supports
    – Evaluation of intrusion detection systems and related information assurance technologies in a repeatable, quantitative, automated fashion
    – Development and verification of new algorithms and concepts
    – Operational network configuration testing
    – Evaluations by users with a range of knowledge and experience
  • Attacker actions modeled by scenarios that can test end-to-end network configurations, defensive capabilities and impact on users

SLIDE 27

Questions ??? lariat@sst.ll.mit.edu