SLIDE 1

Combinatorial Analysis Utilizing Logical Dependencies Residing On Networks (CAULDRON)

Outline

  • Problem
  • Approach
  • Integration with IDSs
  • Demo
SLIDE 2

Vulnerability Scanner

[Figure: network diagram with an External Attacker, an Attack Target, and a Vulnerability Scanner reporting per-host findings of 41, 15, 160, 158, 47, 60 and 107 vulnerabilities]

Limitations of Vulnerability Scanners

  • Generate overwhelming amount of data
  • Example Nessus scan
    – Elapsed time: 00:48:07
    – Total security holes found: 255
    – High severity: 40
    – Low severity: 117
    – Informational: 98
  • No indication of how vulnerabilities can be combined
  • Can an outside attacker obtain access to the Crown Jewels?
  • Where does a security administrator start?
SLIDE 3

Limitations of IDSs

  • Generate overwhelming number of alerts
  • Many false alerts – normal traffic or failed attacks
  • Alerts are isolated
  • No indication of how alerts can be combined
  • Incomplete alert information
  • Where does a security administrator start?
  • Is the attacker trying to obtain access to Crown Jewels?
  • Require extensive human intervention

Summary

  • Current security measures largely independent
  • Little synergy among tools
  • Vulnerabilities considered in isolation may seem acceptable risks, but attackers can combine them to produce devastating results

SLIDE 4

What is lacking?

  • Context for total network security
  • How outsiders penetrate firewalls and launch attacks from compromised hosts
  • Insider attacks

The reality – security concerns are highly interdependent.

Simply Listing Problems Misses the Big Picture!

SLIDE 5

Penetration Testing

  • Few experts available
  • Red teams can be expensive
  • Tedious
  • Error-prone
  • Impractical for large networks
  • No formal claims

Attack Graphs

  • An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits
  • Such a chain is called an attack path
  • The set of all possible attack paths forms an attack graph
  • Generate attack graphs to mission critical resources
  • Report only those vulnerabilities associated with the attack graphs

SLIDE 6

[Figure: example network diagram. Nodes: Attacker (Linux, attack tools), Firewall, Hub, Web Server (NT 4.0, IIS), Mail Server (Linux, wu_ftpd). Addresses shown: 10.10.100.10, 10.10.101.10, 10.10.100.20]


SLIDE 9

Reference

  • Sushil Jajodia, Steven Noel, Brian O'Berry, "Topological analysis of network attack vulnerability," in Managing Cyber Threats: Issues, Approaches and Challenges, Vipin Kumar, Jaideep Srivastava, and Aleksandar Lazarevic, eds., Springer, 2005, pages 248-266.

Minimal-Cost Network Hardening

SLIDE 10

[Figure: attack graph for the example network annotated with two candidate hardening options, labelled Solution 1 and Solution 2]

SLIDE 11

[Figure: hardening options annotated "No impact"]

Reference

  • Lingyu Wang, Steven Noel, Sushil Jajodia, "Minimum-cost network hardening using attack graphs," Computer Communications, 2006.
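The attack-graph idea from slide 5 (chain exploits, keep only the paths that reach a mission-critical resource, report only the vulnerabilities on those paths) and the minimal-cost hardening problem of slides 9 to 11, as one added, self-contained example. This is illustrative code written for this page, not CAULDRON's implementation or the algorithm of the cited paper: the exploit pre/postcondition model, the network (loosely modelled on the firewall/web/mail figure), the condition names and the removal costs are all constructed, and the hardening search is a brute-force subset search rather than the paper's method.

```python
"""Added example (not CAULDRON code): build an attack graph by forward-chaining exploit
pre/postconditions, slice it down to the exploits that lead to a mission-critical goal,
report only the vulnerabilities on that slice, and compute a minimum-cost hardening.
Network, condition names and costs are constructed for illustration."""
from itertools import combinations

# Knowledge: each exploit maps a set of preconditions to the postconditions it grants.
# The model is monotonic: an attacker never loses a capability once gained.
EXPLOITS = {
    "iis_overflow(attacker,web)":     ({"exec(attacker)", "conn(attacker,web,80)", "vuln(web,iis)"}, {"exec(web)"}),
    "wuftpd_overflow(web,mail)":      ({"exec(web)", "conn(web,mail,21)", "vuln(mail,wu_ftpd)"}, {"exec(mail)"}),
    "wuftpd_overflow(attacker,mail)": ({"exec(attacker)", "conn(attacker,mail,21)", "vuln(mail,wu_ftpd)"}, {"exec(mail)"}),
    "rsh_trust(mail,db)":             ({"exec(mail)", "trust(db,mail)"}, {"exec(db)"}),
    "sendmail_dos(attacker,mail)":    ({"exec(attacker)", "conn(attacker,mail,25)", "vuln(mail,sendmail_dos)"}, {"dos(mail)"}),
}

# Initial conditions with a hypothetical cost of removing each (patch, firewall rule,
# dropping a trust relationship). None marks a condition that cannot be removed.
INITIAL = {
    "exec(attacker)": None,
    "conn(attacker,web,80)": 50,   # public web server: blocking it costs business
    "conn(web,mail,21)": 5,
    "conn(attacker,mail,21)": 2,
    "conn(attacker,mail,25)": 3,
    "vuln(web,iis)": 20,
    "vuln(mail,wu_ftpd)": 10,
    "vuln(mail,sendmail_dos)": 4,
    "trust(db,mail)": 8,
}
GOAL = "exec(db)"   # the "crown jewels"


def attack_graph(initial, exploits):
    """Forward-chain from the initial conditions. Returns (reachable conditions,
    exploits that can fire): the attack graph in condition/exploit form."""
    facts = set(initial)
    fired = {}
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= facts:
                fired[name] = (pre, post)
                facts |= post
                changed = True
    return facts, fired


def prepare_for_edges(fired):
    """Attack-path edges: e1 prepares for e2 when e1 grants something e2 needs."""
    return {(e1, e2) for e1, (_, post1) in fired.items()
            for e2, (pre2, _) in fired.items() if e1 != e2 and post1 & pre2}


def relevant_exploits(fired, goal):
    """Backward slice: only exploits that lie on some attack path to the goal."""
    needed, relevant = {goal}, set()
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in fired.items():
            if name not in relevant and post & needed:
                relevant.add(name)
                needed |= pre
                changed = True
    return relevant


def reported_vulns(fired, relevant):
    """Report only the vulnerabilities used by exploits on the attack graph to the goal;
    reachable-but-irrelevant findings (here the sendmail DoS) are left out."""
    return {c for name in relevant for c in fired[name][0] if c.startswith("vuln(")}


def min_cost_hardening(initial, exploits, goal):
    """Cheapest set of removable initial conditions whose removal makes the goal
    unreachable. Exhaustive over subsets: fine for a demo, exponential in general."""
    removable = [c for c, cost in initial.items() if cost is not None]
    best = None
    for k in range(len(removable) + 1):
        for subset in combinations(removable, k):
            cost = sum(initial[c] for c in subset)
            if best is not None and cost >= best[1]:
                continue
            facts, _ = attack_graph(set(initial) - set(subset), exploits)
            if goal not in facts:
                best = (set(subset), cost)
    return best


if __name__ == "__main__":
    facts, fired = attack_graph(INITIAL, EXPLOITS)
    rel = relevant_exploits(fired, GOAL)
    print("goal reachable:", GOAL in facts)
    print("exploits that fire:", sorted(fired))
    print("on an attack path to goal:", sorted(rel))
    print("vulns worth reporting:", sorted(reported_vulns(fired, rel)))
    print("min-cost hardening:", min_cost_hardening(INITIAL, EXPLOITS, GOAL))
```

On this constructed network the cheapest hardening is not the single cheapest-looking fix: removing the trust relationship alone costs 8 and patching wu_ftpd costs 10, but blocking the two FTP paths to the mail server (cost 2 + 5 = 7) cuts every path to the database. That is the point of slides 10 and 11: individual fixes judged in isolation (or ones with "no impact" on the goal, like the sendmail DoS here) are not what the attack graph recommends.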

SLIDE 12

Attack Graph Visualization Problem

Even small networks can yield complex attack graphs!

[Figure: full attack graph from the External Attacker to the Attack Target for the scanned network]


SLIDE 14

Limitations of IDSs (repeated from slide 3)
SLIDE 15

Alert Correlation

  • Correlate alerts to build attack scenarios
  • For efficient response, this must be done in real time

Attack Graph Approach

  • Provides context for alarms
  • Can help with forensic analysis, attack response, attack prediction

SLIDE 16

Hypothesizing and Predicting Alerts

  • Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs
    – Reassembling a broken attack scenario is expensive and error-prone
  • By reasoning about the inconsistency between the knowledge (encoded in the attack graph) and the facts (represented by received alerts), missing alerts can be hypothesized
  • By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted
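The three bullets above as one added example, written for this page and not CAULDRON's correlation engine: a small attack graph is the knowledge, a constructed alert stream is the facts, and the code shows (1) plain prepare-for correlation breaking when one alert is missing, (2) hypothesizing the missed step from the inconsistency, and (3) predicting the next step by extending the facts consistently with the graph. The step names, IDS signature names, IP addresses and timestamps are all assumptions made up for the example.

```python
"""Added example (not CAULDRON code): correlate IDS alerts against an attack graph,
hypothesize alerts the IDS missed, and predict the attacker's next steps.
The attack graph, signature mapping and alert stream are all constructed."""

# Knowledge: attack-graph steps as precondition -> postcondition sets.
STEPS = {
    "scan(attacker,web)":    ({"exec(attacker)"}, {"know(web)"}),
    "iis_overflow(web)":     ({"know(web)", "vuln(web,iis)"}, {"exec(web)"}),
    "wuftpd_overflow(mail)": ({"exec(web)", "vuln(mail,wu_ftpd)"}, {"exec(mail)"}),
    "rsh_trust(db)":         ({"exec(mail)", "trust(db,mail)"}, {"exec(db)"}),
    "dump_db(db)":           ({"exec(db)"}, {"data(db)"}),
}
INITIAL = {"exec(attacker)", "vuln(web,iis)", "vuln(mail,wu_ftpd)", "trust(db,mail)"}

# Which IDS signature is evidence for which step (hypothetical signature names).
SIGNATURES = {
    "PORTSCAN": "scan(attacker,web)",
    "IIS_ISAPI_OVERFLOW": "iis_overflow(web)",
    "WUFTPD_SITE_EXEC": "wuftpd_overflow(mail)",
    "RSH_LOGIN": "rsh_trust(db)",
}

# Constructed alert stream. The IIS overflow raised no alert (dropped, evaded, or
# simply not signatured), so the scenario is broken at that point.
ALERTS = [
    ("10:00:01", "PORTSCAN", "10.10.100.10"),
    ("10:03:17", "WUFTPD_SITE_EXEC", "10.10.100.20"),
    ("10:03:40", "SSH_BRUTE_FORCE", "10.10.101.10"),  # no graph step: stays uncorrelated
]


def granted(steps):
    """Conditions that hold once the given steps have happened."""
    known = set(INITIAL)
    for s in steps:
        known |= STEPS[s][1]
    return known


def correlate(alerts):
    """Map alerts to steps in arrival order and link each to earlier steps that
    prepare for it. Returns (observed steps, prepare-for links)."""
    observed, links = [], []
    for _, sig, _ in alerts:
        step = SIGNATURES.get(sig)
        if step is None:
            continue
        pre = STEPS[step][0]
        links += [(e, step) for e in observed if STEPS[e][1] & pre]
        observed.append(step)
    return observed, links


def hypothesize(observed):
    """Missing alerts: for every observed step with a precondition that neither the
    initial state nor any observed step explains, the graph says some producer of
    that condition must have run unseen. Chases the gap recursively."""
    known = granted(observed)
    hypothesized, work = set(), list(observed)
    while work:
        step = work.pop()
        for cond in STEPS[step][0]:
            if cond in known:
                continue
            for producer, (_, post) in STEPS.items():
                if cond in post and producer not in hypothesized and producer not in observed:
                    hypothesized.add(producer)
                    known |= post
                    work.append(producer)
    return hypothesized


def predict(observed, hypothesized):
    """Next steps: unseen steps whose preconditions already hold given the observed
    and hypothesized steps."""
    seen = set(observed) | hypothesized
    known = granted(seen)
    return {s for s, (pre, _) in STEPS.items() if pre <= known and s not in seen}


def scenario_links(steps):
    """Prepare-for links across observed plus hypothesized steps: the reassembled scenario."""
    return {(a, b) for a in steps for b in steps if a != b and STEPS[a][1] & STEPS[b][0]}


if __name__ == "__main__":
    observed, links = correlate(ALERTS)
    missing = hypothesize(observed)
    print("observed:", observed)
    print("links before hypothesis:", links)
    print("hypothesized missing alerts:", missing)
    print("reassembled scenario:", sorted(scenario_links(set(observed) | missing)))
    print("predicted next steps:", predict(observed, missing))
```

With only prepare-for correlation the port scan and the wu_ftpd exploit stay unlinked, because nothing observed grants exec(web). Hypothesizing fills in the IIS overflow, which reconnects the chain, and the prediction step flags the rsh trust hop to the database as the consequence to watch for. When several steps could produce the same missing condition, the code hypothesizes all of them; a real engine would rank them, which the slides leave to the analyst.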

[Figure: diagram of a Network surrounded by the labels What-If, Protect and Detect]

SLIDE 17

CAULDRON has Numerous Applications

  • Security Metrics
  • Alarm Correlation and Attack Response
  • Sensor Placement
  • Network Hardening

CAULDRON Has Wide Customer Base

  • NSA, DHS, FAA, AFOSR, AFRL, NRO, DISA, JIOC

SLIDE 18

FAA CSIRC Deployment, Leesburg, VA

FAA Headquarters

Summary of CAULDRON

  • Automated analysis of all possible attack paths through a network
    – Resulting attack “roadmap” provides context for optimal defenses
    – Transforms volumes of isolated facts into manageable, actionable results
  • Integrates with existing tools for capturing network configuration
  • Provable security claims, relative to the modelled vulnerabilities and connectivity, with minimum hardening effort
  • Best tool for making informed decisions about network security

SLIDE 19

Further Information:

Sushil Jajodia

jajodia@gmu.edu

(703) 993-1653 http://csis.gmu.edu/