Trapping and Tracking Hackers - PowerPoint PPT Presentation



SLIDE 1

Trapping and Tracking Hackers: Collective Security for Survival in the Internet Age

Douglas B. Moran

Vice President, R&D

Recourse Technologies

www.recourse.com

SLIDE 2

www.recourse.com

Our Philosophy

A purely defensive strategy is doomed
Defenses get subverted: “bit-rot” and legitimate users
Respond to attackers while they are still detectable

  • Assess and prioritize
  • Defenses change in response to changes in threat
  • If you wait until the attack is undetectable, the only response left is recovery

Some attacks will succeed: ameliorate

SLIDE 3


Collective Security

Multilevel

  • Subnet/Cluster
  • Enterprise/Organization/Site
  • Coalitions
  • Internet

Collective security of defensive systems

  • Detect attacks/evasion against others
  • Simplify design of tools
  • Increase the complexity of the attackers' choices

SLIDE 4


Better Reporting

Needed:

  • More detections
  • More reports
  • More complete
  • More consistent
  • Sooner
  • Attacks, not exploits
  • Chains of hosts

Impediments

  • Expertise needed
  • Labor intensive
  • Confidential info
  • Loss of confidence

SLIDE 5


Honeypots

Deception Hosts

Full environment
Capabilities & intentions
Insider abuse
Delay

  • For trackback
  • Improve defenses
  • Attacker wastes time

Deception Servers

Network services
Shallow deception
Detect scanning
New network exploits
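An added example (not from the presentation and not Recourse Technologies' code) of the detection side of a shallow deception server as the slide describes it: connection attempts to decoy network services are recorded, a source that touches several decoy ports within a short window is reported as scanning, and any payload delivered to a decoy is retained verbatim as raw material for a signature for a new network exploit. The `ConnAttempt` records, the decoy port table, the thresholds and the sample traffic are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnAttempt:
    """One connection attempt seen by the deception server (constructed record)."""
    ts: float       # seconds since start of capture
    src: str        # source address
    dport: int      # decoy port contacted
    payload: bytes  # bytes the peer sent after connecting (may be empty)


# Decoy services and the banner each one answers with. No legitimate client has a
# reason to contact them, so every attempt is suspicious by construction (assumed table).
DECOY_BANNERS = {
    21: b"220 ftp service ready\r\n",
    23: b"login: ",
    80: b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    110: b"+OK POP3 ready\r\n",
}


def banner_for(dport):
    """Banner the decoy returns on a port, or None if the port is not emulated."""
    return DECOY_BANNERS.get(dport)


def detect_scans(attempts, window=60.0, min_ports=3):
    """Report sources that contact at least `min_ports` distinct decoy ports
    within any `window`-second span. One report per source, raised as soon as
    the threshold is crossed."""
    by_src = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_src[a.src].append(a)
    reports = []
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            # slide the window so it never covers more than `window` seconds
            while ev.ts - evs[start].ts > window:
                start += 1
            ports = {e.dport for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                reports.append({"src": src, "first_ts": evs[start].ts,
                                "last_ts": ev.ts, "ports": sorted(ports)})
                break
    return reports


def capture_payloads(attempts):
    """Every non-empty payload sent to a decoy is kept as-is; an unfamiliar
    payload here is the starting point for a new network-exploit signature."""
    return [(a.src, a.dport, a.payload) for a in attempts if a.payload]


# Constructed sample traffic using documentation address ranges, not real hosts.
SAMPLE = [
    ConnAttempt(0.0, "203.0.113.5", 21, b""),
    ConnAttempt(1.5, "203.0.113.5", 23, b""),
    ConnAttempt(3.0, "203.0.113.5", 80, b""),
    ConnAttempt(4.2, "203.0.113.5", 110, b""),
    ConnAttempt(30.0, "198.51.100.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
    ConnAttempt(40.0, "198.51.100.9", 21, b""),
    ConnAttempt(200.0, "198.51.100.9", 23, b""),   # too slow and too few ports to count
]

if __name__ == "__main__":
    for report in detect_scans(SAMPLE):
        print("scan:", report)
    for src, port, data in capture_payloads(SAMPLE):
        print("payload sample from", src, "port", port, data)
```

The two thresholds are the tuning knobs: a lower `min_ports` catches slower, narrower probes at the cost of more reports, and the window bounds how long a source's history is kept. Because the decoy offers nothing real, a single hit is already worth logging; the scan report only adds the grouping a human analyst would otherwise do by hand.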

SLIDE 6


Deception Host: ManTrap™

Monitoring
Setup and resetting
Containment: host
Quality of the deception

  • Faithful representation of platform
  • Concealment of monitoring and management
  • Convincing content: escalating requirements
SLIDE 7


Deployment: “Minefield”

[Diagram: an attacker reaches a load balancer that fronts web servers WWW1 to WWW5 and Server N; ManTrap deception hosts are placed among the real servers]

SLIDE 8


Deployment: “Zoo”

[Diagram: a ManTrap host on the network running several cages (WWW, Mail, Database); labels shown: Automountable Home Directory, Symmetric Password, Passwordless Login]

SLIDE 9

Deployment: “Shield”

[Diagram: firewall with a DMZ in front of the internal network; a ManTrap beside WWW1 and FTP answering HTTP, FTP and SSH; web developer and sys admin SSH access; an IDS; labels shown: DMZ Deception, FTP CGI Exploit]

SLIDE 10


Collective Security

[Diagram, first panel: the attacker asks a Normal Host “Are you a ManTrap?” and gets “NO!”; the host reports “Help, I’m being attacked” to the IDS / ManHunt, and the reply is “But now I am!”, i.e. the attacker is now on a ManTrap]

[Diagram, second panel: the attacker asks a ManTrap “Are you a ManTrap?”; the ManTrap answers “I’m going to tell!” and the IDS / ManHunt passes the attack to the Signature Developer]

Tradeoffs for Attacker

  • To test or not to test
    • detection
    • capability and intentions
  • When to test
    • trackback
    • redirection
  • When to react to test results
SLIDE 11

Trajectory of DDoS Technology

[Diagram, three stages: Classic (Attacker → DoS → Target); Feb 2000 (Attacker → Zombies → DDoS → Target); Trinity / Projected (Attacker → IRC / UDP-controlled Zombies → DDoS → Target)]

SLIDE 12


ManHunt: Detect and Trackback

[Diagram: an attack traced back across a chain of four switches]

SLIDE 13


ManHunt Cluster

[Diagram: an Enterprise with Site A and Site B, each running a ManHunt node made up of Sensor, Analysis and Database components]

SLIDE 14


Across Administrative Domains

No presumption of shared trust
Decouple the trace from the construction of the chain
Trace (trackback):

  • Edge flow (minimal info)
  • New info: traffic recognized as attack
  • No automatic backflow (except acknowledge receipt)

Reconstruction of chain of hosts

  • Various requirements, politics: “trust is not transitive”
  • Automate selectively
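The trace rules on this slide (edge-flow messages carrying minimal information, no automatic backflow beyond an acknowledgement, chain reconstruction kept separate and automated selectively) as an added example. This is illustrative code written for this page, not ManHunt's protocol: the message layout, the `Domain` behaviour, the `shares_chain` policy flag and the coalition of four domains are all assumptions constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field


def flow_fingerprint(proto, dst, dport, sample):
    """What domains exchange: a fingerprint of the attack traffic, not the
    packets, the victim's logs or any local topology (assumed format)."""
    return hashlib.sha256(f"{proto}|{dst}|{dport}|".encode() + sample).hexdigest()[:16]


@dataclass(frozen=True)
class TraceMsg:
    """Edge-flow message. `reporter` is only the neighbour that relayed it."""
    flow_id: str
    reporter: str
    seen_at: float


@dataclass
class Domain:
    name: str
    # Constructed local flow log: flow_id -> neighbour the traffic arrived from,
    # or None if the flow originated inside this domain.
    flow_log: dict
    shares_chain: bool = True                              # policy for the reconstruction phase
    inbox: list = field(default_factory=list)
    upstream_of: dict = field(default_factory=dict)        # flow_id -> neighbour, kept locally

    def receive_trace(self, net, msg):
        """Trace phase: record the message, look the flow up locally, forward it
        upstream, and return only an acknowledgement. Nothing about this
        domain's topology flows back to the sender."""
        if any(m.flow_id == msg.flow_id for m in self.inbox):
            return ("ACK", self.name, msg.flow_id)        # already traced; stops loops
        self.inbox.append(msg)
        upstream = self.flow_log.get(msg.flow_id)
        if upstream is not None:
            self.upstream_of[msg.flow_id] = upstream
            net[upstream].receive_trace(net, TraceMsg(msg.flow_id, self.name, msg.seen_at))
        return ("ACK", self.name, msg.flow_id)


def start_trace(net, victim, flow_id, seen_at):
    """The victim's own domain injects the trace; all it gets back is its ack."""
    return net[victim].receive_trace(net, TraceMsg(flow_id, victim, seen_at))


def reconstruct_chain(net, victim, flow_id):
    """Separate phase, run only for flows already traced. Each domain is asked
    individually and may decline; a refusal ends the visible chain with '?'.
    Trust is not transitive: what one domain reveals is used only to decide
    whom to ask next, never taken as evidence about the domains beyond it."""
    chain = [victim]
    current = victim
    while True:
        dom = net[current]
        if not dom.shares_chain:
            chain.append("?")
            return chain
        nxt = dom.upstream_of.get(flow_id)
        if nxt is None:
            return chain                                   # origin domain, or no record there
        chain.append(nxt)
        current = nxt


# Constructed coalition: the traffic originates in isp-x and crosses transit-b
# and coalition-a before reaching victim-site. Addresses are documentation ranges.
FLOW_ID = flow_fingerprint("tcp", "198.51.100.10", 80, b"constructed sample")


def build_demo_net(transit_shares=True):
    doms = [
        Domain("victim-site", {FLOW_ID: "coalition-a"}),
        Domain("coalition-a", {FLOW_ID: "transit-b"}),
        Domain("transit-b", {FLOW_ID: "isp-x"}, shares_chain=transit_shares),
        Domain("isp-x", {FLOW_ID: None}),
    ]
    return {d.name: d for d in doms}


if __name__ == "__main__":
    net = build_demo_net(transit_shares=False)
    print("victim receives:", start_trace(net, "victim-site", FLOW_ID, 1000.0))
    print("chain as far as domains will reveal it:", reconstruct_chain(net, "victim-site", FLOW_ID))
```

Two properties are worth checking against the slide's wording: the trace still reaches the origin domain even when a transit provider refuses to take part in chain reconstruction (it forwards, it just does not disclose), and the victim never learns more from the trace phase than a single acknowledgement, so the automated part carries no confidential information across the administrative boundary.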
SLIDE 15


Summary

Attacks will succeed (eventually)

  • Delay onset of damage
  • Collect and disseminate intelligence (quickly)

Automated trackback

  • Push back battleground: target ⇒ stepping stones
  • Raise chance of catching attacker

Collective Defense

  • Create unpleasant tradeoffs for attackers
  • Raise complexity of attacks