Trapping and Tracking Hackers: Trapping and Tracking Hackers: Trapping and Tracking Hackers: Collective Security for Collective Security for Collective Security for Survival in the Internet Age Survival in the Internet Age Survival in the Internet Age Douglas B. Moran Vice President, R&D Recourse Technologies www.recourse.com
Our Philosophy � Pure defensive strategy doomed � Defenses subverted: “bit-rot” and legit user � Respond to attackers when still detectable • Assess and prioritize • Defenses change in response to changes in threat • If wait for undetectable: response = recovery � Some attacks will succeed: ameliorate w w w . r e c o u r s e . c o m
Collective Security � Multilevel • Subnet/Cluster • Enterprise/Organization/Site • Coalitions • Internet � Collective security of defensive systems • Detect attacks/evasion against others • Simplify design of tools • Increase complexity of attackers choices w w w . r e c o u r s e . c o m
Better Reporting Needed : Impediments � More detections � Expertise needed � More reports � Labor intensive � More complete � Confidential info � More consistent � Loss of confidence � Sooner � Attacks, not exploits � Chains of hosts w w w . r e c o u r s e . c o m
Honeypots Deception Servers Deception Hosts � Network services � Full environment � Shallow deception � Capabilities&Intentions � Detect scanning � Insider abuse � New network exploits � Delay • For trackback • Improve defenses • Attacker wastes time w w w . r e c o u r s e . c o m
Deception Host: ManTrap ™ � Monitoring � Setup and resetting � Containment: host � Quality of the deception • Faithful representation of platform • Concealment of monitoring and management • Convincing content: escalating requirements w w w . r e c o u r s e . c o m
Deployment: “ Minefield ” Load Balancer W W W 1 W W W 3 W W W 4 Server N Attacker W W W 2 W W W 5 ManTrap ManTrap w w w . r e c o u r s e . c o m
Deployment: “ Zoo ” Network Symmetric Passwordless Automountable Password Login Home Directory W W W Mail Database Cage Cage Cage Cage ManTrap ManTrap ManTrap ManTrap Host w w w . r e c o u r s e . c o m
Deployment: “ Shield ” W W W 1 ManTrap W W W 1 CGI IDS Exploit FTP HTTP Firewall DMZ Deception SSH FTP SSH FTP Web Developer Sys Admin. Internal Network w w w . r e c o u r s e . c o m
Collective Security IDS / ManHunt Help, I’m Help, I’m being attacked being attacked Are you a ManTrap? Are you a ManTrap? NO! NO! Normal Host But now I am ! But now I am ! Normal Host ManTrap Tradeoffs for Attacker IDS / Signature ManHunt To test or not to test � Developer • detection • capability and intentions Are you a ManTrap? When to test � • trackback I’m going I’m going • redirection to tell ! to tell ! When to react to test results � ManTrap w w w . r e c o u r s e . c o m
Trajectory of DDoS Technology Classic Feb 2000 Zombie UDP DDoS Attacker Attacker DoS Target Zombie Target Projected Trinity Zombie Zombie Zombies IRC DDoS Attacker Attacker DDoS Zombie Zombie Target Target
ManHunt: Detect and Trackback Switch Switch Switch Switch w w w . r e c o u r s e . c o m
ManHunt Cluster Enterprise Site A Site B ManHunt ManHunt Sensor Sensor Analysis Analysis Database Database w w w . r e c o u r s e . c o m
Across Administrative Domains � No presumption of shared trust � Decouple trace and construction of chain � Trace (trackback): • Edge flow (minimal info) • New info: traffic recognized as attack • No automatic backflow (except acknowledge receipt) � Reconstruction of chain of hosts • Various requirements, politics: “trust is not transitive” • Automate selectively w w w . r e c o u r s e . c o m
Summary � Attacks will succeed (eventually) • Delay onset of damage • Collect and disseminate intelligence (quickly) � Automated trackback • Push back battleground: target ⇒ stepping stones • Raise chance of catching attacker � Collective Defense • Create unpleasant tradeoffs for attackers • Raise complexity of attacks w w w . r e c o u r s e . c o m
Recommend
More recommend
