Where the Wild Things Are: The Most Difficult Problems for Incident Response
Tom Longstaff, JHU/APL
(Story and Images Based on “Where the Wild Things Are” by Maurice Sendak)
What’s the Point?
• Our stovepipe policies are designed to monitor and control our adversaries
• We think we own and control our infrastructures
• Technology has created a cyber ecosystem that cannot be directly controlled
• Our main problems in CSIRTs must be addressed in this context
• L. Northrop, P. Feiler, R. P. Gabriel, J. Goodenough, R. Linger, T. Longstaff, R. Kazman, M. Klein, D. Schmidt, K. Sullivan, and K. Wallnau, Ultra-Large-Scale Systems: The Software Challenge of the Future. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.
The Johns Hopkins Applied Physics Laboratory
• The core purpose of APL is to enhance the security of the nation through the application of science and technology
• APL is firmly committed to space science and technology and other challenging areas that are synergistic with our core purpose
• The Lab also supports the University in areas that are important to JHU’s other missions
Cast
THE NIGHT MAX WORE HIS WOLF SUIT AND MADE MISCHIEF OF ONE KIND AND ANOTHER.
• Criminals
• Terrorists
• State-Like
• Conflicting ideologies
• NGOs
• All exert influence
• Each believes they are right and have a right to use the technology
Developing The Threat Model
• Successive levels of refinement
• Upward and downward information flow
• Processes (emergent and otherwise) that transform one level into the next
Heritage Style Viewgraphs
1998 Howard-Longstaff Incident Taxonomy
2010
• Levels: Incident (Strategic Adversary Model), Attack (Tactical), Action, Event (Observed)
• Columns: Attackers | Tradecraft | Vulnerability | Action | Target | Result | Objectives
– Attackers: National Military, Nation State actors, Spies, Criminal Networks, Cyber Militia, Mercenaries, Hacker Collectives, Vandals
– Tradecraft: Deep Penetration, Exfiltration, Under Protocols, Stealth, Infrastructure control, Social exploitation
– Vulnerability: User Behavior, Supply Chain Access, 0 Day Code Errors, CIP Vulnerabilities, User Manipulation, Cloud nets, Multiple Accts, Hardware privs
– Action: Spoof, Modify, Bypass, Read, Re-route, Copy, Re-play, Deny, Probe, Scan, Flood
– Target: Nation State, DIB, Executives, Vendors, Data, Cloud, Service, Network, Computer, Component, Process, Account
– Result: Positioning, Control, Corruption, Access, Deletion, Denial, Theft, Mis-direction
– Objectives: Political Gain, Financial Gain, Strategic Advantage, Tactical Advantage, National Objectives, Military Objectives, Industrial Espionage, Damage, Challenge/thrill
Threat Impact
Our Current Mindset
(Diagram labels: Us, Them, The Internet)
HIS MOTHER CALLED HIM "WILD THING!” AND MAX SAID: "I'LL EAT YOU UP!!” SO HE WAS SENT TO BED WITHOUT EATING ANYTHING.
So What’s Wrong?
• Collapsing under
– Increasing traffic
– Hidden activity
– Social networking
– Multiple languages
– …
• And….
• That’s not where the action really is!
2011 Data from International Corporations
– Attacker: Hactivist, Local competitor, Nation-state, Insider / opportunist, Criminal gang, Disgruntled administrator, Organized crime, Unidentified foreign power, Former employee
– Tradecraft: Timebomb, Spear phishing, Remote control, Generic hacking tools, Social engineering, Privilege escalation, Drive-by download, Torpig, Reconnaissance, Malware, Infrastructure control, SQL injection, Exfiltration tools, Ion cannon, Infiltration, Internet reconnaissance, Credential sniffing, Network vulnerability, Key logging, E-mail sniffing, Brute force entry
– Vulnerability: Excessive access, Open export (soft & hard copy), Lack of egress control, User behavior, Zero day, User manipulation, Lack of physical security, Lack of detection controls, Lack of segmentation, Outdated technology, Unpatched systems, Organizational vulnerabilities, No input validation, Network vulnerabilities, Trust, Lack of endpoint controls, Well known exploits, Split tunnels, Publishing role-specific information
– Action: Spoof, Reroute, Copy, Read, Destroy, Probe, Scan, Bypass, Flood, Deny, Masquerade, Got job – gain trust, Infiltrate, Export, Clear-up, Cover tracks, Google hacking, Install, Delete
– Target: Ports, IP addresses, People, Bid data, Social networks, Classified information, Web server, MAC address, Wintel systems, Customer data, Contacts, Keys, Bank account, Credentials, Payment system
– Result: Theft, Data loss, Control, Reputational damage, Lawsuits, Monetary loss, Deny, Identity fraud, Shareholder action, Regulatory investigation
– Objective: Financial gain, Political protest, Intellectual property, Strategic advantage, Mayhem, Bragging rights, Devalue brand, Damage economy, Industrial espionage
A Better Representation
• Us, them, and everyone else are mixed in an amoeba soup
– Ownership?
– Control?
– Governance?
– Threat?
THAT VERY NIGHT IN MAX'S ROOM A FOREST GREW, AND GREW, AND GREW UNTIL THE CEILING HUNG WITH VINES AND THE WALLS BECAME THE WORLD ALL AROUND AND AN OCEAN TUMBLED BY
“Big Rock” Problems in Operations
• An analysis of collected R&D requirements identified several pervasive problems in applying technologies to operations
– Enrichment
– Confidence in the Data and Analysis
– Interoperability and Use of Standards
• These are common themes in both R&D and technology acquisition for cyber operations
• These are inter-related problems that are difficult to address in isolation
We’re all in this (mess) together
…WITH A PRIVATE BOAT FOR MAX. AND HE SAILED OFF THROUGH NIGHT AND DAY AND IN AND OUT OF WEEKS AND ALMOST OVER A YEAR TO WHERE THE WILD THINGS ARE!
(Diagram labels: Everyone else, Them, Us)
AND WHEN HE CAME TO THE PLACE WHERE THE WILD THINGS ARE THEY ROARED THEIR TERRIBLE ROARS! AND GNASHED THEIR TERRIBLE TEETH AND ROLLED THEIR TERRIBLE EYES! AND SHOWED THEIR TERRIBLE CLAWS!
Parts are Parts
(Diagram labels: Other Stuff, Web, Mail, Cloud)
Who Controls this Infrastructure?
• Home Users
• International Corporations
• IETF
• Law Enforcement
• Criminals
• International Agreements
• IT/Telecom
• IT Vendors
• Everyone?
• Financial Guards
• Research And Education
• Military
Environmental Factors: Metabolomics for CyberSpace
Be Still!
• The power of influence
– Control is an illusion: both for our system and theirs
– Policy, training, incentives, deterrence, and deception are all examples of Influence
– We have no science of cyber influence
TILL MAX SAID: "BE STILL!" AND TAMED THEM WITH THE MAGIC TRICK OF STARING INTO ALL THEIR YELLOW EYES WITHOUT BLINKING ONCE
Image by Gary Lucus http://www.garylucas.com/www/rvw/Wild_Rumpus_Press_2_1000.jpg
AND THEY WERE FRIGHTENED AND CALLED HIM THE MOST WILD THING OF ALL!! AND MADE HIM KING OF ALL WILD THINGS. "AND NOW, LET THE WILD RUMPUS START!!
• Actions prompt reactions
• Both attack and defense actions create unintended consequences
• Holistic analysis with partial information is hard!
• Interdependencies at all levels of abstraction lead to emergent behaviors
Data Enrichment
• Operational decisions must often be made upon speculative information
• To support decision making, speculative data is annotated with known information from other sources, both speculative (imperfect confidence) and non-speculative
• This constitutes a challenging problem
– Context of input data may not match, or match imperfectly
– Data formats from different tools and different systems must be consumed seamlessly
– Level of abstraction is necessarily different in different systems, and from various data sources, and must be reconciled
• Data Enrichment allows an analyst to more accurately establish the confidence level of speculative information by automatically presenting related information and evidence in an organized fashion
• A more accurate and justifiable confidence level allows more informed decisions on how to act on data which is speculative, or from a source which is untrusted
Confidence and Security
• Although establishing heightened confidence levels in our tools and data does not itself result in security, it is nevertheless a critical requirement which is pervasive across all technical areas
– What is the confidence that our models are correct? Sensors? Damage assessment (both offensive and defensive)?
• Establishing a justifiable confidence level in collected data, derived data, and analytics is necessary to make an informed decision
• To add to the challenge, the confidence level of individual components (and the confidence level of results when combining components and data) must be presentable in a form which is easy for an operator or analyst to understand at a glance
• As an analyst uses the tools and adds their own confidence analysis to automated calculations, that information is fed back into the system as a new input, and is included in subsequent analysis
Enrichment + Confidence = Actionable Predictive Data
• Enrichment and justifiable confidence allows decision makers to make better, more informed decisions on how to act on predictive data
• This is the same problem a stock market investor faces every day
– Bombarded with data from multiple sources, possibly conflicting, and of uncertain confidence and trustworthiness/origin
– Before risking money, an individual investor wants the best information possible, and some way of establishing confidence in both its truth and predictive power
• For defense analysts, the stakes are even higher
– Solving these problems can save lives
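The enrichment and confidence workflow on the preceding slides, as an added Python example that is not code from the talk or from APL. The sensor alert, the enrichment sources, their confidence values, the odds-update rule and the label thresholds are constructed assumptions; what the code follows from the slides is the workflow itself: annotate speculative data with evidence from other sources, derive a justifiable confidence, show it at a glance together with its evidence, and feed the analyst's own judgement back in as a new input.

```python
"""Enriching a speculative observation with evidence of known confidence.

Added example, not from the talk. The sensor alert, the enrichment sources,
their confidence values and the odds-update rule are constructed assumptions;
the workflow (annotate speculative data, compute a justifiable confidence,
show it at a glance with its evidence, feed the analyst's own judgement back
in as a new input) is the one the slides describe.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Evidence:
    about: str         # the observation this annotation concerns (its context)
    source: str        # where it came from: a feed, an inventory, an analyst
    claim: str         # the annotation in words, kept for the audit trail
    confidence: float  # 0..1: how far this source is trusted for this claim
    supports: bool     # True if it supports the hypothesis, False if it contradicts it


@dataclass
class EnrichedObservation:
    observation: str   # the raw, speculative input (here: one sensor alert)
    hypothesis: str    # what the analyst has to decide about it
    prior: float       # confidence in the hypothesis from the raw input alone
    evidence: list = field(default_factory=list)

    def enrich(self, ev: Evidence) -> None:
        """Attach an annotation. Evidence about a different observation is a
        context mismatch and is rejected instead of being silently merged."""
        if ev.about != self.observation:
            raise ValueError(f"context mismatch: {ev.source} describes {ev.about!r}")
        if not 0.0 <= ev.confidence < 1.0:
            raise ValueError("confidence must lie in [0, 1)")
        self.evidence.append(ev)

    def confidence(self) -> float:
        """Combine prior and evidence in the odds domain. Assumed rule: a
        supporting item with confidence c multiplies the odds by (1 + 9c) and a
        contradicting one divides by the same factor, so c = 0 changes nothing
        and c near 1 is worth about one order of magnitude."""
        odds = self.prior / (1.0 - self.prior)
        for ev in self.evidence:
            factor = 1.0 + 9.0 * ev.confidence
            odds = odds * factor if ev.supports else odds / factor
        return odds / (1.0 + odds)

    def label(self) -> str:
        """Coarse label for the operator; the thresholds are assumptions."""
        c = self.confidence()
        return "HIGH" if c >= 0.8 else "MEDIUM" if c >= 0.5 else "LOW"

    def at_a_glance(self) -> str:
        """One line: label, value, hypothesis, and the evidence that justifies it."""
        trail = "; ".join(f"{'+' if e.supports else '-'}{e.source}({e.confidence:.1f})"
                          for e in self.evidence)
        return f"{self.label()} {self.confidence():.2f} {self.hypothesis} [{trail}]"

    def analyst_feedback(self, analyst: str, confidence: float, supports: bool, note: str) -> None:
        """The analyst's own judgement goes back in as one more evidence item,
        so later analyses (and other analysts) see it alongside the automated ones."""
        self.enrich(Evidence(self.observation, f"analyst:{analyst}", note, confidence, supports))


# Constructed sensor alert; 203.0.113.9 is a documentation-range address.
OBS = "outbound TCP from build-17 to 203.0.113.9:443"


def demo() -> EnrichedObservation:
    """Raise a speculative alert (prior 0.3) to a defensible confidence."""
    obs = EnrichedObservation(OBS, "build-17 is beaconing to hostile infrastructure", prior=0.3)
    # Constructed enrichment sources; the confidence values are assumptions.
    obs.enrich(Evidence(OBS, "threat-feed", "203.0.113.9 listed as C2 last week", 0.7, True))
    obs.enrich(Evidence(OBS, "asset-inventory", "build servers have no need for external 443", 0.6, True))
    obs.enrich(Evidence(OBS, "passive-dns", "address also fronts a public CDN name", 0.5, False))
    return obs


if __name__ == "__main__":
    o = demo()
    print(o.at_a_glance())    # MEDIUM, about 0.78: two supporting and one contradicting source
    o.analyst_feedback("pat", 0.8, True, "regular beacon interval confirmed in capture")
    print(o.at_a_glance())    # HIGH, about 0.97: the analyst's judgement is now part of the record
```

The evidence trail is kept with the observation rather than discarded after the number is computed, which is what makes the confidence justifiable to the decision maker; the context check in enrich() is the slides' "context of input data may not match" point made concrete, and the analyst's feedback is stored as ordinary evidence so the next run, or the next analyst, sees it.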
Interoperability and Standards
• Modular solutions needed in a rapidly changing environment
– Static, vertical solutions are obsolete before they are deployed
– Rapid plug-and-play modular solutions can be constructed as the response needs change
– Most available solutions do not support rapid integration, but require extensive integration
– This is both easy and hard…
Standards
• Use of open data exchange and storage standards supports a dynamic integration model
• Proprietary protocols, internal non-standard data formats, closed user interfaces, and incompatible execution environments are common in our currently available solutions
• The vertical business model for security solutions at all levels of abstraction is the problem
• “My product can read your data format” and “you can write a script to extract the information you need” are not valid solutions as they do not really integrate the functions of the technology
Even Harder Problems
• Syntactic versus semantic interoperability
– Maintain the meaning during data exchange
– Resolving and exposing disagreement between analytical results
• Multiple data streams
– Handling different time scales, data types, different levels of confidence
• Multiple levels of abstraction
– From data to information to knowledge to shared understanding
– Individual to network scales
• Privacy protection
– Some modules will strip PII creating a downstream impact
– These must be mitigated while maintaining policy-based separation
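The syntactic-versus-semantic distinction, the mixed time scales and confidence types of multiple streams, and the PII-stripping problem above, as one added Python example that is not code from the talk. The two tool formats, the synonym tables, the ordinal confidence scale and the keyed pseudonym policy are constructed assumptions; only the Action / Target / Result field names come from the taxonomy on the earlier slides.

```python
"""Normalizing two tool formats into one taxonomy-shaped record.

Added example, not from the talk. The sensor CSV layout, the ticket JSON
layout, the synonym tables, the ordinal confidence scale and the keyed
pseudonym policy are constructed assumptions; only the Action / Target /
Result field names come from the taxonomy on the earlier slides.
"""
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Semantic layer: each tool's own words mapped onto the taxonomy's vocabulary.
# Keys are assumed tool terms; values are Action / Result terms from the slides.
ACTION_SYNONYMS = {"portscan": "Scan", "scan": "Scan", "probe": "Probe",
                   "xfer": "Copy", "copy": "Copy", "dos": "Flood"}
RESULT_SYNONYMS = {"none": None, "exfil": "Theft", "data_theft": "Theft",
                   "theft": "Theft", "dos": "Denial", "denial": "Denial"}
# The ticket tool rates confidence ordinally; the sensor reports a number.
ORDINAL_CONFIDENCE = {"low": 0.3, "medium": 0.6, "high": 0.8}


def pseudonymize(identity: str, key: bytes) -> str:
    """Strip the identity but keep a keyed token, so downstream modules can
    still tell that two records concern the same person. The key stays with
    the policy domain that owns the identity; other domains see only tokens."""
    canonical = identity.strip().lower()      # "Alice@Example.com" and "alice@example.com" agree
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def parse_sensor_csv(line: str) -> dict:
    """Syntactic layer for the assumed sensor format:
    epoch_seconds,action,target,result,confidence,user"""
    epoch, action, target, result, conf, user = next(csv.reader(io.StringIO(line)))
    return {"source": "sensor", "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
            "action": action, "target": target, "result": result,
            "confidence": float(conf), "user": user}


def parse_ticket_json(text: str) -> dict:
    """Syntactic layer for the assumed ticketing format (ISO 8601 time, ordinal confidence)."""
    t = json.loads(text)
    return {"source": "ticket", "time": datetime.fromisoformat(t["opened"].replace("Z", "+00:00")),
            "action": t["activity"], "target": t["asset"], "result": t["category"],
            "confidence": ORDINAL_CONFIDENCE[t["analyst_confidence"].lower()], "user": t["reporter"]}


def normalize(raw: dict, key: bytes) -> dict:
    """Semantic layer: map tool terms onto the taxonomy and strip PII. An
    unknown term raises, so a disagreement between tools is exposed rather
    than passed through as a string nobody downstream understands."""
    try:
        action = ACTION_SYNONYMS[raw["action"].lower()]
        result = RESULT_SYNONYMS[raw["result"].lower()]
    except KeyError as missing:
        raise ValueError(f"{raw['source']}: no taxonomy mapping for {missing}") from None
    return {"source": raw["source"], "time": raw["time"].isoformat(),
            "action": action, "target": raw["target"], "result": result,
            "confidence": raw["confidence"], "user_token": pseudonymize(raw["user"], key)}


def correlate(records: list, window_seconds: int) -> list:
    """Group normalized records about the same target that fall within a time
    window of each other, whichever stream they came from."""
    groups = []
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        t = datetime.fromisoformat(rec["time"])
        for g in groups:
            gap = (t - datetime.fromisoformat(g[-1]["time"])).total_seconds()
            if g[-1]["target"] == rec["target"] and gap <= window_seconds:
                g.append(rec)
                break
        else:
            groups.append([rec])
    return groups


# Constructed inputs: a sensor line and a ticket about the same asset, about seven minutes apart.
SENSOR_LINE = "1700000000,portscan,10.0.0.7,none,0.4,alice@example.com"
TICKET_JSON = ('{"opened": "2023-11-14T22:20:00Z", "activity": "xfer", "category": "exfil", '
               '"asset": "10.0.0.7", "analyst_confidence": "high", "reporter": "Alice@Example.com"}')
KEY = b"constructed per-domain secret"   # in practice held by the policy domain that owns the identities


def demo() -> list:
    """Both streams, normalized and correlated into one group on the shared target."""
    records = [normalize(parse_sensor_csv(SENSOR_LINE), KEY),
               normalize(parse_ticket_json(TICKET_JSON), KEY)]
    return correlate(records, window_seconds=900)


if __name__ == "__main__":
    for group in demo():
        print(group[0]["target"], [(r["source"], r["action"], r["result"]) for r in group])
```

The parsers are the "my product can read your data format" part; the value is in normalize(), where "exfil" and "data_theft" both become the taxonomy's Theft and an unmapped term fails loudly instead of silently losing its meaning. The pseudonym shows one way to strip PII without the downstream impact the slide warns about: the correlation step still links the sensor line and the ticket to the same person, but only the domain holding the key can reverse the token.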
Where do we go from here?
• “Data Finds Data”
• Analytics to study the amoeba
• Feedback loop for influence
• Study the science of influence for cyber!
• Implications for education are profound
NOW, STOP!” AND SENT THE WILD THINGS OFF TO BED WITHOUT THEIR SUPPER....AND MAX THE KING OF ALL WILD THINGS, SAID: "I'M LONELY!” AND WANTED TO BE WHERE SOMEONE LOVED HIM BEST OF ALL
MAX STEPPED INTO HIS PRIVATE BOAT AND WAVED GOOD-BYE AND SAILED BACK ALMOST OVER A YEAR AND IN AND OUT OF WEEKS AND THROUGH A DAY AND INTO THE NIGHT OF MY OWN ROOM WHERE HE FOUND HIS SUPPER WAITING FOR HIM …
… AND IT WAS STILL HOT!