CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Network Based Cyber A1acks John E. Savage Brown University

Size: px

Start display at page:

Download "CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Network Based Cyber A1acks John E. Savage Brown University"

Candace Kelly
5 years ago
Views:

1 CSCI 1800 Cybersecurity and Interna4onal Rela4ons Network Based Cyber A1acks John E. Savage Brown University

2 Outline Firewalls, inward and outward facing. Tunneling SSH, IPsec Intrusion detec4on Types of alarm, IDS system, event, data collec4on Port scanning, honeypots Data Loss Preven4on Wireless networking Lect07 2/18/2015 JE Savage 2

3 Two Approaches to ATacks Keep the bad guys out. There are two types of corpora4ons, those that know they have been compromised and those that don t. Dmitri Alperovitch, Crowdstrike Use firewalls and intrusion detec4on to stop them Cope with them once they get in. Detect, disrupt, deny atackers communica4ons with their command and control network to prevent data loss. Lect07 2/18/2015 JE Savage 3

4 Firewalls Firewalls are designed to keep bad guys out. Firewalls enforce policies concerning IP addresses, port numbers, and some content. Lect07 2/18/2015 JE Savage 4

Firewalls Usually placed at the periphery of a network May be in a special processor (a proxy) or so`warew Policies limit traffic going out and coming in.

5 Firewalls Usually placed at the periphery of a network May be in a special processor (a proxy) or so`warew Policies limit traffic going out and coming in. Packets are allowed through, dropped, or rejected. May use whitelists (blacklists) of sites (not) allowed to communicate with the network or machine. Lect07 2/18/2015 JE Savage 5

6 Sample Firewall Policies Packets arrive at an IP address with a port number 1. File type is shown at beginning of a file, e.g. <!DOCTYPE html... %PDF Allow HTTP (HTTPS) traffic only on port 80 (443) 3. Only internal users may ini4ate HTTP sessions. 4. VoIP traffic rejected may hide malicious traffic 5. No packets accepted from blacklisted sites. Lect07 2/18/2015 JE Savage 6

7 Stateless Firewalls No info kept on packets previously seen. If server handling only web request, no need to permit SYN packets on port 80 from it. Client SYN Seq = X Server SUN- ACK Seq = Y Ack = X+1 Firewall ACK Seq = X+1 Ack = Y+1 Lect07 2/18/2015 JE Savage 7

8 Stateful Firewalls Like NATs, they keep data on previously seen packets, such as IP addresses, port number, sequence number, and protocol type. Could allow only TCP sessions ini4ated internally. Applica4on layer firewalls manage accesses based on content at the applica4on layer. Could filter SQL queries to avoid injec4on, deny access to malicious web sites, drop malware, etc.. Lect07 2/18/2015 JE Savage 8

Security requires robust iden4ty and authoriza4on.

9 Tunneling Tunneling is the embedding of packets from one protocol as payload of another, o`en for security. Security requires robust iden4ty and authoriza4on. Encryp4on/decryp4on increases overhead. Protocol 1 Packet is Payload for Protocol 2 H2 H1 =Body 1 Protocol 2 Packet Lect07 2/18/2015 JE Savage 9

10 Types of Tunneling Secure shell (SSH), provides privacy IPsec, provides authen4city & privacy at network layer Virtual Private Network (VPN) allows trusted sharing of remote network resources. It simulates being on site at the remote computer. Lect07 2/18/2015 JE Savage 10

11 Public- Key Cryptography Each party has public & private keys Alice: Priv Alice, Pub Alice ; Bob: Priv Bob, Pub Bob. Alice encrypts message M for Bob with X = E K (M) where K = Pub Bob. Bob decrypts Alice s encrypted message with M = D K* (X) where K* = Priv Bob. Idea proposed by Diffie and Hellman Rivest, Shamir and Adleman (RSA) gave first prac4cal method (1977). Lect07 2/18/2015 JE Savage 11

12 Symmetric vs Public Key Crypto Symmetric key system has one key per user pair Thus, there are n(n- 1)/2 keys for n users. If n = 10 4, that s about 50x10 6 keys! In public- key system, 2n keys suffice. Each party publishes one key, keeps the other secret Symmetric key system faster than public key. PK systems o`en used to create/exchange secret key Lect07 2/18/2015 JE Savage 12

13 RSA Public- Key System Brief defini4on of modular arithme4c add and mul4ply integers modulo n result is remainder a`er dividing by n. E.g. (3+4) mod 5 = 2, (4*3) mod 3 = 0 Bob s public key is integer pair (e,n). His secret key is d. Message is integer M in {0,1,2, n- 1}, n is product of two primes. e,d and n are such that M de mod n = M. Finding d from e and n is as hard as factoring n very hard! Alice encrypts message M for Bob as C = M e mod n Bob decrypts by compu4ng C d mod n = M. Note that C d mod n = (M e ) d mod n = M de mod n = M Lect07 2/18/2015 JE Savage 13

14 Secure Shell (SSH) Uses public key cryptography (PKC) to create & exchange private keys for efficient, secure communica4on. TCP used to connect client and server Both agree on SSH version, encryp4on method. Exchange secret session key using PKC. Client authen4ca4on occurs SSH provides secure access to resources, such as file transfer and command prompt. Lect07 2/18/2015 JE Savage 14

15 Diffie- Helman Key Exchange Alice and Bob need a common secret. Start with common color Each chooses secret color They mix their two colors Send mixtures to other Add in their secrets Create a common secret! Can do this with numbers! Lect07 2/18/2015 JE Savage 15

16 Diffie- Helman Key Exchange B & A choose prime p & primi6ve root g mod p. (g is primi4ve if for each integer in {0,1,2,, p- 1} is equal to g k mod p for some integer k.) Alice s secret is a and Bob s is b. A sends r = g a mod p. B sends s = g b mod p. A computes s a mod p. B computes r b mod p. s a mod p = (g b mod p) a = g ba mod p = g ab mod p = r b mod p. They now have a common secret! Lect07 2/18/2015 JE Savage 16

17 IPsec Ipsec offers secure communica4on at network layer It is completely transparent to applica4ons. Provides confiden4ality, authen4ca4on & data integrity. Ini4alizing IPsec Par4es set up ini4al generic encrypted channel. Decide on subsequent encryp4on method, hash algorithm, and authen4ca4on method. Now ready for secure communica4on. Lect07 2/18/2015 JE Savage 17

18 IPsec Two modes: transport and tunnel Tunnel Mode: En4re old packet encrypted, placed in new packet Used for VPN Transport Mode: Only payload is encrypted or authen4cated IPsec header informa4on inserted before payload. Lect07 2/18/2015 JE Savage 18

19 Protec4on via Inward Facing Firewalls 1 Try to prevent atacker from communica4ng with a command and control site. Blacklist malicious sites by URL or IP address Author 1 proposes crea4on of a Na4onal Cyber Threat Response Center (NCTRC) Threat reports from cer4fied sensors sent to NCTRC Firewall vendors provide NCTRC data to customers 1 Based on A Na4onal Model for Cyber Protec4on by Jeff Brown, CISO, Raytheon, See htp:// 29_isa_response.pdf Featured on and Cyber Command site. Lect07 2/18/2015 JE Savage 19

20 Protec4on via Inward Facing Firewalls 1 Advantages to customers of this service: Order of magnitude improved protec4on. Early no4ce of infec4on. Advantages of repor4ng infec4ons to NCTRC Common opera4onal picture of infec4ons possible Can reveal nature of atacks underway. Disadvantage legi4mate sites that have been compromised would be blocked. Lect07 2/18/2015 JE Savage 20

21 Intrusion Detec4on Intrusion detec4on systems (IDSs) are more complex than simple firewalls. They monitor ac4vity. Rules based on ac4vity determine whether alarms are sounded. Can you invent some interes4ng rules? Many IDSs do deep packet inspec4on (DPI). DPI: packet content analyzed, not just the headers US Department of Homeland Security (DHS) has designed three IDSs, Einstein 1, 2 and 3. htp://en.wikipedia.org/wiki/einstein_(us- CERT_program) Lect07 2/18/2015 JE Savage 21

22 Types of IDS Alarms Malware atack ARP (address resolu4on protocol) spoofing Denial of service atack Port scans one site tes4ng many ports ATempt at DNS cache poisoning Lect07 2/18/2015 JE Savage 22

23 Types of ATacker Masquerader atacker impersonates another. Misfeasant insider exceeds granted authority Clandes4ne user tries to cover his tracks Lect07 2/18/2015 JE Savage 23

24 Types of IDS Host IDS Monitors ac4vity on one machine. Tries to catch criminal & clandes4ne user. Looks for abnormal or unauthorized ac4vity. Network IDS Tradi4onal IDS, placed at periphery of network. Does DPI looking for sta4c or sta4s4cal signatures. May look for protocol viola4ons, e.g. on web server. Lect07 2/18/2015 JE Savage 24

25 IDS Events Alarm sounded False posi4ve benign event found, annoying True posi4ve malicious event found good Alarm not sounded True nega4ve benign event good False nega4ve malicious event, serious oversight Lect07 2/18/2015 JE Savage 25

Data Loss Preven4on (DLP) Monitor outgoing Internet traffic Endpoint DLP (@host) or network DLP (@ border) Works on unencrypted files only!

26 Data Loss Preven4on (DLP) Monitor outgoing Internet traffic Endpoint DLP or network DLP border) Works on unencrypted files only! Look for structured content or indices on unstructured data Structured content Keywords, SSNs, credit card #s Unstructured content So`ware, text pictures Lect07 2/18/2015 JE Savage 26

27 Data Loss Preven4on (DLP) Unstructured data chopped into standard pieces and hash of each piece is computed Hashes are stored in database. As data exits network, Compare structured data to template or database Compute hash of unstructured data and compare to hashes in database DLP is a supplement to other technologies. Lect07 2/18/2015 JE Savage 27

28 Port Scanning Internet- based computers communicate using IP addresses and port numbers. Some port numbers: 22 SSH, 80 HTTP, 143 IMAP, 179 BGP, 443 HTTPS, Nintendo WiFi For security, firewalls block access to most ports A port is open (responding) or blocked (non- responding). What is a port scan? It s a scan of ports at an IP address to see which ports respond. Code running at a port might have a flaw, such as a buffer overflow error, allowing penetra4on. Lect07 2/18/2015 JE Savage 28

29 Types of Scan TCP Scans atempt to connect via TCP SYN Scans try TCP SYN packet on all ports. If response received, send RST port is open. Fingerprin4ng slight differences in response to scans can iden4fy OS and service running at a port. Lect07 2/18/2015 JE Savage 29

30 Blind Port Scan Blind port scan is technique to do a port scan on vic4m without revealing your iden4ty (aka idle scan) 1. ATacker A sends TCP packet to innocent zombie Z to get its sequence number X. 2. ATacker A sends TCP packet to vic4m V with Z as source. If V responds to Z, Z may increase its sequence number X to X A sends 3 rd TCP packet to Z to learn if Z s sequence number is X+1 or if V has responded. Lect07 2/18/2015 JE Savage 30

31 Honeypots A honeypot is a collec4on of machines, data and applica4ons that looks real but serves no other purpose than to atract an atacker. Any traffic to a honeypot is deemed suspicious. Can be used for following reasons: Intrusion detec4on allows defenders to study intrusion methods. Evidence incrimina4ng evidence may be le`. Diversion can distract atackers from real thing. Lect07 2/18/2015 JE Savage 31

32 Wireless Networking All traffic sent via radio can be heard by all! Wireless protocols support encryp4on methods WEP (wired equivalent privacy) not very secure WAP (Wi- Fi protected access) is considered secure Lect07 2/18/2015 JE Savage 32

33 Review Firewalls, inward and outward facing. Tunneling SSH, IPsec Intrusion detec4on Types of alarm, IDS system, event, data collec4on Port scanning, honeypots Data Loss Preven4on Wireless networking Lect07 2/18/2015 JE Savage 33

CSCI 1800 Cybersecurity and Interna4onal Rela4ons. Design and Opera-on of the Internet John E. Savage Brown University

CSCI 1800 Cybersecurity and Interna4onal Rela4ons Design and Opera-on of the Internet John E. Savage Brown University Outline Network security The link layer The network layer The transport layer Denial