Flow Analysis for Network Situational Awareness Tim Shimeall January 2010
NO WARRANTY. THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013.
What We Will Cover
Introduction
Your Network
  - Fundamentals of networks, flow, and protocols
  - Malicious traffic
External Events & Trends
  - Malware
  - Networks in the Broad
Working Together
  - Network dependencies
  - Analysis
Summary
What this class is
  - Approaches, methods, and trends of interest in building network situational awareness
  - A big-picture view of analysis
  - Assumes you have a good handle on analysis tool suites
What this class is not
  - Cool tricks with SiLK
  - Installing and using SiLK
  - Everything you need to do analysis
  - Bits and bytes on the wire
A couple of rules
  - ASK!
  - No smoking/chewing
  - Cell phones on stun
  - No smelly food
Recognition Stances
Network Situational Awareness: Definition
"The systematic gathering, analysis and interpretation of data from local and remote networks regarding structure, applications, traffic and resources to produce actionable information for decision making in network operations and defense." (Shimeall, 2008)
Alternate Definitions
Situation Awareness (SA): "The perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future." (Endsley, 1988)
Network SA: "the operational picture that consolidates all available information that is actually needed for identifying attacks and for selecting and applying appropriate countermeasures." (Kemmerer et al., 2008)
Network Situational Awareness Practice
  - Know your network
  - Know current external events and trends
  - Know how they fit together
How these Definitions Apply
  - Know Network
  - Know Events/Trends
  - Know How They Fit
Vulnerability Note VU#800113: Multiple DNS implementations vulnerable to cache poisoning (July 2008)
http://www.youtube.com/watch?v=xdkw8ny6IcM#
Cable Cuts, January 2008
Estonia, April 2007
The 2008 Olympics
Questions of Interest
  - Is my bandwidth increasing from business-related activity, or from non-work-related activity?
  - How will my business be impacted by implementation of a more stringent security policy?
  - If my backbone Internet Service Provider chooses to de-peer with another backbone provider, how will I be affected?
  - How will socio-political uprisings impact my network?
  - What are the most important dependencies my network has with external resources?
  - Do computers on my network follow policy?
  - Can my network survive a distributed denial-of-service attack?
  - How can I prioritize resources during a bandwidth-limiting attack?
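The questions above are the kind that flow records, rather than packet captures, are well suited to answer. As an added worked example (not from the original slides), the following Python script answers three of them over a handful of flow records: whether hosts follow policy (only a designated relay may send SMTP outbound, and peer-to-peer ports are not business traffic), how outbound volume splits between business and non-business activity, and which external hosts the network depends on most. The record layout mimics the pipe-delimited text that SiLK's rwcut emits, but the records themselves, the 10.1.0.0/16 local range, the mail-relay list and the non-business port set are all constructed assumptions for illustration; nothing here requires SiLK to be installed.

```python
"""Added example: answering three "Questions of Interest" from flow records.

The flow records, the local address range, the mail-relay list and the
non-business port set are all constructed for illustration; the field layout
imitates SiLK rwcut text output but no SiLK tools are needed to run this.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic). Fields: sIP|dIP|sPort|dPort|pro|packets|bytes|sTime
FLOWS = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|sTime
10.1.1.20|203.0.113.7|51234|443|6|40|52000|2010/01/12T09:00:01
10.1.1.20|203.0.113.7|51235|443|6|35|48000|2010/01/12T09:01:10
10.1.1.31|198.51.100.9|44100|25|6|12|3400|2010/01/12T09:02:00
10.1.2.5|198.51.100.9|44200|25|6|18|5200|2010/01/12T09:02:30
10.1.1.40|192.0.2.77|50001|6881|6|900|1200000|2010/01/12T09:03:00
10.1.1.40|192.0.2.78|50002|6881|6|850|1100000|2010/01/12T09:03:30
10.1.1.20|192.0.2.10|50500|53|17|1|78|2010/01/12T09:04:00
10.1.1.55|203.0.113.7|50600|80|6|20|15000|2010/01/12T09:05:00
"""

INTERNAL = ipaddress.ip_network("10.1.0.0/16")          # assumed local address space
MAIL_RELAYS = {ipaddress.ip_address("10.1.2.5")}         # assumed: the only host allowed to send SMTP out
NON_BUSINESS_PORTS = {6881, 6882, 6883}                  # assumed: common BitTorrent ports


def parse_flows(text):
    """Parse pipe-delimited flow text (header row first) into dicts with typed fields."""
    lines = text.strip().splitlines()
    fields = [f.strip() for f in lines[0].split("|")]
    records = []
    for line in lines[1:]:
        rec = dict(zip(fields, (v.strip() for v in line.split("|"))))
        rec["sIP"] = ipaddress.ip_address(rec["sIP"])
        rec["dIP"] = ipaddress.ip_address(rec["dIP"])
        for key in ("sPort", "dPort", "pro", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)            # sTime is kept as the original string
    return records


def outbound(records):
    """Flows leaving the local address space: internal source, external destination."""
    return [r for r in records if r["sIP"] in INTERNAL and r["dIP"] not in INTERNAL]


def policy_violations(records):
    """'Do computers on my network follow policy?' -> sorted (sIP, dPort, reason) tuples."""
    hits = set()
    for r in outbound(records):
        if r["pro"] == 6 and r["dPort"] == 25 and r["sIP"] not in MAIL_RELAYS:
            hits.add((str(r["sIP"]), r["dPort"], "direct outbound SMTP from non-relay"))
        if r["dPort"] in NON_BUSINESS_PORTS:
            hits.add((str(r["sIP"]), r["dPort"], "peer-to-peer port"))
    return sorted(hits)


def bytes_by_category(records):
    """Attribute outbound bytes to business vs non-business activity by destination port."""
    totals = {"business": 0, "non_business": 0}
    for r in outbound(records):
        key = "non_business" if r["dPort"] in NON_BUSINESS_PORTS else "business"
        totals[key] += r["bytes"]
    return totals


def external_dependencies(records, top=3):
    """'What are my most important external dependencies?' -> external hosts ranked
    first by how many distinct internal hosts talk to them, then by bytes exchanged."""
    by_ext = defaultdict(lambda: {"bytes": 0, "internal_hosts": set()})
    for r in outbound(records):
        entry = by_ext[str(r["dIP"])]
        entry["bytes"] += r["bytes"]
        entry["internal_hosts"].add(str(r["sIP"]))
    ranked = sorted(by_ext.items(),
                    key=lambda kv: (len(kv[1]["internal_hosts"]), kv[1]["bytes"]),
                    reverse=True)
    return [(ip, len(e["internal_hosts"]), e["bytes"]) for ip, e in ranked[:top]]


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("policy violations:", policy_violations(flows))
    print("outbound bytes by category:", bytes_by_category(flows))
    print("top external dependencies:", external_dependencies(flows))
```

On a real SiLK repository the same logic would run over the text produced by rwfilter piped into rwcut (selecting the fields above with rwcut's --fields option and delimiter-only output); the point of the example is the analytic step after the tools, which is what the rest of the class is about. Note that a single flow at the peer-to-peer port dominates the byte totals even though it involves one host, while the ranking by distinct internal hosts surfaces the shared web and mail destinations, which is why both views are computed.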
Building Understanding
[Diagram; labels: Operators/Groups, Victims/Bystanders, Internet Behavior, Opportunities/Vulnerabilities, Status, Attributes, Dynamics, Stimuli/Motives]
Challenges to Analysis
  - Gathering sufficient datasets to make statistically valid judgments
  - Developing automated technical analysis tools
  - Developing a reliable methodology for cyberanalysis
  - Overcoming organizational bias against sharing information