Presentation Title - George Mason University

Presentation Title - George Mason University

Minimizing Losses from Zero Days A New Layer of Defense (SCIT) Game-Change Concepts: Moving Target + Exposure Management Next Generation Server Security Technology Arun Sood Ph. D. Dept of Computer Science & International Cyber Center, SCIT Labs Inc http://cs.gmu.edu/~asood/scit http://www.scitlabs.com +1703.347.4494 SCIT Multi-National Security Breach http://news.bbc.co.uk/2/hi/technology/7118452.stm A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted. If a user searched Google for terms such as "hospice", "cotton gin and its effect on slavery", "infinity" and many more The first result pointed to a website from which malicious software was downloaded and embedded on user system. Criminals in country A created domains that were mostly bought by companies in country B and hosted in country C. Tens of thousands of domains were used. These domains tricked the indexing strategy of Google to believe that these web pages were good and reliable source of information. Our focus: targeted and organized attacks.

SCIT Anatomy of an Hack Analyze publicly available info. Set scope of attack and identify key targets Check for vulnerabilities on each target Exploitation Buffer Overflow Spoofing Password DOS Attack targets using library of tools and techniques Automated Scanning Machines Ports Applications Identify Target Install Malicious Code

Hack Other Machines Take over Domain Controller Deliver Payload Custom Trojan Rootkit Attack targets using installed software Damage Owning IP Theft, Blackmail, Graffiti, Espoinage Destruction Damage Owning IP Theft, Blackmail, Graffiti, Espoinage Destruction Richard Stiennon, May 2006, http://blogs.zdnet.com/threatchaos/?p=330 SCIT Automated Approach

Foot print analysis Who is NSLookup Search Engines Enumeration Scanning Machines Ports Applications Manual Approach Foot print analysis Who is NSLookup Search Engines Enumeration Attacking a Multi-tier Architecture Web-App-DB-Domain Controller Step 1: Identify Target

Step 2: Initial Compromise Become a privilege user like internal user on the target system Step 4: Hacking Other Machines Web pages are always exposed opportunity for ingress Step 3: Elevate Privileges Network address ranges Host names Exposed hosts Applications exposed on those hosts Operating system and application version information Patch state of both the host and of the applications Structure of the applications and back-end severs Own the network. Step 5: Take over Domain Controller Jesper Johansson and Steve Riley , Protect Your Windows Network: From Perimeter to Data, Addison-Wesley Professional, 2005.

SCIT The Problem Verizon Business (DBIR2009): 285 M records compromised for 90 sites. Customized malware hard to detect. Intrusion persists for days, weeks, months. Network Solutions, Wyndham Hotels. Symantec produced 920,000 malicious signatures in 2009. 50% of all vulnerabilities in web apps. Half of disclosed vulnerabilities had no fixes. Recovery from a breach is costly: $6.3M [Ponemon Inst] Focus on targeted and organized attacks. Current reactive approaches are inadequate. We introduce intrusion tolerance a new paradigm. SCIT Verizon (DBIR2010): Time Frame SCIT The SCIT Solution SCIT provides Intrusion Tolerance for servers using virtualization to restore the OS and application to a pristine state after attack! SCIT Virtual Partition Enterprise Server SCIT

Virtual Server Firewall Hacker (Actual Photo) Every minute SCIT software cleans and restores the virtual server to its pristine state 02/09/20 SCIT 7 Cross Sector Cyber Threats Strategy Defense in Depth Approach to Security Multi layered Approach to Security: Best if layers operate independently Firewalls depend on inspection of incoming packets IDS/IPS depend on inspection of incoming and outgoing packets With increasing bandwidth and more matching requirements, the cycles devoted to packet inspection will keep increasing Threat independent approaches are needed for protection against zero-days Other approaches should be included in the mix, including approaches that do not rely on packet inspection and have potential for threat independent performance:

White list of software Time-dependent recovery-based intrusion tolerance SCIT Cross Sector Cyber Threats Strategy The SCIT Solution Static Servers Converted to Dynamic Environment Facilitates Incorporation of Diversity Threat Independent Rapid Recovery: Work Through an Attack Mission Resilience Emphasize Temporal Dimension Virtualization as a New Framework for Server Security SCIT How Does SCIT Provide Additional Security? SCIT servers Regularly restored to a known state and remove malicious software installed by attackers. Provide protection while manufacturer is developing a patch, i.e. SCIT servers are protected in the time period between vulnerability detection and patch distribution. Gives data center managers an additional level of freedom in developing a systematic plan for patch management.

SCIT DNS servers Domain name / IP address mapping is protected from malicious alteration, thus avoiding improper redirection of the traffic. SCIT Web servers Protect the corporate crown jewels, front ends for sensitive information, e.g. customer or employee data sets, IP, and informational web sites. Regularly restores the sites to known states, and makes it difficult for intruders to undertake harmful acts such as deleting files. Avoid long term defacements. Reduces the risk of large scale data ex-filtration. SCIT Key Intrusion Tolerance Approaches OASIS (DARPA) MAFTIA (EU) SCIT (GMU) Fault Tolerance Based: Intrusion Detection First Recovery Based Structure Based Structure Based Time Dependent

Packet Inspection Yes Yes No Voting Algorithm Yes Yes No Deterministic No No Yes Performance Impact Yes Yes Yes

Diversity Required Required Optional. Diversity will make scheme more robust Recovery Performed upon detecting intrusion. Performed upon detecting intrusion. Built in automatic periodic recovery. See IEEE Security andSCIT Privacy paper for details Comparison of IDS, IPS, SCIT Issue Firewall, IDS, IPS Intrusion tolerance Risk management. Reactive.

Proactive. A priori information required. Attack models. Software vulnerabilities. Reaction rules. Exposure time selection. Length of longest transaction. Protection approach. Prevent all intrusions. Impossible to achieve. Limit losses. System Administrator workload. High. Manage reaction rules. Less. No false alarms Manage false alarms. generated. Design metric. Unspecified. Exposure time: Deterministic.

Packet/Data stream monitoring. Required. Not required. Higher traffic volume requires. More computations. Computation volume unchanged. Applying patches. Must be applied immediately. Can be planned. 02/09/20 SCIT 12 Server Rotations Example: 5 online and 3 offline servers Servers -Virtual -Physical

Server Rotation Online servers; potentially compromised Offline servers; in self-cleansing 02/09/20 SCIT 13 Server Rotations Example: 5 online and 3 offline servers Servers -Virtual -Physical Server Rotation Online servers; potentially compromised Offline

servers; in self-cleansing 02/09/20 SCIT 14 Server Rotations Example: 5 online and 3 offline servers Servers -Virtual -Physical Server Rotation Online servers; potentially compromised Offline servers; in self-cleansing 02/09/20 SCIT 15 Server State Transitions

Current Additional States Planned for Analysis and Archiving 02/09/20 SCIT 16 SCIT Supports Session Persistence SCIT does not require changing the application server or application code SCIT servers support session persistence but do not migrate state Session data is stored in shared memory or shared by multicasting among the virtual servers Session info is data and not executable 02/09/20 SCIT 17 SCIT - Intrusion Tolerance Approach Increase security by reducing exposure window Exposure window is the time a server is online between rotations Optimizes application-specific exposure windows to servers

Decreasing available time for intrusion, reduces potential losses Loss Curve SCIT does not eliminate vulnerabilities or prevent intrusions, but makes it difficult to exploit the vulnerability Loss No packet inspection; No signatures; No detection Additional layer of defense T Intruder Residence Time Integrated system: prevention, detection, tolerance Cost Reduce managed services cost Adaptive SCIT Increase availability reduce down time for upgrades fewer reboots 02/09/20 SCIT T 18 Transaction Length in Multitier Architecture

Layer Implementation Transaction Length Client Layer Web site, DNS service Short Middle Layer Authentication, Single Sign On Short VPN, Streaming Media Long Transaction Processing Short File Access Mixed Complex Database Queries Long

Back End Layer SCIT Exposure Time Reductions Application Current Server SCIT Server Websites Windows Server 1 day to 3 month 60 seconds Websites UNIX Server 1 month to 6 months 60 seconds DNS services Linux Server 3 months to 1 year 30 seconds In the following slides we show that: Reducing Exposure Time Significantly Reduces Expected Loss SCIT

Security Risk Assessment Threat Level Threat Probability (Threat Probability x Risk Factor) Criticality Factor Risk Factor (Criticality/ Effort ) Exposure Factor (EF) Effort Required (Threat Level x I mpact) x Asset Value (AV) Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) Vulnerability Factor Annual Loss Expectancy (ALE) I mpact (Loss Factor) Asset Priotiy Follows SecurityFocus.com (Symantec), Microsoft SCIT

Risk Shaping by Exposure Time SCIT Multi Tier Example Un-trusted domain Corporate Trusted domain Private domain High Risk Medium Risk Low Risk Zone 3 Workstation Zone 2 Content Management Server Zone 1 Database Server

SCIT SCIT vs Traditional Cumm Single Loss Expectancy $80,000 Multi Tier Architecture Web server DNS server Content Manager Database server $70,000 $60,000 $50,000 $40,000 $30,000 $20,000 $10,000 $0 SCIT Exposure Time Reducing Exposure Time Significantly Reduces Expected Loss SCIT Avoidance is Better Than Cleaning You cannot clean a compromised system by

patching it. removing the back doors. using some vulnerability remover. using a virus scanner. reinstalling the operating system over the existing installation. You cannot trust any data copied from a compromised system. the event logs on a compromised system. your latest backup. The only proper way to clean a compromised system is to flatten and rebuild. CLEANING COMPROMISED SYSTEMS IS DIFFICULT. IT IS BETTER TO AVOID HACKING. SCIT Case Study: Payment Card Industry

Cost per exposed accounts (legal and professional fees, customer contact, post event clean up and improvements) More than 1M accounts compromised: $50 per account Few (1500) accounts compromised: $1500 per account Cost for protecting data 100,000 customers Method $ per customer Year 1 Comments Recurring Encrypt data at rest $5 $1 Application Changes Host IDS $6

$2 False Alarm management Continuous security audits $3 - $4 $3 - $4 Vulnerability scanning Bottom Line: Cost of exposed accounts >> Cost of protection Reducing Exposure Time provides additional layer of defense - makes it more difficult to exploit vulnerabilities and steal data. Source: Rapid 7 Vulnerability Management Trends. Also Gartner Group SCIT Sample Requirements Met by SCIT Servers Web site should not be defaced longer than 1 minute DNS tables should be restored within 1 minute System should reduce data ex-filtration when combined with IDS the volume of data that can be maliciously retrieved can be computed To ensure clean servers, remove malware every minute Change the face of the website every minute SCIT

Randomized Defensive Strategies Current servers are static and overexposed -almost sitting ducks Randomly change the exposed face of the target Hide, obscure, alter, move target Develop approaches that are effective in server farms and at the point of the spear Issues to address: Impact on system administration Scalability SCIT Comparing 4 Architectures IDS SCIT NIDS + HIDS NIDS + SCIT SCIT Results of Simulation Parameters used in the simulation Case

Simulation Metrics Value (units) Number of queries used 50,000 Intruder Residence Time (IRT) 0 minutes to 2 months Mean IRT Pareto distribution 48 hours SCIT: ET 4hrs SCIT: ET 4 mins Exposure Time 2 cases 1. 4 hrs 2. 4 mins NIDS + HIDS

Data Ex-filtration rate 675 records/breach NIDS + SCIT (ET 4 hrs) NIDS + SCIT (ET 4 mins) NIDS SCIT Results of the simulation Total No. of damage breaches (records) Mean Damage (records/ breach) 245,962 (100%) 55,364 (23%) 1,015 (0.4%) 192 1,281

508 508 109 2 210,578 (86%) 20,931 (9%) 164 1,284 191 110 383 (0.16%) 191 2 Long Transaction Length Short Target Applications E-Commerce payments

long session of multiple short transactions Streaming media Web servers DNS services Single Sign On Firewalls Authentication (LDAP) Transaction Processors VPN Complex Database Queries Back end processing File Transfer (size dependent) Low High Value for Exposure Window Management SCIT Collaboration with Systems Integrators Lockheed Martin Testing and validation of SCIT servers. Funded SCIT research Northrop Grumman Testing and validation of SCIT servers. Matching partner Virginia CTRF project Raytheon

Collaborated on SBIR proposal 02/09/20 SCIT 32 Testing by Northrop Grumman Component Test Objectives Findings Basic Web Server with Session persistence Defacement (recovery) System Compromise (limit effects) Data Corruption (recovery) Data ex-filtration (limit effects) The resilience of the underlying VM architecture proved effective at thwarting any long term or permanent damage to the platform as a result of malicious activity. E-Commerce Application Defacement (recovery time) System Compromise (limit

effects) Data Corruption (recovery) Data ex-filtration (limit effects) Shopping Cart Price manipulation The findings were the same as the basic web server and the shopping cart was not subject to manipulation Single Sign-On SQL injection System Compromise Unauthorized access Due to effective firewall and authentication input filtering the SSO architecture proved immune to O/S Corruption and Database Exploitation attack vectors. The underlying rotation of SSO Virtual Machine instances proved transparent throughout the entire course of testing. Overall The SCIT platform does reduce exposure time and confuses attacker efforts. There is a slight performance degradation as exposure time is reduced. SCIT Lockheed Testing The overall security features of the SCIT system performed as advertised. This tool is very effective in ensuring application availability and the

integrity of the web server itself. It provides a stable platform on which an enterprise can host web applications. The evaluators found that the first step, port scanning, was successfully accomplished. However, the Nessus software just hung when establishing sessions with the open ports it found. This was probably because the rotation of the servers deleted the session information that Nessus left on the servers. Recovery from DoS attack Verify that the system will automatically recover from a website defacement attack. Verify that the system will automatically recover if the service is made unavailable. Resiliency Verify that if the vulnerabilities were executed they would not seriously impact the overall system SCIT does not fix app/OS vulnerabilities; does not protect against the integrity, and confidentiality of the users session and sensitive data; these properties are the same as that of the application. Current SCIT implementations do not change the application code. SCIT Quick Review + Road Map SCIT: Why? How? Scope. Independent Validation. Performance.

DOD Network. Specific Server: SCIT DNS. Scalability. Plans. Demo SCIT Performance & Functionality Stress Tests Workload: number of user sessions/minute (50,100,125) User session: Series of request and response from server Select item from drop down list and add it to persistent storage OpenSTA is used to generate workload 3 runs per case. Duration of run = 3 * Exposure time for the run each VM is tested at least once Workload consists of N requests every 10 secs. Exposure times of 2,3 and 4 minutes, No Rotation Stand alone web server for Non-SCIT test. 02/09/20 SCIT

36 Performance Test Results Exp Time (minutes) User Sessions Avg. Response Time (secs) STD Dev 2m 50 6.16 0.07 2m 100 6.24 0.01 2m 125 6.27

0.02 3m 50 6.10 0.04 3m 100 6.15 0.02 3m 125 6.31 0.05 4m 50 6.08 0.04

4m 100 6.15 0.02 4m 125 6.14 0.02 No Rotation 50 6.03 0.01 No Rotation 100 6.03 0.00 No Rotation

125 6.04 0.00 02/09/20 SCIT SCIT Server Environment Entry Level DELL System Dual processor 4 cores each Memory: 4 GB Slackware OS Apache, Tomcat, Shopping Cart (Java) 37 SCIT and DoD Networks Network Relative Size Frequency of Change Security Support Staff Sustaining Network

Many servers. Worldwide. Slowly changing. Large & talented support Tactical Network Fewer servers. Smaller region. Potential for rapid change. Limited support. Frequent staff rotations. Sustaining Networks SCIT provides additional layer of defense. Tactical Networks SCIT provides continuity of operations, automatic recovery. 02/09/20 SCIT 38 Standards and Compliance

Requirements DODI 8500.2 Enclave and Computing Environment Integrity ECID-1 Host Based IDS Host-based intrusion detection systems are deployed for major applications and for network management assets, such as routers, switches, and domain name servers (DNS). Payment Card Industry Data Security Standard Consumer Data Protection Requirement Compensating Control 02/09/20 SCIT 39 Potential Target Audience Web site/ Ecommerce Commercial Data Centers Government Critical Infrastructure sites (e.g. Emergency preparedness) Database server protection DNS servers SSO servers

Cloud Computing Services 02/09/20 SCIT 40 DNS & DNSSEC & SCIT-DNS DNS is an essential part of Internet. Used where names are used web, email, web services, etc DNS was designed for trusted environment. DNSSEC adds end-to-end security to DNS. OMB has mandated DNSSEC. .. represents an infinitesimal presence . (http://dns.measurement-factory.com/surveys/200910.html) Particularly challenging in some environments, like tactical. SCIT DNS DNSSEC is the preferred solution. SCIT-DNS provides near DNSSEC trust with DNS convenience Focus of Army SBIR 02/09/20 SCIT 41 SCIT DNS Trust Degradation With Time DNS

SCIT-DNS DNSSEC 1.2 1 Trust 0.8 0.6 0.4 0.2 0 0 1 2 3 4 5 6 7 Time 02/09/20 SCIT

42 SCIT in Server Farms Scalability Issues Can SCIT be incorporated in Enterprise environments? Version 1 Objectives System Admin Function Many apps and servers Monitoring of the system state Diagnostics Many servers Many applications Can SCIT work in a multiple apps per server environment? Deployment of VMs App related VMs are assigned to the servers Distribute after testing at a staging server System captures VM map to facilitate deployment Can SCIT VMs be distributed across the server farm? Can SCIT effectively exploit multi-core architectures?

02/09/20 Distributing the sever load Prelim simulation model Resource Allocation model SCIT 43 SCIT Configuration & Construction Staging Server Pristine Image VM 02/09/20 SCIT 44 Current Status Validated the scalability of SCIT: Developed SCIT Infrastructure System (SIS) Monitor server farm from a single point Diagnostics from a single location

Automate the staging, testing and deployment of SCIT apps Pristine images, clones, dispatcher, controller Specified the key management requirements Configuration Simulation of SCITized multiple application server farm Independent validation at Lockheed units Testing at Gaithersburg, Omaha, Rockville Capture new use cases: upload and download of files taking 3 to 4 minutes: Share Point Independent validation at Northrop Grumman Triad Labs - Colorado Moving target defense SCIT DNS SCIT SSO SAML compatibility Community of interest: pubs, invited presentations and workshops Parallel Effort: Development, Quantitative, Simulation 02/09/20 SCIT 45 Way Ahead Further Validation and Certification Seeking Pilot project opportunities Examine long duration applications Up to 5 minute uploads SCIT improvements

Dispatcher is static; can this be rotated; what about apps distributed across server boxes Dynamism enables diversity in deployment: OS, App, Memory Image Multi-level rotations: apps, OS, hardware SCIT reconnaissance SCIT in cloud computing, Virtualized Desk Top Infrastructure Multiple apps per server Adaptive SCIT; Memory image based IDS; Hardware Enabled SCIT 02/09/20 SCIT 46 IP Protection and Recognition Issued Patents: " Self-Cleaning System, US 7549167. Issued 6/16/2009. Inventors: Yih Huang and Arun Sood "SCIT-DNS: Critical Infrastructure Protection through Secure DNS Server Dynamic Updates", US 7680955. Issued 03/16/2010. Inventors: David Arsenault, Yih Huang and Arun Sood. Single Use Server System", US 7725531. Issued May 25, 2010 Inventors: David Arsenault, Yih Huang and Arun Sood.

Pending Patents "Data Alteration Prevention System", Utility Patent Application No.: 11/419,832, 5/23/2006, Docket No.: GMU-05-037U. Inventors: David Arsenault, Yih Huang, and Arun Sood. Two additional patents applied in 2010. Research Support: Army (TATRC), NIST/CIPP, SUN, CTRF/Northrop Grumman, Lockheed Martin Awards: Winner Security Technologies for Tomorrow GSC and CNI-Expo competition 2 June 2010. 2nd place GSC Cyber Security Challenge 13 Novermber2009. GSC=Global Security Challenge, associated with London Business School. SBIR: Army SCIT DNS with focus on tactical environment. 02/09/20 SCIT 47 Benefits of SCIT SCIT removes malware every minute without detection .. 85 percent of the 285 million records breached in the year were harvested by custom-created malware. Verizon. SCIT reduces data ex-filtration

Data ex-filtration is slow gradual process to avoid IDS detection & SCIT interrupts the flow every minute SCIT does not rely on signatures and is threat independent IPS / IDS depend on signature matching and focus on known threats. SCIT relies on exposure time control. SCIT automatically recovers from defacement or software deletion attacks: mission resilient SCIT reduces intrusion response (alerts) management cost SCIT provides an additional dimension to separate false alarms. 02/09/20 SCIT 48 SCIT: Additional Capability Apply hot patches Operating Systems Applications Potential for fast recovery from bad patches Technology that converts a static system (sitting duck) into dynamic system Different types of diversity: admin cost security trade off Explicit use of time in secure system design SCIT SCIT Publications + Contact Info

SCIT technical publications Links to media reports Links to demo videos http://cs.gmu.edu/~asood/scit http://www.scitlabs.com Questions? Arun Sood {[email protected], [email protected]} +1703.347.4494 02/09/20 SCIT 50

Recently Viewed Presentations