Every network security manager fights an escalating and asymmetric war against adversaries aiming to penetrate networks or disrupt services hosted there. Symantec reported that major attacker-caused data breaches rose almost 25 percent last year, while Verisign reported almost a 300 percent increase in average DDoS attack size. Asymmetries abound: automated attacks move embarrassingly faster than defenders can react (the top five zero-days unleashed last year averaged 59 days to patch, and ¾ of scanned websites still had known vulnerabilities); and last year 317 million new pieces of malware and 6,500 newly found vulnerabilities far exceeded the capacity growth of skilled human network defense operators.

In 1904-1908, the British Royal Navy under Admiral Sir John “Jackie” Fisher faced a similar challenge of limited resources and new adversary capabilities. Fisher risked being out-flanked on four fronts. First, his coastal defense fleet, constrained to shallow water, was threatened by new torpedo and submarine technology. Second, his station cruisers and commerce escorts were threatened both by the emergence of submarines and by the advent of fast, armored adversary cruiser squadrons. Third, his existing fleet required huge crews deployed far from home, limiting both the number of ships he could crew and his ability to keep crews trained and up to date. Fourth, economic conditions in the United Kingdom prevented funding of a complete overhaul of the navy.

Our situation today is strikingly similar to Fisher’s. Our server installations are large, continuously present targets precisely because we aim to serve customers well.
New adversary technologies such as advanced persistent threat (APT) components seek to map out, compromise, and exploit these targets quietly, over long periods, while relatively old technologies such as denial-of-service (DoS) attacks continue to be surprisingly effective at taking down critical services by using updated techniques such as DNS reflection and NTP amplification. Our reliance on human defenders limits our ability to respond and slows our learning curve. And of course there’s never enough corporate budget allocated to “do security right”. Fisher’s solution is still an inspiration to military strategists today. He abandoned an entrenched strategy that would have led to disaster in an asymmetric war of old station cruisers vs. lightweight torpedo boats and submarines. Instead, he adopted exactly those new threat technologies to create a highly effective coastal defense framework while at the same time creating a distributed fleet that focused on speed and hitting power rather than formidable size and continuous presence. With that groundwork laid, here’s the key (but somewhat obvious) question: How can you “pull a Fisher” in network defense? Here are a few ideas we might try. You might use these thoughts to start conversations in your own organization.
Swamp the enemy with work to do
If your IDS can detect unusual traffic, why not also use it to protect the network by confusing the attacker? One way to do this is to trigger virtual chaff: significant numbers of lightweight VMs that mimic “real” machines right down to shallow simulations of services and artificial inter-host communications. Launching several hundred or even a few thousand chaff hosts can distract network mapping and other attacks without disrupting normal business processes. When an attack subsides, the chaff can be retracted, allowing the network to resume its normal appearance.
Present a moving target defense
Researchers have for several years reported various ways to use software defined networking (SDN) mechanisms to assign externally visible virtual IP addresses to hosts, and then perform virtual-to-real IP address translation on-the-fly at internal subnet switches. This moving target defense approach allows for dynamic, frequent mutation of the virtual IP map of the network so that attackers can’t easily get a fix on their would-be targets from outside, while avoiding change to end-host IP address assignments that might disrupt business logic.
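The following is an added example, not code from the article or from any SDN controller it references. It sketches the virtual-to-real translation step described above as a tiny in-memory edge "switch": real host addresses never change, the externally visible virtual addresses are drawn from a separate pool, and the virtual map is re-derived each epoch from a shared key so that every edge switch holding that key computes the same permutation without coordination traffic. The keyed-HMAC derivation, the pool range and the host addresses are all constructed for illustration.

```python
"""Moving target defense sketch: epoch-keyed virtual-to-real IP mutation.

Added example (not from the article). Real hosts keep their addresses;
only the externally visible virtual IPs rotate. Two edge switches sharing
the same key and epoch derive identical maps, so packets can be translated
consistently at any subnet boundary.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional


class VirtualIPMutator:
    def __init__(self, real_hosts, virtual_pool_cidr: str, key: bytes):
        # Real (internal) addresses are fixed; business logic depends on them.
        self.real_hosts = [str(ipaddress.ip_address(h)) for h in real_hosts]
        # Pool of externally visible virtual addresses (constructed range).
        self.pool = list(ipaddress.ip_network(virtual_pool_cidr).hosts())
        if len(self.pool) < len(self.real_hosts):
            raise ValueError("virtual pool smaller than number of real hosts")
        self.key = key            # shared secret among edge switches (assumption)
        self.epoch = 0
        self.v2r: Dict[str, str] = {}
        self.r2v: Dict[str, str] = {}
        self.mutate()

    def mutate(self) -> int:
        """Advance one epoch and rebuild the virtual->real map.

        Each virtual address gets an HMAC tag over (epoch, address); sorting by
        tag yields a key-dependent permutation of the pool. The first N entries
        of that permutation are assigned to the N real hosts in fixed order.
        """
        self.epoch += 1
        scored = []
        for vip in self.pool:
            msg = f"{self.epoch}:{vip}".encode()
            tag = hmac.new(self.key, msg, hashlib.sha256).digest()
            scored.append((tag, str(vip)))
        scored.sort()
        ordered = [vip for _, vip in scored]
        self.v2r = {ordered[i]: real for i, real in enumerate(self.real_hosts)}
        self.r2v = {real: vip for vip, real in self.v2r.items()}
        return self.epoch

    def inbound(self, dst_vip: str) -> Optional[str]:
        """Translate an external packet's virtual destination to the real host.

        Returns None for unmapped (stale or never-assigned) virtual addresses;
        the switch would drop such packets, which is what blinds a scanner that
        captured addresses in an earlier epoch.
        """
        return self.v2r.get(dst_vip)

    def outbound(self, src_real: str) -> str:
        """Rewrite a real source address to its current virtual address."""
        return self.r2v[src_real]

    def translate_inbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite the 'dst' field of a packet dict, or drop it (None)."""
        real = self.inbound(pkt["dst"])
        if real is None:
            return None
        out = dict(pkt)
        out["dst"] = real
        return out


if __name__ == "__main__":
    # Constructed sample: three real hosts behind a /28 of virtual addresses.
    m = VirtualIPMutator(["10.0.0.10", "10.0.0.11", "10.0.0.12"],
                         "192.0.2.0/28", b"constructed-shared-key")
    for _ in range(3):
        print(f"epoch {m.epoch}: {m.r2v}")
        m.mutate()
```

The design point worth noticing is that the map is a function of (key, epoch), not of controller state: a second switch instantiated with the same arguments reproduces the map exactly, so the rotation frequency is bounded only by how fast the edge can reprogram its flow tables, not by a synchronisation protocol.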
Capture the enemy’s attack pattern at fine grain during attacks
The aim is to capture the pattern while the attack is in progress rather than attempting to reconstruct it at coarse grain after the fact. Chaff VMs, mentioned above, have another interesting use. Traffic targeted at chaff hosts is by definition unusual traffic, because those hosts provide no real services. That gives chaff VMs a unique ability to isolate such traffic and record its patterns. These patterns can then be added to IDS triggers and shared with other organizations to improve overall defensive posture.
Share timely threat intelligence in detail with defenders in other agencies or corporations
We have the basic transport mechanisms: DDS and TAXII are examples here. With current IDS technology, and even more with the use of virtual chaff, we have the threat data to share. You might argue that we need a common language for expressing this information, but that’s merely a domain-specific language design problem. The truth is more likely to be that we don’t share because we’re unwilling to share, either because of outmoded privacy concerns or worries about corporate reputation. Are we willing to let those issues stop us from turning down the volume on exfiltration of customer data? I hope not.

Even if we are, there are options. Research over the past several years has shown that privacy-preserving database technology can be both performant and secure. Database contents and queries can both be encrypted such that curious onlookers (even if they’re lurking on the database server) learn nothing about the data, the query, or even what part of the database a query accessed. So, even if we have privacy or reputation concerns, what’s stopping us from sharing threat data in near real-time?

Adopting the ideas mentioned here requires some informed risk-taking, just as Admiral Fisher took risks in re-inventing the British navy. He succeeded for the long term. So can we.
About the Author: David Archer is a Research Program Lead at Galois, Inc., where he directs research in computing on encrypted data, cryptography, and security-related provenance of data and computation. He holds a PhD in Computer Science from Portland State University (Portland, OR) as well as an MS in Electrical Engineering from the University of Illinois at Urbana-Champaign. Dr. Archer’s research interests also include cyber privacy and information assurance. Dr. Archer also has 25 years of experience in processor and computer system design, and in leading large hardware and software product design teams at Intel Corporation and Mentor Graphics Corporation.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.