Honeypots, Honeynets, Active Defence and Changes in Thinking about Cyber Crimes David Dittrich The Information School/C&C The University of Washington POLCYB Keynote, 1 November 2003

Dec 21, 2015

Transcript

Page 1: Honeypots, Honeynets, Active Defence and Changes in Thinking about Cyber Crimes David Dittrich The Information School/C&C The University of Washington.

Honeypots, Honeynets, Active Defence and Changes in Thinking about Cyber Crimes

David Dittrich

The Information School/C&C

The University of Washington

POLCYB Keynote, 1 November 2003

Page 2:

The Problem

Page 3:

Spam again? Been there, …

Page 4:

… but never done THAT!

Page 5:

Threat Spectrum

Page 6:

[Figure: "Attack sophistication vs Intruder Technical Knowledge" (Source: CERT/CC). Horizontal axis: 1980, 1985, 1990, 1995, 1998, 2001; vertical axis: Low to High. Two labelled trends, "Intruder Knowledge" and "Attack Sophistication" ("Increasing Attack Sophistication"), with "Tools" and "Attackers" as the plotted series. Tools marked along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

Page 7:

Not your typical crime scene

Systems must remain running

More “DC Sniper” than “O.J. Simpson”

Not enough yellow “CRIME SCENE” tape to circle the planet

There is no “Hogan’s Alley” for cyberspace

Page 8:

Implications for LE

More economic crimes involving computers

More multi-jurisdictional crimes (intranational/international)

More complex tools

More loss of private information

Page 9:

Honeypots

Page 10:

Concept of Honeypots

First popularized in “The Cuckoo’s Egg” by Cliff Stoll

Redefined by the Honeynet Project: a security resource whose value lies in being probed, attacked or compromised

Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise

Used for monitoring, detecting and analyzing attacks

Page 11:

Utility – Identifying new exploits

Page 12:

The Role Of Honeypots In The Enterprise

Augments Firewalls and IDS

Research

Incident Response / Forensics

Deception / Deterrence

Page 13:

Advantages

Fidelity – Information of high value

Reduced false positives

Reduced false negatives

Simple concept

Not resource intensive

Return on Investment

Page 14:

Disadvantages

Labor/skill intensive

Limited field of view

Does not directly protect vulnerable systems

Risk (more on this later…)

Page 15:

Honeynets

Page 16:

Gen II Honeynet

Page 17:

Virtual Honeynet

Page 18:

Data Control

[Diagram: Internet – Honeywall – two Honeypots. Traffic coming in from the Internet: "No Restrictions". Traffic leaving the honeypots through the Honeywall: "Connections Limited", "Packet Scrubbed".]
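As an added example (not the talk's or the Honeynet Project's own code), a simplified Python model of the outbound connection limiting a Gen II honeywall performs: inbound traffic passes unrestricted, while outbound connections from each honeypot are counted per protocol in a one-hour window and dropped once a cap is reached, so a compromised honeypot cannot be turned against third parties. The honeypot addresses, the per-protocol caps and the sample flows are constructed for illustration.

```python
"""Simplified honeywall data control: limit outbound connections per honeypot.
Added illustration; the caps, addresses and flows below are assumed values."""
from collections import defaultdict, deque

HONEYPOTS = {"10.0.0.10", "10.0.0.11"}         # constructed honeynet addresses
WINDOW_SECONDS = 3600                         # assumed: limits apply per hour
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}   # assumed per-honeypot caps


class Honeywall:
    def __init__(self, honeypots=HONEYPOTS, limits=LIMITS, window=WINDOW_SECONDS):
        self.honeypots = set(honeypots)
        self.limits = limits
        self.window = window
        # (honeypot, proto) -> timestamps of outbound connections let through
        self._seen = defaultdict(deque)
        self.alerts = []

    def decide(self, ts, src, dst, proto):
        """Return 'allow' or 'drop' for one new connection attempt."""
        if src not in self.honeypots:
            return "allow"            # inbound: no restrictions
        if dst in self.honeypots:
            return "allow"            # honeypot-to-honeypot stays inside the net
        q = self._seen[(src, proto)]
        while q and ts - q[0] >= self.window:
            q.popleft()               # expire attempts that fell out of the window
        if len(q) >= self.limits.get(proto, 0):
            self.alerts.append((ts, src, dst, proto, "outbound limit reached"))
            return "drop"             # cap hit: the honeypot is likely compromised
        q.append(ts)
        return "allow"


def run_data_control(flows, **kw):
    """Apply the policy to (ts, src, dst, proto) tuples; return (decisions, wall)."""
    wall = Honeywall(**kw)
    return [wall.decide(*f) for f in flows], wall


# Constructed sample flows: one inbound probe, then a compromised honeypot
# opening 20 outbound TCP connections within an hour, then one more much later.
SAMPLE_FLOWS = (
    [(0, "198.51.100.7", "10.0.0.10", "tcp")]
    + [(60 * i, "10.0.0.10", f"203.0.113.{i + 1}", "tcp") for i in range(20)]
    + [(7200, "10.0.0.10", "203.0.113.9", "tcp")]
)

if __name__ == "__main__":
    decisions, wall = run_data_control(SAMPLE_FLOWS)
    print(decisions.count("allow"), "allowed,", decisions.count("drop"), "dropped")
    for alert in wall.alerts:
        print("ALERT", alert)
```

Only the 16th and later outbound attempts within the hour are dropped; the attempt at 7200 s is allowed again because the earlier ones have aged out of the window.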

Page 19:

Attacks logged

Page 20:

And our attacker is…?

Page 21:

IRC traffic plugin output

Page 22:

Legal Issues

Entrapment

Liability

Privacy

Page 23:

Entrapment

Applies only to law enforcement

Useful only as defence in criminal prosecution

Still, most legal authorities consider honeypots non-entrapment

Page 24:

Liability

An organization may be liable if their honeypot is used to attack or damage third parties

Example: T.J. Hooper v. Northern Barge Corp. (No weather radios)

Civil issue, not criminal

Decided at state level, not federal

This is why the Honeynet Project focuses so much attention on Data Control.

Page 25:

Privacy

No single US federal statute concerning privacy

Electronic Communications Privacy Act (amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968)

Title I: Wiretap Act (18 USC § 2510-22)

Title II: Stored Communications Act (18 USC § 2701-11)

Title III: Pen/Trap Act (18 USC § 3121-27)

Page 26:

Active Defence

Page 27:

Page 28:

US Senate Debate

“If we can find some way to do this without destroying their machines, we'd be interested in hearing about that. If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize [the seriousness of their actions.] There's no excuse for anyone violating copyright laws.”

Utah Senator Orrin Hatch

Page 29:

Attacks (Strategic level)

Denial of Service

Theft/alteration of data

Web page defacement

Industrial espionage

Theft of services/resources

“Stepping stones”/anonymity

Caching data/malware

Violation of copyright (“warez”)

Page 30:

Attacks (Tactical level)

Remote service exploitation

Log alteration

"root kits"

Sniffers

Covert channel/encrypted comms

Stepping stones

Binary encryption

Address forgery/hijacking

Distributed attacks

Reflected attacks

Page 31:

You are where…?

Page 32:

Defenses (Strategic level)

Firewalls

IDS

Logging/monitoring

Host (e.g., accounts, processes, services)

Network (flows, connections, data)

Honeypots/Honeynets

Augment FW/IDS

Deception

Page 33:

Defenses (Tactical level)

Traffic analysis

Topological/Access control changes

Sniffing/keystroke logging

Traffic redirection

Honeypots/Honeynets

Service enumeration, banner grabbing, info collection

Remote exploitation

Denial of Service

Page 34:

Small loss over time

[Chart: vertical axis "Losses (* $1)", 0 to 250; horizontal axis Day 1 through Day 4. Caption: Individual selling used books on Amazon]

Page 35:

Big loss over time

[Chart: vertical axis "Losses (*$1000)", 0 to 800; horizontal axis 1st hour through 4th hour. Caption: Example.com’s lost revenues]

Page 36:

Stages of Response

0 - Unconscious

1 - Involved

2 - Interactive

3 - Cooperative Response

4 - Non-cooperative (AD) Response

Page 37:

“Unconscious”

Stage 0: “Right out-of-the-box”

“The firm/system owner/operator takes no active role, either directly or through proxy, to modify, improve, enhance, or alter defensive capabilities inherent in the hardware, firmware, and/or software as delivered from the manufacturer or installer.”

Page 38:

“Involved”

Stage 1: “Doing Business”

“The firm/system owner/operator establishes (either directly or via proxy) a baseline, tailored, day-to-day defensive posture involving only resources directly owned or operated by that owner/operator. The posture is maintained / kept current.”

Page 39:

“Interactive”

Stage 2: “We’ve Got a Problem”

“The firm/system owner/operator applies measures, in response to warning or evidence of malfeasance, to resources directly owned or operated by them. The measures are beyond the baseline because they cause some loss of flexibility, capability, or ease of use and the owner/operator does not want/intend them to become routine business practice.”

Page 40:

“Cooperative Response”

Stage 3: “Reach out …”

“The firm/system owner/operator engages other organizations/firms/systems to take measures intended to attribute, mitigate, or eliminate the threat through cooperative efforts beyond the ability of the owner/operator to effect but within the lawful authority of the cooperating other party or parties.”

Page 41:

“Non-cooperative Response”

Stage 4: “... and Touch Someone.”

“The firm/system owner/operator takes measures, with or without cooperative support from other parties, to attribute, mitigate, or eliminate the threat by acting against an uncooperative perpetrator or against an organization/firm/system that could (if cooperative) attribute, mitigate, or eliminate the threat.”

Page 42:

Active Defense

Agora workshop on June 8, 2001 defined “Active Defense” to be activity at Stage 4

Stage 4 has levels, though

Less intrusive to more intrusive

Less risky to more risky

Less disruptive to more disruptive

Justification for your actions depends on how well you progress through all 4 stages

Page 43:

Levels of Active Defense

4.1 - Non-cooperative ‘intelligence’ collection

External services

Back doors/remote exploit to access internal services

4.2 - Non-cooperative ‘cease & desist’

“Interdiction” à la Berman-Coble bill

Disabling malware

4.3 - Retribution or counter-strike

4.4 - Preemptive defense

Page 44:

Ideal AD Response Path

Page 45:

Risk in ideal case

Page 46:

What must you know?

What are your personal and organizational risks?

Who can help?

Who are you going to call if you do this?

Who/what is the target? How do you know?

Who defines what active defense is for you?

Was there another way? Or “Creative Response versus Active Defense”

Page 47:

Best Practice: Plan Ahead

Risk Mitigation Strategy: Early, early, early

Pre-arrange services w/your ISP

Business interruption insurance

Before-the-fact discussions with LE

Pre-arranged responses within org

Range of response options for the CEO

Who provides the oversight of this decision?

Page 48:

Private Intrusion Response

Stevan D. Mitchell and Elizabeth A. Banker (11 Harv. J. Law & Tech 699)

They cite many of the same issues

Difficulties in detection

Limited reporting

Jurisdictional complexity

Resource constraints

Page 49:

Issues (cont.)

CFAA limits private response

LE capabilities vs. private sector

Options few between criminal remedies and doing nothing

Authors call for balanced public/private approach

Page 50:

Benefits from oversight mechanism

Industry gets

Standards

Defined liability

Marketing advantage from license

Page 51:

Benefits…

LE gets

Cadre of trained professionals

“Ready made” cases

Better info about complex computer crime

Page 52:

Benefits…

Public gets

Trust in quality of service

Confidentiality

Less risk of third-party damage

Page 53:

Issues to be resolved

Under what authority? (Fed or State?)

Who should be covered?

Mandatory or permissive?

Required changes in the law

Page 54:

Possible model: 10 CFR 1046.1

Department of Energy Physical Protection of Security Interests

Required of all contractor employees at govt. owned facilities, whether or not privately run

Defines personnel

Defines knowledge, skills, abilities

Defines (re)training requirements

Page 55:

Closing thoughts…

How do we fill the gap between private first responders and LE/military?

How do we build victims’ trust so they involve LE?

How do we improve the evidence delivered to LE?

How do we empower private industry to act w/o breaking the law?

Page 56:

Thank you

Credits

Cisco Systems CIAG

Marc Lampson, UW Information School

AD Research Project members

More information

http://project.honeynet.org/

http://staff.washington.edu/dittrich/ad/

Email: dittrich @ u.washington.edu

Slides available at: http://staff.washington.edu/dittrich/talks/POLCYB-keynote.ppt