Intrusion Tolerance and the Problem with Best Practices
Mike Fisk, Chief Information Officer, Los Alamos National Laboratory, September 2017
Source: statisticalcyber.com/talks/2017-09-22-Fisk-DSCS.pdf.pdf (29 slides)

Transcript

Slide 1: Title

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Intrusion Tolerance and the Problem with Best Practices

Mike Fisk, Chief Information Officer
Los Alamos National Laboratory
September 2017

Slide 2: Orientation: The Los Alamos Agenda

• Instrumenting computers and networks and curating the data
• Bridge between ugly, artifact-filled data and domain scientists and mathematicians
• Releasing significant data sets to advance the science of cybersecurity
• Streaming and parallel analysis systems
  • Scalable, distributed, usable, federated, privacy preserving
• Anomalous change detection & machine learning
  • Statistical approaches to quantifying likelihood
  • Many excellent collaborations with Imperial faculty, students, postdocs
  • Industry spin-outs
• Use the data to reduce impact of intrusions
  • Intrusion tolerance
  • Data-driven strategies

Slide 3: How much would you pay for this patch?

    LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())

Slide 4

Equifax: $6B loss in market capital.

Slide 5

[Figure: Oxford Economics/CGI Group 2017]

Slide 6: Intrusion-Tolerance & Security of Complex Distributed Systems

• Our work emphasizes security properties of large systems with interdependencies
  • Individual nodes are imperfect and a compromise is inevitable
  • Cyber/physical systems with real-world impacts
• Objectives:
  • Reduce overall system impact (scale, duration, and outcome) of intrusion
  • Detect system compromises inside the perimeter
  • Engineer for intrusion tolerance
    • Interdependence → Independence
  • Cost to Defense < Cost to Offense

Slide 7: Premise: Cybersecurity decision making is poor when it is not data driven

Reactive Best-Practice Decisions
• If you've suffered a breach, it is because your security was too weak and you should fix that weakness.
• Find a best practice and adopt it
• More security is better

Data-Driven Decisions
• Prioritize security investments based on cost-effectiveness
• Quantify effectiveness using data and models
• Secure the weakest link

Slide 8: The Weakest Link Matters: Software Vulnerabilities vs. Authentication

• 1% of breaches involve exploiting software vulnerabilities
  • Diminishing returns on patching
• 100% of breaches involve stolen credentials
  • <4% involve brute force guessing
  • 34% involve phishing
  • 33% involve use of stolen credentials

Source: 2017 Verizon Data Breach Report

Slide 9: Intruders Steal Authentication Credentials To Traverse Networks

[Figure: authentication graphs of one network at Hour 0 (Normal Use), Hour 1 (Intruder Explores) and Hour 2 (Normal Use & Multiple Intruders); nodes are computers C1 through C21]

Authentication graphs: Analyzing User Behavior Within an Enterprise Network [Kent 2015]

Slide 10: Simple Engineering Decisions Impact Intrusion Tolerance

Connected Components and Credential Hopping in Authentication Graphs [Hagberg 2014]

[Figure: Effect of authentication credential cache size on connected component size; cache size = 5 vs. cache size = 3]

[Figure: Percent of network reachable by user trust relationships [Lemons, et al]]

Slide 11: Multiple Adversary Alternatives to Achieve an Objective

[Figure: adversary alternatives, labelled Benefit > Cost and Benefit < Cost]

Eliminating or raising the cost of an alternative is only useful if there are no other alternatives with equal or better cost-benefit.

Slide 12: 2004 Case Study

Philip Gabriel Pettersson (16 years old)
• Stole Cisco source code
• Compromised most supercomputer centers (SDSC, JPL, NASA, etc.)
• Captured SSH passwords at one site to move to the next
• One-time passwords slowed him down --- for 1 day
• Then he started hijacking SSH sessions to bypass authentication [IhaQueR 2002]

Slide 13: Case Study: U.S. Government Cyber Sprint for PIV Smartcards

• Personal Identity Verification (PIV) card for government employees and contractors
  • User identity proofing
  • Authentication (Chip & PIN)
  • Developed in 2004-5
• Reusable password for remote access cited in OPM breach of private information of 17M individuals
• White House required agencies to require PIV for computer login
  • On each agency's report card

[Figure: Employees Required to Use PIV]

Is this a cost-effective policy?

Slide 14: A Measure of Effectiveness: Intruder Productivity

• Intruder Productivity = Access Duration / Delay
  • Access Duration: Amount of time that the adversary maintains access
  • Delay: Amount of time the adversary has to wait to obtain access
  • ≥1: Access most of the time; 0 < x < 1: Some access; 0: No access
• Related Work
  • Risk = Expected Loss = Probability x Consequence
  • Cost-Benefit (purely monetary comparison)
  • Defender ROI: Expected loss avoided by the defender / Cost of improved defense [Wei 01]
    • Security improvements translated to reduced probability of loss
    • Subjective: Will this technology reduce intrusions by 20%?
    • Does not measure increased attacker costs to obtain a successful intrusion
  • Attacker ROI: Defender reduces the attacker ROI by increasing cost of attack [Cremonini 05]
    • Still measured as (subjective) probability of compromise
• Intruder Productivity is a time-based measure of cost of attack
  • Decreased intruder productivity is a measure of effectiveness for the defense

Slide 15: Scenarios for Analysis

Authentication Technologies
• Password
• One-Time Password
• Smart card

Scenarios
• Guess
  • Brute force guessing
• Phish
  • User tricked into entering information on a fake website
• Pivot
  • User's client has already been compromised
  • Used to obtain access to another service/system
  • 51% of breaches involve malware, the typical enabler for pivot [Verizon 17]

Slide 16: Standards and Models

• Data for many policies & behaviors is enterprise-specific
  • We use parameters from national standards when possible
  • 3 password failures allowed every 15 minutes [CNSS 1253]
  • 180-day max password lifetime [NIST 800-53]
    • λ = 90-day expected duration when compromised
• Frequency of authentication events is modeled on a workplace
  • 8-hour day plus 1-hour break; 1 authentication per hour

Expected time until the next authentication event: u1 = 15.4 hours
Expected time until user is present: u2 = 14.5 hours

Slide 17: Passwords

• Guess: Single password may be hard to guess
  • In a large population, some password is easy to guess
  • 26% of passwords come from a small dictionary of 10,143 common passwords [Dell'Amico 2010]
  • When targeting many accounts, equivalent of ~10 bits of random values [Bonneau 2012]
• Easily stolen (keylogger, memory, etc.) [XKCD]

Slide 18: One-Time Password

• Time-based One Time Password (TOTP) Standard
  • New password every 30 seconds
  • Server accepts passwords from a 90-second window to allow for clock skew
  • Cryptographically random number, but short enough to transcribe
• Phish: A single one-time password can be stolen via phishing
  • Limited window of opportunity to use it
  • Time-based vs. sequence-based systems
• Pivot: Can steal a password as it is entered on a client by a user
  • Assumption: token is not on a compromised device
  • Keyfob, smartphone app, etc.

Slide 19: "Guess" Scenario Productivity

• Passwords
  • Delay:
    • 10 bits of random
    • 3 failures allowed every 15 minutes [CNSS 1253]
    • Assume >= 342 accounts → 2^10 guesses in 1 minute
    • Success in < 1 minute
  • Duration: 180-day max [NIST 800-53] → 90-day expected (λ)
  • Productivity = 90 d / 1 min = 10^5
• One-Time Passwords
  • Duration: 45 seconds (half of the 90-second window)
  • Assume 7-digit numeric passwords
  • Assume no more than 3 guesses per account per 15 minutes [CNSS]
    • More than 90 seconds per guess for an account
    • Makes it a Bernoulli process since the valid password changes each time
    • p = 3 / 10^7; expected number of guesses = 10^7 / 3
    • For 10,000 accounts, delay = (10^7 / 3) / (10,000 * 3 / 15 min) = 27.8 hours
    • 33 guesses per second
  • Productivity = 45 s / 1667 min = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0

Slide 20: "Phish" Scenario Productivity

• Assume 1 day delay for a successful phish (need better data)
• Passwords
  • Duration is remaining lifetime of password (expected value is 90 days)
  • Productivity = 90 d / 1 d = 10^2
• One-Time Passwords
  • A one-time password can be stolen via phishing
  • Limited window of opportunity to use it
  • Time-based vs. sequence-based systems
  • Assume clocks in sync → Expected age of password is 15 seconds
  • Valid duration is 75 seconds
  • Productivity = 75 s / 1 d = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • TLS protocol cryptographically proves participation between two named parties (the card key and a network service)
  • A phishing site cannot reuse that proof against another service
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0

Slide 21: Intruder Productivity by Mechanism

[Chart: intruder productivity by mechanism]

Slide 22: "Pivot" Scenario Productivity

• Recall that expected time until user present is u1 = 15.4 h
• Passwords
  • Delay: Expected time until the next authentication event: u1 = 15.4 h
  • Duration is remaining lifetime of password (expected value is 90 days)
  • Productivity = 90 d / 15.4 h = 10^2
• One-Time Passwords
  • Delay: Expected time until the next authentication event: u1 = 15.4 h
  • Duration:
    • Assume clocks in sync → Expected age of password is 15 seconds
    • Valid duration is 75 seconds
  • Productivity = 75 s / 15.4 h = 10^-3
• Smartcards
  • Assume TLS protocol or equivalently secure
  • Cryptographically secure: credential will expire before guessed
  • Productivity = 0

Slide 23: Smartcards

• Smartcard trusts a terminal for user interaction
  • No built-in display or human input
  • Many attacks on smartcard authentication systems are against the terminal/protocol
  • Your computer is your terminal
• General purpose computers are not secure
  • Keystroke logging
  • PIN stored in memory in Windows
  • User may not know transactions are even occurring
  • Smartcard can be used remotely
• Pivot productivity depends on usage
  • Lowest Risk: Card is inserted only when used and promptly removed
  • Common: Card is inserted the entire time the user is present
  • Highest Risk: Card is left in the computer at all times (or is a virtual smartcard on built-in hardware)

[Figure: Chip & PIN Terminal vs. General Purpose Computer]

Slide 24: Intruder Productivity by Mechanism

[Chart: intruder productivity by mechanism, with the pivot scenario added]

Threat models matter. Adding the pivot scenario changes the preferred technology.

Slide 25: NTLMv2

Authentication mechanism enabled by default on all Windows systems
• 1998 upgrade of 1980's OS/2 network authentication protocol
• Uses a long-lived credential (hash of a password) stored on clients and servers
  • Credential only expires when the user's domain password is changed
  • Credential exists even if the user doesn't have (know) a password
• Guess: Protected (unless password is known to user)
  • Cryptographic challenge-response protocol
• Phish: Protected
  • Unless the user uses a password, then same as a password
• Pivot: Unprotected, credential stored in plain text in memory
  • Duration: Remaining lifetime of the "password": 90 days on average
  • Delay: none

Slide 26: Intruder Productivity by Mechanism

[Chart: intruder productivity by mechanism, including NTLMv2]

If you have NTLMv2 enabled, not much can help you.

Adversary will find the weakest link

Slide 27: Cost Effectiveness

Policy change from NTLMv2+Passwords to NTLMv2+Smartcards:
• Effectiveness: ≤ 0
• Cost: Significant (many $M)

min security = Largest intruder productivity across scenarios
min delay = Minimum delay across scenarios
• An adversary may only need one shot

Adversary will find the weakest link.
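The productivity measure of slide 14, worked through with the deck's own parameters for the guess, phish and pivot scenarios (slides 19, 20, 22 and 25) and the weakest-link rule on this slide. This is an added Python model, not code from the talk: the durations, delays and the Bernoulli treatment of OTP guessing come from the slides; the mechanism keys, function names and the smartcard pivot value of 0 (slide 22's figure for a card removed after use) are my own assumptions.

```python
import math

MIN, HOUR, DAY = 60.0, 3600.0, 86400.0
PASSWORD_LIFETIME = 90 * DAY   # lambda: 180-day max lifetime -> 90-day expected remainder
PIVOT_DELAY = 15.4 * HOUR      # u1: expected time until the next authentication event
PHISH_DELAY = 1 * DAY          # assumed delay for a successful phish
LOCKOUT_GUESSES, LOCKOUT_WINDOW = 3, 15 * MIN   # CNSS 1253: 3 failures per 15 min per account


def productivity(duration_s, delay_s):
    """Intruder productivity = access duration / delay; delay 0 is unbounded."""
    if duration_s <= 0:
        return 0.0
    return math.inf if delay_s <= 0 else duration_s / delay_s


def password_guess_delay(bits=10, burst_time=1 * MIN):
    """2^bits candidate passwords spread over enough accounts that the lockout
    never triggers: ceil(2^bits / 3) accounts absorb the whole set in one burst."""
    accounts_needed = math.ceil(2 ** bits / LOCKOUT_GUESSES)
    return accounts_needed, burst_time


def otp_guess_delay(digits=7, accounts=10_000):
    """The code rotates between lockout windows, so each try is an independent
    Bernoulli trial with p = 3 / 10^digits; delay = expected guesses / aggregate rate."""
    expected_guesses = 10 ** digits / LOCKOUT_GUESSES
    aggregate_rate = accounts * LOCKOUT_GUESSES / LOCKOUT_WINDOW   # guesses per second
    return expected_guesses / aggregate_rate


def scenario_table():
    """Productivity per mechanism and scenario under the slides' assumptions."""
    _, pw_delay = password_guess_delay()
    otp_guess_duration = 45.0   # half of the 90 s acceptance window
    otp_stolen_duration = 75.0  # 90 s window minus the 15 s expected age of a stolen code
    return {
        "password": {
            "guess": productivity(PASSWORD_LIFETIME, pw_delay),
            "phish": productivity(PASSWORD_LIFETIME, PHISH_DELAY),
            "pivot": productivity(PASSWORD_LIFETIME, PIVOT_DELAY),
        },
        "otp": {
            "guess": productivity(otp_guess_duration, otp_guess_delay()),
            "phish": productivity(otp_stolen_duration, PHISH_DELAY),
            "pivot": productivity(otp_stolen_duration, PIVOT_DELAY),
        },
        # Assumed: card removed after use (slide 23 says a card left in raises pivot risk)
        "smartcard": {"guess": 0.0, "phish": 0.0, "pivot": 0.0},
        # NTLMv2: long-lived hash in client memory, no delay once the client is compromised
        "ntlmv2": {"guess": 0.0, "phish": 0.0, "pivot": productivity(PASSWORD_LIFETIME, 0)},
    }


def weakest_link(table, enabled):
    """min security = largest productivity over every enabled mechanism and scenario."""
    return max(table[m][s] for m in enabled for s in table[m])


def effectiveness(table, before, after):
    """Reduction in weakest-link productivity bought by a policy change."""
    b, a = weakest_link(table, before), weakest_link(table, after)
    if math.isinf(b) and math.isinf(a):
        return 0.0   # both unbounded: the change buys nothing
    return b - a
```

With NTLMv2 enabled the pivot entry is unbounded for both policies, so `effectiveness` for passwords-to-smartcards is 0, which is the slide's "≤ 0"; removing NTLMv2 from the enabled set is what makes the smartcard investment show up.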

Slide 28: Conclusions

• Security of large, complex systems (macro cybersecurity) is important
  • Underemphasized in academia compared to "micro cybersecurity"
  • Engineer for intrusion tolerance
• The importance of measures that matter
• A "best-practices" approach to cybersecurity may not be effective or efficient
  • Adversaries seek the weakest link
  • Investments in non-weakest links may be a waste of time and money
  • Defense can bankrupt itself responding to attacker stimuli
• The importance of reproducible data-driven science
• I challenge this community to come up with new ways to measure intrusion tolerance from data and reason about system design

Slide 29: Thank you!

[email protected]

Joint work with Alex Kent, Aric Hagberg, Nathan Lemons, Curt Hash, Alex Brugh, Aaron McPhall, Boris Gelfand, Aaron Pope, James Wernicke, Mike Kyle, et al.