Critical National Infrastructure
What is attacking your network, and how do you know?
By
Frode Rein
ICT Manager, The Norwegian Parliament – Stortinget
(Nigel Beighton, Symantec, Advance Threat Research)
ECPRD Nicosia, 6th November 2003
What is CNI?
“CNI” is an initiative to prepare and protect a country’s critical organisations and infrastructure.
The “CNI project” is a community-based early warning and reporting capability, currently in development as a pilot by Symantec and selected organisations.
We need early warning to be prepared, and alerts for the whole community.
Attacks in August
[Chart: attacks monitored per day (0 to 3,500), events over the last 7 days, annotated with the Blaster, Welchia and Sobig.F outbreaks.]
Governments need to protect
Experience:
“…need time to be prepared”
“…interested in benchmarking”
Trends:
• Increasing speed and severity of attacks
• Sector targeting
[Diagram: Organisations, Services, CNI]
Where did it come from?
New research: Change in Exploitability of Vulnerabilities
[Chart: share of vulnerabilities (0% to 60%) in each class, Jan–Jun 2002 versus Jan–Jun 2003. Classes as labelled on the slide: Exploit Available (“..it's easy”), No Exploit Available (“..in theory”), No Exploit Required (“..it can be done”).]
Patch, patch, patch
Averaging 90 serious/critical vulnerabilities a month!
Organisations cannot patch constantly, and emergency patches are only tested against the vulnerability they fix.
• Not all vulnerabilities lead to attacks
• Will this vulnerability become the next Blaster? Watch them try it, build exploits, test it and start it
• Need to prioritise which patch to apply, when and where
• You need time to be prepared
The Changing Threat Picture
• Targeted
• They try it, they test it
Blaster Milestones
Timeline as read from the slide:
• July 16: Buffer overflow vulnerability discovered; Microsoft patch released
• July 22: Sample exploit code circulating in the hacking community
• July 23: Symantec sees increase in TCP port 135 scanning
• July 25: Exploit code captured and made public
• July 31: CNI members advised
• August 7: Automated tools observed starting to exploit the vulnerability on a large scale
• August 11: Symantec discovers the W32.Blaster worm; virus updates released
• August 13: Blaster hits the headlines with reported spread affecting 188,000 systems worldwide
• August 16: Microsoft delists the windowsupdate.com website and averts the denial of service attack
Also marked on the timeline: CNI members contacted directly about Blaster; broadcast media comment on Blaster; CNI CORe team begin specific monitoring.
[Chart: Blaster worm, unique source IPs (0 to 30,000) over time, July 20 to August 10. Annotated: CNI customers advised of potential issue; CNI customers contacted directly re Blaster; broadcast media comment on Blaster.]
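The two Blaster charts make the same point: the number of distinct sources probing TCP/135 rose days before the worm itself was named, so counting unique sources per port per day against a short baseline gives early warning from logs you already have. The following is an added example for this page, not Symantec or CNI code; the log line format, the addresses and the spike thresholds are assumptions, and the sample records are constructed.

```python
"""Early warning from firewall logs: flag a sudden rise in distinct sources
probing one port. Added example for this page, not Symantec or CNI code.
The log line format and all addresses are constructed for the example; real
firewall logs differ and the regular expression would need adjusting."""
from collections import defaultdict
import re
import statistics

# Constructed format: "<YYYY-MM-DD> DENY <src> -> <dst>:<port>/<proto>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) DENY (\S+) -> \S+:(\d+)/(tcp|udp)$")


def build_sample_log():
    """Constructed sample, not real traffic. A couple of hosts a day touch
    TCP/135, then from 23 July many more distinct sources appear, as on the
    Blaster timeline. Web probes and one unparseable line are mixed in."""
    per_day = {"2003-07-20": 2, "2003-07-21": 3, "2003-07-22": 2,
               "2003-07-23": 12, "2003-07-24": 15, "2003-07-25": 20}
    lines = []
    for day, n in per_day.items():
        for i in range(n):  # TEST-NET-3 addresses, distinct within a day
            lines.append(f"{day} DENY 203.0.113.{i + 1} -> 192.0.2.5:135/tcp")
        lines.append(f"{day} DENY 203.0.113.1 -> 192.0.2.5:135/tcp")  # repeat hit, same source
        lines.append(f"{day} DENY 198.51.100.7 -> 192.0.2.5:80/tcp")   # unrelated web probe
    lines.append("not a firewall record")
    return lines


def unique_sources_per_day(lines, port, proto="tcp"):
    """Map ISO date -> set of distinct source addresses denied on port/proto."""
    result = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production collector should count these
        day, src, dport, dproto = m.groups()
        if int(dport) == port and dproto == proto:
            result[day].add(src)
    return dict(result)


def spike_days(per_day, baseline_days=3, factor=3.0, min_sources=5):
    """Flag days whose distinct-source count exceeds `factor` times the median
    of the preceding `baseline_days`. Returns [(day, count, baseline_median)].
    Days with fewer than `min_sources` are never flagged, so a single noisy
    host cannot trip the alarm."""
    days = sorted(per_day)  # ISO dates sort chronologically as strings
    flagged = []
    for i in range(baseline_days, len(days)):
        baseline = [len(per_day[d]) for d in days[i - baseline_days:i]]
        median = statistics.median(baseline)
        count = len(per_day[days[i]])
        if count >= min_sources and count > factor * max(median, 1):
            flagged.append((days[i], count, median))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    for day, count, median in spike_days(unique_sources_per_day(log, 135)):
        print(f"{day}: {count} distinct sources on TCP/135 (baseline median {median})")
```

On the constructed data the alarm fires on 23 and 24 July and then goes quiet, because the median baseline has absorbed the new level; that is the intended behaviour for an onset detector, and a separate rule should track sustained high volume.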
Less time to react
[Chart: vulnerability release date versus time to active exploitation, in days (0 to 350), for vulnerabilities released between October 2000 and June 2003; the W32.Blaster worm is marked.]
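The "patch, patch, patch" slide and the "less time to react" chart together describe a triage problem: with around 90 serious vulnerabilities a month, the ones worth an emergency patch are those with an exploit in circulation (or needing none) on exposed services, and the window between patch and exploitation is the measure of how much time you have. The following is an added example for this page, not CNI or Symantec code; the record fields, the scoring order and the buckets are assumptions, the three exploitability classes come from the chart above, the RPC/DCOM record uses the patch and worm dates on the Blaster timeline, and the other two records are invented for contrast.

```python
"""Patch triage: rank outstanding vulnerabilities by exploitability, exposure
and how long the window has been open. Added example for this page, not CNI
or Symantec code. Field names, the scoring order and the sample records are
assumptions; the exploitability classes follow the chart on this page."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# From the "change in exploitability" chart: a bug that needs no exploit code
# ranks above one with public exploit code, which ranks above one with none.
CLASS_RANK = {"no exploit required": 2, "exploit available": 1, "no exploit available": 0}

TODAY = date(2003, 8, 20)  # assumed reference date for the example


@dataclass(frozen=True)
class Vuln:
    ident: str                  # hypothetical tracking id
    severity: int               # 1 low .. 4 critical, as rated internally
    exploit_class: str          # key of CLASS_RANK
    internet_exposed: bool      # service reachable from outside the firewall
    patch_date: date            # vendor patch release
    first_exploited: Optional[date] = None  # first observed exploitation in the wild


def days_to_exploitation(v: Vuln, today: date) -> int:
    """Days from patch release until exploitation was first seen, or until
    today if it has not been. Negative means exploited before the patch."""
    end = v.first_exploited if v.first_exploited else today
    return (end - v.patch_date).days


def triage(v: Vuln, today: date):
    """Return (bucket, reason). emergency: patch now, test afterwards;
    scheduled: next maintenance window; monitor: watch for exploit code."""
    if v.first_exploited is not None:
        d = days_to_exploitation(v, today)
        when = f"{d} days after patch" if d >= 0 else f"{-d} days before patch"
        return "emergency", f"exploited in the wild {when}"
    if v.internet_exposed and CLASS_RANK[v.exploit_class] >= 1:
        return "emergency", f"{v.exploit_class}, internet exposed"
    if CLASS_RANK[v.exploit_class] >= 1 or v.severity >= 3:
        return "scheduled", f"{v.exploit_class}, severity {v.severity}"
    return "monitor", "no exploit available and low severity"


def ranked(vulns, today: date):
    """Most urgent first: seen in the wild, exploit class, exposure, severity,
    then how long the unpatched window has been open."""
    def key(v):
        return (v.first_exploited is not None, CLASS_RANK[v.exploit_class],
                v.internet_exposed, v.severity, days_to_exploitation(v, today))
    return sorted(vulns, key=key, reverse=True)


SAMPLE = [  # constructed records; the first uses the dates from the Blaster timeline
    Vuln("rpc-dcom-overflow", 4, "exploit available", True, date(2003, 7, 16), date(2003, 8, 11)),
    Vuln("mail-client-dos", 2, "no exploit available", False, date(2003, 8, 1)),
    Vuln("web-default-creds", 3, "no exploit required", True, date(2003, 8, 5)),
]

if __name__ == "__main__":
    for v in ranked(SAMPLE, TODAY):
        bucket, reason = triage(v, TODAY)
        print(f"{bucket:9} {v.ident:20} {reason}")
```

The key is lexicographic on purpose: severity only breaks ties within an exploitability class, because a medium-severity bug with working exploit code on an exposed host is what becomes "the next Blaster", not a critical bug nobody can reach.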
Where does the data come from?
• Symantec’s 20,000 internet and private network sensors (180 countries)
• 200+ pop-up honey-pots
• SecurityFocus Bugtraq
• Virus response team (and their zoo!) – 100M submitting AV systems
• Internet community (black hat & white hat)
• External authorities
Directly monitored averages per day*:
Logs/alerts imported: 400M
Triggered events: 250,000
Severe events: 300
Correlated with 5.5B events
40M attacking IP addresses
* Excluding virus events.
What do we get
Four components: Community Monitor & Alert, Early Warning, Community Knowledge, Analysis & Reporting.
• Security device monitoring
• Community specific alerting
• Online threat reporting
• Deep probe activity report (weekly)
• Online technology vulnerability alerting
• Analysis & trend tracking events (quarterly)
• Online community forum
• Online regulatory and standard industry benchmarking
• Custom reporting and analysis
Important notes
CNI will provide “observations”, “probables” and “potentials”; these need to be treated accordingly.
CNI does not have data on all companies in all segments; coverage grows with the community.
(Public) Device data is initially processed in the US (Alexandria central SOC); processing is now moving to Europe only.
It is a pilot (experimental), so development input is essential.
Q. How accurate?
What is the Pilot?
• 6 months
• Up to 8 sensors monitored
• DeepSight access
• Early warning
• Shared data (anonymised)
… and involvement:
• Sensor data
• Workshops
• Feedback
• Ideas
… and an understanding of the information basis.
Timeline: Pilot customers (now); Advance release customers (Feb 04); Full launch, Phase 1 (April 04); Phase 2.
Our experiences
• A pilot is a pilot
– Pros
• High attention from the vendor
• State of the art technology
– Cons
• Deficient routines
• Reports still in development
• State of the art technology
• Time-consuming for the customer
• No parliamentary community warning (we are alone)
Options – data sensitivity
• Option 1 – multiple devices: NIDS and firewalls inside the parliament network (secure log data)
– Multi-dimensional analyses
– Internal & external
– Comprehensive
– (Not acceptable)
• Option 2 – outside IDS collector only: an IDS collector between the firewall and the Internet (secure log data)
– External only
– Less comprehensive
– Acceptable
Pilot infrastructure
[Diagram: Stortinget LAN – Firewall – ManHunt IDS – Internet]
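The data-sensitivity options and the pilot's "shared data (anonymised)" point to the same control: before IDS or firewall events leave the parliament, the parliament-side addresses must be replaced with tokens, while the attacker-side addresses stay intact so the community can correlate them. The following is an added example for this page, not ManHunt or Symantec code; the event layout, the internal address ranges and the key are assumptions, and the events are constructed. It uses a keyed HMAC rather than a plain hash, and includes a small routine showing why: an unkeyed hash of an internal address can be reversed by enumerating the address range.

```python
"""Pseudonymise parliament-side addresses in IDS/firewall events before they
leave the network, keeping attacker-side addresses intact. Added example for
this page, not ManHunt or Symantec code. The event layout, the internal
ranges and the key are assumptions; the events are constructed."""
import hashlib
import hmac
import ipaddress

# Assumed internal ranges; substitute the real ones.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed key for the example; in practice generate it randomly and keep it
# inside the organisation, so only you can map tokens back to hosts.
KEY = b"example-key-not-for-production"

SENSITIVE_FIELDS = ("hostname", "user")  # never leave the network


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def pseudonym(addr: str, key: bytes = KEY) -> str:
    """Stable keyed token: same key and address give the same token, so the
    recipient can count distinct targets, but cannot recover the address."""
    return "int-" + hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_token(addr: str) -> str:
    """What NOT to do: an unkeyed hash of the address."""
    return hashlib.sha256(addr.encode()).hexdigest()


def reverse_unkeyed(token: str, net: str):
    """Recover an address from an unkeyed token by hashing every host in
    `net`: at most 254 tries for a /24, about 65,000 for a /16. Returns None
    if the token does not belong to that range."""
    for ip in ipaddress.ip_network(net).hosts():
        if unkeyed_token(str(ip)) == token:
            return str(ip)
    return None


def anonymise_event(event: dict, key: bytes = KEY) -> dict:
    """Copy the event, replace internal src/dst with tokens and drop sensitive
    fields. External (attacker-side) addresses are left unchanged."""
    out = {k: v for k, v in event.items() if k not in SENSITIVE_FIELDS}
    for field in ("src", "dst"):
        if field in out and is_internal(out[field]):
            out[field] = pseudonym(out[field], key)
    return out


# Constructed events, not real traffic.
SAMPLE_EVENTS = [
    {"ts": "2003-08-11T09:12:03Z", "src": "203.0.113.10", "dst": "10.1.2.3",
     "dport": 135, "sig": "TCP/135 probe", "hostname": "mp-office-07"},
    {"ts": "2003-08-11T09:12:09Z", "src": "10.1.2.3", "dst": "10.1.2.4",
     "dport": 135, "sig": "TCP/135 probe", "user": "jdoe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(anonymise_event(e))
```

The second sample event is the interesting one: an internal host scanning another internal host is exactly what a worm looks like from the inside, and the consistent token for 10.1.2.3 lets the recipient see that the target of the first probe became the source of the second without learning which machine it is.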
Our Home page
Reports
• Weekly Event Digest
• Emerging Threat Notifications
• Community Watch Report
• DeepSight Alert Service
People – our greatest resource
• This technology/concept is very interesting, but without dedicated people within your organisation this concept will fail
• Heavy use of internal personnel resources
– Incident handling, routines, reports, monitoring
• Well-educated personnel
– High requirements for internal IT security and networking skills
Responsibility
• In the end, you cannot transfer responsibility to the vendor
– You still have to keep up the high focus on IT security
Internal handling of CNI information
• Daily routines and procedures
• Incident management
– Incident Response Team
• Who is doing what in a crisis
– Who is pulling the plug
– Who is handling the press
– Who is responsible for handling forensic evidence
Controversial points
• You have to give something before you get something
• Collecting data from the parliament
– IDSs and firewalls
– Inside or outside the firewall?
– What do the MPs say if we tell them that an American company is collecting data from IDSs and firewalls within their local network?
Why join this concept?
• Parliamentary community
– European Parliamentary IRT
– A large community gets high attention from the vendor
– More reliable data from a large community
– Benchmarking within the community
– Community warning
– A problem shared is a problem halved