Jonathan M. Spring
Carnegie Mellon University
Publication
Featured research published by Jonathan M. Spring.
ieee symposium on security and privacy | 2011
Jonathan M. Spring
In part I, the author briefly introduced cloud computing and a model of it that has seven layers (facility, network, hardware, OS, middleware, application, and the user). Each cloud computing deployment must have these layers, but different deployment types give control of them to different parties. Here, the author covers controls that could be implemented in the middleware, application, and user layers to monitor and audit information assurance.
international conference on distributed computing and internet technology | 2014
William Casey; Jose Andre Morales; Thomson Nguyen; Jonathan M. Spring; Rhiannon Weaver; Evan Wright; Leigh Metcalf; Bud Mishra
In March of 2013, what started as a minor dispute between Spamhaus and Cyberbunker quickly escalated to a distributed denial of service (DDoS) attack that was so massive, it was claimed to have slowed internet speeds around the globe. The attack clogged servers with dummy internet traffic at a rate of about 300 gigabits per second. By comparison, the largest observed DDoS attacks, typically against banks, had thus far registered only 50 gigabits per second. The record-breaking Spamhaus/Cyberbunker conflict arose 13 years after the publication of best practices on preventing DDoS attacks, and it was not an isolated event. Recently, NYU's Courant Institute and Carnegie Mellon Software Engineering Institute have collaboratively devised game-theoretic approaches to address various cyber security problems involving exchange of information asymmetrically. This research aims to discover and understand complex structures of malicious use cases within the context of secure systems with the goal of developing an incentives-based measurement system that ensures a high level of resilience to attack.
international congress on big data | 2014
Mark Thomas; Leigh Metcalf; Jonathan M. Spring; Paul Krystosek; Katherine Prevost
A large organization can generate over ten billion network flow records per day, a high-velocity data source. Finding useful, security-related anomalies in this volume of data is challenging. Most large network flow tools sample the data to make the problem manageable, but sampling unacceptably reduces the fidelity of analytic conclusions. In this paper we discuss SiLK, a tool suite created to analyze this high-volume data source without sampling. SiLK implementation and architectural design are optimized to manage this Big Data problem. SiLK provides not just network flow capture and analysis, but also includes tools to analyze large sets and dictionaries that frequently relate to network flow data, incorporating higher-variety data sources. These tools integrate disparate data sources with SiLK analysis.
Journal of Cybersecurity | 2017
Jonathan M. Spring; Eric Hatleback
We integrate two established modeling methods from disparate fields: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature. The result demonstrates that model accuracy can be improved by incorporating methods from philosophy of science. Modeling security accurately is a key function in the science of security. Mechanistic modeling of computer security incidents clarifies the existing model and points toward areas for substantive improvement for computer security professionals. Additional models of computer security incidents are translated mechanistically to compare results and to demonstrate such modeling can be applied in multiple situations. This integration of philosophy of science and computer security is sensible only by integrating new adaptations to mechanistic modeling, specifically conceived to enable better modeling of engineered systems such as computers. The results indicate continued integration of the fields of philosophy of science and information security will be fruitful.
2015 APWG Symposium on Electronic Crime Research (eCrime) | 2015
Jonathan M. Spring; Sarah Kern; Alec Summers
Intro: Computer network defense has models for attacks and incidents comprised of multiple attacks after the fact. However, we lack an evidence-based model of the likelihood and intensity of attacks and incidents. Purpose: We propose a model of global capability advancement, the adversarial capability chain (ACC), to fit this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it. Method: The model is based on four historical studies of adversarial capabilities: capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. Result: We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples of how the ACC can be applied and used to predict attack likelihood and intensity.
Introduction to Information Security: A Strategic-Based Approach | 2014
Timothy J. Shimeall; Jonathan M. Spring
This chapter discusses various methods of authentication and authorization, the differences between those two terms, and common attacks on some of the methods, especially passwords. The chapter introduces the “what you know,” “what you have,” “what you are” triad for authentication factors and discusses examples of each factor. The example of password storage in Unix is developed as a technical example. The benefits of multifactor authentication are also discussed. Permissions are discussed both in practical detail and in theory—practically, in the context of Unix-like file permissions, and theoretically in the context of RBAC and RBAC’s contribution relative to older models MAC and DAC. Distributed authentication is discussed primarily in the context of Kerberos, and a brief technical introduction to Kerberos is presented. All the chapter’s discussions, especially Kerberos, cannot occur without a mention of cryptography; however, only the barest minimum of cryptography is introduced, to focus on concepts rather than technical procedures. Chapter 8 provides the appropriate cryptography discussion relative to resistance strategies. The chapter concludes by discussing two common classes of attacks on authentication systems: password cracking and social engineering, especially phishing.
Introduction to Information Security: A Strategic-Based Approach | 2014
Timothy J. Shimeall; Jonathan M. Spring
This chapter discusses intrusion detection and prevention technologies as a recognition strategy. The reason for intrusion detection systems (IDSs) is introduced; namely, that humans are too slow and network threats need to be addressed at network speed. Further, the technologies introduced in Chapter 5 as frustration strategies are not infallible, and an IDS is a method of auditing the success of frustration and resistance strategies. Given this motivation and that IDSs are important contributions to a layered defense, the chapter discusses several common pitfalls that can degrade IDS usefulness. These include problems of packet fragmentation, application reassembly, acting out of band, utilizing centrality effectively, and the base-rate fallacy. All IDSs have two basic modes of detection: signature based and anomaly based. The differences between these are introduced and the uses for each are discussed. Although the bulk of the chapter focuses on network IDSs, systems that use related but different data elements are also introduced: network behavior analyzers and wireless IDSs.
Introduction to Information Security: A Strategic-Based Approach | 2014
Timothy J. Shimeall; Jonathan M. Spring
This chapter begins the first of four on recognition strategies. It focuses on the concepts of network analysis, specifically in the context of human-driven network analysis. This lays some foundation for the discussion of IDS in Chapter 12, since IDSs tend to automate many of the same processes that human analysts have developed. This chapter provides an introduction to the OSI model as a method of contextualizing network operations and to provide a mental model. Before exploring analysis methods, the chapter includes some guidance for nonanalysts as to what can be expected from analysis. The section discusses what questions are or are not easy or fruitful types of questions to ask network analysts. Various analysis methods are discussed, including network flow, metadata analysis, application-level analysis, signature analysis, and full-packet capture. The chapter also includes some pointers to web resources like blogs that a security analyst might find helpful in keeping up to date on breaking security news and threats. The chapter concludes with a discussion of network forensics and its similarity to analysis, as well as the importance of understanding the sensor architecture used to collect the data.
Archive | 2018
Jonathan M. Spring; David J. Pym
A scientific incident analysis is one with a methodical, justifiable approach to the human decision-making process. Incident analysis is a good target for additional rigor because it is the most human-intensive part of incident response. Our goal is to provide the tools necessary for specifying precisely the reasoning process in incident analysis. Such tools are lacking, and are a necessary (though not sufficient) component of a more scientific analysis process. To reach this goal, we adapt tools from program verification that can capture and test abductive reasoning. As Charles Peirce coined the term in 1900, “Abduction is the process of forming an explanatory hypothesis. It is the only logical operation which introduces any new idea.” We reference canonical examples as paradigms of decision-making during analysis. With these examples in mind, we design a logic capable of expressing decision-making during incident analysis. The result is that we can express, in machine-readable and precise language, the abductive hypotheses that an analyst makes, and the results of evaluating them. This result is beneficial because it opens up the opportunity of genuinely comparing analyst processes without revealing sensitive system details, as well as opening an opportunity towards improved decision-support via limited automation.
Introduction to Information Security: A Strategic-Based Approach | 2014
Timothy J. Shimeall; Jonathan M. Spring
Where encryption focuses on increasing the resistance to attacks via controlling the comprehensibility of information that is either a target of the attack or a means for the attack to progress, this chapter focuses on increasing resistance to attacks via controlling the visibility of such information on the computer network.