Attacker POV to computer networks, attacker profiles and ... (source: users.jyu.fi/~timoh/ties327/l3.pdf)
Lecture slides, 13.11.2013, PVTT EIOS – Simo Huopio – [email protected]
Agenda
• Attacker POV to computer networks • Attacker profiles and public cases • Fuzzing and fuzzing tools • Modeling and simulation
File: Simo Huopio
• M.Sc. (HUT 1999) • Work: VTT, F-Secure, Nokia, PVTT • Embedded systems, Product security,
UX/Usability, Vulnerability testing
File: PVTT EIOS
• PVTT: Defence Forces Technical Research Center
– Personnel count ~175 at Riihimäki & Ylöjärvi
– Divisions: Weapons Technology; Explosives and CBRN Protection Technology; Electronics & Information Technology (EIOS)
– From 2014 on: FDF Research Center
• EIOS research teams:
– Radiofrequency Sensors – Electronic Warfare – C4 Systems – Operational Analysis
Why attacker POV?
• Necessary in order to be a good defender:
– Network (service) administrator
– Networked device manufacturer
– Every computer owner (I wish)
– Applies naturally to the manufacturer and user of any technical defence equipment
Attacker POV to computer networks
Steps within attacker POV
• Attack preparation • Example cases • More creative examples
Attack preparations: Target intelligence
• Gathering of all relevant data regarding the target
• First step: OSINT = Open Source Intelligence
– Historically: newspapers, news services, radio and TV broadcasts, public discussion
– Internet domain: following the traditional media, the network fingerprint of companies, associations and individuals
• Next in line: more active data acquisition
OSINT – under the surface
• Search engine results (behind the obvious)
• WWW page source code, metadata
– Tools, versions, usernames, service analytics, bugs
• Old versions of the pages
– archive.org, search engine caches
• Real people and companies connected to the pages
– Domain registration; company, trademark and patent registration; dedicated search services
– Names, addresses, telephone numbers, email & web addresses, VAT & company ID numbers
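As an added illustration of the "page source code, metadata" point (this is not code from the slides), a small passive scanner over page source, using Python's standard html.parser. It pulls out the clues listed above without touching the target site: the generator tag, version numbers embedded in asset paths, developer comments (with the TODO(username) convention assumed for usernames) together with internal paths they mention, and contact addresses. The sample HTML is constructed for the example and does not come from any real site.

```python
import re
from html.parser import HTMLParser

# Constructed page source (not from any real site) containing the kinds of leaks the
# slide lists: a generator tag, versioned assets, a developer comment with a username
# and an internal path, and a contact address.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1">
<link rel="stylesheet" href="/wp-content/themes/corp/style.css?ver=3.5.1">
<script src="/js/jquery-1.4.2.min.js"></script>
<!-- TODO(jsmith): remove debug endpoint /admin/debug.php before launch -->
</head><body>
<p>Contact: <a href="mailto:press@example.com">press office</a></p>
</body></html>"""

VERSION_RE = re.compile(r"(?:[?&]ver=|-)(\d+\.\d+(?:\.\d+)?)")   # ?ver=3.5.1 or name-1.4.2
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TODO_RE = re.compile(r"\b(?:TODO|FIXME|XXX)\(([^)]+)\)")          # assumed TODO(username) convention
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+\.\w+")                 # absolute paths like /admin/x.php


class LeakScanner(HTMLParser):
    """Collect fingerprinting clues from page source without sending any request."""

    def __init__(self):
        super().__init__()
        self.found = {"generator": [], "assets": [], "comments": [],
                      "emails": [], "usernames": [], "paths": []}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # html.parser lowercases names for us
        if tag == "meta" and a.get("name", "").lower() == "generator" and a.get("content"):
            self.found["generator"].append(a["content"])
        src = a.get("src") if tag == "script" else a.get("href") if tag == "link" else ""
        if src:                                       # versioned CSS/JS paths name the tool
            m = VERSION_RE.search(src)
            self.found["assets"].append((src, m.group(1) if m else None))
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.found["emails"].append(a["href"][len("mailto:"):])

    def handle_comment(self, data):
        text = data.strip()
        self.found["comments"].append(text)
        self.found["usernames"].extend(TODO_RE.findall(text))
        self.found["emails"].extend(EMAIL_RE.findall(text))
        self.found["paths"].extend(PATH_RE.findall(text))


def scan_page(html: str) -> dict:
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    # de-duplicate each list while keeping first-seen order
    return {k: list(dict.fromkeys(v)) for k, v in scanner.found.items()}


if __name__ == "__main__":
    for kind, items in scan_page(SAMPLE_HTML).items():
        print(f"{kind}: {items}")
```

Everything the scanner reports came from a single GET the site would have served to any visitor; the version strings are the pivot to public vulnerability databases, and the comment gives both a username for later social engineering and a path worth checking in the active phase.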
OSINT – Social Media
• The rate of self publishing through social media has exploded
• Multitude of services, complex approach to privacy
• Slips between the private and work domains
• Data mining, contact graphs
• Trends: location data, ”social media login”
OSINT – Information leaks
• From intranet to public Internet
– Externalized communication: e-mail/calendar/contacts, telco/meeting services
– Extranets
– ERP systems
• Often a configuration error or user mistake
• How to find: creative use of search engines, dedicated search engines
• Intentional leaks / whistleblowers
Tool example: Maltego
Active information gathering
• An attack in itself, so already over the legality boundary
• Natural targets for deeper analysis:
– Wireless networks with insufficient protection
– Unpatched/old software
– Configuration errors in server software
– Users (workstations and social engineering)
– Etc.
Example: Hostile WLAN router
• Man-in-the-middle attack on the users
• Stealing the connection attempts and sessions of the real router's users
• Easy to deploy where ”free internet” is available
• Tools available for
– Traffic capture/analysis
– Stealing sessions and credentials
– Providing malicious software updates
• Defences
– Heavy-duty end-to-end protection
– Close monitoring of the security certificates in use (e.g. https/SSL)
– Authentication of trusted WLAN access points (WPA2 XXX)
Example: Generic malware
• Targets: workstations, smartphones, embedded systems...
• Distribution via spam, web pages and directly
• Infected computers are used for
– Sending spam and/or malware
– Information gathering from the workstation and the network
– General-purpose malicious activity as a bot in a botnet
• Commercial activity: all phases are available as a service, with support and analytics
• Defences
– Keeping software up to date, anti-virus
– Rigorous security policy
– Separation of admin accounts from normal usage
Example: Attacking an individual person/organization
• E-mail with an infected attachment/link, apparently sent from a trusted partner
• Target: acquisition of specific information
• Challenging from the defender's perspective
– Attack code can be quality tested and checked against the most recent anti-virus databases
– Forged SSL certificates can be used to reduce doubts
– Zero-day vulnerabilities may be used for high-profile targets
– As the messages are neither spam nor mass-mailed and the malware does not spread autonomously, the attack can easily go unnoticed
• Defence
– Restrictions on e-mail attachments
– Well-configured firewalls (both on the workstation and on the perimeter)
– Avoiding storing passwords in browsers/clients
– Clear, enforced policy on protected data
Example: Attacking a server
• Getting access to an internet-connected server by active means
• Software vulnerabilities, configuration errors; the asymmetry is on the attacker's side
• Information theft, access to other systems within the company, malware distribution, blackmail, publicity
• Defence
– Effective update and security policies
– A prepared and rehearsed approach to successful attacks
• Publicity-seeking actors: Anonymous, LulzSec..
Advanced Persistent Threat (APT)
• Generic term / buzzword for a directed, tailored attack campaign
• Goal is usually data exfiltration; can also be sabotage or data manipulation
• Attack vector is usually a combination of social engineering and custom malware
APT – Definition (2)
• Advanced – well prepared, tailored, professional
• Persistent – long term, no hurry, secured access, redundancy & diversity
• Threat – target selection: nation states, defence & high-tech industry
APT – Defence (3)
• Gather logs, learn how to persistently follow them and do it
• Plan and know your network so you can see the anomalies
• Force the attacker to take risks
• Plan and rehearse for attacker success
• Check/contact CERT-FI for further notes
It is worth remembering...
”USB Rubber Ducky”
An ~$80 USB stick that pretends to be a computer keyboard and rapidly executes predefined commands on the host machine (hak5.org)
”USB Rubber Ducky” in detail
• Internally the hardware is e.g. a Teensy or Arduino board with extended USB capability
• USB HID profile in use (works also when the USB mass storage profile is blocked)
• Example script functionalities (Kautilya)
– Open a browser with a hidden window on page X
– Open a text file from a URL, decode it and execute it as a program
– Activate ”Win7 Hosted Network” + backdoor (ADMIN)
– Connect to the attacker's AP and open a URL (ADMIN)
• Restriction: the HID profile is one-directional; a return channel has to be arranged separately
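A defender-side check for the HID trick above, added here as an illustration and not taken from the slides: scripted keystrokes arrive at a fixed, inhumanly short interval, so a keystroke log (from a keyboard hook or an input-event monitor; how to collect it is outside this example) can flag them even though the device looks like an ordinary keyboard. The log, the 6 ms injection interval and the 30 ms / 12-key thresholds are constructed assumptions for the example; a fast human typist manages roughly ten keys per second, i.e. around 100 ms between keys.

```python
from statistics import median

# Constructed keystroke log: (timestamp_ms, key). A human typing a command, then a HID
# device "typing" a whole command line at a fixed 6 ms per key. The payload text is a
# placeholder, not a real Ducky script.
HUMAN_TEXT = "ssh admin@gateway"
INJECTED_TEXT = 'powershell -w hidden -c "<payload>"'


def build_sample_events():
    events, t = [], 0
    for ch in HUMAN_TEXT:
        t += 150 + (len(events) * 37) % 100     # 150..249 ms between human keystrokes
        events.append((t, ch))
    t += 800                                      # pause before the device is plugged in
    for ch in INJECTED_TEXT:
        t += 6                                    # scripted keystrokes arrive every 6 ms
        events.append((t, ch))
    return events


def find_injection_bursts(events, max_gap_ms=30, min_keys=12):
    """Return (start_index, end_index, text, median_gap_ms) for every run of at least
    `min_keys` keystrokes in which consecutive keys are no more than `max_gap_ms` apart.
    Thresholds are assumptions for this example; tune them on real logs."""
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        continues = i < len(events) and events[i][0] - events[i - 1][0] <= max_gap_ms
        if not continues:                         # run [start, i-1] has ended
            if i - start >= min_keys:
                gaps = [events[k][0] - events[k - 1][0] for k in range(start + 1, i)]
                text = "".join(key for _, key in events[start:i])
                bursts.append((start, i - 1, text, median(gaps)))
            start = i
    return bursts


if __name__ == "__main__":
    for start, end, text, gap in find_injection_bursts(build_sample_events()):
        print(f"burst keys {start}-{end}, median gap {gap} ms: {text!r}")
```

Reporting the typed text with the alert matters more than the alert itself: the reconstructed command line is what the incident responder needs, and it is exactly what the attacker assumed nobody would see.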
Creative use of mobile phones
ANTI: pentest tool for Android devices
Aircrack-ng on mobile: OSS tool for cracking WLAN-passwords
(Ancient) mobile phones..
Metasploit toolkit, BackTrack 5
SkyNET
“a 3G-enabled mobile attack drone and stealth botmaster”
Cost 600 USD
Speciality: autonomous operation with a predefined plan and message passing within the swarm
(USENIX 8/2011)
Hobbyist drone that breaks into and eavesdrops on WLAN and GSM networks. Cost 6500 USD (DEF CON 19, 8/2011)
Car as a target?
• Practically all essential functionality of a modern car is controlled by microcontrollers
• Typically all controllers are networked on the same bus (CAN)
• External attack surface: wireless connectivity for sensors, entertainment and service; CAN connectors in insecure locations; media files
Car as a target? (2)
Car as a target? (3)
• Results:
– Devices on the CAN bus are very vulnerable
– CAN segmentation is weak
– Many viable vectors: OBD-II, CD, WiFi, Bluetooth, TPMS, mobile
– Controlling brakes, cruise control..
• Exploitation needs lots of work and results are car/model specific
• www.autosec.org
• DEF CON 21 / Miller & Valasek
Part 1: Q&A?
Part 2: Public attack examples
Actors
• Criminals • Hacktivists • Nation states
Actors: Criminals
• Motivation?
– Everything worth money: CC info, bank credentials, spam, blackmail, bitcoin mining
– Reputation
• Botnets as the primary tool
– Usage: DDoS, spam, malware distribution
– Fierce R&D efforts and a constant race with OS vendors, app vendors and security researchers on
• Distribution mechanisms
• Command & Control
• Hiding the activity and the malware binaries; obfuscation
– All stages available as a service
• Challenges:
– Trusting clients and partners, money transfers, mistakes
Actors: Hacktivists
• Motivation?
– Ideology, need to influence society
– Reputation and lulz
• Tools
– Everything that is available
– The most effective ”weapon” is still the available time and motivation of the individuals
• Challenge
– Double life
– Parents ;-)
Actors: Nation States
• Motivation?
– Political targets and pressure
– National defence
– Credibility and reputation
• Professional approach
– Proper planning and intelligence
– Testing and quality control
– (Depending on the actor) the top professionals, resources and knowledge available
• Challenges
– Laws and international treaties
– High risk in active pervasive operations, negative publicity
– The professionals do not necessarily have the top skills
Public examples
• Operation Aurora • Stuxnet (/Duqu/Flame/Gauss/XX) • Shady RAT • Red October • Leaked NSA operations
Operation Aurora
• Time: second half of 2009
• Target: big US tech companies (Google, Adobe, Juniper, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical, etc.)
• Result:
– Lots of stolen IP: source code, plans, analyses
– Possible malicious changes to product source code
Operation Aurora (2)
• Very sophisticated attack: zero-day vulnerabilities used, e.g. in Internet Explorer; Perforce source-control servers targeted
• SSL C&C connections to the USA & Taiwan
• Allegedly part of a longer campaign by the PRC
Stuxnet
• Internet worm found in June 2010
• Allegedly part of the US and Israeli ”Olympic Games” project, which aimed at delaying Iran's nuclear program
• Technical target is SCADA:
– Windows workstations where certain software is run (PCS 7, WinCC & STEP 7)
– Main target: Siemens S7-300 PLC with a specific configuration, e.g. Vacon frequency converters
– > A configuration which is used to control uranium enrichment at the Natanz nuclear facility, Iran
Stuxnet (2)
• Not the first CNO against SCADA but the most sophisticated so far:
– Several zero-days used
– The first PLC rootkit
– A multitude of cloaking and spreading mechanisms
– Remarkably big for malware
Duqu, Flame, Gauss, XX
• Several pieces of Stuxnet-related malware have been found
• Many commonalities within the family
– Modular design, found to share modules
– Partially share the same C&C channel
– Many zero-days used per specimen
– Logic implemented using Lua
Duqu, Flame, Gauss, XX (2)
• Evident signs of long-lasting professional software development
– Version development of modules
– Multitude of, and version changes in, compilation tools
– Timeline analysis of the variants suggests a single development team
• (At least) one variant still unidentified
Shady RAT (2011)
• An operation active since 2006
• RAT = Remote Access Tool
• Allegedly very big, targeting at least 72 organizations: US defence contractors, the UN, the Olympic committee
• Abnormal amount of exfiltrated data
Red October (2013)
• Another advanced cyber-espionage campaign
• Specialities: also targets mobiles, relied on Java vulnerabilities, large number of C&C and exfiltration domains
• Operational since 2007
Snowden revelations
• NSA SIGINT operations have been massive:
– “Upstream” for wholesale surveillance of fibres in the US (“Room 641A”)
– “PRISM” for SIGINT collection directly from the US internet companies' servers
– “XKeyscore” for sifting through the massive amount of gathered data
Snowden revelations (2)
• Many CNE operations revealed, e.g.
– Belgacom telco hacking (“Operation Socialist”) by GCHQ/NAC
– Long-term monitoring/tapping of many nation-state leaders (e.g. Angela Merkel) by the NSA
• Technology: “Quantum Insert”, redirecting traffic to a trojanised version of a common website from the Internet trunk network
”2012 – not much better”
”2013 – Snowden/NSA, #UMhack”
Part 2: Q&A?
Part 3: Fuzzing?
Why robustness testing?
• Quality control (own products) • Trust (products in use) • Security (white hat research) • Attack preparation (black hat research)
Fuzzing?
• Fuzzing is a process where one tries to break the target software by doing something unpredictable to it
• In order to fix or exploit the bugs in software they have to be found first. Many exploitable bugs manifest themselves by crashing the software
• The most common externally triggered errors are caused by errors in input processing
• The challenge is to find suitably broken input in a sensible time. The input space grows exponentially!
Requirement vs. Implementation
[Figure: Definition – positive requirements / undefined area / negative requirements; Implementation – wanted functionality / unwanted functionality; Result – actual functionality]
Black Box?
• In so-called black box testing one doesn't care about the internal structure or the mechanisms of the target
• The target's behaviour on different inputs is observed by comparing it to the wanted or expected behaviour
White box?
• In the white box approach the internal structure and mechanisms of the target are known and can be used for the testing
• E.g. use of the source code, build-time instrumentation of the executable code, etc.
How to fuzz 1: Planning
• SUT? • Target? • Time and other resources available? • Black-/Whitebox? • Interfaces & How to inject? • Instrumentation? • Reporting?
How to fuzz 2: test setup
[Figure: test setup – the test workstation (test data input, SUT monitoring) is connected over the interface under test to the SUT in its target environment]
How to fuzz 3: Going through the test material
[Figure: test loop – create test data → inject test data → monitor SUT → SUT OK: next case / deviation detected: save error case]
How to fuzz 4: Closer analysis of the findings
• Repeating the test case
• Reducing the input needed for the case
• Analysis of the seriousness of the bug
• Reporting and further work
– White box: finding (and fixing) the bug in the code
– Black box: SUT robustness analysis, exploitation analysis
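The loop of "How to fuzz 2–4" as an added, runnable example in Python; it is not Radamsa and not code from the slides. The system under test is a deliberately buggy record parser constructed for the example: its contract is to reject malformed input with its own MalformedRecord exception, so any other exception is a robustness bug (the monitor's "deviation"). The campaign tries boundary values at every byte position first, then random mutations, saves the first deviation and reduces it by dropping bytes while it still reproduces. A real mutation engine such as Radamsa would replace the two mutation functions; the monitor and the reducer stay the same.

```python
import random


class MalformedRecord(ValueError):
    """The parser's documented rejection. Anything else escaping it is a bug."""


# --- Toy system under test (constructed for this example; deliberately buggy) ---
# Record format: 1 byte type, 1 byte length, <length> bytes payload, repeated.
def parse_records(data: bytes) -> list:
    records, i = [], 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]                       # bug: no check that a length byte exists
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise MalformedRecord("truncated record")
        if rtype == 0x01:
            records.append(("pair", payload[0], payload[1]))   # bug: length < 2 -> IndexError
        elif rtype == 0x02:
            records.append(("text", payload.decode("ascii")))  # bug: non-ASCII -> UnicodeDecodeError
        else:
            raise MalformedRecord("unknown record type")
        i += 2 + length
    return records


SEED_INPUT = bytes([0x02, 0x05]) + b"hello" + bytes([0x01, 0x02, 0x0A, 0x0B])  # one valid sample


# --- Monitor: distinguish graceful rejection from a crash ---
def run_case(target, data: bytes):
    """Return the unexpected exception (the 'deviation'), or None if the SUT behaved."""
    try:
        target(data)
    except MalformedRecord:
        return None          # documented rejection, not a bug
    except Exception as exc:  # any other exception is a robustness failure
        return exc
    return None


# --- Test data generation: deterministic boundary values first, then random mutations ---
INTERESTING = (0x00, 0x7F, 0x80, 0xFF)


def deterministic_mutations(seed: bytes):
    for pos in range(len(seed)):
        for value in INTERESTING:
            out = bytearray(seed)
            out[pos] = value
            yield bytes(out)


def random_mutation(seed: bytes, rng: random.Random) -> bytes:
    out = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and out:                          # flip one bit
        out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    elif op == 1 and out:                        # drop one byte (shifts every later field)
        del out[rng.randrange(len(out))]
    elif op == 2:                                # insert a random byte
        out.insert(rng.randrange(len(out) + 1), rng.randrange(256))
    elif out:                                    # duplicate a chunk (length fields now lie)
        a = rng.randrange(len(out))
        b = rng.randrange(a, len(out)) + 1
        out[b:b] = out[a:b]
    return bytes(out)


# --- Closer analysis: reduce the saved error case while it still reproduces ---
def minimize(target, case: bytes) -> bytes:
    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if run_case(target, candidate) is not None:
            case = candidate      # this byte was not needed to trigger the bug
        else:
            i += 1
    return case


def fuzz_campaign(target, seed: bytes, iterations: int = 1000, rng_seed: int = 0):
    """The slide's loop: create test data -> inject -> monitor -> save error case."""
    rng = random.Random(rng_seed)

    def candidates():
        yield from deterministic_mutations(seed)
        for _ in range(iterations):
            yield random_mutation(seed, rng)

    for n, case in enumerate(candidates(), 1):
        exc = run_case(target, case)
        if exc is not None:
            return {"tests": n, "case": case, "error": exc, "minimized": minimize(target, case)}
    return None


if __name__ == "__main__":
    print(fuzz_campaign(parse_records, SEED_INPUT))
```

Two details carry over to real targets. The monitor must know the SUT's contract: here UnicodeDecodeError is a subclass of ValueError, so a monitor that simply ignored ValueError would have classified a genuine bug as a graceful rejection, which is why the contract uses its own exception class. And the reducer only deletes bytes, so it cannot repair the length field; it leaves a case that still carries the length byte that a full delta-debugging reducer would also shrink.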
Attack/Injection vectors
[Figure: injection vectors by layer]
– Internal embedded HW interfaces: power supply, I2C, JTAG, buses, I/O
– Peripheral connectivity: USB, FireWire
– Wireless: Bluetooth, WLAN
– Net: IP; TLS / SIP; NFS, CIFS, iSCSI, RPC; network API
– Files / Media: filesystem
– Applications / GUI: applications, graphics libraries, memory management, system calls
Where’s the bug?
[Figure: ISO OSI layers mapped to their Internet realization, addressing, network components and endpoint components]
7 Application layer – services X, Y, Z.. – addressing: application URL, e-mail address, torrent file (+ layers within the application protocol) – network components: gateway, firewall, IDS/IPS – endpoint components: client, server, proxy, local firewall
6 Presentation layer / 5 Session layer – folded into the application layer in the TCP/IP realization
4 Transport layer – TCP/UDP – addressing: (IP +) port number – network components: router, firewall, IDS/IPS – endpoint components: TCP/IP stack, firewall, IDS/IPS
3 Network layer – IP – addressing: IP address – network components: router, firewall, IDS/IPS – endpoint components: TCP/IP stack
2 Data link layer – WAN, Ethernet, WLAN – addressing: MAC address – network components: switch – endpoint components: NIC firmware + driver
1 Physical layer – medium (wire, optical cable, air, etc.), modulation/coding, physical/mechanical – network components: repeater, hub – endpoint components: NIC hardware
Where’s the bug? (zooming in)
[Figure sequence: addressing → endpoint components (client, server, proxy, local firewall) → TCP/IP stack → OS/browser: HTTP → plugin: Adobe Flash → browser: JavaScript. Each layer runs the same pipeline: format & syntax check → semantic analysis → state machine → output, and the layers nest inside each other, so the bug can sit in any stage of any layer.]
The challenges in injecting in a network environment
• Application protocols are ”deep”
– Encryption and authentication
– Compression
– Web application GUI
• A ”soft” application protocol is usually exploitable in a straightforward way
In practice
• The challenges mentioned above apply especially to server software
• When testing clients, most of the fuzzing is done locally
– File formats (media, XML, etc.)
– Server controlled by the tester
– Checksum and signing challenges also apply locally
Tool example: Radamsa – ”pack of fuzzers”
http://code.google.com/p/ouspg/wiki/Radamsa (large parts © Aki Helin / OUSPG)
Radamsa?
• Unified command-line front end to a versatile group of fuzzing algorithms
• Handles fuzzer selection, file and network I/O, test and source material logistics
• Two main modes
– Generating test material into a set of files
– Feeding/offering test material to network clients/servers
<clip clip>
• The rest of the Radamsa slides are removed from the shared version
• Further information about Radamsa from http://code.google.com/p/ouspg/wiki/Radamsa and from the author Aki Helin / OUSPG
Part 3: Q&A?
Part 4: Simulating network attacks
Simulating network attacks
• Why model & simulate? • Different approaches • Key-Challenge Petri Net (KCPN)
Questions by Administrators
• How could an attack affect my network?
• What could be an optimal way of protection?
• What are the priorities between the distinct fortification efforts?
• In order to get answers one can
– Apply standards and audit results
– Try, make mistakes and learn
– Model and simulate
Why model and simulate?
• Flexible way to go through different scenarios
• When a working model is achieved it can be used to get quick answers to new kinds of questions
Traditional approaches
• Attack graphs
– Make very detailed analysis possible but in practice do not scale to larger systems
• Network simulators
– In many products simulating the security side is very limited
• Role playing
– A creative way to get information out of a group of experts
KCPN -model
• “Golden mean” level of abstraction
– CIA: Confidentiality, Integrity, Availability
– Attacker actions are abstracted
• Best ideas combined
– The ability to examine the details of attack graphs
– Usability of network simulators
– Flexibility of state machines
– Scalability from hierarchy
KCPN –model: example
KCPN –model: topology
KCPN –model elements
• Input Gate – key challenge to the attacker
• Instantaneous Activity – state transition
• Output Gate – key distribution
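An added, simplified illustration of these three elements and of the administrator's questions from "Questions by Administrators" above; this is not the KCPN model, its simulator or any code from the slides. In Python, a transition fires only if the attacker holds every key in its input gate, the activity moves the attacker to a new place, and the output gate hands out the keys found there. The network, the attacker's starting keys and the four fortification measures are constructed for the example, and the model is untimed and ignores the CIA attributes and hierarchy, so it answers only the reachability form of the questions: which places an attacker can reach, and which fortifications, alone or in pairs, cut that set down most.

```python
from itertools import combinations

# Constructed example network (not the KCPN model of the slides). Each transition is
# (name, from_place, to_place, input_gate, output_gate): the input gate is the set of
# keys (credentials, exploits) the attacker must hold for it to fire, firing moves the
# attacker to to_place, and the output gate is the set of keys picked up there.
NETWORK = [
    ("t_webapp",  "internet",    "dmz_web",     {"exploit_webapp"}, {"cred_db"}),
    ("t_db_dmz",  "dmz_web",     "db",          {"cred_db"},        set()),
    ("t_phish",   "internet",    "intranet_ws", {"phish_user"},     {"cred_user"}),
    ("t_share",   "intranet_ws", "file_server", {"cred_user"},      {"cred_admin"}),
    ("t_db_adm",  "file_server", "db",          {"cred_admin"},     set()),
]
ATTACKER_KEYS = {"exploit_webapp", "phish_user"}   # what the attacker starts with


def simulate(transitions, start="internet", keys=frozenset()):
    """Untimed fixpoint: the places the attacker can reach and the keys collected."""
    reached, held = {start}, set(keys)
    changed = True
    while changed:
        changed = False
        for _, src, dst, input_gate, output_gate in transitions:
            if src in reached and input_gate <= held:          # key challenge passed
                if dst not in reached or not output_gate <= held:
                    reached.add(dst)                           # state transition
                    held |= output_gate                        # key distribution
                    changed = True
    return reached, held


def compromised(transitions, keys=ATTACKER_KEYS):
    reached, _ = simulate(transitions, keys=frozenset(keys))
    return reached - {"internet"}


# Candidate fortifications, each a function from the network to a hardened network.
FORTIFICATIONS = {
    "patch_webapp":         lambda ts: [t for t in ts if t[0] != "t_webapp"],
    "user_training":        lambda ts: [t for t in ts if t[0] != "t_phish"],
    "no_db_cred_in_config": lambda ts: [(n, s, d, i, o - {"cred_db"}) for n, s, d, i, o in ts],
    "no_admin_pw_on_share": lambda ts: [(n, s, d, i, o - {"cred_admin"}) for n, s, d, i, o in ts],
}


def rank_fortifications(transitions, fortifications, keys=ATTACKER_KEYS, combine=1):
    """Score every combination of `combine` measures by how many places stay compromised."""
    results = []
    for combo in combinations(fortifications, combine):
        hardened = transitions
        for name in combo:
            hardened = fortifications[name](hardened)
        results.append((combo, len(compromised(hardened, keys))))
    return sorted(results, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    print("baseline compromised:", sorted(compromised(NETWORK)))
    for combo, left in rank_fortifications(NETWORK, FORTIFICATIONS):
        print(combo, "->", left, "places still compromised")
    print("best pair:", rank_fortifications(NETWORK, FORTIFICATIONS, combine=2)[0])
```

In this constructed network two of the four single measures change nothing, because the database is reachable both through the leaked configuration credential and through the administrator password on the share; only removing an entry path helps, and only the pair of entry-path fixes empties the compromised set. That is the redundancy and diversity of the "Persistent" in APT showing up in the model, and the kind of priority an attack-by-attack trial would not reveal cheaply.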
KCPN –model in simulator
KCPN –model: Hierarchy
KCPN vs. SAN
• Coloring of the places and hierarchy (HCSAN)
• CIA attributes and their analysis
• Key challenge functionality on state input gates
KCPN - realism
• The model is flexible, but the fact that real-world networks are very hard to simulate hasn't gone away
• At the moment KCPN is an academic idea – further development and verification is needed!
Usage
• To ”smarten up” the protective measures of complex networks
• To get a deferred benefit in the planning of a network attack
– Cf. operational analysis of traditional warfare
Summary
Take-aways
• It is very hard to protect a service or a product connected to a public network. It is best to plan for a successful attack
• In addition to having an R&D process that can produce secure code, continuous robustness testing helps to find and fix vulnerabilities before anyone else does
Take-aways (2)
• The most sophisticated attacks are professionally planned and executed: well planned on top of solid intelligence, tested against the probable AV products, using zero-day vulnerabilities
• By modelling and simulating one can find the weakest points of the protected network and concentrate the fortification efforts on them