Part I ATTACK VECTORS
Total Page:16
File Type:pdf, Size:1020Kb
Attack Simulation and Threat Modeling Olu Akindeinde February 8, 2010 Copyright © 2009 Olu Akindeinde Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in Appendix B entitled "GNU Free Documentation License". 2 ATTACK SIMULATION AND THREAT MODELING i PREFACE “The purpose of computing is insight not numbers” I wrote this book as a direct consequence of Security Analysis and Data Visualization1. A lot of ground rules were laid there - we simply follow up here. Attack Simulation and Threat Modeling explores the abundant resources available in advanced security data collection, processing and mining. It is often the case that the essential value inherent in any data collection method is only as good as the processing and mining technique used. Therefore, this book attempts to give insight into a number of alternative security and attack analysis methods that leverage techniques adopted from such subject areas as statistics, AI, data mining, graphics design, pattern recognition and to some extent psychology and economics. As security design and implementation become major components of the overall enterprise architecture and data collection tools improve and evolve, the ability to collect data will no doubt increase dramatically. This then brings us to the value of the data which is often only as useful as what the analysis can shape it into. Whilst the security process itself is key, the collection, processing and mining techniques used to analyze the data are even more important. As much as information security is a unique and evolving field with particular needs, analysis techniques typically span the boundaries of different disciplines. Analysts that limit themselves to the boundaries imposed by one field may unnecessarily miss out all the possibilities that may exist in the multitude of disciplines that exists outside of it. This is by no means different with information security: by aligning it with different disciplines, we expand the possibilities exponentially. This book examines various tools and techniques from these other disciplines in extracting valuable findings to support security research and decision making. The objective of Attack Simulation and Threat Modeling is essentially to serve as an eye opener for security analysts and practitioners that there are many more techniques, tools and options beyond the security research field that can be used and are fit-for-purpose. Hopefully, this will lay the foundation for a cross-discipline concerted and collaborative effort that will help identify more techniques for security research and modeling. 1http://inverse.com.ng/sadv/Security_Analysis_and_Data_Visualization.pdf iii On a final note, this book is also heavy on the use of free and open source tools (both on Microsoft Windows and Linux platforms). Part of the rationale for this is to bring the analyst up to speed with the concepts and techniques of computer (security) simulation and modeling without having a recourse to proprietary tools and applications. I think in my humble estimation, it bridges the knowledge gap quicker whilst bringing the core subject matter to the fore. HOW THIS BOOK IS ORGANIZED This book consists of four parts described below. Part 1: Attack vectors Chapter 1 - Attack Vectors explores the classifications and different vectors of security at- tacks. We examine the roles of configuration errors, bugs, flaws as well as trust rela- tionships in computer security attacks. Part 2: Attack Simulation Chapter 2 - Virtual Lab is all about setting the stage for various attack simulations. Virtual machine theory is discussed in depth whilst also exploring the implementations of three notable virtual machine applications that will be employed throughout - VMware server, VirtualBox and Qemu. Virtual lab will be the platform upon which we build all other components. Chapter 3 - Attack Signatures examines attack vectors using various implementations of In- trusion Detection Systems (IDS). We discuss various IDS technologies, architectures and distributed configurations. We then home in on the Snort IDS and how it is deployed in various modes to aid and assist in detecting intrusion and threat payload propagation. Chapter 4 - Signature Detection describes the various aspects of detecting attack signatures through the use of Honeypots and Honeynets. We also explore their use in modern computer security as well as implementations in security research environments. We enumerate the different types and functions of Honeypots. The deployments and ben- efits of Honeypots in modeling and simulation environments are primed. Lastly we explore the technique of building conceptual intelligent honeypots and honeynets. iv Part 3: Attack Analytics Chapter 5 - Behavioural Analysis profiles the different forms of threat propagation - from botnet tracking, malware extraction, propagation and behavioural analysis through to security and attack visualization. The tools and methodologies employed in capturing, processing and visualizing a typical security dataset are discussed. Chapter 6 - Attack Correlation describes the methodology of simple and complex event cor- relation techniques from event filtering, aggregation and masking through to root cause analysis employing various tools and techniques. Log processing and analysis are given an in-depth coverage. Part 4: Attack Modeling Chapter 7 - Pattern Recognition attempts to uncover alternative techniques used in security data analytics. Special emphasis is given to data mining and machine learning algo- rithms especially as research in these fields have been extremely active in the last couple of years with the resultant huge number of accurate and efficient learning algorithms. We will also employ some inductive learning algorithms in classifying and recognizing patterns in typical security dataset. Finally, The primary aim of this book is to bring to the front burner alternative methods of security analytics that leverage methodologies adopted from various other disciplines in ex- tracting valuable data to support security research work and chart a course for enterprise security decision making. AUDIENCE Since there is no way for me to gauge the level of aptitude of the audience, I can only make certain assumptions. I assume that the reader has a good grasp of the technical aspects of in- formation security and networking concepts and is very conversant with the TCP/IP model. I also assume that the reader is familiar with the Linux Operating System especially the com- mand line interface (CLI) environment as well as installation and execution of Linux binary and source code applications. Even at that, I try as much as possible (where necessary) to provide clear and comprehensive explanations of the concepts you need to understand and v the procedures you need to perform so as to assist you in your day-to-day attack simulation and threat modeling activities. Overall, Attack Simulation and Threat Modeling is an intermediate level book but the con- cepts and methodologies covered are what you are most likely to encounter in real life. That means you can obtain enough information here to aid your comprehension of the subject mat- ter better. It can also be used as a reference source and as such will be useful to security research analysts, technical auditors, network engineers, data analysts and digital forensics investigators. It is also suitable as a self-study guide. The approach taken of evolving a se- curity and threat architecture from first principles, may provide useful insight to those that are learning about Internet security architectures and attack methodology. Whilst the book is intended for professional use, it is also suitable for use in training programmes or seminars for organizations as well as research institutes. At the end of the book, there is a glossary of frequently used terms and a bibliography. DEDICATION This book is dedicated to my late brother and grandmother. They were my friends and my confidants. They were loved by everyone who knew them, and they were described as angels by family and friends. They were my precious angels Though I can’t see them anymore, I thank God for the blessing of His gifts to me. ACKNOWLEDGMENTS This book again owes much to the people involved in the collation and review process, with- out whose support it would never have seen the light of day. A further special note of thanks goes to all the staff of Inverse and Digital Encode whose contributions throughout the whole process, from inception of the initial idea to final publication, have been invaluable. In partic- ular I wish to thank Wale Obadare, Sina Owolabi and Ola Amudipe - brilliant minds, artists vi and scientists sculpting the future - for their insights and excellent contributions to this book. Many thanks also to everyone who assisted me in the review process. Finally, I say thank you to my glorious mother and best friend Mrs T.A. Akindeinde - a perfect convergence of grace and substance, a paragon of virtues without whom I may never have been able to write this book. Many women do noble things, but mum, you surpass them all. Olu Akindeinde Lagos, Nigeria January 2010 ABOUT THE AUTHOR Olu has 9 years experience working in the IT and information security arena, but has spent the better part of the last few years exploring the security issues faced by Electronic Funds Transfer (EFT) and Financial Transaction Systems (FTS). He has presented the outcome of his research work at several conferences; including the Information Security Society of Africa (ISS), the forum of the Committee of Chief Inspectors of Banks in Nigeria, the apex bank - Central Bank of Nigeria (CBN), the Chartered Institute of Bankers (CIBN) forum as well as 13 financial institutions in Nigeria. In his professional life, Seyi, as he is otherwise called, sits on the board of two companies.