Conference Abstracts
A Framework for Collection and Management of Intrusion Detection Data Sets
Ben Uphoff and Paul CriscuoloLos
Alamos National Laboratory
Two areas in intrusion detection research receive little attention: data collection and data management. Gigabit Ethernet is becoming widely deployed, with ten gigabit Ethernet not far behind. Many current solutions strain under such bandwidth rates, resulting in data loss. This is unacceptable for accurate, reliable intrusion detection systems. Data management solutions vary greatly from product to product. Typically, older data is periodically migrated to some archived format. Once archived, the data set cannot be easily queried or analyzed without being imported back into the original tool. This makes forensics and trend analysis extremely difficult.
This paper addresses data collection and management for intrusion detection by providing a framework designed to accommodate high-volume, heterogeneous data sets. This framework solves many of the problems of conventional approaches to intrusion detection. Distributed computing is leveraged to assure scalability. Data can be captured, queried and analyzed in real-time; data set sizes are limited only by available storage. Benchmarks of the initial prototype are also provided.
Public Monitoring
Damon Morda
CERT Coordination Center
Topic:
Public monitoring is the process of gathering incident and vulnerability related information from publicly available sources such as web sites, newsgroups, and mailing lists. With the increasing number of new incidents and vulnerabilities being reported, it is essential that organizations have the capability to prioritize the monitoring of multiple sources and identify, assess, and respond to threats that may affect their infrastructure. This talk will focus on the CERT/CC's approach to public monitoring by describing tools, processes, and techniques we use to effectively manage the information. Through the public monitoring capability, information is collected that can be analyzed by the vulnerability, incident, and artifact handling teams. As with any process, there are also limitations and areas for improvement which will be discussed.
Outline:
- Brief description of my background
- Overview of the public monitoring process
- Reasons why public monitoring is an important process for anyorganization
- How public monitoring can be used by organizations to improve security posture
- Determining what to monitor
- Examples of sources that the CERT/CC uses for monitoring purposes
- Determining the quality of sources
- Description of how these sources are monitored
- Tools used for monitoring purposes
- How data that is collected is used within the CERT/CC
- Cooperating with other organizations in the monitoring process
- Current limitations and future improvements of public monitoring
- Questions
Targeted Level:
This discussion will focus on a technical process that can be performed by organizations. While there will be technical aspects covered, the level of technical depth will be fairly high level and most audiences should be able to grasp the information fairly quickly.
Intended Audience:
This discussion is intended for IT managers, incident response personnel, security researchers, and individuals with an interest in the technical aspects of public monitoring.
(*) If accepted, abstracts and biographies will be included in the conference proceedings.
The Incident Response Team object in the RIPE database - the direct link from IP numbers to CSIRTs
Don Stikvoort (Elsinore)
Wilfried Wober (Vienna University)
Please note that our abstract is already the detailed synthesis you are asking for. (the authors)
Topic:
Description of the concept, implementation and deployment of the database object describing an incident response team - the so-called IRT object - and its relationship with the IP-address space, in particular the so-called inetnum (or IP number) object.
The essence of this relationship is that, after proper implementation in real life (which has started in the summer of 2003), it enables e.g. CSIRT professionals (or indeed the general public) to easily find the CSIRT (or CSIRTs) that are responsible for dealing with the security incidents related to specific parts of the IP address space.
Objectives:
- explain the principles and mechanisms of the IRT object
- outline the available user-interface, both for maintenance and querying
- explain the security considerations with regards to the IRT object, in particular the integrity and credibility of data
- clearly describe the benefits of the IRT object approach
- give a report on the actual status of deployment of the IRT object in Europe (where it was conceived), and similar efforts in the other 3 regional databases that together cover the whole Internet address space
Outline of content:
Closely following the objectives defined above, the authors will:
- review the requirements that led to the definition of the IRT object
- outline the history of the IRT object
- describe the design of the IRT object (avoiding the lowest level of technical (database) detail)
- describe the implementation of the IRT object by the RIPE NCC
- progress report on the deployment of the IRT object
- identify next steps, in order to reach the goals of:
- completeness: bind "all" IP addresses to incident handlers
- a common user interface (set of tools) to query the different databases
- up-to-date and maintained data
Level of technical detail:
Intermediate. The level of technical detail of the formal RIPE technical documentation on the IRT object (of which both authors are co-authors) has been adapted to suit the needs of the below defined intended audience.
Intended audience:
Specifically for the FIRST conference:
- CSIRT incident handlers
- CSIRT managerial staff
Generally speaking the audience is wider and includes:
- users and maintainers of the IP-address-registry (specifically for the RIPE database, but the principle we address is compatible with the ARIN, APNIC and LACNIC databases)
Network Monitoring and web portal site Project in AP region
Arnold Yoon (KrCERT/CC)
Yurie Ito (JPCERT/CC)
Topic
Based on the activities of KrCERT/CC and JPCERT/CC for prevent security incidents, both organization agreed to develop several joint projects.
Objectives
Among the FIRST members draw the needs of coordination and information sharing not just for incident handling but to prevent incident and share those activities of AP region.
Contents
Trends in Korea and Japan (AP region trends included)
This section will help members to understand the growth of internet and the increase of security incidents related to Korea and Japan. This trend is not the same but can be used to predict the development model of other AP nations and also a careful assumption of the trend in AP region including China, the huge users and availability are contained.
Lessons from case studies
MS Slammer affected Korea very strong and it affected the main infrastructure of internet. This raised the needs of monitoring and controls of network as a national level and also to announce an early warning for the protection of the national infrastructure. This emphasized that the internet security affects the national infrastructure and the coordination with national security level is needed.
Current activities in each country
Korea has initiated the security information center as a centralized monitoring and operation center. Korea has two ways to collect various network volumes such as bps, pps and security events from the major networks. One is a top down method that collects information from the major ISPs and carriers, and the other is a bottom up method that comes from the end user. JPCERT/CC started Internet Scan Data Acquisition System, to provide network administrators with measures to prevent identified threats to network systems. ISDAS is bottom up way method that each sensor is installed on one IP address, capturing scan packets.
To be model
Enhance the coordination with governments, ISPs, IDCs, vendors and various CERTs in the own country. Also pay efforts to share information between countries and develop a new method to share the useful information.
Expectations
Merge every efforts from each region to share information by defining the standard such as exchanging format. And if there are many members who are interested, group a SIG for network monitoring and portal site. Also this can effect the best practices for FIRST to support new teams.
Internet Threat Detection System Using Bayesian Estimation
Masaki Ishiguro
Mitsubishi Research Institute, Inc.
We present an Internet security threat detection system using Bayesian estimation method. This system analyzes security state of the Internet using Bayesian estimation with transition of frequencies of IP packet arrival events to some specified IP addresses such as port scanning, worm activities and so on. While the system calculates the frequency of access events in each time interval, Bayesian updating has been repeatedly applied to improve the confidence in degree of Internet critical states. When the system detects security threat(s) on the Internet, a security alert message is automatically sent to registered E-mail addresses, such as system administrators', and the system issues security alert details on our Web site. We also provide compact HTML and HDML for mobile phone browsers aka NTT DoCoMo's i-mode and KDDI's EZweb. Since the security state of the Internet changes dynamically, application of Bayesian estimation for threat detection is considered suitable because parameters of the model of Bayesian estimation are considered as dynamically changing quantities. This paper is focused on mechanism of detecting security threat using Bayesian estimation and our experimental evaluation.
Some knoweldge on TCP/IP network technologies and statisics are required for this presentation. The intended audience of this paper presentation are network experts, network security researchers, system administrators, and data analysis researchers.
Security Implications of IPv6
Michael Warfield
Internet Security Systems Inc.
IPv6 is a new, widely available version of the Internet Protocol that carries a number of significant performance and security advantages over earlier versions. These same benefits also work to the advantage of IPv6-savvy attackers against, network administrators have not deployed IPv6. IPv4 administrators are unaware that IPv6 is available nearly anywhere IPv4 is available and that IPv6 traffic can pass through their networks without their awareness. Because they have ignored IPv6 as something to worry about in the future, they frequently lack the expertise to manage it and they assume it is not present on their networks. But IPv6 and IPv6 transitional mechanisms offer new security issues and open new avenues of attack even on IPv4 based networks.
This presentation will examine the current state of IPv6 and IPv6 transitional mechanisms and their deployment. Some of the security implications against IPv4-only networks in this multiprotocol environment will be explored. Recommendations and best praactices for the secure operation of IPv4-only networks in an IPv6 enabled world as well as IPv4/IPv6 dual stack networks will be offered for the network administrators in these environments.
This will be of moderate technical level intended for IPv4 administrators and network security professionals.
Defence in Depth: Protecting Against Zero-Day Attacks
Chris McNab
Matta Consulting Limited - London
The objective is to:
- demonstrate known issues in compiled applications
- demonstrate and categorize attack vectors and types
- define strategy and technologies to mitigate each attack risk
By going through this process, delegates will understand how to protect their environments against zero-day attacks. Even if vulnerable components exist, the risks can be mitigated, and incident response procedures used.
The level of technical detail is moderately high. I discuss runtime memory organization, use of the stack, heap, and processor registers, then use of canary values, non-executable memory segments, syscall monitoring, et al.
The target audience would be technical IT staff who require details of a sound and educated approach to mitigating zero-day threats.
ARAKIS - An Early Warning and Attack Identification System
Piotr Kijewski
CERT Polska/NASK
The paper describes the concept of an early warning and new attack identification system, called ARAKIS, being developed by CERT Polska. The system is meant to detect and identify the characteristics of new threats, such as self-propagating malicious code and other automated attacks that span across multiple sites. Its goals also include the automated creation of attack signatures for dissemination to intrusion detection systems and providing attack statistics. The paper presents the rationale behind the system. The problems encountered, current stage of development and future work are also outlined. The level of technical detail is medium. Targeted at an audience with security experience, in particular, knowledge of the underlying principles of intrusion detection, honeynets and firewalls is helpful.
Deploying new Wireless Standards in Corporate Environments
Laurent Butti
France TelecomSession
The topic and objectives
This paper is about wireless secure deployements with new wireless standards. It will describe a current solution based on IPsec, and will provide the reader with a precise snapshot of standardization process: this is the theorical part. Regarding all these informations, a deployment guideline and a case study (FT R&D) will be fully explained: this is the practical part.
A detailed outline of the content
Deploying IPsec technologies for secure wireless access is a good short-term solution, but this architecture has some drawbacks in both technical and economics areas. Standardization process evolves quickly and architecture based on WPA can be deployed now! These new standards are robust and flexible: they fulfill most corporate requirements in terms of technical constraints and security. FT R&D experimental deployment and experience returns will be fully described and explained.
The targeted level of technical detail
Current paper includes most technical details. Some architecture schemas will be added in the next revision, in order to increase readability and clarify some technical parts. Moreover a pros and cons summary table for deploying wireless networks with IPsec or WPA will be added. Lastly, all return experiences both from users and administrators point of views will be described.
A description of the intended audience
Intended audience is primarly technical as this paper describes technical solutions for practical issues in wireless deployments. But the presentation can be designed for a wider audience if requested.
The CSIRT and Wireless Security Breaches: Specialized Methods, Tools, and Techniques for Proactive and Reactive Wireless LAN Incident Response
Lance Hayden and Marcus Sitzman
Cisco Systems, Inc.Session
This paper will serve as a primer to computer security incident response teams (CSIRTs) on ways to incorporate wireless security expertise into their existing methodological and technical toolkits. While many aspects of wireless security incident response are similar to traditional network security incident response, an understanding of the additional threats posed by wireless networks, and the tools for mitigating and responding to those threats can inform and improve the capabilities of the CSIRT to manage new networking risks in the organizations for which they are responsible. The paper will include recommendations and insights at both high- level and technical levels.It will be appropriate for managers and network staff alike, and anyone with responsibility for creating or managing a CSIRT in an organization that is considering, or already has deployed, wireless networked infrastructures.
Outline:
- I. Wireless Threats
- II. Proactive Security Measures
- III. Scenarios
- Known Attack
- Unknown Attack
- Rogue AP discovery
- IV. Recommendations & Remediation
- V. Tools, Techniques, and Services
Update the APCERT activities (Under the Regional Initiative Activities Update slot with TF-CSIRT)
Yurie Ito
JPCERT/CC
Topic
- Trend of AP Region
- Activity update
Objectives
Among the FIRST members draw the needs of coordination and information sharing not just for incident handling but to prevent incident and share those activities of AP region. To provide one of the Regional Initiative activity model for other regions, to encourage to set up its own RI for efficient collaboration between CSIRTs.
TF-CSIRT Activity Update
Gorazd Bozic
SI-CERT
European CSIRTs have been examining different ways of cooperation since early 1990s. After trying several organisational models, the task force TF-CSIRT was formed in 2000 under the umbrella of TERENA (Trans-European Research and Education Networking Association). TF-CSIRT encompasses teams from academic, commercial and governmental organisations. The group spawned several projects addressing common issues: trust relationships between teams, a formal model for exchange of incident-related data, the training of CSIRT staff, problems related to differences in legislation, and soon. In continuous communications with the European Commission, TF-CSIRT has established itself as a credible partner in the area of network security. The growing number of participants in TF-CSIRT, as well as teams from elsewhere expressing interest in particular results of the group, can be regarded as a sign of the successfull efforts European CSIRTs have undertaken.
Paper and presentation target active CSIRTs as well as institutions and organisations that are considering a formation of one. General knowledge of incident-response practices is assumed.
FIRST at WSIS: The Security in the emerging Information Society
David Crochemore
CERTA
The first phase of the World Summit on Information Society (WSIS) was held 10-12 December 2003 in Geneva (Switzerland). This Summit is organised by the International Telecommunication Union (ITU) on behalf of the United Nations. The second phase will be held in Tunis in November 2005.
FIRST has been accredited as a Civil Society Entity, and therefore was allowed to attend the Summit in Geneva and participate in the process between the first and the second phase.
The participants of the Summit come from:
- the Governments
- the Private Sector
- the Civil Society
The anticipated outcome of the first phase was to develop and foster a clear statement of political will and a concrete plan of action for achieving the goals of the Information Society, while fully reflecting all the different interests at stake. " The deliverables of the Summit have been a Declaration of Principles and a Plan of Action, which can be downloaded at
http://www.itu.int/wsis/documents/
Some parts of the documents are dedicated to the security in the "Information Society".
Through the "Security and Privacy" working group and other means of participation, FIRST aims at being true to its vision and assuming its role of "a premier organization and recognized global leader in incident response".
The missions of FIRST fit with many of the actions included in the "Plan of Action" of the summit, and the active participation of FIRST in the WSIS is a good opportuniy to highlight the work of FIRST and its members to decision makers.
The objectives of the presentation at the conference are to explain to FIRST members and non-members what has been and will be the active role of FIRST in the whole process, and what would be the benefits for all of us:
- the increasing importance of Incident Response in the texts of reference
- the worldwide development of CSIRTs
- a better recognition of FIRST
- etc... etc...
Cyber Intelligence: Why a Business needs to set-up a Cyber Threat Analysis Unit
Ian Cook
Cogenta Corporation
This presentation will cover ways in which good intelligence procedures can be applied to the corporate sector to better enable senior management to take strategic decisions.
The structure of the presentation will be:
- Aim of a Cyber Intelligence Program
- Cyber Threats Changing
- Intelligence Defined
- Intelligence Cycle
- Planning & Direction
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
For each of the above 6 steps in the Intelligence Cycle examples will be given of easily available tool which can be used to automate the Intelligence process.
- Business Benefits
The presentation is mainly aimed at non technical managers but will have enough technical content to keep the geeks in the room. :)
Critical Infrastructure Protection - a business view
Rolf Schulz
ComCERT
Critical Infrastructure Protection (CIP) becomes more and more important - for the Governments, for the Industry and for the Cert Community.
First mentioned in the late 90's under President Clinton, and rediscovered at 9/11, CIP is also an important business factor. It guarantees press attention and opens budgets for security projects, which normally are impossible to accomplish. However, if you ask 10 people about a definition of CIP, you will receive a minimum of 10 different explanations. Also a critical topic is the different view from the Government on the one side and the Industry on the other side on CIP.
This presentation will give a deeper look on Critical Infrastructure Protection out of the perspective of the involved Industry in central Europe, based on some basics to be defined in the first part of the presentation
1. The Battlefield.
We have different types of infrastructure, and we have typical risks on them. In this part of the presentation I will show a layered model, which can help to define a threat model on a given infrastructure in relation to its importance. (a bit like the OSI model)
2. The Enemies
Who is the typical attacker? What is his motivation? Where is the difference between a normal hacker and an information warfare attack. Again, this part will cover some definitions followed by an overview of the computer crime scene.
3. Intelligence
What do we know about an attacker? About his skills and about his infrastructure ? This issue deals with the problems of gathering information about the "evil ones".
4. The industries role - private initiatives
Germany was - back in the 70's - a prime target of terrorist attacks. The RAF (Red army fraction or Bader-Meinhof-Bande) fought their private war against the Government and financial Institutions. As a consequence, the financial industry developed plans to guarantee the availability of their vital systems. This topic will give an overview on the measures taken by them to protect their critical infrastructure in Germany and Europe.
5. The Governments Role - from the industry's point of view What is says. Some examples of the co-operation between the industry and the government. This will also include a discussion on the role of CERT Teams in this environment.
6. Conclusions
The target audience for this panel is the traditional IT manager, the CERT professional and the politician.
A knowledge of general IT and network technology is recommended, but not an assumption.
What Went Wrong?
Ken van Wyk (KRvW Associates, LLC)
Christopher Fischer (BFK GmbH)
The paper is a recounting of numerous incidents that we have handled, along with detailed lessons learned and our suggestions of how to avoid or otherwise effectively handle similar difficulties. Some of the difficulties and lessons that we discuss are technical in nature, although many are procedural/human situations.
The target audience is Incident Response managers and practitioners.
UNIX and Linux based Rootkits Techniques and Countermeasures
Andreas Bunten
DFN-CERT Services GmbH
The topic of the paper are rootkits as found on linux and UNIX systems and gives a survey to current techniques and countermeasures focussing on:
* An introduction to the concept of rootkits and the recent techniques employed by attackers and system administrators
* A Classification of observed rootkits and presentation of scenarios found while analysing compromised systems
* A presentation of experimental results where different rootkits and methods of detection have been compared; This should give guidance how to detect a rootkit at runtime
The paper will present as much technical details as required for distinction of the different types of rootkits while concentrating on the conceptional ideas. A technical audience familiar with the topic will be updated on the current developments. A general audience with technical interest will get a good idea of what is possible and what has to be expected on a compromised UNIX system.