Approach: regional intrusion control actuation

Example actuator: eResponder primitives

1. diagnose: for diagnosing, and possibly restarting, critical services, or for handling filesystem exhaustion.
2. lockout: for locking out a user account by disabling its password. Usually used right before a killall (sometimes a kill, as with non-anonymous FTP).
3. killall: for killing all processes owned by a user.
4. kill: for killing a user session and its subprocesses.
5. checkcfg: for Oki purposes. Informative only; no response necessary.
6. fixperms: for performing chmod and chown.
7. filter: for firewall response directives.
8. notify: for forwarding a notification to a non-admin user that his/her data may have been subject to a misuse attempt.
9. reset: provides the information a response engine needs to sever a malicious TCP connection via TCP reset. This directive reports information from an observed packet in the connection; the response agent uses it to craft a set of RST packets so that one will be accepted by the target (see RFC 793).
10. recovered: provides information that a diagnosed service failure has recovered.
11. targeted: provides information that services have been the target of a probe.

(Figure: Remote Directives. Labels: R-Policy, eResponder (local domain), INFOSEC alert aggregator, Regional Intrusion Control)
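The window-spanning reset behind primitive 9, as an added example; this is not eResponder code. It assumes the reset directive reports the observed segment's addresses, ports, SEQ, ACK, payload length and advertised window (the Observed fields are an assumption about the directive's content), builds candidate RSTs toward both endpoints stepped one window apart, tests them against the RFC 793 acceptability rule, and serialises a checksummed RST header. The addresses, port 21 and the "6000 bytes flowed since capture" state are constructed.

```python
"""Window-spanning TCP reset candidates for a 'reset' directive (added example)."""
import socket
import struct
from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass(frozen=True)
class Observed:
    """Fields from one captured segment travelling src -> dst (assumed directive content)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # SEG.SEQ of the observed segment
    ack: int          # SEG.ACK: src's RCV.NXT for data flowing dst -> src
    payload_len: int  # data bytes carried (a SYN or FIN would each add 1)
    window: int       # src's advertised receive window


@dataclass(frozen=True)
class Rst:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int


def in_window(rcv_nxt: int, rcv_wnd: int, seg_seq: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment such as a bare RST:
    accepted iff RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32);
    with a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % MOD32 < rcv_wnd


def rst_candidates(obs: Observed, degree: int = 3) -> list:
    """Candidate RSTs in both directions. Data may have flowed since the capture,
    so each endpoint's RCV.NXT has advanced by an unknown amount; stepping the
    candidates one window apart makes one land in the current window as long as
    fewer than degree * window bytes have flowed since the capture."""
    out = []
    for i in range(degree):
        step = (i * obs.window) % MOD32
        # Toward dst, spoofed as src: dst's RCV.NXT is at least SEG.SEQ + length.
        # dst's own window is not in this segment; src's is used as an estimate (assumption).
        out.append(Rst(obs.src, obs.sport, obs.dst, obs.dport,
                       (obs.seq + obs.payload_len + step) % MOD32))
        # Toward src, spoofed as dst: SEG.ACK is exactly src's RCV.NXT at capture time.
        out.append(Rst(obs.dst, obs.dport, obs.src, obs.sport,
                       (obs.ack + step) % MOD32))
    return out


def _checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_rst_segment(r: Rst) -> bytes:
    """20-byte TCP header with only RST set and a correct checksum; the IP header
    and the actual (raw-socket) transmission are left to the response agent."""
    hdr = struct.pack("!HHIIBBHHH", r.sport, r.dport, r.seq, 0,
                      5 << 4, 0x04, 0, 0, 0)  # data offset 5 words, flags = RST
    csum = _checksum(_pseudo_header(r.src, r.dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus segment must checksum to zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def demo() -> list:
    """Constructed scenario: a client-to-server segment on port 21 was observed,
    and 6000 more client bytes reached the server after the capture. Returns the
    candidates toward the server that the server would still accept."""
    obs = Observed("10.0.0.5", 40000, "10.0.0.9", 21,
                   seq=1000, ack=5000, payload_len=100, window=8192)
    server_rcv_nxt = (obs.seq + obs.payload_len + 6000) % MOD32
    toward_server = [c for c in rst_candidates(obs) if c.dst == obs.dst]
    return [c for c in toward_server if in_window(server_rcv_nxt, 8192, c.seq)]


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the first candidate (SEQ 1100) is already behind the server's window and is dropped; the second (SEQ 9292) is accepted, which is why the directive asks for a set of RSTs rather than one. Two caveats for a deployment: stacks implementing RFC 5961 (Linux since 3.6, among others) abort only when SEQ equals RCV.NXT exactly and answer any other in-window RST with a challenge ACK, so against them the stepped candidates mostly fail and the one built from the observed ACK is the best shot; and the agent forges the source address, so it needs raw-socket privilege and a position from which its packets are not dropped by egress filtering.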
Regional CoA Playbooks are predefined to respond to single or multi-domain threats
Playbooks consist of one or more response primitives
Automated CoA selection will employ regional CoA playbooks in response to multi-enterprise threats
Advanced research will pursue automated playbook formulation
Synchronization of regional intrusion control systems will resolve CoA conflicts and overkill
Technology transition: structuring for adaptability
  Open source framework
    provisions for optional proprietary “plug-ins”
  Interfaces to standard management and security systems
    commercial network configuration and management systems
      OpenView, Tivoli, etc.
    commercial and open-source intrusion detectors and firewalls
      RealSecure, NetRanger, Dragon, snort, EMERALD, etc.
      Gauntlet, PIX, Check Point, Raptor, ipchains, etc.
    internet security management standards
      SNMP, Intrusion Detection Message Format, and others
  Automation for installation and maintenance
    network inventory and configuration
    intrusion sensor deployment, configuration, and activation