Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

TOTEM: Threat Observation, Tracking, and Evaluation Model


Published on

Merriam-Webster defines a totem as any supposed entity that watches over or assists a group of people, such as a family, clan, or tribe. In this presentation I will focus on how TOTEM assists in watching over and evaluating the threat an IP represents. The idea behind TOTEM is simple: compare threat information from sources such as watchlists (DShield, Emerging Threats, SenderBase, etc.) to activities with the organization (IDS/IPS, flow logs, etc.) and other locations (SANS ISC, DOE federated model, etc.). As new threat information and activity sources are added, a better evaluation can be rendered.

Published in: Technology
  • Be the first to comment

TOTEM: Threat Observation, Tracking, and Evaluation Model

  1. 1. TOTEM: Threat Observation, Tracking, and Evaluation Model John J. Gerber CISSP, GCFA, GCIH, GISP, GSNA “ A totem is any supposed entity that watches over or assists a group of people, such as a family, clan, or tribe .” -- Merriam-Webster
  2. 2. TOTEM : Basic Idea <ul><ul><li>TOTEM? </li></ul></ul><ul><ul><li>Who Are You Guys? </li></ul></ul><ul><ul><li>Why Should Anyone Care?  </li></ul></ul><ul><ul><li>How the ANL Federated IDS Data Sharing Model Can Help. </li></ul></ul><ul><ul><li>Possible Problems. </li></ul></ul><ul><ul><li>Existing Methodologies/Frameworks. </li></ul></ul><ul><ul><li>Blended to Create TOTEM. </li></ul></ul><ul><ul><li>TOTEM. </li></ul></ul><ul><ul><li>Screen Shots. </li></ul></ul><ul><ul><li>Future Development. </li></ul></ul>
  3. 3. What is TOTEM? <ul><li>The idea behind TOTEM is simple:  </li></ul><ul><ul><li>Pick up where the ANL model stops. </li></ul></ul><ul><ul><li>Compare threat information from sources such as the federated model and other watchlists (DShield, Emerging Threats, SenderBase, etc.). </li></ul></ul><ul><ul><li>As new threat information and activity sources are added, a better evaluation can be rendered. </li></ul></ul><ul><ul><li>Use components from the individual site for evaluating risk. </li></ul></ul><ul><ul><li>Information is gathered and visualization provided. </li></ul></ul>“ Totemism : system of belief in which humans are said to have kinship or a mystical relationship with a spirit-being, such as an animal or plant. The entity, or totem, is thought to interact with a given kin group or an individual and to serve as their emblem or symbol.” -- Encyclopædia Britannica
  4. 4. Who Are You Guys? We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients .  – Bernard of Chartres     Setting an example is not the main means of influencing another, it is the only means. –  Albert Einstein    
  5. 5. “ Danger , Will Robinson !” According to a May 6th Wall Street Journal article , the Pentagon confirmed that it detected 360 million attempts to penetrate its networks in 2008, which is up from six million in 2006.     The Department of Defense also disclosed that it had spent $100 million in the past six months repairing damage from these cyber attacks.
  6. 6. “ Danger , Will Robinson !” (04/09/2009) Electricity Grid in U.S. Penetrated By Spies reported in The Wall Street Journal . Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks. (05/09/2009) FAA's Web Security Audit: 3,857 Vulnerabilities security audit of the Web applications found 763 high risk, 504 medium risk, and 2,590 low risk vulnerabilities.  (04/21/2009) Computer Spies Breach Fighter-Jet Project reported in The Wall Street Journal . Cyber spies have stolen tens of terabytes of design data on the US's most expensive costliest weapons system -- the $300 billion Joint Strike Fighter project. (05/2009) Inspector General report sent to the FAA - Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network. (05/20/2009) NARA suffers data breach reported in Federal Computer Week - the missing drive contains 1T of data with &quot;more than 100,000 Social Security numbers (including Al Gore’s daughter), contact information (including addresses) for various Clinton administration officials, Secret Service and White House operating procedures, event logs, social gathering logs, political records and other highly sensitive information. A Few Other Recent Government Occurrences
  7. 7. It is a Dangerous World “ IDSs have failed to provide value relative to its costs and will be obsolete by 2005.”  -- Richard Stiennon , Gartner Analyst, 06/03
  8. 8. It is a Dangerous World &quot;The worldwide wireless LAN (WLAN) intrusion prevention system (IPS) market is on pace to reach $168 million in 2008, a 41 percent increase from 2007 revenue of $119 million, according to Gartner, Inc.&quot; -- Gartner Press Release, 09/18/2008
  9. 9. Detection <ul><li>Key Points </li></ul><ul><ul><li>4 percent of incidents were detected through event monitoring and other forms of analytic technologies. </li></ul></ul><ul><ul><li>82 percent of the cases, victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing.  </li></ul></ul><ul><ul><li>Organizations lack fully proceduralized regimen for collecting, analyzing, and reporting on anomalous log activity. </li></ul></ul>
  10. 10. ANL Federated IDS Data Sharing Model <ul><li>Basic Idea :  an incident at one location can be a precursor to an attack on another similar location. </li></ul><ul><li>  </li></ul><ul><li>Current Members </li></ul><ul><li>  </li></ul><ul><ul><li>Argonne National Laboratory (ANL) </li></ul></ul><ul><ul><li>National Center for Supercomputing Applications (NCSA) </li></ul></ul><ul><ul><li>Los Alamos National Laboratory (LANL) </li></ul></ul><ul><ul><li>Lawrence Berkeley National Laboratory (LBNL) </li></ul></ul><ul><ul><li>Oak Ridge National Laboratory (ORNL) </li></ul></ul><ul><ul><li>U.S. Computer Emergency Readiness Team/DHS (USCERT) </li></ul></ul><ul><ul><li>Thomas Jefferson National Accelerator Facility (JLAB) </li></ul></ul><ul><ul><li>Brookhaven National Laboratory (BNL) </li></ul></ul><ul><ul><li>Sandia National Laboratories (SNL) </li></ul></ul><ul><ul><li>Idaho National Laboratory (INL) </li></ul></ul><ul><ul><li>Fermi National Laboratory (FNAL) </li></ul></ul><ul><ul><li>National Energy Research Scientific Computing Center (NERSC) </li></ul></ul><ul><ul><li>Pacific Northwest National Laboratory (PNNL) </li></ul></ul>
  11. 11. ANL Federated IDS Data Sharing Model (2)
  12. 12. ANL Federated IDS Data Sharing Model (3)
  13. 13. ANL Federated IDS Data Sharing Model (4)
  14. 14. Violent Felons in Large Urban Counties A majority (56%) of violent felons had a prior conviction record. Thirty-eight percent had a prior felony conviction and 15% had a previous conviction for a violent felony.
  15. 15. The More Sources the Better? <ul><ul><li>DNS-DB Malware Domain Blocklist maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. </li></ul></ul><ul><ul><li>Global Watchlist pulls the list of suspected malicious IPs/Net ranges from different sources such as SANS DShield, Arbor atlas and so forth, then putting all of them in one place. </li></ul></ul><ul><ul><li>Ninja Chimp Strike Force provides a compiled list of hosts associated with bruteforce attempts, spam, botnets, etc. The list is comprised of data from Arbor Networks, Project Honeypot, Shadowserver, and about 24+ hosts. It is sorted on an hourly basis to keep information current and is consistently changing . </li></ul></ul>
  16. 16. Cooperative Protection Program (CPP) <ul><ul><li>Purpose </li></ul></ul><ul><ul><li>Define, integrate, deploy and operate sensors to collect high quality, information rich network data </li></ul></ul><ul><ul><li>Data analysis targeted at cyber adversaries and their activities against DOE </li></ul></ul><ul><ul><li>Detect and deter hostile activities directed at the Department’s information assets </li></ul></ul><ul><ul><li>Generate summary and alert information about boundary-crossing Internet traffic at DOE sites </li></ul></ul>
  17. 17. Problems <ul><ul><li>An incident at one location can be a precursor to an attack on another similar location. </li></ul></ul><ul><ul><li>Limited ACLs.  </li></ul></ul><ul><ul><li>False positives. </li></ul></ul><ul><ul><li>All sites are not created equal. </li></ul></ul><ul><ul><li>Mistakes happen.  </li></ul></ul><ul><ul><li>Politics. </li></ul></ul>
  18. 18. Trust Management <ul><li>Nicolas Luhman [1] defines trust management as:  a tool allowing our systems to keep working even if assumption of cooperation doesn't hold. Bernard Baber [2] formulates trust as an expectation about the future, citing three fundamental meanings of trust : </li></ul><ul><ul><li>Expectation of the persistence and fulfillment of the natural and moral social order. </li></ul></ul><ul><ul><li>Expectation of technically competent role performance from those we interact with in social relationships and systems. </li></ul></ul><ul><ul><li>Expectation that partners in interaction will carry out their fiduciary obligations and responsibilities (place other's interests before their own). </li></ul></ul>
  19. 19. Trust and Reputation Modeling Techniques <ul><li>Need : specialized knowledge structures used to predict the reliability of trusting agent's partners in the future interaction using the past experience of interactions with the trustees. </li></ul><ul><li>Examples </li></ul><ul><ul><li>Feedback mechanisms used by online auction sites (ex: eBay). </li></ul></ul><ul><ul><li>User ranking systems used by social networking. </li></ul></ul>
  20. 20. Dilbert and Albert Einstein
  21. 21. CAMNEP: System Architecture System developed by Martin Rehak.
  22. 22. CAMNEP: System Architecture System developed by Martin Rehak. <ul><li>Key Ideas </li></ul><ul><li>Network Behavior Analysis (NBA) - identifies attacks from traffic statistics. </li></ul><ul><li>Improves the classification rate by multi-layer combination. </li></ul><ul><li>Based on extended trust modeling. </li></ul>
  23. 23. CAMNEP: Multi-Source Trustfulness Integration
  24. 24. CAMNEP: Agent Specific Clusters
  25. 25. CAMNEP: Reporting
  26. 26. CAMNEP: Conclusions
  27. 27. Risk NIST publication SP 800-30: Risk Management Guide for Information Technology Systems . In the text we read: &quot; Risk is a function of the likelihood of a given threat-source 's exercising a particular potential vulnerability , and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.“ &quot; Vulnerability : A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.&quot;
  28. 28. Topological Vulnerability Analysis (TVA) Approach Steven Noel, Matthew Elder, Sushil Jajodia, Pramod Kalapa, Scott O'Hare, Kenneth Prole Basic idea : analyze and visualize vulnerability dependencies and attack paths for understanding overall security posture. Populate through automated network discovery, asset management, and vulnerability reporting technology.
  29. 29. Operating with Limited Data Seeing the forest through the trees.
  30. 30. Creating TOTEM <ul><li>Network Capture </li></ul><ul><ul><li>Nessus/ISS - VSWeb </li></ul></ul><ul><ul><li>NAC </li></ul></ul><ul><ul><li>FRAMS </li></ul></ul><ul><ul><li>Device Exception System (DES) </li></ul></ul><ul><ul><li>Network Registration System </li></ul></ul><ul><ul><li>Proxy logs </li></ul></ul><ul><ul><li>Splunk/log aggregators </li></ul></ul><ul><ul><li>Flow logs </li></ul></ul><ul><ul><li>Time Machine </li></ul></ul><ul><li>  </li></ul><ul><li>Vulnerability Database </li></ul><ul><ul><li>National Vulnerability Database (NVD) </li></ul></ul><ul><ul><li>The Open Source Vulnerability Database (OSVDB) </li></ul></ul><ul><ul><li>Emerging Threat  </li></ul></ul><ul><ul><li>SANS Internet Storm Center (IC) </li></ul></ul><ul><li>  </li></ul><ul><li>  </li></ul><ul><li>  </li></ul><ul><li>Exploit Conditions </li></ul><ul><ul><li>IDS/IPS - Snort and Bro </li></ul></ul><ul><li>  </li></ul><ul><li>Attack Scenario (Threat) </li></ul><ul><ul><li>Federated Model IPs </li></ul></ul><ul><ul><li>DNS-DB Malware Domain Blocklist </li></ul></ul><ul><ul><li>Global Watchlist </li></ul></ul><ul><ul><li>Ninja Chimp Strike Force </li></ul></ul>
  31. 31. TOTEM: What is the Point? How does one effectively distinguish false positives from actual threats? The answer may only be visible by looking at multiple sources with different levels of trust and doing a little aggregation and anomaly detection.  Our goal is to create attack road maps with weights/prioritizations in order to manage the possible risks.
  32. 32. TOTEM Analysis <ul><li>Trust model defined </li></ul><ul><ul><li>Past and current traffic </li></ul></ul><ul><ul><li>Traffic patterns to hosts </li></ul></ul><ul><ul><li>Traffic volume to hosts </li></ul></ul><ul><li>Evaluation Engine </li></ul><ul><ul><li>Traffic acquisition and data processing layer </li></ul></ul><ul><ul><li>Cooperative threat detection layer </li></ul></ul><ul><ul><li>Operator and analyst interface layer </li></ul></ul><ul><li>Data is processed in stages </li></ul><ul><ul><li>Anomaly detection </li></ul></ul><ul><ul><li>Trust update </li></ul></ul><ul><ul><li>Collective trust estimation </li></ul></ul><ul><ul><li>Method integration </li></ul></ul><ul><ul><li>History integration </li></ul></ul>
  33. 33. Creating TOTEM: Federated Model   The devil is in the details <ul><li>Classic LAMP System </li></ul><ul><ul><li>Linux </li></ul></ul><ul><ul><li>Apache </li></ul></ul><ul><ul><li>MySQL </li></ul></ul><ul><ul><li>Perl </li></ul></ul><ul><li>  </li></ul><ul><li>Additional Software </li></ul><ul><ul><li>GPG </li></ul></ul><ul><ul><li>GeoIP </li></ul></ul><ul><ul><li>Graphviz </li></ul></ul><ul><ul><li>Request Tracker </li></ul></ul><ul><ul><li>ModSecurity </li></ul></ul>
  34. 34. Information Shared by the Federated IDS Data Sharing Model <ul><ul><li>Strictly unclassified information </li></ul></ul><ul><ul><li>Information on (usually external) IP addresses that was malicious enough to warrant a site response (blocking or other) </li></ul></ul><ul><ul><ul><li>IP address:tcp/udp port # </li></ul></ul></ul><ul><ul><ul><li>Time of attack </li></ul></ul></ul><ul><ul><ul><li>Type of attack </li></ul></ul></ul><ul><ul><ul><li>Exploit attempted </li></ul></ul></ul><ul><ul><ul><li>Severity of attack </li></ul></ul></ul><ul><ul><ul><li>Previous history of offending IP at that site (corporate memory) </li></ul></ul></ul><ul><ul><ul><li>We could periodically share watch lists </li></ul></ul></ul><ul><ul><li>Information presented in a standardized exchanged format </li></ul></ul><ul><ul><ul><li>Small XML file </li></ul></ul></ul><ul><ul><ul><li>Using IETD standards for cyber data exchange </li></ul></ul></ul>
  35. 35. Other Blacklists Provide Information #, contact # ip/net, source, comment, name, last update (GMT+8),, Dshield: Top IPs, dshield-top-ips, 2009/05/13,, Spamhaus Block List, spamhaus, 2009/05/13,, ET RBN, rbn, 2009/05/13,, ET, compromised, # domain type original_reference-why_it_was_listed note--pound sign=comment # notice notice duplication is not permitted malware 20090321 fake_antivirus 20090505 phishing 20090505 Wed May 13 07:59:03 CDT 2009
  36. 36. Other Blacklists Provide Information (2) Top 10 Blacklist Providers Using 266 IPs from malware. Using 235 IPs from rbn. Using 172 IPs from coolwebsearch and spamhaus. Using 55 IPs from rogue. Using 23 IPs from malspam. Using 20 IPs from dshield-top-blocks. Using 15 IPs from exploit and sql_injection. Using 13 IPs from spyware and trojan. Using 11 IPs from rogue_antivirus. Using 10 IPs from botnet. Total Blacklisted IPs Downloaded : 1214 Blacklisted IPs Added Today : 39
  37. 37. Sample Reports: Blacklist <ul><li>Denotes IPs that are blacklisted by the Internet community more recent than 2009-05-11 17:12:07. </li></ul><ul><li>Denotes IPs that was blocked by the DOE Federated Community more recent than 2009-05-11 17:12:07.  </li></ul><ul><li>Denotes IPs that was blocked by the DOE Federated Community prior to 2009-05-11 17:12:07. </li></ul>
  38. 38. Sample Reports: Blacklist (2)
  39. 39. Signature Based Information Can be Useful In respect to Snort, we have been looking at trend information for awhile.
  40. 40. Sample Reports: Blacklist (3)
  41. 41. Sample Reports: Shuns <ul><li>Denotes IPs that are blacklisted by the Internet community more recent than 2009-05-11 18:02:07. </li></ul><ul><li>Denotes IPs that was blocked by the DOE Federated Community prior to 2009-05-11 18:02:07. </li></ul>
  42. 42. Sample Reports: Shuns (2)
  43. 43. Sample Reports: Shuns (3)
  44. 44. Sample Reports: Shuns (4)
  45. 45. There is a great deal of work yet to be done.  Some key areas to develop will be: <ul><ul><li>Additional work on the evaluation engine. </li></ul></ul><ul><ul><li>Improved visualization. </li></ul></ul><ul><ul><li>CPP. </li></ul></ul><ul><ul><li>ICSI Bro. </li></ul></ul><ul><ul><li>ICSI Time Machine. </li></ul></ul><ul><ul><li>Integration with Request Tracker (RT). </li></ul></ul>
  46. 46. Comments <ul><li>Seriously, I would appreciate any comments.  After the presentation, please feel free to contact me. </li></ul><ul><ul><li>John Gerber </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul>
  47. 47. Comments <ul><ul><li>John Gerber </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><li>Thank you for the opportunity to discuss TOTEM. </li></ul>