Strengthening the Defence Deception, Red Teams, AI
शिवकुमार G. Sivakumar சிவகுமார்
Computer Science and Engineering
भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay) siva@iitb.ac.in
• The Good (The Dream: AI meets Web)
• The Bad (The Nightmare: Computer & Network Security)
• The Ugly? (Defence using Deception, Red Teams and AI)
The Good The Bad The Ugly
Why are we here?
Cyber Security Governance
(www.itgovernance.co.uk/cyber-governance)
An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, secure the organisation against cyber risk.
Consequences of Breach
• Financial Loss
• Regulatory Investigations
• Loss of Reputation and Customer confidence
• ...
What should be the Board’s role?
शिवकुमार சிவகுமார் भारतीय प्रौद्योगिकी संस्थान मुंबई
Takeaways from this Session
I will stretch the following उपमा (analogy) to breaking point...
What does it take to stay healthy?
• Hygiene (sine qua non!)
• Vaccination/Medicines (Deception)
• Diet/Exercise (Red Team)
• Meditation/Yoga (AI)
Hygiene is the costliest (clean air, clean water) and requires the CISO to buy costly Firewalls, IDS/IPS, Anti-Virus, SIEM, DAM, PIM and many other 3/4-letter tools, and to set up a SOC!
I will focus on the other 3 more today!
Stone Age to Information Age
Technology (Wikipedia Definition)
Technology is the usage and knowledge of tools, techniques, crafts, systems or methods of organization in order to solve a problem or serve some purpose.
Zero, Wheel, Printing Press, Radio, Lasers, ... Any sufficiently advanced technology is indistinguishable from magic. [Arthur C. Clarke]
Two books by Yuval Noah Harari Sapiens
Who domesticated whom?
Homo Deus
Brain implants, DNA sequencing
Web 1.0, Web 2.0, Web 3.0
Web 1.0 [1990-2005] (Right to Information)
• Internet: Info anytime, anywhere, any form
• Like drinking water from a fire hose
• Search Engines to the rescue
Web 2.0 [2005-2015] (Right to Assembly)
• Social Networking (Twitter, Facebook, Kolaveri, Flash crowds)
• Producers, not only consumers (Wikipedia, blogs, ...)
• Proliferated unreliable, contradictory information?
• Facilitated malicious uses including loss of privacy, security.
Web 3.0 [current] (AI & ML meet Semantic Web)
• Intelligent Agents that “understand”
Open Enterprises of the Future
What the Future Holds?
Modify a Google Calendar to allow a colleague to add a Faaso’s roll order to a meeting invite that can be picked up by Ola and delivered by a drone to a client’s office five minutes before the scheduled meeting starts.
What this needs?
• Everything connected
• Ubiquitous sensing & actuation
• High data volume
• Context-aware Analytics
• Identity Management
• GDPR compliant Distributed Ledger
• Smart Contracts for Payments
• Multi-Party Services Orchestration
• Transparent Information Flow
• Transparent Event Flow
• Semantic Consistency
• Network and Protocol Adaptability
• End-to-End Security
• Business Management
Web 3.0 meets AI, Big Data, 5G, IoT, Blockchain!
Having humans in the loop will not scale!
Health Care (Dream or Nightmare?)
Slide from AnNet 2018 keynote by Prof. Wen-Tsuen Chen https://annet2018.loria.fr/
Eating for Doctor’s stomach!
Why is Information Technology different?
Transistor, VLSI, Microprocessor, ...
Danger: Computers are coming! Taking away our jobs!
Construction, Farming, Banking, Surgery, Composing music, Teaching! Be very scared!
The Big Nine (Amy Webb): G-MAFIA (Google, Microsoft, Amazon, Facebook, IBM, Apple) + BAT (Baidu, Alibaba, Tencent)
It’s a small group of people working at a very small number of companies who are making decisions about what to optimize using available data…
Caveat
But regulation doesn’t make sense because we shift from having a tiny group of people making decisions about optimization to a tiny group of people who are lawmakers, who are very well read and very smart people but overwhelmingly lack degrees in the hard sciences and technical experience.
Compromising the Supply Chain
Can this happen to you?
Blackmail received at IIT Bombay
Dear All,
There is a very ingenious blackmailing email circulating around asking for money in bitcoins. ... they all have a few similar features:
• They include a password that you probably have used
• Claim to have installed malware, and record video of you through your webcam.
• Threaten to reveal your adult website habits and send videos ...
• Demand bitcoins...
Subject: 15xxxxxxx@iitb.ac.in is hacked
From: 15xxxxxxx@iitb.ac.in
Date: Thu, October 18, 2018 4:35 pm
Hello!
My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.
So, your password from 15xxxxxxx@iitb.ac.in is xxxxxxxxx Even if you changed the password after that - it does not matter, my virus
...
I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!
...
Send the above amount on my BTC wallet (bitcoin):
1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY Since reading this letter you have 48 hours!
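The give-away in the mail above is the From header: it names the victim's own address, and the scam relies on the reader not knowing that a From line is just text the sender typed. The triage check below is an added example, not part of the slides or the warning mail, showing the two header checks a mail gateway or a SOC analyst applies (does a message claiming our own domain carry an SPF or DKIM pass, and does From equal To) plus a body scan for the scam's fixed wording and a bitcoin address. The Return-Path, Received and Authentication-Results lines of the sample are invented (an assumption: the receiving server stamps Authentication-Results), the organisation's domain is taken from the headers shown, and the redacted address and bitcoin address are copied from the quoted mail. A real DMARC check also verifies that the passing SPF/DKIM domain aligns with the From domain; that alignment step is left out here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "iitb.ac.in"  # the receiving organisation, from the headers shown on the slide
# Base58 legacy (1.../3...) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")
# Phrases that recur across this scam family (compare the bullet list in the warning mail).
SCAM_PHRASES = ("webcam", "bitcoin", "btc wallet", "48 hours", "your password")


def analyse(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []

    # 1. A From address in our own domain must come with a passing SPF or DKIM result;
    #    a mail that 'comes from ourselves' but fails both has a forged header.
    claims_internal = from_addr.lower().endswith("@" + OUR_DOMAIN)
    authenticated = "spf=pass" in auth or "dkim=pass" in auth
    if claims_internal and not authenticated:
        findings.append("From claims our domain but SPF/DKIM did not pass: header is forged")

    # 2. From == To is the 'I hacked your mailbox' trick, not evidence of access.
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("From equals To: sender address merely copied from the recipient")

    # 3. Body: fixed scam wording and a payment address.
    body = msg.get_payload()
    hits = [p for p in SCAM_PHRASES if p in body.lower()]
    if hits:
        findings.append("sextortion wording: " + ", ".join(hits))
    for addr in BTC_RE.findall(body):
        findings.append("bitcoin payment address: " + addr)
    return findings


# Constructed sample: headers other than From/To/Subject/Date are invented.
SAMPLE_MAIL = """Return-Path: <bounce@bulkmail.example.net>
Received: from mx3.bulkmail.example.net (198.51.100.45) by mail.iitb.ac.in
Authentication-Results: mail.iitb.ac.in; spf=fail smtp.mailfrom=bulkmail.example.net; dkim=none
From: 15xxxxxxx@iitb.ac.in
To: 15xxxxxxx@iitb.ac.in
Subject: 15xxxxxxx@iitb.ac.in is hacked
Date: Thu, 18 Oct 2018 16:35:00 +0530

Hello!
My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago ...
So, your password from 15xxxxxxx@iitb.ac.in is xxxxxxxxx
Send the above amount on my BTC wallet (bitcoin):
1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY Since reading this letter you have 48 hours!
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_MAIL):
        print("-", finding)
```

The leaked password is the only part that is real, and it comes from an old third-party breach dump, not from the victim's machine; the operational response is a password change and a user notice, not a malware hunt.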
Insider Attacks
https://en.wikipedia.org/wiki/Insider_threat
... 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as “difficult” and 17% as being “disgruntled.”
The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
• Quis custodiet ipsos custodes?
• PNB LoUs? (the 2018 Punjab National Bank fraud: insiders issued unauthorised Letters of Undertaking over SWIFT without recording them in the core banking system)
• Zero-Trust Model (Software Defined Perimeter)
• Security-Aware Applications!
Internet’s Nightmare
Match the following!
Problems:
• Highly contagious viruses
• Defacing web pages
• Credit card number theft
• On-line scams
• Intellectual property theft
• Wiping out data
• Denial of service
• Spam e-mails
• Reading private files
• Surveillance
• ...
Attackers:
• Unintended blunders
• Disgruntled employees or customers
• Organized crime
• Foreign espionage agents
• Hackers driven by technical challenge
• Petty criminals
• Organized terror groups
• Information warfare
• ...
• Crackers vs. Hackers
• Note how many resources are available to attackers.
Internet Attack Toolkits (YouTube)
Internet Attack Trends
From training material at http://www.cert-in.org.in/
The Good The Bad The Ugly Hygiene Vaccination Exercise/Diet Meditation/Yoga
Security Requirements
Informal statements (formal is much harder)
• Confidentiality: protection from disclosure to unauthorized persons.
• Integrity: assurance that information has not been modified without authorization.
• Authentication: assurance of the identity of the originator of information.
• Non-Repudiation: the originator cannot deny having sent the message.
• Availability: the system can be used, and parties can communicate, whenever desired (the attack on this property is denial of service).
• Anonymity/Pseudonymity: for applications like voting and instructor evaluation.
• Resistance to Traffic Analysis: an observer should not even learn who is communicating with whom. Why?
• Emerging Applications: online voting, auctions (more later).
And all this with postcards (IP datagrams)!
Asymmetry between Offence and Defence
• Attacker needs to find one hole .. Defender? (Black Swan)
• Attacker can buy Crime-as-a-Service (CaaS) on the dark web .. Defender?
• Attacker has an immediate and considerable Return on Investment .. Defender?
• Attacker can choose the time .. (APT) .. Defender?
• ...
Partial Landscape (from CISO/CTO perspective)
Defence (only) Using Cryptography
• sine qua non [without this nothing :-]
• Historically who used first? (L & M)
• Pure Defence only
Security Mechanisms
• System Security: “Nothing bad happens to my computers and equipment”
  virus, trojan-horse, logic/time-bombs, ...
• Network Security:
  • Authentication Mechanisms: “you are who you say you are”
  • Access Control (Firewalls, Proxies): “who can do what”
• Data Security: “for your eyes only”
  • Encryption, Digests, Signatures, ...
Packet Switching in Internet
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all their conversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
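The LCM proposal is the puzzle the slide leaves open, and it fails for the simplest reason: C hears the same three numbers and computes the same LCM, so there is no secret input anywhere. The code below is an added example, not from the slides. It runs the LCM scheme from the eavesdropper's seat, then runs Diffie-Hellman, the standard answer, where only g^a mod p and g^b mod p cross the channel and C is left with a discrete-logarithm problem. The parameters p=23, g=5 are textbook toy values (an assumption, chosen so the brute-force attack in the last function finishes instantly and shows where the security actually comes from: group size). Real deployments use a standardised group of 2048 bits or more, or X25519, and authenticate the exchange, since unauthenticated Diffie-Hellman is open to a man-in-the-middle who runs one exchange with each side.

```python
import math
import secrets


def lcm_key(numbers):
    """The slide's proposal: A sends three numbers in the clear and both sides use
    their LCM. Eavesdropper C runs this same function on the same three numbers
    and holds the 'secret' too: no private input, no secret."""
    key = 1
    for n in numbers:
        key = key * n // math.gcd(key, n)
    return key


# Toy Diffie-Hellman parameters (textbook values, NOT for real use).
P, G = 23, 5   # 5 is a generator of the multiplicative group mod 23


def dh_keypair(p=P, g=G):
    """Private exponent x stays local; only g^x mod p goes on the wire."""
    x = secrets.randbelow(p - 2) + 1        # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P):
    """Both sides end with g^(ab) mod p without either private exponent ever being sent."""
    return pow(peer_pub, priv, p)


def eavesdropper_brute_force(pub_a, pub_b, p=P, g=G):
    """What C must do with only (p, g, g^a, g^b): recover a by trying every exponent,
    i.e. solve a discrete logarithm. Trivial for p=23; the cost grows with the size
    of the group, which is why real groups are hundreds of digits long."""
    for a in range(1, p - 1):
        if pow(g, a, p) == pub_a:
            return pow(pub_b, a, p)
    return None


def demo():
    # 1. LCM scheme: everyone on the channel, including C, derives the same value.
    sent_in_clear = [12, 18, 30]
    key_a = key_b = lcm_key(sent_in_clear)
    key_c = lcm_key(sent_in_clear)           # C only listened
    # 2. Diffie-Hellman: A and B agree; C sees P, G, pub_a, pub_b and nothing else.
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    k_a = dh_shared(priv_a, pub_b)
    k_b = dh_shared(priv_b, pub_a)
    return {
        "lcm_eavesdropper_wins": key_c == key_a == key_b,
        "dh_agree": k_a == k_b,
        # With a 23-element group C also wins; with a 2048-bit group this loop never ends.
        "dh_toy_broken_by_brute_force": eavesdropper_brute_force(pub_a, pub_b) == k_a,
    }


if __name__ == "__main__":
    print(demo())
```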
Mutual Authentication
Goal
A and B to verify that both know the same secret number. No third party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
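The "first two digits, then the last two" proposal is also a puzzle with a hole in it: A hands half of the secret to whoever is on the other end before learning anything, and an impostor posing as B walks away with two digits and a search space shrunk from 10^4 to 10^2. The code below is an added example, not from the slides; the four-digit secret 4731 is constructed. It shows the naive scheme leaking, then the standard fix: a nonce challenge-response with HMAC-SHA256, in which nothing about the secret is ever transmitted, each side proves knowledge by answering a fresh random challenge, and the direction tags A->B and B->A stop the reflection attack where an impostor echoes A's own challenge back as its challenge and returns A's answer. Tag names and nonce length are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = b"4731"   # constructed shared secret for the demonstration


def naive_prove(secret, first_n=2):
    """The slide's proposal: A reveals the first two digits up front."""
    return secret[:first_n]


def naive_impostor_learns(secret):
    """An impostor who merely listens now holds the leaked prefix and only has to
    guess the rest. Returns (leaked prefix, remaining guesses)."""
    leaked = naive_prove(secret)
    return leaked, 10 ** (len(secret) - len(leaked))


def response(secret, role, challenge):
    """MAC over role || nonce. The role tag binds the answer to a direction, so an
    answer A gave as 'A->B' can never be passed off as B's 'B->A' answer."""
    return hmac.new(secret, role + challenge, hashlib.sha256).digest()


def mutual_auth(secret_a, secret_b):
    """Both sides challenge each other with fresh nonces and verify the reply with
    their own copy of the secret. Returns (A trusts B, B trusts A). An eavesdropper
    sees two nonces and two MACs; neither reveals the secret."""
    n_a = secrets.token_bytes(16)          # A's challenge to B
    n_b = secrets.token_bytes(16)          # B's challenge to A
    r_b = response(secret_b, b"B->A", n_a) # B proves to A
    r_a = response(secret_a, b"A->B", n_b) # A proves to B
    a_trusts_b = hmac.compare_digest(r_b, response(secret_a, b"B->A", n_a))
    b_trusts_a = hmac.compare_digest(r_a, response(secret_b, b"A->B", n_b))
    return a_trusts_b, b_trusts_a


def reflection_attack(secret_a):
    """Impostor with no secret reflects A's nonce back as its own challenge, collects
    A's answer and returns it as the reply to A's challenge. Without role tags the two
    MACs would be identical and A would accept; with them A rejects."""
    n_a = secrets.token_bytes(16)                       # A's challenge to 'B'
    a_answer = response(secret_a, b"A->B", n_a)         # A answers the reflected challenge
    expected_from_b = response(secret_a, b"B->A", n_a)  # what A requires from a real B
    return hmac.compare_digest(a_answer, expected_from_b)


if __name__ == "__main__":
    print("naive scheme leaks:", naive_impostor_learns(SECRET))
    print("honest A and B:", mutual_auth(SECRET, SECRET))
    print("impostor with wrong secret:", mutual_auth(SECRET, b"0000"))
    print("reflection attack succeeds:", reflection_attack(SECRET))
```

A four-digit secret is still guessable offline from one captured (nonce, MAC) pair, so in practice the shared secret is a full-entropy key, or a password is first run through a PAKE so that captured traffic gives no offline guessing at all.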
Network Security Mechanism Layers
Cyber Security Framework, NIST (April 2018) (CEO perspective)
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Common taxonomy and mechanism for
• Describing current cybersecurity posture
• Target state for cybersecurity
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
• Assess progress
• Communicate with stakeholders about cybersecurity risk
All this is just Hygiene.
Not one size fits all!
Threat-Defence Matrix
Two types of organizations: those that have been compromised and those that do not know that they have been compromised!
Threat / Defence / Example and response
• Known threat, known defence: Malware, DoS, SQL Injection, ... This is Hygiene, but what's your score? Measure it with VA-PT and IS-Audit.
• Known threat, unknown defence: Zero-Day, APT, ... Risk Analysis and Mitigation; Sandbox (which attackers evade, e.g. with a macro that fires only on file-close, after the sandbox has finished looking); Threat Hunting (Has it already happened to us?).
• Unknown threat, unknown defence: ???? Think in terms of the kill chain: Recon, Lateral Movement, Exfiltration.
Tackling the Known-Known
• Anti-Virus
• Firewall
• Patch Management
• IDS/IPS
• WAF
• VA-PT
• ..
Active Defense
Despite the best hygiene, it is safe to assume that some attacker will breach the fortress.
What then?
Golden Hour (Wikipedia Definition)
The golden hour, also known as golden time, refers to the period of time following a traumatic injury during which there is the highest likelihood that prompt medical and surgical treatment will prevent death.
Use the principle “Offence is the best form of defence” and proactively set traps that will reveal the attacker’s presence, giving you a chance to respond before any damage is done.
Indicators of Compromise
Deception Technologies
• Decoys (Story of the Prince and YamaDhootas)
• Fake servers/services (ATM, Swift, ...)
• Must blend and adapt (not stale)
• ...
• Lures
• Vulnerable Ports/Services
• Mis-configuration
• Breadcrumbs
• File with credentials
• Mis-direction
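A breadcrumb is only useful if its use is noticed, so the deception and the alert have to be built together. The code below is an added example, not the slides' or any product's code: it generates a credentials file for an account that exists nowhere legitimate (the lure an intruder finds while rummaging), keeps a registry of planted usernames, and scans sshd authentication log lines for any attempt, failed or successful, to use one of them. Because no legitimate process knows the name, every hit is an intruder who has read the file, which is why such alerts need no tuning. The registry entries, the syslog-style line format, hostnames and addresses are constructed assumptions.

```python
import re
import secrets


def make_breadcrumb(service="legacy-db", user_prefix="svc_"):
    """Generate one breadcrumb: an INI-style credentials file for an account that
    exists nowhere legitimate. Drop it where an intruder would look (a 'backup'
    config, a home directory) and record the username in HONEYTOKENS."""
    username = f"{user_prefix}{secrets.token_hex(4)}"
    password = secrets.token_urlsafe(12)
    file_text = (f"[{service}]\nusername = {username}\n"
                 f"password = {password}\nhost = db01.corp.internal\n")
    return username, file_text


# Registry of planted usernames (constructed). Nothing legitimate ever uses these.
HONEYTOKENS = {"svc_b3f2a9c1", "backup_ro"}

# Assumed sshd auth-log line shape: timestamp, host, process, result, user, source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def scan_auth_log(lines, honeytokens=HONEYTOKENS):
    """Any attempt with a planted username is a high-fidelity alert: the name is
    known only to whoever read the breadcrumb. Failed or Accepted does not matter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"] in honeytokens:
            alerts.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                           "src": m["ip"], "result": m["result"]})
    return alerts


def activity_from(lines, src_ip):
    """Golden-hour follow-up: every account the alerting source tried, in order,
    to scope how far the intruder got before tripping the wire."""
    return [m["user"] for m in map(LOG_RE.match, lines) if m and m["ip"] == src_ip]


# Constructed sample: normal noise plus one source trying the breadcrumb.
SAMPLE_LOG = [
    "2019-03-04T16:35:02Z db01 sshd[4121]: Accepted password for ravi from 10.1.4.22 port 51234 ssh2",
    "2019-03-04T16:40:11Z db01 sshd[4130]: Failed password for invalid user admin from 10.1.9.8 port 40111 ssh2",
    "2019-03-04T16:41:05Z db01 sshd[4133]: Failed password for invalid user svc_b3f2a9c1 from 10.1.9.8 port 40112 ssh2",
    "2019-03-04T16:41:07Z db01 sshd[4134]: Accepted password for ravi from 10.1.4.22 port 51240 ssh2",
]

if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_LOG):
        print("HONEYTOKEN USED:", alert)
        print("  same source also tried:", activity_from(SAMPLE_LOG, alert["src"]))
```

The same pattern applies to the other lures on the slide: a fake AWS key that is never issued to anyone, a database account with no real grants, a document with a tracking beacon. The detection side is always a lookup of the token in the one place it must surface, which is what keeps the breadcrumb from going stale even as the decoy servers around it are refreshed.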
Threat Hunting
Diagram borrowed from CERT-IN workshop (July 2018)
Intelligence Feeds: Atlas.arbor.net
Real-time Intelligence- atlas.arbor.net
Malicious Servers
Red Teams
Muscles that are not exercised will atrophy. (Kings going in disguise)
Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company’s people and networks, applications and physical security controls can withstand an attack from a real-life adversary.
• Penetration Testing (network, application, mobile, device)
• Social Engineering (onsite, telephone, email/text, chat)
• Physical Intrusion (lock picking, camera evasion, alarm bypass)
Leverage only the strategies that bad actors would most likely actually use against you.
attack.mitre.org
Think like a criminal
Attacker Tactics (each has many techniques). These are the 11 tactics of the 2018 Enterprise matrix; later versions added Impact (2019) and Reconnaissance and Resource Development (2020), for 14.
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Exfiltration
11. Command and Control
Artificial Intelligence & Machine Learning
• Can AI of computers match NS of humans?
• Old Joke: Out of sight, out of mind
• Consider chess, once the holy grail of AI. Deep Blue did not play the human way at all: mostly parallelized search in hardware (200 million positions/second!).
• December 2017: AlphaZero (the successor to AlphaGo Zero) used reinforcement learning to teach itself chess in 4 hours, then beat the world’s best program, Stockfish.
Deep Patient
Are doctors practicing medical science?
https://www.nature.com/articles/srep26094
The machine was given no information about how the human body works or how diseases affect us. It found correlations that let it predict the onset of some diseases more accurately than ever, and some diseases, such as schizophrenia, for the first time at all. It does this by creating a vast network of weighted connections that is just too complex for us to understand.
Tackling the UnKnown-UnKnown
User and Entity Behaviour Analysis
• Try saying “I love you” 10 times every day to your spouse!
• All antennas will go up!
• All defence mechanisms will be strengthened.
AI/Machine Learning to the rescue.
• Behaviour profiling (Baseline)
• Watch for anomalies
• Correlate with threats
• Reduce false positives
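The four steps above, as an added example that is not from the slides or from any UEBA product. A per-user profile of login hour, daily volume and known source hosts is built from a constructed two-week history (the "baseline"); each new user-day is scored against it with z-scores ("anomalies"); and a day is escalated only when two independent signals agree ("correlate", and the mechanism that "reduces false positives"): one late-night login by a regular user is noted but not paged, while a 2 a.m. login from a host that user has never used is. The users, hosts, the z-score threshold of 3 and the two-signal rule are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def gen_baseline():
    """Constructed two-week history of (user, day, hour, source_host) logins."""
    events = []
    for day in range(1, 15):
        for hour in (9, 10, 14, 17):
            events.append(("ravi", day, hour, "ws-ravi"))
        for hour in (8, 13):
            events.append(("meena", day, hour, "ws-meena"))
    return events


BASELINE = gen_baseline()


def build_profile(events):
    """Per-user baseline: mean/stdev of login hour and of daily count, plus known hosts.
    A stdev of 0 (a perfectly regular user) is replaced by 1 so z-scores stay finite."""
    hours = defaultdict(list)
    per_day = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for user, day, hour, host in events:
        hours[user].append(hour)
        per_day[user][day] += 1
        hosts[user].add(host)
    profile = {}
    for user in hours:
        counts = list(per_day[user].values())
        profile[user] = {
            "hour_mean": mean(hours[user]), "hour_sd": pstdev(hours[user]) or 1.0,
            "count_mean": mean(counts), "count_sd": pstdev(counts) or 1.0,
            "hosts": hosts[user],
        }
    return profile


def score_day(profile, user, day_events, z=3.0):
    """Score one user-day. Returns (number of independent signals, reasons).
    An odd hour alone is weak evidence; a never-seen host or a volume spike on the
    same day corroborates it. Requiring two signals is the false-positive control."""
    p = profile.get(user)
    if p is None:
        return 2, ["no baseline for this user"]   # new identity: always worth a look
    reasons = []
    hours = [h for _, _, h, _ in day_events]
    hosts = {host for _, _, _, host in day_events}
    if any(abs(h - p["hour_mean"]) / p["hour_sd"] > z for h in hours):
        reasons.append("login at unusual hour")
    if (len(day_events) - p["count_mean"]) / p["count_sd"] > z:
        reasons.append("login volume spike")
    if hosts - p["hosts"]:
        reasons.append("never-seen source host")
    return len(reasons), reasons


def triage(profile, events, min_signals=2):
    """Group new events by (user, day) and return only corroborated alerts."""
    by_user_day = defaultdict(list)
    for e in events:
        by_user_day[(e[0], e[1])].append(e)
    alerts = {}
    for key, evs in by_user_day.items():
        n, reasons = score_day(profile, key[0], evs)
        if n >= min_signals:
            alerts[key] = reasons
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    today = [("ravi", 15, 10, "ws-ravi"), ("ravi", 15, 23, "ws-ravi"),     # one late night
             ("meena", 15, 2, "vpn-pool-77"), ("meena", 15, 2, "vpn-pool-77")]  # 2 a.m., new host
    for (user, day), reasons in triage(prof, today).items():
        print(f"ALERT {user} day {day}: {', '.join(reasons)}")
```

The "correlate with threats" step in production adds signals this toy does not have, such as the source address appearing in an intelligence feed or a honeytoken alert from the same host; they plug into score_day as further reasons and raise the count the same way.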