Academic year: 2022

Share "• The Good (The Dream: AI meets Web)"

Copied!
45
0
0

Loading.... (view fulltext now)

Full text

(1)

Strengthening the Defence Deception, Red Teams, AI

शिवकुमार G. Sivakumar சிவகுமார்

Computer Science and Engineering

भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay) siva@iitb.ac.in

The Good (The Dream: AI meets Web)

The Bad (The Nightmare: Computer & Network Security)

The Ugly? (Defence using Deception, Red Teams and AI)

(2)

The Good The Bad The Ugly

Why are we here?

Cyber Security Governance

(www.itgovernance.co.uk/cyber-governance)

An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for the framework of standards, processes and activities that, together, secure the organisation against cyber risk.

Consequences of Breach

Financial Loss

Regulatory Investigations

Loss of Reputation and Customer confidence

...

What should be the Board’s role?

शिवकुमार சிவகுமார் भारतीय प्रौद्योगिकी संस्थान मुंबई

(3)

Takeaways from this Session

I will stretch the following उपमा (Analogy) to breaking point...

What does it take to stay healthy?

Hygiene (sine qua non!)

Vaccination/Medicines (Deception)

Diet/Exercise (Red Team)

Meditation/Yoga (AI)

Hygiene is the costliest (Clean Air, Clean Water) and requires the CISO to buy costly Firewalls, IDS/IPS, Anti-Virus, SIEM, DAM, PIM and many other 3/4-letter tools, and to set up a SOC!

I will focus on the other 3 more today!

(4)


Stone Age to Information Age

Technology (Wikipedia Definition)

Technology is the usage and knowledge of tools, techniques, crafts, systems or methods of organization in order to solve a problem or serve some purpose.

Zero, Wheel, Printing Press, Radio, Lasers, ... Any sufficiently advanced technology is indistinguishable from magic. [Arthur C. Clarke]

Two books by Yuval Noah Harari Sapiens

Who domesticated whom?

Homo Deus

Brain implants, DNA sequencing


(5)

Web 1.0, Web 2.0, Web 3.0

Web 1.0 [1990-2005] (Right to Information)

Internet: Info anytime, anywhere, any form

Like drinking water from a fire hose

Search Engines to the rescue

Web 2.0 [2005-2015] (Right to Assembly)

Social Networking (Twitter, Facebook, Kolaveri, Flash crowds)

Producers, not only consumers (Wikipedia, blogs, ...)

Proliferated unreliable, contradictory information?

Facilitated malicious uses including loss of privacy, security.

Web 3.0 [current] (AI & ML meet Semantic Web)

Intelligent Agents that “understand”

(6)


Open Enterprises of the Future

What the Future Holds?

Modify a Google Calendar to allow a colleague to add a Faaso’s roll order to a meeting invite that can be picked up by Ola and delivered by a drone to a client’s office five minutes before the scheduled meeting starts.

What this needs?

Everything connected

Ubiquitous sensing & actuation

High data volume

Context-aware Analytics

Identity Management

GDPR compliant Distributed Ledger

Smart Contracts for Payments

Multi-Party Services Orchestration

Transparent Information Flow

Transparent Event Flow

Semantic Consistency

Network and Protocol Adaptability

End-to-End Security

Business Management

Web 3.0 meets AI, Big Data, 5G, IoT, Blockchain!

Having humans in the loop will not scale!


(7)

Health Care (Dream or Nightmare?)

Slide from AnNet 2018 keynote by Prof. Wen-Tsuen Chen https://annet2018.loria.fr/

Eating for Doctor’s stomach!

(8)


Why is Information Technology different?

Transistor, VLSI, Microprocessor, ...

Danger: Computers are coming! Taking away our jobs!

Construction, Farming, Banking, Surgery, Composing music, Teaching! Be very scared!

The Big Nine (Amy Webb): G-MAFIA + BAT

It’s a small group of people working at a very few number of companies who are making decisions about what to optimize using available data…

Caveat

But regulation doesn’t make sense because we shift from having a tiny group of people making decisions about optimization to a tiny group of people who are lawmakers, who are very well read and very smart people but overwhelmingly lack degrees in the hard sciences and technical experience.


(9)

Compromising the Supply Chain

(10)


Can this happen to you?


(11)

Blackmail received at IIT Bombay

Dear All,

There is a very ingenious blackmailing email circulating around asking for money in bitcoins. ... they all have a few similar features:

They include a password that you probably have used

Claim to have installed malware, and record video of you through your webcam.

Threaten to reveal your adult website habits and send videos ...

Demand bitcoins...

Subject: 15xxxxxxx@iitb.ac.in is hacked
From: 15xxxxxxx@iitb.ac.in
Date: Thu, October 18, 2018 4:35 pm

Hello!

My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

So, your password from 15xxxxxxx@iitb.ac.in is xxxxxxxxx. Even if you changed the password after that - it does not matter, my virus

...

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

...

Send the above amount on my BTC wallet (bitcoin):

1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY

Since reading this letter you have 48 hours!

(12)


Insider Attacks

https://en.wikipedia.org/wiki/Insider_threat

... 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as “difficult” and 17% as being “disgruntled.” The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.

Quis custodiet ipsos custodes?

PNB LoUs?

Facebook

Zero-Trust Model (Software Defined Perimeter)

Security-Aware Applications!


(13)

Internet’s Nightmare

Match the following!

Problems:

Highly contagious viruses

Defacing web pages

Credit card number theft

On-line scams

Intellectual property theft

Wiping out data

Denial of service

Spam E-mails

Reading private files

Surveillance

...

Attackers:

Unintended blunders

Disgruntled employees or customers

Organized crime

Foreign espionage agents

Hackers driven by technical challenge

Petty criminals

Organized terror groups

Information warfare

...

Crackers vs. Hackers

Note how many resources are available to attackers.

(14)


Internet Attacks Toolkits (Youtube)


(15)

Internet Attack Trends

From training material at http://www.cert-in.org.in/

(16)

The Good The Bad The Ugly Hygiene Vaccination Exercise/Diet Meditation/Yoga

Security Requirements

Informal statements (formal is much harder)

Confidentiality: Protection from disclosure to unauthorized persons.

Integrity: Assurance that information has not been modified without authorization.

Authentication: Assurance of the identity of the originator of information.

Non-Repudiation: Originator cannot deny sending the message.

Availability: Not being prevented from using the system or communicating when desired.

Anonymity/Pseudonymity: For applications like voting, instructor evaluation.

Traffic Analysis: Should not even know who is communicating with whom. Why?

Emerging Applications: Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!


(17)

Asymmetry between Offence and Defence

Attacker needs to find one hole .. Defender? (Black Swan)

Attacker can use CaaS (darkweb) .. Defender?

Attacker has immediate/considerable Return on Investment .. Defender?

Attacker can choose the time .. (APT) .. Defender?

...

(18)


Partial Landscape (from CISO/CTO perspective)


(19)

Defence (only) Using Cryptography

sine qua non [without this nothing :-]

Historically who used first? (L & M)

Pure Defence only

(20)


Security Mechanisms

System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

Network Security:

Authentication Mechanisms “you are who you say you are”

Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...


(21)

Packet Switching in Internet

(22)


Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all their conversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
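The puzzle above, worked through as an added example (not from the slides): C, who hears the three numbers, computes exactly the same LCM as B, so nothing secret has been agreed. A Diffie-Hellman exchange over the same open channel is shown beside it as the standard answer, with constructed toy values p=23, g=5 and fixed exponents so the run is reproducible.

```python
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def key_from_lcm(numbers_on_the_wire):
    """B's key. C records the same three numbers and runs the same function,
    so the 'secret' is shared with everyone who listened."""
    return reduce(lcm, numbers_on_the_wire)


def diffie_hellman(p, g, a, b):
    """A keeps exponent a, B keeps b; only g^a and g^b cross the channel.
    Returns (key at A, key at B, everything C could record).
    Toy sizes here; real use needs a large safe prime and fresh random exponents."""
    a_pub = pow(g, a, p)
    b_pub = pow(g, b, p)
    key_at_a = pow(b_pub, a, p)
    key_at_b = pow(a_pub, b, p)
    seen_by_c = {"p": p, "g": g, "g^a": a_pub, "g^b": b_pub}
    return key_at_a, key_at_b, seen_by_c


def key_is_on_the_wire(key, seen_by_c):
    """Sanity check: the agreed key is not among the values C recorded.
    C would have to recover an exponent (a discrete logarithm) to derive it."""
    return key in seen_by_c.values()


if __name__ == "__main__":
    numbers = [12, 18, 30]  # constructed: the three numbers A sends in the clear
    print("LCM key at B:", key_from_lcm(numbers), " at C:", key_from_lcm(numbers))
    ka, kb, seen = diffie_hellman(23, 5, 6, 15)  # constructed toy parameters
    print("DH key at A:", ka, " at B:", kb, " on the wire:", seen)
    print("key visible to C?", key_is_on_the_wire(ka, seen))
```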


(24)


Mutual Authentication

Goal

A and B to verify that both know the same secret number. No third party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...
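The mutual-authentication puzzle above, as an added example (not from the slides): the two-digits-each protocol hands half the secret to whoever asks for it and the whole secret to anyone listening, whereas an HMAC challenge-response lets each side prove it knows the secret without ever saying it. The 4-digit PIN, the keys and the nonces are constructed.

```python
import hashlib
import hmac
import secrets


def naive_protocol(secret_at_a, secret_at_b):
    """A says the first two digits, B answers with the last two.
    Returns what crossed the wire and whether each side was convinced."""
    a_says = secret_at_a[:2]
    b_says = secret_at_b[2:]
    return {
        "wire": a_says + b_says,          # an eavesdropper now has the whole secret
        "a_accepts": b_says == secret_at_a[2:],
        "b_accepts": a_says == secret_at_b[:2],
        "b_learned_from_a": a_says,       # an impostor B gets these two digits for free
    }


def _tag(key, role, *nonces):
    # Role label inside the MAC: B's answer can never be replayed as A's answer.
    return hmac.new(key, b"|".join((role, *nonces)), hashlib.sha256).digest()


def b_responds(key, na, nb):
    return _tag(key, b"B", na, nb)


def a_verifies_b(key, na, nb, tag_b):
    return hmac.compare_digest(tag_b, b_responds(key, na, nb))


def a_responds(key, na, nb):
    return _tag(key, b"A", nb, na)


def b_verifies_a(key, na, nb, tag_a):
    return hmac.compare_digest(tag_a, a_responds(key, na, nb))


def challenge_response(key_at_a, key_at_b, na=None, nb=None):
    """A -> B: na.   B -> A: nb, HMAC(K, B|na|nb).   A -> B: HMAC(K, A|nb|na).
    The key never crosses the wire; fresh nonces make a recorded run useless later.
    A only answers after B's tag checks out."""
    na = na or secrets.token_bytes(16)
    nb = nb or secrets.token_bytes(16)
    tag_b = b_responds(key_at_b, na, nb)
    a_ok = a_verifies_b(key_at_a, na, nb, tag_b)
    tag_a = a_responds(key_at_a, na, nb) if a_ok else None
    b_ok = tag_a is not None and b_verifies_a(key_at_b, na, nb, tag_a)
    return {"wire": [na, nb, tag_b, tag_a], "a_accepts": a_ok, "b_accepts": b_ok}
```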


(26)


Network Security Mechanism Layers


(27)

Cyber Security Framework, NIST (April 2018) (CEO perspective)

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Common taxonomy and mechanism for

Describing current cybersecurity posture

Target state for cybersecurity

Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

Assess progress

Communicate with stakeholders about cybersecurity risk

All this is just Hygiene.

Not one size fits all!

(28)


Threat-Defence Matrix

2 types of organizations: those who have been compromised and those who do not know that they have been compromised!

Threat: Known-Known

Example: Malware, DoS, SQL Injection ..

Defence: This is Hygiene, but what’s your score? VA-PT, IS-Audit

Threat: Known-Unknown

Example: Zero-Day, APT

Defence: Risk Analysis and Mitigation; Sandbox (Evasion e.g. Macro on File-Close); Threat Hunting (Has it happened to us?)

Threat: Unknown-Unknown

Example: ???? (Kill chain: Recon, Lateral Shift, Exfiltration)


(29)

Tackling the Known-Known

Anti-Virus

Firewall

Patch Management

IDS/IPS

WAF

VA-PT

..

(30)


Active Defense

Despite best hygiene it is safe to assume that some attacker will breach the fortress.

What then?

Golden Hour (Wikipedia Definition)

The golden hour, also known as golden time, refers to the period of time following a traumatic injury during which there is the highest likelihood that prompt medical and surgical treatment will prevent death.

Use the principle “Offence is the best form of defence” and proactively set traps that will reveal the attacker’s presence, giving you a chance to respond before any damage is done.


(31)

Indicators of Compromise

(32)


Deception Technologies

Decoys (Story of the Prince and YamaDhootas)

Fake servers/services (ATM, Swift, ...)

Must blend and adapt (not stale)

...

Lures

Vulnerable Ports/Services

Mis-configuration

Breadcrumbs

File with credentials

Mis-direction
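The “file with credentials” breadcrumb above in working form, as an added example (not from the slides): each planted file gets its own canary account, so when any of those accounts turns up in an authentication log, whether the attempt succeeded or failed, the alert names the decoy that was read. The account-naming scheme, the planting seed and the sshd-style log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed: a seed known only to the defenders, used to derive per-file canary names.
PLANT_KEY = b"constructed-seed-held-by-the-soc"

# Simplified sshd-style line, assumed for illustration (real formats vary).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def breadcrumb_credential(planted_on):
    """One unique canary account per decoy file (here: per host it is dropped on),
    so a hit tells you which breadcrumb the intruder picked up."""
    tag = hmac.new(PLANT_KEY, planted_on.encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc_backup_{tag}", f"Bk-{tag[::-1]}-2018!"  # password valid nowhere


def canary_registry(planted_on_hosts):
    return {breadcrumb_credential(h)[0]: h for h in planted_on_hosts}


def hunt(log_lines, registry):
    """Any use of a canary account is a hit: no legitimate process knows these names."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user in registry:
            alerts.append({
                "time": m.group("ts"), "canary": user, "planted_on": registry[user],
                "from": m.group("src"), "outcome": m.group("outcome"),
                "severity": "critical",
            })
    return alerts


def sample_logs():
    """Constructed log lines: a normal login, a canary use, an unrelated failure."""
    canary = breadcrumb_credential("db01")[0]
    return [
        "2018-10-18T16:35:02Z sshd[2201]: Accepted password for alice from 10.0.5.12 port 51622 ssh2",
        f"2018-10-18T16:36:10Z sshd[2210]: Failed password for invalid user {canary} from 10.0.9.77 port 40022 ssh2",
        "2018-10-18T16:37:44Z sshd[2214]: Failed password for bob from 10.0.5.40 port 50110 ssh2",
    ]


if __name__ == "__main__":
    registry = canary_registry(["db01", "fileshare02"])
    for alert in hunt(sample_logs(), registry):
        print(alert)
```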


(33)

Threat Hunting

Diagram borrowed from CERT-IN workshop (July 2018)

(34)


Intelligence Feeds: Atlas.arbor.net


(35)

Real-time Intelligence- atlas.arbor.net

(36)


Malicious Servers


(37)

Red Teams

Muscles that are not exercised will atrophy. (Kings going in disguise)

Red Teaming is a full-scope, multi-layered attack simulation designed to measure how well a company’s people and networks, applications and physical security controls can withstand an attack from a real-life adversary.

Penetration Testing (network, application, mobile, device)

Social Engineering (onsite, telephone, email/text, chat)

Physical Intrusion (lock picking, camera evasion, alarm bypass)

Leverage only the strategies that bad actors would most likely actually use against you.

(38)


attack.mitre.org


(39)

attack.mitre.org

Think like a criminal

Attacker Tactics (each has many techniques)

1. Initial Access

2. Execution

3. Persistence

4. Privilege Escalation

5. Defense Evasion

6. Credential Access

7. Discovery

8. Lateral Movement

9. Collection

10. Exfiltration

11. Command and Control

(40)


attack.mitre.org


(41)

Artificial Intelligence & Machine Learning

Can AI of computers match NS of humans?

Old Joke: Out of sight, out of mind

Consider chess, once the holy grail of AI.

Does not play the human way at all! Mostly parallelized search in hardware (200 million positions/second!)

December 2017: AlphaGo Zero used reinforcement learning to teach itself chess in 4 hours! Beat world’s best program Stockfish

(42)


Deep Patient

Are doctors practicing medical science?

https://www.nature.com/articles/srep26094

The machine was given no information about how the human body works or how diseases affect us. It found correlations that let it predict the onset of some diseases more accurately than ever, and some diseases, such as schizophrenia, for the first time at all. It does this by creating a vast network of weighted connections that is just too complex for us to understand.


(43)

Tackling the UnKnown-UnKnown

User and Entity Behaviour Analysis

Try saying “I love you” 10 times every day to your spouse!

All antennas will go up!

All defence mechanisms will be strengthened.

AI/Machine Learning to the rescue.

Behaviour profiling (Baseline)

Watch for anomalies

Correlate with threats

Reduce false positives
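The four bullets above, as an added example (not from the slides): a per-user baseline built from past events, a score for each new event by how far it departs from that baseline, a bump when the source network is on a threat feed, and a travel allow-list to keep false positives down. Users, networks, volumes and the feed entry are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev


def network_of(ip):
    return ip.rsplit(".", 1)[0]  # /24 bucket, coarse but enough for a toy profile


def build_baseline(history):
    """Per-user profile: hours seen, source networks seen, usual egress volume."""
    prof = defaultdict(lambda: {"hours": set(), "nets": set(), "bytes": []})
    for e in history:
        p = prof[e["user"]]
        p["hours"].add(e["hour"])
        p["nets"].add(network_of(e["src_ip"]))
        p["bytes"].append(e["bytes_out"])
    return dict(prof)


def score(event, baseline, threat_nets=frozenset(), travel_ok=frozenset()):
    """Returns (score, reasons). 0 means the event matches the user's baseline.
    A deviation adds 1, a large egress spike adds 2, a threat-feed match adds 3."""
    p = baseline.get(event["user"])
    if p is None:
        return 3, ["no baseline for this user"]
    s, reasons = 0, []
    net = network_of(event["src_ip"])
    if event["hour"] not in p["hours"]:
        s += 1; reasons.append("outside usual hours")
    if net not in p["nets"] and event["user"] not in travel_ok:
        s += 1; reasons.append("new source network")  # suppressed for approved travellers
    mu, sd = mean(p["bytes"]), pstdev(p["bytes"]) or 1.0
    z = (event["bytes_out"] - mu) / sd
    if z > 3:
        s += 2; reasons.append(f"egress {z:.0f} sigma above baseline")
    if net in threat_nets:
        s += 3; reasons.append("source network on threat feed")
    return s, reasons


# Constructed history: alice works office hours from 10.0.5.x and sends about 1 MB out.
HISTORY = [{"user": "alice", "hour": h, "src_ip": f"10.0.5.{10 + i}", "bytes_out": b}
           for i, (h, b) in enumerate([(9, 900_000), (11, 1_000_000), (14, 1_100_000),
                                       (16, 1_000_000), (17, 950_000)])]
THREAT_NETS = frozenset({"203.0.113"})  # constructed feed entry (TEST-NET-3 range)

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for ev in [{"user": "alice", "hour": 14, "src_ip": "10.0.5.11", "bytes_out": 1_050_000},
               {"user": "alice", "hour": 3, "src_ip": "203.0.113.9", "bytes_out": 50_000_000}]:
        print(ev["user"], ev["hour"], score(ev, base, THREAT_NETS))
```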

(44)


Analytics (भूतभव्यभवत्प्रभुः)

॥ हरिः ॐ ॥

विश्वं विष्णुर्वषट्कारो भूतभव्यभवत्प्रभुः।

Past (What happened? Why? Reactive): Designed, Batch/Static Data; Reports, Standards, Data Harmonization; Descriptive and Diagnostic.

Present (What is happening?): Organic, Unstructured, Streaming/Real-time Data; Statistical Analysis, Anomalies, Alerts.

Future (What will happen? Pro-active): Predictive: Forecast, Optimize; Make it happen! Prescriptive (most difficult).

AI/Analytics can convert data to knowledge to wisdom.


(45)

What next?

िचतनीया िह िवपदां आदावेव पितिकया

न कूपखननं युतं पदीते विहना गृहे

The effect of disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze with fire.

आचार्यात् पादमादत्ते पादं शिष्यः स्वमेधया ।

सब्रह्मचारिभ्यः पादं पादं कालक्रमेण च ॥

One fourth from the teacher, one fourth from own intelligence, one fourth from classmates, and one fourth only with time.
