Beyond Intrusion Detection
Written by Cheryl Gerber
MIT 2010 Volume: 14 Issue: 11 (December)
Blocking relentless attacks on military networks requires constantly updated, multi-faceted, integrated vigilance.
Although network intrusion detection systems can prevent most of the relentless attempts to attack military networks today, the technology cannot stop every shot. To catch the majority requires constantly updated, multi-faceted, integrated vigilance.
“The truth is that there is no such thing as a 100 percent secure network,” said Jim Granger, director of capabilities and readiness, Navy Cyber Defense Operations Command (NCDOC), Norfolk, Va. “The problem is not knowing where all the networks are that we are supposed to protect, not knowing whether we have sensors on all of them, and not having central management where we can see every node on the network.”
“We can see every sensor, but not every node. We do not have automated visibility into every Navy network, such as the MWR, commercial provider networks and some legacy networks,” Granger said, referring to the morale, welfare and recreation networks used to provide theater and sports tickets as well as Internet café access.
A network node is a redistribution point, a connection point or an endpoint in the network. Sensors are placed in various locations in networks to monitor and analyze incoming and outgoing traffic to detect and prevent intrusion. “Global Network Operations in Norfolk, San Diego and Hawaii can view the entire NMCI [Navy Marine Corps Intranet] for example, but cannot view CANES,” Granger noted.
Consolidated Afloat Network Enterprise Services (CANES) is the network being developed by the Navy for ships at sea. “It’s just the nature of how the networks were built. They were all funded and fielded differently. NMCI and CANES, for example, fall under different commands.”
Sensor Strategy
To achieve network intrusion detection and prevention, NCDOC’s network sensor strategy covers six capabilities within its expansive sensor grid: strategic sensors, which provide overall intrusion prevention; tactical sensors, which target specific threats with deep packet inspection; Web content filtering; log aggregation and analysis (data files); host-based security; and out-of-band management grid, for command and control of all sensors.
Cyber-attacks are growing steadily more sophisticated and easier to produce, as novices can now learn from the Web how to create and launch an attack. The malicious Stuxnet Trojan worm, for example, was designed to infiltrate computer systems surreptitiously by disguising itself as a safe application. It spread from USB thumb drives by exploiting a vulnerability in the Windows operating system. That vulnerability has since been resolved, but the worm demonstrated how new threats increasingly bypass firewalls and intrusion detection systems.
Popular technologies also pose significant threats to the network. “The new concerns are Web 2.0, social networking sites and access to commercial e-mail. There’s no guaranteed security in third-party developers’ applications in Facebook, for example. And unless you’ve got Web content filtering, people can download content with malware that can damage a network,” Granger warned.
To counter the constant cyber-threats to networks, NCDOC developed Prometheus, a fusion of many different products and data elements from myriad sensors in a centralized security monitoring system that detects and prevents network intrusions. Among the many technologies used in Prometheus are Novell’s Security Information and Event Management (SIEM) front-end tool, called Sentinel, and the SAS Intelligence Platform as the data warehouse at the back end. These two products work together to monitor tens of thousands of network events per day.
“Prometheus is a system of systems we use to collect, aggregate, correlate, fuse, analyze, display and visualize information. It’s a dashboard that makes sense of the sensor grid. It takes in all the information from all the sensors to let our operators defend the network,” Granger said.
“Sentinel’s primary job is to collect information in real time from the other products the Navy has deployed, such as intrusion prevention systems [IPS], vulnerability scanners and firewalls, and normalize the data or translate the different data formats into one universally understood format,” said Brian Singer, Novell solution marketing manager, security management. “Once the data is normalized, Sentinel runs correlation rules against the normalized data, looking for anomalies that exist across the different systems.”
There is good reason why comprehensive network security requires so many divergent products working together at once. “The information coming out of one system, such as a firewall log, might not be enough to detect an attack. But when Sentinel pairs it with the information coming out of an IPS, for example, it paints a broader picture that allows the Navy to detect cyber-attacks that would be difficult to detect if the data was in silos,” said Singer. “Once Sentinel collects, normalizes and correlates the data, it moves the data to the SAS back-end data warehouse, where the Navy runs deeper analytics on the normalized data.”
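The normalize-then-correlate pattern Singer describes can be shown in a few dozen lines. The example below is added here and is not Navy, Novell or SAS code: it parses two constructed log formats (a syslog-style firewall line and a CSV-style IPS line; the hostnames, addresses and signature names are invented) into one common schema, sorts them into a single time-ordered stream, and runs a rule that fires only when both sources agree, which is exactly the case where each log on its own would have stayed quiet.

```python
# Added example (not Navy, Novell or SAS code): normalize two constructed log
# formats into one event schema, then run a cross-source correlation rule.
# Log formats, hostnames and addresses below are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: syslog-style firewall lines and CSV-style IPS lines.
FIREWALL_LINES = [
    "2010-12-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=198.51.100.20 dport=445",
    "2010-12-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=198.51.100.21 dport=445",
    "2010-12-01T10:03:00Z fw01 ALLOW src=192.0.2.10 dst=198.51.100.5 dport=80",
]
IPS_LINES = [
    "2010-12-01T10:00:30Z,ips02,203.0.113.7,198.51.100.22,SMB-exploit-attempt,high",
    "2010-12-01T11:30:00Z,ips02,192.0.2.99,198.51.100.5,HTTP-scan,low",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_firewall(line):
    """Firewall line -> common schema (ts, source, sensor, src_ip, dst_ip, action, signature, severity)."""
    m = FW_RE.match(line)
    if m is None:
        raise ValueError("unparsed firewall line: " + line)
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "sensor": m["host"],
            "src_ip": m["src"], "dst_ip": m["dst"], "action": m["action"].lower(),
            "signature": None, "severity": "info"}


def normalize_ips(line):
    """IPS CSV line -> the same common schema."""
    ts, sensor, src, dst, sig, sev = line.strip().split(",")
    return {"ts": parse_ts(ts), "source": "ips", "sensor": sensor,
            "src_ip": src, "dst_ip": dst, "action": "alert",
            "signature": sig, "severity": sev}


def normalize_all(fw_lines, ips_lines):
    events = [normalize_firewall(l) for l in fw_lines] + [normalize_ips(l) for l in ips_lines]
    return sorted(events, key=lambda e: e["ts"])  # one time-ordered stream


def correlate(events, window=timedelta(minutes=5), min_denies=2):
    """Rule: an IPS alert whose source IP the firewall denied at least
    min_denies times in the preceding window becomes one correlated incident.
    Neither the firewall denies nor the IPS alert alone would have triggered it."""
    denies = defaultdict(list)  # src_ip -> timestamps of firewall denies seen so far
    incidents = []
    for ev in events:  # events are time-ordered, so recorded denies precede ev
        if ev["source"] == "firewall" and ev["action"] == "deny":
            denies[ev["src_ip"]].append(ev["ts"])
        elif ev["source"] == "ips":
            recent = [t for t in denies[ev["src_ip"]] if ev["ts"] - t <= window]
            if len(recent) >= min_denies:
                incidents.append({"src_ip": ev["src_ip"], "signature": ev["signature"],
                                  "severity": ev["severity"], "firewall_denies": len(recent),
                                  "first_seen": min(recent), "alert_ts": ev["ts"]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize_all(FIREWALL_LINES, IPS_LINES)):
        print(inc)
```

Running it yields one incident for 203.0.113.7 (two firewall denies followed within five minutes by an IPS alert) and nothing for the low-severity scan from 192.0.2.99, which the firewall never blocked. In a production SIEM the window and threshold would be tuned per rule, and the normalized events would be retained for the deeper back-end analytics the article describes.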
The Navy awarded Hewlett Packard a continuity of services contract in July to transition the IT services provided by NMCI to the Next Generation Enterprise Network (NGEN). HP Enterprise Services leads a team of more than 200 companies currently operating all aspects of NMCI.
The enormous number of attack attempts on the NMCI illustrates the scale of the problem today. “NMCI investigates 78 million intrusion attempts per month and detects an average of 800 new viruses per month,” noted Al Kinney, director, cyber-security capability at HP Enterprise Services.
HP has continuously developed and refined highly scalable and secure, integrated intrusion detection and prevention systems. The company’s TippingPoint IPS detects, alerts and proactively blocks attacks before they reach network systems.
“A number of other HP products support the HP TippingPoint IPS, including the Core Controller, which balances network traffic between several IPS products, offering faster security scanning without hindering network performance,” said Will Gragido, HP product line manager for HP Digital Vaccine Labs, the HP group that writes the continuously updated security filters for IPS.
In addition, HP’s SSL (Secure Sockets Layer) Appliance decrypts SSL traffic to be scanned by the IPS, then re-encrypts the traffic once it has been deemed safe and sends it along to its destination. The security management system (SMS) provides a dashboard to view which network filters are turned on and how they are set.
Cyber C2
Network intrusion detection and prevention remains the Department of Defense’s top priority to assure reliable, safe service. However, the ability to use the NMCI flexibly for situational awareness is spurring current technology development. “The leading technical concerns in the military are disruption of service, the flexibility of content coverage and the ability to customize content when necessary,” said Gragido.
While network intrusion detection and prevention remains a top Department of Defense network priority, flexibility and the ability to customize content are also emerging as requirements. As a result, HP is building technology that balances the two. “HP is developing a Cyber-Security Command and Control product that will address situational awareness, but it’s not out yet,” said Kinney.
Kinney described the HP product under development. “C2 ties events to relevant mission activities,” he said. “It filters and correlates seemingly unrelated event patterns and identifies disparate cyber-attack signatures, as well as the technical and mission impacts of incidents. C2 applies rule sets for pattern recognition and data correlation. It recommends immediate courses of action to take to respond to an incident and enables predictive analysis to prevent future attacks.”
HP’s TippingPoint Virtual Controller (vController) addresses the problem of virtualization security as the virtualization inherent in cloud computing grows on networks. The vController includes integrated management capabilities that are compatible with VMware and allow network operators to inspect virtual traffic alongside traditional network traffic in the HP TippingPoint IPS. Traffic passing through the vController is also inspected and filtered with the DV Labs service through its connection with the IPS.
The HP vController is part of TippingPoint’s Security Virtualization Framework, which enforces security policies at the enterprise level by grouping virtual machines into so-called trust zones on the network that keep sensitive data isolated in virtual environments. Network and security administrators concurrently maintain visibility into such virtual environments to see how virtual networks are configured and what types of traffic are crossing them.
Everything’s Addressable
Cisco technologies continuously evolve to meet the growing use of networks and the growing challenge of dealing with cybercriminals. “Network cyber-attacks have changed significantly in recent years with the emergence of network dependencies, new types of connected devices and widespread use of Web applications. It seems that everything is becoming network addressable. With every challenge emerges new opportunity for malicious actors to inject themselves,” said Kevin Manwiller, Cisco federal manager, borderless networks.
Manwiller emphasized the growing sophistication of cyber-criminals and the relative ease with which they attempt to invade networks. “While modern organizations wait and assess the use of innovative technologies, cyber-criminals are using technological innovation to their advantage. They exploit the gap between how quickly they can profit from vulnerabilities and the speed with which organizations deploy advanced technologies to counter the threat,” he said. “Cisco breaks down the complex environment surrounding cyber-security into three focus areas: trust, visibility and resilience.”
Cisco Systems offers many network intrusion detection and prevention systems, including the Cisco Secure Access Control System, a policy platform for identity and network access control; Network Admission Control (NAC) appliances; and the IronPort C-series appliances for e-mail and Web security.
The Cisco Secure Access Control System provides central management of access policies for device administration. The NAC appliance evaluates whether machines are compliant with security policies and enforces those policies by blocking, isolating and repairing noncompliant machines. It also audits and reports who is on the network and supports posture assessment for guest users. The IronPort C-series appliances provide a single interface for managing the reporting and auditing of Web and e-mail security systems.
IBM offers an intrusion detection appliance, the Proventia IPS GX116, which continually evaluates network packets looking for any signs of a breach. The appliance is used with the IBM Proventia Network Security Controller for high-end network traffic that moves at 10 gigabits per second.
NCDOC uses McAfee’s network security platform and host-based solution for the DoD-wide program, the Host-Based Security System (HBSS). “The McAfee network security platform comprises devices that sit at the gateways between networks, while the HBSS sits on desktops or servers as the last line of defense protecting the individual systems or servers,” said Tom Conway, director of federal business development for McAfee. “The combination of the two provides bidirectional protection.”
Global threat intelligence (GTI) information is contained in both the McAfee network security platform and the HBSS. “Prometheus collects huge amounts of data. We generate much of it; then Prometheus absorbs it and does advanced analytics and visualization of the data. We assign GTI reputation scores for IP addresses, URLs and executable files to determine historical patterns of bad behavior, much like credit scores,” Conway said.
Although military reliance is growing, DoD remains cautious about the use of wireless in its networks. “The Navy does very little wireless. It has to be approved by a designated approval authority. Generally, we look for wired solutions rather than wireless because of the vulnerabilities of wireless,” Granger said.
To protect against wireless intrusion attempts, Marine Corps officials at Quantico, Va., pioneered a tool called the Secure Configuration Remediation Initiative Wireless Discovery Device/Flying Squirrel, which detects unauthorized wireless networks.
Cyber-Crime Forensics
To address the growth of cyber-crime, Dell Computer is gearing up to launch the mobile version of its Dell Digital Forensics Solution on the fully rugged Latitude XFR laptop running Secure Collector technology.
Based on a product called Spektor from Evidence Talks, a British company specializing in computer forensics, the solution examines PCs, Macs, USB and Firewire devices such as MP3 players, external hard disks and memory cards. It also scans cell phones, laptops and digital cameras. “The software determines the relevance of the data and whether the information it finds could be exploited,” said Joe Trickey, director, public marketing, rugged mobility and Dell digital forensics.
The Dell solution can plug into 900 different types of mobile phones to determine the time and location of calls and the cell phone tower used to transmit the call.
“As soon as the laptop is connected to the suspect digital device, the evidentiary data is immediately write-protected and given an encrypted hash algorithm so nothing can be added or changed. Then it is put into common formats that digital forensics analysts can use,” he said.
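What Trickey describes, recording a cryptographic hash of the evidence at collection time so that later additions or changes are detectable, is the core of an evidence integrity record. The example below is added here and is not Dell or Evidence Talks code: it hashes a constructed byte string standing in for an acquired image, writes a custody record (case, device, time, size, SHA-256), and authenticates the record with an HMAC under a constructed examiner key so that a change to either the data or the record itself fails verification. The key, case identifier and device name are assumptions for illustration.

```python
# Added example (not Dell or Evidence Talks code): integrity record for acquired
# evidence. SHA-256 of the acquired bytes is recorded at collection time, the
# record is authenticated with a keyed HMAC, and later verification detects any
# change to the data or to the record. Key and sample data are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: bytes acquired from a device (stands in for a disk or phone image)
SAMPLE_IMAGE = b"constructed sample image bytes 0123456789" * 64
# Assumption: a per-examiner secret held off the collection device; not a real key
EXAMINER_KEY = b"constructed-examiner-key-not-for-production"


def hash_evidence(data, chunk=4096):
    """SHA-256 over the data, fed in chunks as one would for a large image file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def make_record(data, case_id, device, key=EXAMINER_KEY, when=None):
    """Custody record: what, when and the hash; the HMAC binds all fields together
    so the record cannot be edited to match altered data without the key."""
    rec = {"case_id": case_id, "device": device,
           "acquired": (when or datetime.now(timezone.utc)).isoformat(),
           "sha256": hash_evidence(data), "size": len(data)}
    body = json.dumps(rec, sort_keys=True).encode()
    rec["hmac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return rec


def verify_record(data, rec, key=EXAMINER_KEY):
    """Return (record_authentic, data_matches) for a record and the data it describes."""
    fields = {k: v for k, v in rec.items() if k != "hmac"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    record_ok = hmac.compare_digest(expected, rec["hmac"])   # constant-time compare
    data_ok = hmac.compare_digest(hash_evidence(data), rec["sha256"])
    return record_ok, data_ok


if __name__ == "__main__":
    rec = make_record(SAMPLE_IMAGE, "CASE-EXAMPLE-001", "usb-0")
    print(json.dumps(rec, indent=2))
    print("intact:", verify_record(SAMPLE_IMAGE, rec))
    print("data altered:", verify_record(SAMPLE_IMAGE + b"\x00", rec))
```

The two booleans separate the two failure modes an analyst cares about: data that no longer matches the recorded hash, and a record that has been edited (or was produced under a different key). Write-protecting the source device at acquisition, as the article notes, is a separate hardware or driver control that this software record complements rather than replaces.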
The mobile version of the Dell Digital Forensics Solution provides a single user interface to a forensic software suite that includes onsite as well as remote analysis and review. The forensics solution provides centralized management of the evidence with data leakage protection, back-up recovery and archiving and disaster recovery capabilities.
The software was customized to speed up triage, which is on-the-spot, real-time assessment and prioritization of useable data. “It ingests, stores, analyzes, archives and searches information relevant to the situation, while quickly disregarding irrelevant data,” Trickey said. “It is not necessary to have a forensics analyst in the field. Through secure communication, the information can be transmitted back to an analyst in a secure location.
“Dell’s work with Evidence Talks resulted from a need to move out of the crime lab directly to the scene of the crime,” said Trickey. “The software includes full audit trails once you have copied the information.”
The Diva or the Data?
A Lady Gaga CD is one of the last things one would expect to cause what many consider the worst network intrusion and insider threat this year. But that’s what investigators say happened when a 22-year-old intelligence analyst, Bradley Manning, allegedly copied documents from a classified system while pretending to play the pop diva’s music in a disc drive.
The security breach could have been prevented, some analysts say, if the organization had been using the File Sanitization Tool (FiST) from Tresys Technology, which filters, disinfects and does deep content inspection of removable media such as USB drives, CDs, DVDs and files in mission-critical environments. FiST also stores whatever malicious hidden content it might find for future forensic analysis.
“If the guards at the desk had checked the CD through FiST first, the technology would have caught the breach. Since FiST checks the nature of content, it would have revealed that the Lady Gaga CD was really blank,” said Bob Stalick, Tresys managing director of products.
For comprehensive data leakage protection, Tresys integrated FiST with ITT’s PuriFile content inspection application this fall. “PuriFile was designed to detect information not caught in the process of reliable human review,” said John Ivory, director of ITT innovation and commercialization.
FiST identifies malicious code, viruses, Trojans, rootkits (which intentionally obscure a system compromise), malformed software and steganography (Greek for “concealed writing”). Unlike cryptography, which scrambles a message, steganography is the science of hiding a message so subtly that it does not appear to be an encrypted message at all. One example would be adjusting the color of every 50th pixel in an image to correspond to a letter in the alphabet.
FiST removes the code in question, rendering the media safe for use and preventing it from infecting DoD systems. FiST and PuriFile support many file types, including various Microsoft formats and NX PowerLite, a compression tool, as well as IronKey and MXI devices, which provide hardware-based, government-approved encryption. “PuriFile verifies that FiST really did clean everything out. It’s the final seal of approval,” Stalick said.
“FiST is designed to pass only known good content, as opposed to scanning only known bad content, which is what virus scanners do. Most of the changes we made to the latest version, FiST 4.0, were the result of field testing in theater,” said Stalick.
“FiST was designed to deal with removable media as a mechanism for introducing subversive code into networks,” Stalick said. FiST makes use of core Assured File Transfer (AFT) technology, a cross domain solution used to allow authorized users at a higher security classification domain to share files such as Microsoft Office, XML, .pdf and imagery file formats securely with a lower security classification domain and the reverse. AFT provides the ability for domains of differing security classifications to clean files before sending them to one another by enforcing and authenticating file transfer security policies through the use of anomaly detection, pattern analysis and event logging, for example.
The Tresys security product is a dedicated system that comprises software and a Dell laptop with hardware specifications customized specifically for enhanced security. “FiST is sold as an integrated system to ensure that all of the attributes of the hardware are correctly implemented and the software is securely configured for the hardware,” said Stalick.
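Stalick’s distinction between passing only known-good content and scanning for known-bad content is the key design decision in media sanitization, and it also explains how a content check would have noticed that a music CD held no music. The example below is added here and is not Tresys or ITT code: it admits a file from removable media only if its content is positively identified, the identified type is on an allowlist, the type matches the file’s declared name, and the file passes a full structural parse. The one inspector implemented is for PNG (signature, chunk layout, per-chunk CRC, IHDR first, IEND last, nothing appended after IEND); the allowlist, file names and sample files are constructed for illustration, and the PNG builder exists only to produce test input.

```python
# Added example (not Tresys or ITT code): allowlist-based content inspection for
# files arriving on removable media. Default-deny: a file passes only when it is
# positively identified, on the allowlist, consistent with its name, and fully
# parsed. Policy, names and sample files are constructed for illustration.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED = {"png"}  # constructed policy: only types the inspector can fully parse


def inspect_png(data):
    """Deep structural check of a PNG: every chunk well-formed with a valid CRC,
    IHDR first, IEND last, and no bytes appended after IEND (a common place to
    smuggle an unrelated payload inside an otherwise valid image)."""
    if not data.startswith(PNG_SIG):
        return False, "bad signature"
    pos, first = len(PNG_SIG), True
    while pos < len(data):
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("ascii", "replace")
        end = pos + 12 + length            # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return False, "truncated chunk " + name
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, "crc mismatch in " + name
        if first and ctype != b"IHDR":
            return False, "IHDR not first"
        first = False
        pos = end
        if ctype == b"IEND":
            if pos != len(data):
                return False, "trailing data after IEND"
            return True, "ok"
    return False, "no IEND"


INSPECTORS = {"png": inspect_png}


def identify(data):
    """Identify content by magic bytes, never by the file name."""
    if data.startswith(PNG_SIG):
        return "png"
    if data[:3] == b"ID3" or data[:2] == b"\xff\xfb":
        return "mp3"
    if data[:2] == b"MZ":
        return "exe"
    return "unknown"


def admit(name, data):
    """Known-good policy: return (admitted, reason)."""
    if len(data) == 0:
        return False, "empty file"          # the 'CD was really blank' case
    kind = identify(data)
    if kind not in ALLOWED:
        return False, "type %s not on allowlist" % kind
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext != kind:
        return False, "extension .%s does not match content %s" % (ext, kind)
    return INSPECTORS[kind](data)


def build_png(width=1, height=1, trailing=b""):
    """Constructed sample input: a minimal valid RGB PNG, optionally with bytes
    appended after IEND to exercise the trailing-data check."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\x00\x00\x00" * width   # filter byte 0 + black RGB pixels
    idat = zlib.compress(scanline * height)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailing


if __name__ == "__main__":
    for fname, blob in [("photo.png", build_png()),
                        ("photo.png", build_png(trailing=b"MZextra")),
                        ("track01.wav", b""),
                        ("setup.png", b"MZ\x90\x00")]:
        print(fname, admit(fname, blob))
```

Note what the allowlist model buys here: the renamed executable, the unknown blob and the empty file are all rejected without any signature for them, and an image carrying bytes after IEND fails even though every chunk in it is valid. Extending the approach to the office and PDF formats the article mentions means writing an equally strict parser for each, which is why such tools are sold with a deliberately short list of supported types.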
MXI Security also integrated its technology into Tresys FiST this year. MXI offers military-grade solutions to protect network access from the problem of removable media. The MXI Stealth Processor is a dedicated, portable security processor for USB devices, available in a FIPS 140-2 Level 3 version with AES-256 hardware encryption and multifactor authentication.
In the event of a breach, or for fast intelligence gathering and forensics operations, Harris Corp. recently released a USB thumb drive that locates and extracts targeted data from computers quickly. Called Blackjack, the product was created for use by military, intelligence and law enforcement cyber-security missions. The device boots in a few seconds, then instantly scans and copies data using prioritized search criteria. LED indicators confirm whether the targeted data is present, so that an operator can determine quickly whether the computer of interest is of any value.