This session sounded very interesting, but unfortunately was presented by someone who didn't seem to be very versed in the details. Every question I asked he went to his tablet to search for the answer, and eventually I gave up trying to understand, figuring out that I may as well go to wikipedia myself instead of having him intermediate it for me. I haven't had a chance to do that quite yet, so this is a rather brief summary of the little I understood:
Most cyber defenses today are reactive. But are there proactive measures we can take to improve our defenses against cyber threats?
The traditional cyber defense relies on these four pillars: Prevention, Detection, Reaction, Recovery; but it primarily consists of building a moat around my assets. The problem is that all the elements that are used to build the moat are based on the same underlying platform components: Linux, firewall, etc. Hackers know these components well, including all their weaknesses and vulnerabilities. Furthermore, while the defenses are stationary, the attackers are a moving target - it's hard to anticipate where they might strike from. The way we map our network elements is static - IPs and DNS lookup tables - these present stationary targets. How can you get around this structured defense problem?
A new field of cyber defense is called moving target defense. The idea is to constantly change the environment in some way, to deprive the attacker of the advantage of consistency. Conceptually, this is like frequency hopping in communication: it forces the attackers to spend a lot more time and resources to find a pattern they can attack.
Four areas of research were discussed:
- Anti Return Oriented Programming (Anti-ROP), researched by IBM (Haifa, so an Israeli Idea. also, a similar solution is provided commercially by an Israeli company called Morphisec): One common attack form hackers use exploits the fact that code libraries used in attacked computers are frequently publicly available and can be studied. Attackers can use this knowledge to use the code out of order, by jumping around in the memory to areas they know in advance will contain certain commands they want to be able to use. What Anti-ROP does is to mix up and randomize the order of the code in memory, so an attacker won't know where to find what they are looking for. A nice little video explaining how this works can be found here.
- Network attribute randomization, researched by Sandia labs: As mentioned above, one of the weaknesses of a static network is that if attackers are able to gain even limited access to it, they can observe it over time and map its structure, looking for weak points. Network attribute randomization constantly changes the network attributes, such that it's very hard to map it, and even if mapped the map very quickly becomes obsolete. This makes attacks much harder, as you can't pinpoint the weak elements. The paper Sandia labs published can be found here.
- Self adaptive system: this was presented more as a concept than a concrete solution. A self adaptive system is a system that uses some form of AI to constantly evaluate its own behavior to see if it is accomplishing its goals, and if not, change itself to adapt. This general concept can be applied to cyber security, but no details were given as to how.
- Host Identity Protocol: This one I understood the least, but generally speaking, today a client accessing a server looks up the server name in a DNS server and gets the server IP. Once it has the IP, it can easily find the server again. Host identity protocol is an enhancement to internet protocol that adds host identity as an additional layer, which intermediates between namespace and IP. That is to say, the DNS returns the host ID, which is encrypted, and the client makes the call to the host ID instead of to the IP. This separates the transport layer from the internet layer. To be honest I'm not sure I understand how this helps, but you can read more about it here and here. If you figure it out, let me know. By the way, this is a proposal only, it's not implemented anywhere.
So that's that. Certainly an interesting topic, but unfortunately not well delivered.
No comments:
Post a Comment