The Response Continuum
Sergio Caltagirone
University of Idaho
Deborah Frincke
Pacific Northwest National Laboratory
Previous Responses…
– Clifford Stoll v. German Hackers (1986)
  C. Stoll, “Stalking the Wily Hacker”, Communications of the ACM, vol. 31, 1998, pp. 484-497.
– DoD v. Electronic Disturbance Theater (1998)
  http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/
– Conxion v. E-Hippies (2000)
  http://www.nwfusion.com/research/2000/0529feat2.html
– FBI v. Russian Hackers (2001), a.k.a. the ‘Invita’ case
  http://www.wired.com/news/politics/0,1283,47650,00.htm
Where Is Everybody?
– Primary focus has been to reduce system vulnerability and/or to detect misuse accurately and rapidly
– Difficult to experiment with extreme or novel forms of response
– Response is folded in as part of detection
– Response == advocacy of vigilantism
– No reason to study response, since detection cannot be done reliably
Where We’re At…
Design Protect Detect Forensics?
Where We Want To Be…
Design Protect Detect Respond Forensics
Goals
Develop a framework to discuss response actions:
– Definition
– Taxonomy
– Summary of Challenges
– Response Process Model
Elements of a Definition
Time-bound
– Subjective
Purposeful
– Not for retribution or revenge, but to return to a previous secure state
Limited
– Threat mitigation, not elimination
Controllable and Deliberate Sequence of Actions
Technologically Independent
A Definition: Active Response
Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set.
“Active” does not modify “response”, but rather describes the state of the attack.
Taxonomy of Responses: 8 Types
– No Action
– Internal Notification
– Internal Response
– External Cooperative Response
– Non-cooperative Intelligence Gathering
– Non-cooperative ‘Cease and Desist’
– Counter-Strike (Direct vs. Passive)
– Preemptive Defense
Challenges of Active Response
Legal
– Civil, Criminal, Domestic, International
Ethical
– Teleological, Deontological
Technical
– Traceback, Reliable IDS, Confidence Value, Real Time
Risk Analysis
– Can ethical and legal risk be measured effectively?
Unintended Consequences
– Attacker Action, Collateral Damage, Own Resources
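As an added illustration (not from the slides or the authors) of how the definition’s elements, the taxonomy ordering and the “confidence value” challenge fit together, the policy below selects a response type only inside the detection-to-finished window, escalates no further than an organizational ceiling, and requires higher IDS confidence for higher-impact types. The thresholds and ceiling default are constructed assumptions, not values from the presentation.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class ResponseType(IntEnum):
    """The eight response types of the taxonomy, ordered by escalation."""
    NO_ACTION = 0
    INTERNAL_NOTIFICATION = 1
    INTERNAL_RESPONSE = 2
    EXTERNAL_COOPERATIVE = 3
    NONCOOP_INTEL_GATHERING = 4
    NONCOOP_CEASE_AND_DESIST = 5
    COUNTER_STRIKE = 6
    PREEMPTIVE_DEFENSE = 7


# Assumed thresholds: minimum IDS confidence (0.0-1.0) before a type may be
# selected. Types without an entry are never selected automatically.
MIN_CONFIDENCE = {
    ResponseType.NO_ACTION: 0.0,
    ResponseType.INTERNAL_NOTIFICATION: 0.3,
    ResponseType.INTERNAL_RESPONSE: 0.6,
    ResponseType.EXTERNAL_COOPERATIVE: 0.8,
}


@dataclass
class ActiveResponsePolicy:
    detected_at: float                      # time the attack was detected
    # Organizational ceiling: mitigation, not retribution (assumed default).
    ceiling: ResponseType = ResponseType.EXTERNAL_COOPERATIVE
    finished_at: Optional[float] = None     # time the attack is judged finished
    log: List[Tuple[float, float, ResponseType]] = field(default_factory=list)

    def mark_finished(self, t: float) -> None:
        """Close the time-bound window; later selections are not 'active'."""
        self.finished_at = t

    def select(self, now: float, confidence: float) -> ResponseType:
        """Strongest type allowed by the window, the ceiling and confidence."""
        if now < self.detected_at or (self.finished_at is not None and now >= self.finished_at):
            return ResponseType.NO_ACTION   # outside the window: nothing to respond to
        chosen = ResponseType.NO_ACTION
        for rtype in ResponseType:
            if rtype > self.ceiling:         # limited: never escalate past the ceiling
                break
            if confidence >= MIN_CONFIDENCE.get(rtype, 1.1):
                chosen = rtype
        self.log.append((now, confidence, chosen))  # deliberate, auditable sequence
        return chosen
```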
Response Process Model
Future Work
– Increased public discussion
– Competitive co-evolution to determine new strategies
– Continue to develop response models
– Increased research in response technologies and approaches
Conclusions
A Need for Response
– More Discussion
– Greater Understanding
Contributions
– A Definition
– Taxonomy
– Summary of Challenges
– Process Model