Mon, 4 Apr 2016

Exposing Cracks in the National Network Shield

cyber iron dome

Why the concept of a giant intrusion prevention system will not work like missile dome defence

In discussing the ways to strengthen Singapore's cyber security defences, one idea that has been floated is that of a National Network Shield analogous to an Iron Dome.

The Iron Dome is an Israeli missile defence system used to intercept and destroy short-range artillery shells and mortars in order to protect civilian areas in their path. In a similar vein, the National Network Shield has been conceptualised as a giant intrusion prevention system (IPS) installed by telcos at Internet gateways to detect and eliminate Distributed Denial-of-Service (DDoS) and other forms of malware. It would be an extension of the clean pipe and other anti-DDoS commercial service offerings, albeit restructured as a much larger national security service offering to the Singapore Government.

There are some merits to incorporating national level cyber security traffic scrubbers in a centralised fashion. They will be able to track some types of known bad traffic and possibly neutralise known malware command and control centres. Freshly discovered indicators of compromise (IOCs) can also be loaded as new signatures to provide a basic level of IPS protection.

However, the concept of a National Network Shield remains flawed on several fronts.

1. Evasion is easy in the virtual world

One noticeable crack in the National Network Shield concept is the fact that intrusion prevention is difficult if we do not know who the intruders are, what they look like, or how they will launch their attack. Unlike missiles, cyber weapons are virtual and attackers will be taking steps to ensure that their weapons are not signature-detectable.

They will also be exploiting security vulnerabilities to launch hitherto unknown or zero day attacks. The Stuxnet attack on an Iranian uranium enrichment plant, which was uncovered in 2010, involved four zero days. Even if the attack vectors are known, attackers have at their disposal advanced evasion techniques (AETs) that combine unknown evasion techniques and other tricks to create literally millions of new packet permutations which will not be recognised by any IPS, big or small.

2. Malware detection is hindered by encryption

Encryption is turning out to be a double-edged sword in the cyber security world. On one hand, security has been enhanced with the proliferation of strong crypto. Today, we are approaching a state of an estimated 50% encrypted network traffic. There is TLS/SSL for popular domains like Google, Microsoft and many e-commerce sites, and almost all cloud systems such as iCloud will soon be strongly encrypted, as will be a growing proportion of mobile apps.

The flip side of this is that with end-to-end encryption, it has become virtually impossible to carry out man-in-the-middle inspection on payloads to find out if they are carrying malware. Even a password-protected Zip file will defeat the inspection capabilities of a cyber Iron Dome, not to mention S/MIME (Secure/Multipurpose Internet Mail Extensions) and Identity-Based Encryption techniques designed to support email privacy protection and prevent emails from being read by Internet Service Providers (ISPs).

3. Borders are inherently porous

Cyber security borders are inherently porous. This fact was driven home during the cyber attacks on Estonia in 2007, when websites of the country's parliament, banks, ministries, newspapers and broadcasters were overwhelmed by DDoS attacks. Any attempt by ISPs to block external traffic was easily circumvented by attackers regrouping to launch new attacks from within the country's borders. The bypass could have cost as little as a postage stamp needed to mail a microSD with advanced malware into the country. Mobile phones could have been used to carry attack software and execute them directly via agents inside the country. It would also have been easy for perpetrators to set up in-country commercial servers or capture internal servers to launch attacks.

4. ISPs will be shackled by legal and technical constraints

Net neutrality - the principle that ISPs and governments should apply the same treatment to all data on the Internet regardless of user, content, site, platform, application or mode of communication - limits the right of ISPs to capture or delay Internet traffic.

Even if they were able to do so, the chances of detecting an advanced persistent threat are slim. It will take considerable malware scanning capabilities to intercept a file download and determine if its payload is malicious, and the success rate in doing this is only about 50%.

The introduction of a sandbox to test code for malware will not resolve this either, as it can be easily bypassed using sandbox evasion techniques. Furthermore, sandbox inspections degrade all downloads, impacting streaming services and on-demand video and causing an overall deterioration in the user experience.

Whatever the technique employed to detect threats, there is also a high possibility of false positives. All executable upgrading, including updates from companies like Microsoft, are now encrypted end-to-end, and their inspection will certainly result in many false positives. This could have legal implications - the ISPs could be held liable if users' workflow and business processes are impeded when good files are blocked.

5. Privacy challenges are formidable

In the past few years, there have been growing concerns over privacy with more and more countries enacting legislation to protect personal data. Against these prevailing sentiments, the concept of a National Network Shield with its centralised IPS is likely to trigger fears of Big Brother and concerns that intercepted data could be abused by the ISPs. Users will respond by turning on encryption to prevent snooping and this, in turn, will block the network monitoring that is necessary for the National Network Shield to provide effective cybersecurity protection.

Any move by ISPs to circumvent this through SSL decoding could lead to all kinds of data privacy and technology issues. For example, attempts to decode encrypted traffic may result in the exposure of legitimate confidential transactions and user credentials. This will be seen as a severe violation of data privacy and goes contrary to Singapore's stance on personal data protection.

From a technical standpoint, techniques such as SSL decoding will require massive computing overheads and introduce inefficiencies that will penalise all transactions on the Internet.

6. Network scrubbing is ineffective against application-level attacks

The clean pipe approach where traffic is examined, scrubbed of known malware and returned clean to the websites may be effective against well-known volumetric DDoS attacks, but it is defenceless against targeted and stealthy application vulnerability attacks as these are executed at a level higher than what the clean pipe can see.

Typically, network scrubbers will not even be effective against an SQL injection from a script kiddie, much less attacks that target protocol vulnerabilities and new application library vulnerabilities or trigger backend compute or memory overload. These will not be caught because they involve the retention and management of much more 'state' information and code that the clean pipe has capacity for.

Certis CISCO Terms of Use Privacy Policy © 2017 Quann
Back to top