MIT Researchers Answer to Cyber Attacks

August 28, 2008

Cyber attacks are a major problem plaguing IT infrastructure. The famous Titan Rain is the name given to a series of breaches of U.S. government computers that occurred between 2003 and 2005, in which Chinese attackers may have captured sensitive information about military readiness. In response to this chronic cyber threat, MIT researchers have developed a software tool called NetSPA that identifies potential avenues of attack in computer networks.

Features:

1) NetSPA uses information about networks and the individual machines and programs running on them to create a graph that shows how hackers could break the network rules.

2) It analyzes the graph and offers recommendations about how to quickly fix the most important weaknesses.

3) NetSPA relies on vulnerability scanners, such as Nessus, to identify known vulnerabilities in network-accessible programs that might allow an unauthorized person access to a machine.

4) It analyzes complex firewall and router rules to determine which vulnerabilities can actually be reached and exploited by attackers, and how attackers can spread through a network by jumping from one vulnerable host to another.

Approach:

1) Patch the critical host first instead of patching, fixing or blocking a thousand hosts. The software finds the most critical weaknesses by combining information from vulnerability scanners with the firewall rules used to allow and block access and with information about the physical structure of the network.

2) Firewalls may have rules that treat a number of different machines on the same network in the same way. Rather than modeling each of those machines individually, the software uses the same model for all of them, saving significant computing time. The researchers have also developed new types of attack graphs and efficient algorithms to compute these graphs.

3) In examining firewall rules, NetSPA also has the potential to discover unforeseen avenues of attack. For example, a network might have had to share data with an outside vendor several years ago, so the system administrator would have added a rule to allow access from that vendor’s IP address. That long-forgotten permission could be exploited by someone forging that address.
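A toy version of the analysis in the Approach list, added here as an illustration and not NetSPA's own code: it combines scanner findings with firewall reachability, walks host to host to find what an outside attacker could take over, ranks which single patch prevents the most compromises, and groups hosts that the rules treat identically. The host names, vulnerability labels and function names are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data, not from a real network or scanner report.
# Remotely exploitable findings per host, as a vulnerability scanner might list them.
VULNS = {"web": ["vuln-A"], "mail": [], "app": ["vuln-B"],
         "db": ["vuln-C"], "ws1": ["vuln-D"], "ws2": ["vuln-D"]}
# Connections the firewall and router rules allow: source -> reachable hosts.
REACH = {"internet": {"web", "mail"}, "web": {"app"},
         "app": {"db", "ws1", "ws2"}, "ws1": {"db"}, "ws2": {"db"}}

def compromised(start, reach, vulns, patched=frozenset()):
    """Hosts an attacker at `start` can take over by hopping host to host."""
    seen, queue = set(), deque([start])
    while queue:
        src = queue.popleft()
        for dst in reach.get(src, ()):
            # A hop succeeds only if the rules allow it AND the target is exploitable.
            if dst not in seen and dst not in patched and vulns.get(dst):
                seen.add(dst)
                queue.append(dst)
    return seen

def rank_patches(start, reach, vulns):
    """Order hosts by how many compromises patching that single host prevents."""
    baseline = compromised(start, reach, vulns)
    gains = [(len(baseline) - len(compromised(start, reach, vulns, {h})), h)
             for h in baseline]
    return sorted(gains, key=lambda g: (-g[0], g[1]))

def equivalent_hosts(reach, vulns):
    """Group hosts that the rules and the scanner treat identically."""
    groups = defaultdict(list)
    for host in sorted(vulns):
        inbound = frozenset(s for s, dsts in reach.items() if host in dsts)
        outbound = frozenset(reach.get(host, ()))
        groups[(inbound, outbound, tuple(vulns[host]))].append(host)
    return sorted(groups.values())

if __name__ == "__main__":
    print(rank_patches("internet", REACH, VULNS))
    print(equivalent_hosts(REACH, VULNS))
```

In this sample, patching the single internet-facing host removes every downstream compromise, and the two workstations collapse into one model because their inbound rules, outbound rules and findings match.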

Drawbacks:

This insight sounds obvious, but applying it to real systems can be a huge challenge. A network comprising thousands of computers may have dozens of filtering devices such as firewalls and routers, and each device may have 200 or more different filtering rules. The multitudinous combinations of possibilities are far too many to track down by hand, and are even very complex for a computer algorithm to compute. The original version of NetSPA, in fact, could handle networks of only about 17 machines before the modeling complexities made it too slow to be useful.

Future

These guys have received one patent for the first type of attack graph they developed, called a “predictive” graph, and have one patent pending for a much more efficient and recurrent type called a “multiple prerequisite” attack graph. They’re testing NetSPA on different networks and developing ways to make it easier to use. A group of MIT students created a business plan for a proposed company called CyberAnalytix that could commercialize NetSPA (Lippmann and Ingols are technical advisors). This plan won $10,000 in the MIT $100K Entrepreneurship Competition in May.

People Involved:

Richard Lippmann, a senior staff member in Lincoln Laboratory’s Information Systems Technology Group
Kyle Ingols, a computer scientist at MIT
Seth Webster (who is focusing on ways to make the system more automated)
Leevar Williams, MIT graduate student (whose master’s thesis is on visualizing attack graph data)