Project Title: Prototype of APT (Advanced Persistent Threat) on PlanetLab

Brief Description:

We are building a prototype of an Advanced Persistent Threat (APT) attack scenario built on fast flux techniques. The scenario is modelled on the Storm worm attack of 2007, which used fast flux to hide its command infrastructure [3]. We incorporate several context-based detection mechanisms that demonstrate defense against botnets that use the fast flux property.

We are using the PlanetLab testbed to implement this prototype. The objective of the prototype is to provide a proof of concept showing how fast flux could be used by APT attackers to breach the privacy of users and systems. Fast flux makes attackers harder to trace: the real attackers hide behind a layer of compromised hosts, the fast flux service network, that act as proxy redirectors [1][2]. The proxy nodes are bots controlled from mothership nodes. The scheme exploits the flexibility of DNS (short TTLs and frequently changing address records) to keep an ever-changing layer of obfuscation in front of the real attackers. To make our scenarios more realistic, we use rootkits or Trojans that report local private information back to the mothership servers through the fast flux network.

The next phase of this experimental study extends the prototype with defense mechanisms against this type of APT attack. One solution is the use of active bundles to protect the data: an active bundle carries disclosure policies together with the data, which gives an advanced way of protecting personally identifiable information (PII). Another implementation will use DNS-aware defense mechanisms that detect fast flux service networks and generate suitable warning events. These warning events would drive preemptive actions that prevent the fast flux attack, and the APT behind it, from succeeding.
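As an added illustration of the DNS-aware detection described above (example code written for this page, not part of the PlanetLab prototype), the following Python scores a hostname over a short lookup history using indicators the fast flux advisories associate with flux service networks: short TTLs, many distinct A records for one name, answers spread across unrelated networks, and churn of the answer set between successive lookups. The history of lookups is the "context" the study refers to; a single lookup cannot tell a flux network from a content delivery network, since both use short TTLs. The thresholds, the use of a /16 prefix as a stand-in for network diversity, the event format and the sample lookups are all constructed assumptions.

```python
"""Heuristic fast-flux detector over a history of DNS lookups (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List

# Hypothetical thresholds; tune them against the testbed's own traffic.
SHORT_TTL = 300         # A-record TTL at or below five minutes
MANY_ADDRS = 5          # five or more distinct IPs seen for one name
DIVERSE_PREFIXES = 4    # answers spread over four or more /16 prefixes
HIGH_CHURN = 0.5        # half or more of the answer set replaced between lookups
SUSPICIOUS_SCORE = 3    # indicators needed before a warning event is raised


@dataclass
class Lookup:
    """One resolution of a name: the A records in the answer and their TTL."""
    ts: int             # time of the lookup, seconds
    ttl: int            # TTL of the A records, seconds
    addrs: List[str]    # IPv4 addresses in the answer section


@dataclass
class Verdict:
    host: str
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def prefixes(addrs: List[str]) -> set:
    """Coarse network diversity: the distinct /16 blocks the addresses fall in."""
    return {str(ip_network(a + "/16", strict=False)) for a in addrs}


def churn(prev: List[str], curr: List[str]) -> float:
    """Fraction of the current answer set that did not appear in the previous one."""
    if not curr:
        return 0.0
    return len(set(curr) - set(prev)) / len(set(curr))


def analyse(host: str, history: List[Lookup]) -> Verdict:
    """Score one name over its lookup history; each indicator adds one point."""
    v = Verdict(host, 0)
    if not history:
        return v
    ordered = sorted(history, key=lambda l: l.ts)
    all_addrs = [a for l in ordered for a in l.addrs]
    if min(l.ttl for l in ordered) <= SHORT_TTL:
        v.score += 1
        v.reasons.append("short TTL")
    if len(set(all_addrs)) >= MANY_ADDRS:
        v.score += 1
        v.reasons.append("many distinct addresses")
    if len(prefixes(all_addrs)) >= DIVERSE_PREFIXES:
        v.score += 1
        v.reasons.append("addresses spread over many networks")
    # Worst churn between any two consecutive lookups in the window.
    worst = max((churn(p.addrs, c.addrs) for p, c in zip(ordered, ordered[1:])), default=0.0)
    if worst >= HIGH_CHURN:
        v.score += 1
        v.reasons.append(f"answer set churned {worst:.0%} between lookups")
    return v


def warning_events(histories: Dict[str, List[Lookup]]) -> List[dict]:
    """Events a DNS-aware monitor would hand to the situational-awareness layer."""
    events = []
    for host, hist in histories.items():
        v = analyse(host, hist)
        if v.suspicious:
            events.append({"event": "fast_flux_suspected", "host": host,
                           "score": v.score, "reasons": v.reasons,
                           "candidate_proxies": sorted({a for l in hist for a in l.addrs})})
    return events


# Constructed sample: two names observed three times over ten minutes.
SAMPLE = {
    # flux-like: low TTL, new addresses from unrelated networks on every lookup
    "update.flux-example.test": [
        Lookup(0,   180, ["10.1.5.20", "10.77.3.9", "172.16.40.2"]),
        Lookup(300, 180, ["10.77.3.9", "192.168.200.14", "10.200.1.1"]),
        Lookup(600, 180, ["172.31.9.9", "10.1.5.20", "192.168.7.77"]),
    ],
    # CDN-like: low TTL too, but a stable answer set inside one network
    "static.cdn-example.test": [
        Lookup(0,   60, ["10.50.1.10", "10.50.1.11"]),
        Lookup(300, 60, ["10.50.1.11", "10.50.1.10"]),
        Lookup(600, 60, ["10.50.1.10", "10.50.1.11"]),
    ],
}

if __name__ == "__main__":
    for ev in warning_events(SAMPLE):
        print(ev)
```

On the sample, only the flux-like name raises an event (all four indicators fire); the CDN-like name scores one point for its short TTL and stays below the threshold, which is the caveat a deployment has to respect before it acts on a warning. A real monitor would replace the /16 heuristic with ASN lookups and feed the candidate proxy list to the preemptive blocking step.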

Proactive security and early detection of APT attacks are key to making corporate systems more secure. We will use context (history, timing, etc.) to increase the effectiveness of the solutions and of cyber situational awareness.

The major objective of this prototype is to integrate APT, privacy, and cyber situational awareness in one demonstration. This will give a holistic view of how these different security concepts relate to each other in a concrete way.

REFERENCES:

[1] ICANN Security and Stability Advisory Committee (SSAC). SSAC Advisory on Fast Flux Hosting and DNS (SAC 025), 2008. http://www.icann.org/en/committees/security/sac025.pdf

[2] ICANN GNSO Fast Flux Hosting Working Group. Initial Report of the GNSO Fast Flux Hosting Working Group, 2009. http://gnso.icann.org/issues/fast-flux-hosting/fast-flux-initial-report-26jan09.pdf

[3] P. Porras, H. Saïdi and V. Yegneswaran. A Multi-perspective Analysis of the Storm (Peacomm) Worm, 2007. http://www.cyber-ta.org/pubs/StormWorm/