6man Working Group T. Macaulay Internet-Draft 2Keys Security Solutions Intended status: Informational D. McMahon Expires: December 1, 2012 Bell Canada E. Doron Radware P. Jungck Cloudshield May 30, 2012 Internet reputation intelligence: Problem Statement draft-macaulay-6man-reputation-intelligence-00 Abstract This draft represent the initial public discussion of the value of proactive, reputation intelligence on the Internet and some of the challenges associated with these services that may be partially addressed through novel use of IPv6 features and functions. This document is intended to outline the concept of Internet reputation intelligence, the benefits it brings to network elements and endpoints. This draft also addresses the challenges associated with legacy security systems based on threat-signatures, and some of the current weaknesses of reputation management systems. Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 1, 2012. Macaulay, et al. Expires December 1, 2012 [Page 1] Internet-Draft Internet reputation intelligence May 2012 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions used in this document . . . . . . . . . . . . . . 3 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Use cases . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6.1. Normative References . . . . . . . . . . . . . . . . . . . 9 6.2. Informative References . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . . . 11 Macaulay, et al. Expires December 1, 2012 [Page 2] Internet-Draft Internet reputation intelligence May 2012 1. Introduction Threats on the public Internet in forms such as malware (malicious software) and phishing have reached new levels of efficiency and effectiveness, where vulnerabilities are routinely discovered and exploited faster than vendors can release patches. Similarly, the time between system penetration (when the attack succeeds), and exploitation (when the asset is utilized in a manner unauthorized by the owner) can be very small. This situation is creating a major burden for risk managers. On the business side, increased vulnerabilities and associated system exploitations lead to increased regulation and legislative sanctions. On the technical side, ever more security tools, products and vendors are required to keep even basic IT services "reasonably" secure, raising overall costs and complexity. Security resources inside organizations are frequently overworked, and are often limited to reactive measures. Enterprises are looking towards a variety of service-providers (carriers, ISPs, managed security service providers - MSSPs) to provide them with proactive capabilities. Some service providers now create and maintain reputation information, and use existing trusted, business relationships with organizations to deliver this intelligence through novel a variety of means; the challenge becomes the effective and efficient delivery of this intelligence. IPv6 may offer some useful abilities to deliver reputational information in-band, in near-real-time, through the use of features such as the flow label or headers extensions. IPv6 headers may be formatted with reputation scores such that network elements or end- points could read the reputations and apply organizational security policy on inbound or outbound packets and flows. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . 3. Background Internet based threats in the form of malware and the agents that control this software (organized crime, spies, hacktivists) have surpassed the abilities of signature-based security systems to remain up to date and provide timely mitigations. Whether they be: on the Macaulay, et al. Expires December 1, 2012 [Page 3] Internet-Draft Internet reputation intelligence May 2012 enterprise perimeter in elements such as firewalls and proxies, in elements such as Intrusion Detection Services (IDS) within the organizational network, at the endpoint points in the form of anti- virus or host-IDS, or as managed services in the form of anti-virus/ spam "in the cloud", a signature-based system needs supplementary support from reputation-based systems. Signature-based security systems all rely upon malware being detected, isolated, dissected, and templated into unique hash- identifiers or regular expression filters, which are then distributed far and wide as information-bases containing hundreds of thousands if not millions of malware "signatures". In order to utilize these signature bases, perimeter, network or end-point security elements must typically assemble data payloads and hash the contents looking for matches with the signature base. Some security systems try to enhance or supplement signature-based approach with heuristic-based analysis, looking for patterns in network traffic or packet contents as indicators of malware or malicious activity. Signature-based systems are highly effective for known malware, but they don't know what they don't know. Meanwhile, heuristic based systems make intelligence guesses, but are subject to desensitizing false- positives. All these systems represent resource-intensive infrastructure and administration. The sensitivity of IP networks continues to grow as a new generation of "smart" devices is enabled with Internet Protocol. These devices include those using both fixed line and wireless networks for remote operation and networking highly dispersed devices. The range of these devices makes this situation new and exceptional in a security context: control devices and sensors represent the interface between the logic world of networks and software applications, and the physical world where affects are kinetic in nature. This diverse collections of IP-based assets is coming to be known as the Internet of Things (IOT). In response to the accelerating threats and elevating consequences associated with incidents, the security vendor community and various non-profit entities have developed products and services integrated with forms of reputation intelligence. This intelligence enables proactive security controls to supplement signature-based and heuristic systems, and better protect logical systems. Reputation intelligence typically consists of IP addresses and domains (associated with IP addresses through DNS), which have been observed engaged in either attack or victim-behaviours such as: inappropriate messaging and traffic volumes, suspicious domain name management, Botnet command-and-control traffic, attempts to send or relay malware and other indicators of either malicious intent or compromise.[REF 2] IP addresses may also end up on a security Macaulay, et al. Expires December 1, 2012 [Page 4] Internet-Draft Internet reputation intelligence May 2012 reputation list if they are identified as compromised through vendor- specific signature-based processes. The proactive element of the reputation intelligence lies in the ability for hosts to be forewarned of the reputation of addresses on the Internet. The overall effect is a new layer of security which can be applied within, on, or beyond the organizational perimeter. For instance, security managers could configure perimeter access control services to escalate authentication based on reputation, or instruct upstream service providers or carriers to not route packets below a certain reputation to organizational gateways. Security reputation intelligence can be derived from a multiple sources. It can come from security vendors or other analytics organizations who trace active malware attack-vectors and publish them to open and closed subscriber-lists. Another reputation source is security or network-management infrastructure within a carrier or service provider network, or vendor security products located on customer premises. In these instances reputation may be learnt through analytics aggregated on ambiguous data from many devices after attacks. At this time, security reputation intelligence from closed and open sources is typically made available to perimeter and end-point products through both standards-based and proprietary queries to on- line information bases. In many cases, this reputation intelligence is distributed over the open Internet and relies on subscriber "pull" requests for batched downloads of large or incremental info-bases, or individual queries on source IPs attempting to connect to a given host. [REF 3] This system of using proactive, security reputation intelligence has many benefits, specifically: 1. provides an additional layer of security based on empirical observations otherwise beyond the visibility of most organizations 2. is proactive in natures, allowing threats to be managed at the network level before the payload is delivered at the application level 3. facilitates the conservation of application-layer security and associated resource (processing, storage, licensing, administration, power) 4. is flexible, and can be applied at different locations in the subscriber infrastructure, from upstream of the perimeter to deep in the internal network 5. is applicable to a variety of different communications elements and end-points, from organizational messaging infrastructure to remote, embedded sensors and controllers Macaulay, et al. Expires December 1, 2012 [Page 5] Internet-Draft Internet reputation intelligence May 2012 Conversely, proactive, reputation intelligence has current challenges. Specifically: 1. the "pull" distribution model is subject to direct attack/denial of service at Internet distribution points 2. is often proprietary to vendor products and not interoperable, requiring independent administration of elements 3. can create network-layer processing overhead on communications elements and endpoints 4. introduces flow latency while reputation queries are sent, received and processed 5. introduces intelligence latency as reputation lists will be inevitably cached and periodically refreshed by subscribers 3.1. Use cases The following are example use-cases for a security controls based upon proactive reputation intelligence systems. Cloud-based (Upstream) Use-case: Traffic to a user (a subscriber) of reputation intelligence is routed through a proxy-type device off premises (in the service-provider "cloud") configured to compare source IPs of flows to the reputation intelligence. The proxy-type device applies a policy established by the subscriber. For instance, according to reputation score, drop the packets, quarantine the packet for more inspection, issue alarms, or pass the packets and associated flows to escalated-authentication systems, or do nothing. Perimeter-based (subscriber-premises) Use-case: Security elements on the subscriber perimeter or within the DMZ such as firewalls, IDS, proxies, DNS, SMTP server and other assets are enabled to compare source IPs of flows to reputation intelligence. The security element applies a policy established by the subscriber according to the reputation score. For instance, drop the packets, quarantine the packet for more inspection, issue alarms, or pass the packets and associated flows to escalated-authentication systems, or do nothing. Internal network (subscriber-premises) Use-case: The objective is to detect outbound communications to sites with a degraded reputation, potentially indicating that the internal device has been compromised. Security elements inside the subscriber enterprise such as zone- firewalls, routers, IDS, proxies, DNS, SMTP servers and other assets are enabled to compare destination IPs of flows to reputation intelligence. For instance, a vulnerable internal device is attempting to download a botnet malware payload from a known malware drop-site domain (IE, malware.example.com); in response, the internal security element may drop the packets, quarantine the packet for more inspection, or issue alarms. Macaulay, et al. Expires December 1, 2012 [Page 6] Internet-Draft Internet reputation intelligence May 2012 End-point Use-case: Subscriber end-points, such as desktops, servers, phones, physical security (door strikes, cameras), automation and control devices, environmental sensors and other elements are enabled with reputation intelligence. These elements compare source or destination IPs of flows to reputation intelligence. The subscriber end-point applies a policy established by the subscriber according to reputation score and possibly differentiated by the type of end- point. Given that end-points may be very simple or low-power devices, using the appropriate intelligence delivery systems may make the policy-enforcement options comparably simple; for instance, drop the packets. Coarse-grade refinement: Organizations which possess independent reputation capabilities may choose to also procure upstream or cloud- based reputation services, which are used as adjuncts. For instance, an organization operating a global network for internal communications supporting thousands of servers and desktops will have access to an internal reputation and intelligence base with unique reputational insights. Such organizations may wish to receive reputation intelligence from a third party to support further processing on the perimeter, the internal network and/or end-points. 4. Security Considerations The creation of a reputation intelligence is complex, and requires the ability to collect large volumes of ambiguous network, sensor and end-point system information. This information must then be normalized, aggregated, weighted and correlated using sophisticated intelligence algorithms. The first task of collecting information is hard, but already accomplished by many carriers, service providers and vendors as part of existing operations. It is the development and application of intelligence algorithms to the large, ambiguous data sets that creates reputation intelligence and adds novel and unique value, and a proactive security potential. Reputation intelligence algorithms are necessarily used by all suppliers of reputation information to create some sort of relative score or degree of positive or negative reputation. Frequently, reputation algorithms are unpublished. As a result, the quality of the intelligence can be difficult to assess and compare. For instance, the following elements could be considered as functions within a reputation algorithm that may influence the accuracy of the intelligence: o A function to account for large Internet portals with many, independent URLs with good reputations, but also some proportion of dangerous (bad reputation) URLs sharing the same IP address Macaulay, et al. Expires December 1, 2012 [Page 7] Internet-Draft Internet reputation intelligence May 2012 o A function to account for the distance in time between the last observed suspicious or illicit behavior and the present o A function to account for the reputations of adjacent IP addresses or domains o A function to account for the original, per-processed source of the intelligence (open source, closed source, domain of control, uncontrolled domain) o A function to account for the volume or velocity of suspicious or illicit behavior (IE. High spam rate or low n' slow data exfiltration) o A function to account for the duration of suspicious or illicit behaviour (IE. Sustained spam or infrequent beaconing) o A function to account for lifetime of domain to source IP associations (IE. Newly minted domain names or previously un- observed/un-assigned addresses o A function to account for the proportion of traffic from this source which is benign versus demonstrably illicit o A function to account of the nature of the suspicious or illicit behavior (automated port scanning versus malware-drop) o other? Even given the assumption that reputation algorithms among suppliers of reputation intelligence are somehow comparable, the issue of common scales effects interoperation and security management. For instance, reputation scores can be expressed in many manners: o As a positive or negative score above or below a benign score or a score for which no reputation information is available o A negative score relative to a completely trusted class of IP o A positive score relative to the least trusted IP addresses o as a quantitative metric o as a qualitative metric Some reputation systems will start with un-processed activity logs under the direct control of the intelligence supplier but also logs submitted from a variety of sources. The degree to which the input sources of intelligence are controlled has a baring on the potential resistance of the intelligence to poisoning (injected with mis- information to ruin good reputations and make bad reputations appear better). For instance, a (presumably open-source) volunteer- maintained form of reputation intelligence may be more prone to poisoning than a carefully authenticated, closed-source of reputation intelligence. Similarly, reputation intelligence derived from sources physically outside the domain of control of the service provider is more susceptible to poisoning than intelligence from sources that control physically and logically control the log and data sources. Finally, under certain circumstances the management or application of Macaulay, et al. Expires December 1, 2012 [Page 8] Internet-Draft Internet reputation intelligence May 2012 reputation intelligence may come with some form of legal or regulatory burden. As a result, the calculation of reputation intelligence may need to be distinct from the delivery of reputation intelligence and yet again from the enforcement, in order to mitigate legal or regulatory risks. 5. Acknowledgements The authors wish to acknowledge the guidance and support of Michael Richardson. 6. References 6.1. Normative References [REF1] Bradner, S., Ed., "The Internet Standards Process - Revision 3", October 1996. 6.2. Informative References [REF2] Macaulay, T., Ed., "Upstream Intelligence: anatomy, architecture, case studies and use-cases.", Information Assurance Newsletter, DOD , Aug to Feburary 2010 to 2011. [REF3] Wikipedia, W., "Reputation Black List (RBLS)", May 2012. Authors' Addresses Tyson Macaulay 2Keys Security Solutions 1550 Laperriere Ave - Suite 202 Ottawa, Ontario Canada Email: tmacaulay@2keys.ca David McMahon Bell Canada 160 Elgin Street - Floor 5 Ottawa, Ontario Canada Email: dave.mcmahon@bell.ca Macaulay, et al. Expires December 1, 2012 [Page 9] Internet-Draft Internet reputation intelligence May 2012 Ehud Doron Radware Email: ehudd@Radware.com Peder Jungck Cloudshield Email: peder@cloudshield.com Macaulay, et al. Expires December 1, 2012 [Page 10] Internet-Draft Internet reputation intelligence May 2012 Full Copyright Statement Copyright (C) The IETF Trust (2012). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Macaulay, et al. Expires December 1, 2012 [Page 11]