IPv6 Security Talk mit Joe Klein
1 like779 views
The document presents Joe Klein's extensive background in cybersecurity and technology, emphasizing the importance of implementing IPv6 standards in procurement to ensure readiness for this complex transition. It discusses cybersecurity challenges, including the defender's dilemma and strategies for enhancing detection and response capabilities against intruders. The paper also highlights past research on IPv6 scanning and the relevance of addressing technical debt in cybersecurity measures.
IPv6 Security Talk mit Joe Klein
- 1. Joe Klein, CISSP Cybersecurity Fellow, IPv6 Forum Consultant, Researcher & Trainer, Longboat, LLC May 2018 Observations from the lab, field & executive suite 1
- 2. About me: Joe Klein <many certs> • Spoken at: DefCon, Black Hat, Torcon, SecTor, Security Days, Hackers on Planet Earth, SANS, IEEE, IoT,… • Roles: Photographer, Electronics Engineer, Robotics Engineer, Entrepreneur, CEO, CTO, CSO, ISP, Security Architect, Developer, Pentester, Incident Handler, Professor, Policy Writer, Auditor, Assure, Firewall/Network Engineer, Integrator, Data Scientist, ML experimenter, Threat Intel, Computer Scientist, Hacker • Timeline: • 70’s: Electronics, Radios, Gamer, Magic, Mainframe & Micro Computers, First ‘Hack’ • 80’s: BBS’s, Game Hacker, Robots, Unix/c/FORTH/Basic/ COBOL/LISP/c++, DEC, SNA Networks, Internet connected, CyberForensics, Routers/Switches • 90’s: ISP, IPv6, Penetrations Testing, Network Defender, Web Developer, Teaching Internet/Web Dev, IETF • 2000’s: CSO, Linux, Audits, Assessments, Car/IOT/ Building Controls, SCADA Hacking, Teaching Cybersecurity + SANS, Patents, International Speaking • 2010’s: DARPA, Policies, Startup, Honeypots, Deception Networks, IPv6 Fellow, GoLang, IEEE, Sprint Triathlon Recent Focus: Attacked Forced Time Scoped D&D 2
- 3. How to Prepare To Implement IPv6! It’s Complex… 3
- 4. Observation 1 - Establish your IPv6 Standard for all Procurement! • Why? • Establish a baseline of technology standards, during technology refresh • Ensure you are ready to move to IPv6, without big purchases! • How? 1. Can the Product vender support IPv6? “Eating their own dog Food!” • Internet Facing Services (Dual Stack) https://ip6.nl/# • IPv6 only clients behind 6xlt & NAT64/DNS64 https://nat64check.ipv6- lab.net/v6score 4
- 5. Observation 1 - Establish your IPv6 standard for all Procurement! • How? 1. The Supplier's Declaration of Conformity (SDOC) • Product suppliers declare product capabilities to buyers, as advertised • Buyer is responsible for providing specifications • Seller is responsible to fix, if it does not meet specifications • https://www-x.antd.nist.gov/usgv6/sdoc.html 5
- 6. IPv6 Standards Touch Every Protocol! 6
- 7. What does IPv6 compliant mean to me? IPv6 Standard 86 (RFC 8200) First Order Dependencies Current IPv6 Standard Changes to Path MTU References from Newer standards (12) Updates to older standards (29) 7
- 8. IPv6 Standard 86 (RFC 8200) First & Second Order Path MTU Dependencies • October 1989 - Updated - Requirements for Internet Hosts -- Communication Layers • November 1990 - Path MTU Discovery • November 1996 - Path MTU Discovery for IP version 6 - Obsoleted by 8201 July 2017 • November 1997 - Key words for use in RFCs to Indicate Requirement Levels • September 2000 - TCP Problems with Path MTU Discovery • March 2006 - Datagram Congestion Control Protocol (DCCP) • March 2006 - Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification - Obsoletes RFC 2463 • March 2007 - Packetization Layer Path MTU Discovery • September 2007- Neighbor Discovery for IP version 6 (IPv6)- Obsoletes 2461 • May 2007- Neighbor Discovery for IP version 6 (IPv6)- Obsoletes 2461 • September 2007 - Stream Control Transmission Protocol- Obsoletes 2960. 3309 • December 2007 - Deprecation of Type 0 Routing Headers in IPv6 - Obsoletes 2960 • July 2012 - TCP Options and Maximum Segment Size (MSS) • March 2015- Network File System (NFS) Version 4 Protocol- Obsoletes 3530 • May 2016- RFC Streams, Headers, and Boilerplates - Obsoletes 5741 • March 2017 - UDP Usage Guideline - Obsoletes 5405 • March 2017 - Path MTU Discovery for IP version 6 - Obsoletes 1981 IPv6 Standard July 2017 Updates to older standards (17))8
- 9. IPv6 will not solve cybersecurity problems, right? 9
- 10. Fundamental of Cyber Security & Privacy ❖ “Remote-access, multi-user resource- sharing computer system” ❖ Attackers Exploit ❖ Systems ❖ Hardware|Software|Data ❖ Networks ❖ People ❖ Users ❖ Operators ❖ Systems Programmers ❖ Maintenance Man (Person) April 1967 Reference: https://www.rand.org/pubs/authors/w/ware_willis_h.html 10
- 11. First Cybersecurity Threats Diagram Willis H. Ware, RAND Corporation April 1967 Reference: https://www.rand.org/pubs/authors/w/ware_willis_h.html 11
- 12. SO why is this happening? Technical Supply-Chain Debt — The real problem! Technical Debt Powerpoint 12
- 13. What Does Winning Defender Look Like? 13
- 14. Defender's Dilemma “The intruder only needs to exploit one of the victims in order to compromise the enterprise.” Intruder's Dilemma “The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.” Reference: https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html 14
- 15. The Intruder Game Tactic - Technical goal of the intruder Technique - How intruder achieves the goal The Intruder Chooses Time and Goal, Not You! The Defender Choose Confidence level of the Detection! 15
- 16. How do I Remove the Noise to Find the Attackers and increase confidence levels? Reduce False Positives and Negatives! 16
- 17. Defenders Game: ATT&CK: Deconstructs the Lifecycle Freely available, curated knowledge based on observed adversary behavior Higher fidelity on right-of-exploit, post-access phases Describes behavior and not adversary tools Built for the “Public Good” Right of the Boom! 17
- 18. MITRE Pre-ATT&CK Adversarial Tactics, Techniques & Common Knowledge • Blacklist IP, Hash Domains are fungible, quickly replaceable • Pre-compromise activities are largely executed outside the enterprise’s field of view • Data Brokers (Free and for pay), • Websites (Partners, Yours, Government), • Search Engines and Bots • Social Network Bots Left-of-the-Boom 18
- 19. MITRE ATT&CK Enterprise Perimeter Defense • Items in yellow are the only attributes detectable by tuned perimeter security • Items in red, address requirements on hosts and first hop networks. • Conclusion: • Perimeter security has minimal visibility into attackers insider your environment • IT slows the attacker, but this is not measurable • Tuning the security perimeter security to detect and alert on pre & post attack items are critical to catch attackers. 19
- 20. The Defenders Goal • Strong trusted alerts • Behavior tracking • Automated response 20
- 21. More Detail? 21
- 22. Open Source - MITRE Resources • Interactive Attack Navigator: • ATT&CK Enterprise: https://mitre.github.io/attack-navigator/enterprise/ • ATT&CK Mobile: https://mitre.github.io/attack-navigator/mobile/ • Source Code: https://github.com/mitre/attack-navigator • Attacker Groups: https://attack.mitre.org/pre-attack/index.php/Groups • Attacker Group Tactics: https://attack.mitre.org/pre-attack/index.php/Tactics • Unfetter Project - Discover and analyze gaps in your security posture • https://nsacyber.github.io/unfetter/ https://github.com/unfetter-discover/unfetter • Caldera - An automated adversary emulation system (validate alerts) • https://github.com/mitre/caldera 22
- 23. I understand there is no way of scanning the IPv6 Internet, is that true? 23
- 24. History of Scanning Internet-Facing IPv6 Devices • 2^64 or 2^128 - Brute Force - Fails in IPv6! • May 2005, Marc “van Huser” Heuse, Attacking the IPv6 Protocol Suite, THC-IPv6 toolkit (1) • May 2007, Joe Klein, “Scanning and Microsoft Mobile compromise via 6to4 on SPRINT”, Responsible Disclosure Notice to Microsoft, Sprint and US CERT, HOPE 2008 (2) • March 2008, IETF, RFC 5157, “IPv6 Implications for Network Scanning” (3) • May 2012, NMAP for IPv6, version 6 (4) • March 2016, IETF, RFC 7707, “Network Reconnaissance in IPv6 Networks” (5) • December 2018, Joe Klein, “Outbound Initiated Requests for Passive Scanning of IPv6” (6) • December 2018, Joe Klein, “Passive IPv6 Scanning using Certificate Transparency process” (7) 24
- 25. So we are safe? Attackers have not used IPv6 in the past? 25
- 27. Microsoft Phones are not on IPv6 in 2007 27
- 28. Attacks on IPv6 , First DDOS , Botnet C&C 28
- 29. Are their engineering things I can do, to improved detection and reduce operational complexity? 29
- 30. It’s not just 96 more bits 30
- 31. It’s not just 96 more bits 31
- 32. How long have systems been compromise via IPv6? 32
- 34. The opportunity to re-engineer our part of the Global Internet only happens once in a lifetime! Ensure it is operational and security! 34