Introduction
Research covers a wide range of activities including exploring the
data space for computer security, developing basic models,
implementing models, and exploring the efficacy of implementation on
various data sets and in various environments. In this section you
will find papers, reports, and presentations that cover these topics.
Papers
Windows 7 Auditing: An Introduction
Todd Heberlein
Technical Report
June 14, 2010

Windows 7’s auditing system can provide a rich source of information to detect
and analyze a wide range of threats against computer systems. Unfortunately, few
people know this auditing system exists, much less how to turn it on and configure
it. This paper provides step-by-step instructions to configure a simple audit
policy useful for understanding how data was exfiltrated from the computer.

Beyond the Anomaly: The Quest for the Underlying Cause
Todd Heberlein
Technical Report
Mar 23, 2005

In the paper "Why Anomaly Detection Sucks" we looked at an
alert to an unexpected event (an anomaly) on one of our systems. To
our frustration, we could not identify the underlying cause of the
event, and we were left with many lost hours and a very
uncomfortable feeling that something might be wrong but we could do
nothing about it. This report follows our continuing quest to
identify the underlying cause of the alert. Having exhausted the
leads from the original alert, we set up a system to allow the
apparent attack to continue. This activity led us back to search for
new evidence on the original host, some of it dating back a year and
a half. Eventually we traced down the cause of the alert, and it
was not from any attack.

Why Anomaly Detection Sucks
Todd Heberlein
Technical Report
Feb 8, 2005

The techniques used by intrusion detection systems are often
described as signature-based or anomaly-based. In this overly
simplified view, signature-based techniques detect specific and
known attacks or attacks against known vulnerabilities, and
anomaly-based techniques detect unexpected activity (presumably an
intrusion would be unusual). Anomaly-based detection generally has a
longer history and has had more extensive government-sponsored
funding than signature-based detection. Anomaly-based techniques
also hold the promise of detecting a wider range of misuse than
signature-based techniques, including misuse by insiders that
does not exploit any vulnerabilities and previously unknown attacks
against unknown vulnerabilities. However, despite these apparent
advantages that anomaly-based techniques have over signature-based
techniques, signature-based techniques have enjoyed considerably
more operational success than anomaly-based techniques. This paper
addresses, in part, why this is the case through a real-world
example we had to endure.

Environment Aware: Future Directions
Todd Heberlein
Technical Report
Jan 27, 2005

As originally envisioned, the Environment Aware Security project
would consume detailed information about a network (e.g.,
vulnerabilities and topology) and a (potentially hypothetical)
adversary's capability and produce (1) a set of systems that can
be penetrated by the adversary and (2) a prioritized list of changes
to the network (e.g., patches to specific systems) to maximally
disrupt the adversary's ability to move through the network.
The prioritized list of changes, referred to as Network Tasking
Orders (NTOs), was envisioned as the primary way network and system
administrators would interact with the system. This document
describes the future directions for the ARDA-sponsored Environment
Aware Security project.

Environment Aware Report: A Minimalist Approach To a Complex Problem
Todd Heberlein
Technical Report
Aug 29, 2004

In an ideal world, system and network administrators would keep all
of their systems fully patched all the time. Unfortunately, for a
variety of reasons, few sites have the luxury of such an approach.
Given that administrators cannot apply all possible countermeasures
(e.g., patches), our next best strategy is to identify an ordering
of countermeasures that will provide the optimal level of security
for a given amount of change to the network. This paper presents an
approach, taking advantage of the simple filtering capabilities in
commodity routers, that partially addresses the limitations of the
attack graph strategy. Furthermore, for at least one problem,
dealing with unknown vulnerabilities, the simple strategy presented
in this paper can produce better results than the attack graph
approach.

Automatic Signature Generation Final Report:
Addressing Limitation of Approach for Self-Propagating Attacks
Todd Heberlein
Technical Report
Aug 27, 2004

One of the biggest threats facing the Internet and large
organizations is self-propagating attacks (e.g., worms), and of
special concern are so-called zero-day worms targeting previously
unknown vulnerabilities. The automatic signature generation project
is designed to quickly generate a signature for a previously unknown
attack, and when used in conjunction with intrusion prevention
devices (IPDs) it can provide a rapid countermeasure to a newly
discovered attack. By properly using the filtering capability of
commodity routers, we create a defense-in-depth capability that
allows us to contain and stop a zero-day worm.

A Taxonomy for Comparing Attack-Graph Approaches
Todd Heberlein, Matt Bishop, Ebrima Ceesay,
Melissa Danforth, C.G. Senthilkumar, Tye Stallard
Submitted to ARDA
April 5, 2004

Automated attack-graph tools show how individual vulnerabilities in
a system can be composed to create meta-vulnerabilities, or how
individual sensor alerts can be joined to describe a multi-stage
attack scenario. In recent years many organizations have developed
attack-graph type systems, but because these organizations often do
not clearly define their terms, use terms such as "attack-graph"
consistently, explain their assumptions, or identify their
limitations, comparing the various efforts is difficult at best.
This paper describes our efforts to establish a taxonomic foundation
for comparing and contrasting attack-graph approaches, and we use
the taxonomy to compare several important efforts in the field.

Network Radar: STTR Phase I Final Report
L. Todd Heberlein
Submitted to the Air Force Research Laboratory
June 1997

This is the final report for the Network Radar project, Phase I,
performed by Net Squared, Inc. for the United States Air Force's
Rome Labs under an STTR contract. The Network Radar project
encompasses a broad range of network monitoring technologies which
together provide a comprehensive surveillance capability over an
organization's computer networks. This report provides an overview
of network monitoring, including several challenges that the Network
Radar technology is designed to address. Next, the report summarizes
the research conducted and the technology developed for this
project. Next, documentation for each of the Network Radar tools is
provided. And finally, transcripts of the Network Radar tools are
shown.

Attack Class: Address Spoofing
L. Todd Heberlein, Matt Bishop
National Information Systems Security Conference
October 22, 1996

This paper presents an analysis of a class of attacks we call
address spoofing. Fundamentals of internetwork routing and
communication are presented, followed by a discussion of the address
spoofing class. The attack class is made concrete with a discussion
of a well-known incident. We conclude by dispelling several myths of
purported security solutions, including the security provided by
one-time passwords.

Holding Intruders Accountable on the Internet
Stuart Staniford-Chen, L. Todd Heberlein
1995 IEEE Symposium on Security and Privacy
May 8, 1995

This paper addresses the problem of tracing intruders who obscure
their identity by logging through a chain of multiple machines.
After discussing previous approaches to this problem, we introduce
thumbprints, which are short summaries of the content of a
connection. These can be compared to determine whether two
connections contain the same text and are therefore likely to be
part of the same connection chain. An algorithm to compute good
thumbprints is presented, as well as experimental results of an
implementation running on a local area network.