
About an Immune System Understanding for Cloud-native Applications . Biology Inspired Thoughts to Immunize the Cloud Forensic Trail

Nane Kratzke
February 19, 2018


Presentation for 9th International Conference on Cloud Computing, GRIDS, and Virtualization (CLOUD COMPUTING 2018) in Barcelona, Spain, 2018.

There is no such thing as an impenetrable system, although the penetration of systems does get harder from year to year. The median days that intruders remained undetected on victim systems dropped from 416 days in 2010 down to 99 in 2016. Perhaps because of that, a new trend in security breaches is to compromise the forensic trail to allow the intruder to remain undetected for longer in victim systems and to retain valuable footholds for as long as possible. This paper proposes an immune system inspired solution which uses a more frequent regeneration of cloud application nodes to ensure that undetected compromised nodes can be purged. This makes it much harder for intruders to maintain a presence on victim systems. Basically, the biological concept of cell regeneration is combined with the information systems concept of append-only logs. Evaluation experiments performed on popular cloud service infrastructures (Amazon Web Services, Google Compute Engine, Azure and OpenStack) have shown that between 6 and 40 nodes of elastic container platforms can be regenerated per hour. Even a large cluster of 400 nodes could be regenerated in somewhere between 9 and 66 hours. So, regeneration shows the potential to reduce the foothold of undetected intruders from months to just hours.



Transcript

  1. About an Immune System Understanding for Cloud-native Applications
    Biology Inspired Thoughts to Immunize the Cloud Forensic Trail
    Nane Kratzke
    9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018); Barcelona, Spain, 2018
    Some observations from a cloud user (a non-security-expert)


  2. The next 20 minutes are about ...
    • Some scary considerations on zero-day exploits
    • Cyber attack life cycle model
    • What can be learned about cloud applications after more than 10 years of cloud computing
    • The idea to (permanently) jangle attackers' nerves
    • Some evaluation results
    • Conclusions and open issues
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    2


  3. Some scary considerations for introduction
    • In principle, attackers can establish footholds in our systems whenever they want (zero-day exploits).
    • Cloud application security engineering efforts focus on hardening the fortress walls.
    • Cloud applications rely on their defensive walls but seldom attack intruders actively.


  4. We need a reactive component as well
    Biological systems are different.
    Defensive “walls” can be breached at several layers.
    An additional active defense system is needed to attack potentially successful intruders: an immune system.


  5. How long can presence be maintained?
    Answer: Surprisingly long!


  6. One basic idea
    Play god, break this loop at arbitrary times at your will!


  7. We need some guidance ...
    ClouNS – Cloud-native Application Reference Stack
    [KP2016] Kratzke, N., & Peinl, R. (2016). ClouNS - a Cloud-Native Application Reference Model for Enterprise Architects. In 2016 IEEE 20th International Enterprise Distributed Object Computing Workshop (EDOCW) (pp. 1–10).
    [QK2018a] Quint, P.-C., & Kratzke, N. (2018). Towards a Lightweight Multi-Cloud DSL for Elastic and Transferable Cloud-native Applications. In Proceedings of the 8th Int. Conf. on Cloud Computing and Services Science (CLOSER 2018, Madeira, Portugal).


  8. We use this very basic model ...
    Operate application on current provider.
    Scale cluster into prospective provider.
    Shut down nodes on current provider.
    Cluster reschedules lost containers.
    Migration finished.
    … mainly, to avoid vendor lock-in:
    • Make use of elastic container platforms to operate elastic services being deployable to any IaaS cloud infrastructure.
    • Transfer these services from one private or public cloud infrastructure to another at runtime.
    Quint, P.-C., & Kratzke, N. (2016). Overcome Vendor Lock-In by Integrating Already Available Container Technologies - Towards Transferability in Cloud Computing for SMEs. In Proceedings of CLOUD COMPUTING 2016 (7th International Conference on Cloud Computing, GRIDS and Virtualization).
    Kratzke, N. (2017). Smuggling Multi-Cloud Support into Cloud-native Applications using Elastic Container Platforms. In Proceedings of the 7th Int. Conf. on Cloud Computing and Services Science (CLOSER 2017) (pp. 29–42).


  9. Most systems rely on their defence walls and just wait to be attacked
    Legend: successfully breached node (lateral movement)


  10. Let us make the game more challenging for the attacker
    We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration.
    Legend: regenerated node (randomly chosen at some point in time); successfully breached node (lateral movement)
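The race between a manual breach and automatic regeneration can be made concrete with a small model. This is an added example, not code from the deck or the paper; it assumes the intruder holds exactly one node chosen uniformly at random, that regeneration runs at a constant rate, that the regenerated node purges the foothold completely, and it compares two selection policies the slides do not specify: picking the next node uniformly at random (as the legend suggests) versus a fixed oldest-first order.

```python
"""Regeneration race model: added example, not code from the original deck.

Assumptions not stated on the slides: the intruder holds exactly one node,
chosen uniformly at random; regeneration runs at a constant rate and picks
the next node either uniformly at random (with replacement) or in a fixed
oldest-first order; a regenerated node purges the foothold completely.
"""
import random
from statistics import mean


def max_dwell_hours(nodes: int, rate_per_hour: float) -> float:
    """Worst-case foothold lifetime under oldest-first regeneration: every
    node is replaced once per full cluster cycle of nodes / rate hours."""
    return nodes / rate_per_hour


def survival_probability(nodes: int, rate_per_hour: float, hours: float) -> float:
    """Probability that a foothold survives `hours` when every regeneration
    picks a node uniformly at random. Each regeneration misses the
    compromised node with probability (1 - 1/nodes)."""
    regenerations = int(rate_per_hour * hours)
    return (1 - 1 / nodes) ** regenerations


def simulate_mean_dwell(nodes: int, rate_per_hour: float, strategy: str,
                        runs: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of the mean foothold lifetime in hours."""
    rng = random.Random(seed)
    regenerations_until_purge = []
    for _ in range(runs):
        compromised = rng.randrange(nodes)
        if strategy == "oldest-first":
            # Replacement order is fixed; the foothold dies at the position
            # of the compromised node in that order.
            order = list(range(nodes))
            rng.shuffle(order)
            k = order.index(compromised) + 1
        elif strategy == "random":
            # Geometric trial: keep drawing until the compromised node is hit.
            k = 1
            while rng.randrange(nodes) != compromised:
                k += 1
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        regenerations_until_purge.append(k)
    return mean(regenerations_until_purge) / rate_per_hour


if __name__ == "__main__":
    # The two cluster sizes/rates from the abstract: 400 nodes at 40/h and 6/h.
    for nodes, rate in ((400, 40), (400, 6)):
        print(f"{nodes} nodes at {rate}/h: full cycle {max_dwell_hours(nodes, rate):.1f} h, "
              f"P(survive 10 h, random) = {survival_probability(nodes, rate, 10):.2f}, "
              f"mean dwell random = {simulate_mean_dwell(nodes, rate, 'random'):.1f} h, "
              f"oldest-first = {simulate_mean_dwell(nodes, rate, 'oldest-first'):.1f} h")
```

The point a practitioner should take from the numbers: with uniformly random selection the mean dwell equals the full cycle time (400 nodes at 40 per hour gives 10 hours), but roughly e^-1, about 37 %, of footholds still survive a whole cycle and the tail is unbounded; an oldest-first order halves the mean and, more importantly, caps the worst case at one cycle. Either way the figure is hours, against the 99 days the deck quotes for 2016.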


  11. Sadly, the approach is limited


  12. Regeneration evaluation: Runtime to regenerate one node
    Steps, in order:
    • Request a replacement node
    • Adjust security groups
    • Join the replacement node
    • Adjust security group
    • Terminate the old node


  13. Runtime to regenerate one node
    [Chart: "Runtimes (median values in seconds)" per provider (AWS, OpenStack, GCE, Azure), stacked by phase (Creation, Secgroup, Joining, Termination), y-axis 0–700 s with reference marks at 1 minute and 10 minutes. Phase labels: request a node, adjust security groups, join node, adjust security group, terminate node.]
    Remember: the median time being undetected in 2016 was 99 DAYS.
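The five-step loop of slide 12, written out against an in-memory stand-in for a cloud provider. This is an added example, not the deck's own tooling: `FakeProvider` mimics only the four provider calls the procedure needs (create a node, admit it to or expel it from the security group, terminate it) and `Cluster` stands in for an elastic container platform; both are hypothetical. What the code pins down, and the slide only implies, is the ordering constraint: the old node is drained and terminated only after its replacement has joined, so capacity never drops and a failed join leaves the old node untouched.

```python
"""Node regeneration loop from slide 12, as an added example against an
in-memory stand-in for a cloud provider. Not the deck's own tooling.

Hypothetical pieces: `FakeProvider` mimics only the four provider calls the
procedure needs (create node, admit to / expel from the security group,
terminate) and `Cluster` stands in for an elastic container platform. A real
implementation would issue the provider's API calls and the platform's join
and drain commands in the same order.
"""
from dataclasses import dataclass


@dataclass
class Node:
    node_id: str
    admitted: bool = False   # security group lets this node reach the cluster
    joined: bool = False
    terminated: bool = False


class FakeProvider:
    def __init__(self) -> None:
        self._counter = 0
        self.created: list[Node] = []

    def create_node(self) -> Node:
        self._counter += 1
        node = Node(node_id=f"node-{self._counter}")
        self.created.append(node)
        return node

    def admit(self, node: Node) -> None:
        node.admitted = True

    def expel(self, node: Node) -> None:
        node.admitted = False

    def terminate(self, node: Node) -> None:
        # Guard against terminating a node that still carries workload.
        if node.joined:
            raise RuntimeError(f"refusing to terminate {node.node_id}: still a cluster member")
        node.terminated = True


class Cluster:
    def __init__(self) -> None:
        self.members: list[Node] = []

    def join(self, node: Node) -> None:
        if not node.admitted:
            raise RuntimeError(f"{node.node_id} cannot join: not admitted by security group")
        node.joined = True
        self.members.append(node)

    def drain(self, node: Node) -> None:
        # The platform reschedules this node's containers onto the remaining members.
        node.joined = False
        self.members.remove(node)


def regenerate(provider: FakeProvider, cluster: Cluster, old: Node) -> Node:
    """Replace `old` by a fresh node, in the order slide 12 shows. The old
    node leaves only after its replacement is a member, so the cluster never
    shrinks and a failed join leaves the old node untouched."""
    new = provider.create_node()   # request a replacement node
    provider.admit(new)            # adjust security groups: let it in
    cluster.join(new)              # join the replacement node
    cluster.drain(old)             # containers move to surviving members
    provider.expel(old)            # adjust security group: cut the old node off
    provider.terminate(old)        # terminate the old node
    return new


def regenerate_all(provider: FakeProvider, cluster: Cluster) -> list[str]:
    """One full regeneration cycle, oldest member first, one node in flight
    at a time. Returns the ids of the nodes that were purged."""
    purged = []
    size = len(cluster.members)
    for old in list(cluster.members):          # snapshot: the list mutates
        regenerate(provider, cluster, old)
        assert len(cluster.members) == size    # capacity invariant
        purged.append(old.node_id)
    return purged


def bootstrap(provider: FakeProvider, cluster: Cluster, size: int) -> None:
    """Bring up an initial cluster of `size` admitted, joined nodes."""
    for _ in range(size):
        node = provider.create_node()
        provider.admit(node)
        cluster.join(node)


if __name__ == "__main__":
    provider, cluster = FakeProvider(), Cluster()
    bootstrap(provider, cluster, 3)
    print("purged:", regenerate_all(provider, cluster))
    print("members now:", [n.node_id for n in cluster.members])
```

`regenerate_all` keeps exactly one regeneration in flight, which is the crudest possible guard against the "fever" downside the conclusion names; a production loop would bound concurrency at a small fraction of the cluster rather than at one.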


  14. Open issues and limitations
    • Can we reduce regenerations?
    • Can we identify suspect nodes automatically?
    • Limited to applications on CAMM Level 2 and above … (state management)
    • How to handle data-as-code dependencies and code injection vulnerabilities?
    • What about exploits/attacks that are adaptable to bio-inspired systems?
    • How to protect the regeneration mechanism against attackers?
    • Large scale evaluation needed


  15. Conclusion
    • The presented approach means for attackers that their time being "undetected" drops from months down to minutes.
    • However, biology inspired solutions come with downsides like
      • fever (too many nodes in regeneration at the same time, the system runs hot)
      • auto-immune disease (healthy nodes are attacked too often)
    • Further research is needed on how to integrate
      • append-only logging systems
      • suspect node detection
      • avoidance of immune-system downsides like fever and auto-immune diseases
    • Several experts remarked independently that the basic idea is so "intriguing" that it should be pursued more rigorously.
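The abstract names append-only logs as the second ingredient, and the conclusion lists their integration as open work. The following added example (not a design taken from the deck) shows the minimum such a log has to provide for the forensic trail to survive a node compromise: a hash chain in which each record is bound to its predecessor, plus a chain head shipped off the node after every append. It assumes one log per node and an off-node collector holding the latest head; the events are constructed sample data.

```python
"""Tamper-evident append-only log: added example illustrating the second
ingredient named in the abstract, not a design taken from the deck.

Assumptions: each node appends its own records to a hash chain and ships the
current chain head to an off-node collector after every append; the records
below are constructed sample events, not real log data.
"""
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of one entry, bound to its predecessor so that rewriting any
    earlier record changes every later hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + payload).hexdigest()


class AppendOnlyLog:
    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, record: dict) -> str:
        h = entry_hash(self.head(), record)
        self.entries.append((record, h))
        return h   # this value is what gets shipped to the collector


def verify(entries, shipped_head: str) -> int:
    """Return -1 if the chain is intact and ends at the head the collector
    holds; otherwise the index of the first bad entry, or len(entries) if
    the chain is internally consistent but does not reach the shipped head
    (truncated tail, or a chain rewritten and rehashed on the node)."""
    prev = GENESIS
    for i, (record, h) in enumerate(entries):
        if entry_hash(prev, record) != h:
            return i
        prev = h
    return -1 if prev == shipped_head else len(entries)


# Constructed sample events from one node (not real data).
SAMPLE_EVENTS = [
    {"t": "2018-02-19T10:00:01Z", "node": "node-7", "event": "container_start", "image": "web:1.4"},
    {"t": "2018-02-19T10:05:42Z", "node": "node-7", "event": "ssh_login", "user": "ops", "src": "203.0.113.9"},
    {"t": "2018-02-19T10:06:10Z", "node": "node-7", "event": "process_exec", "cmd": "/tmp/.x/agent"},
]


def build_log(events) -> AppendOnlyLog:
    log = AppendOnlyLog()
    for e in events:
        log.append(e)
    return log


def tampered_rewrite(events):
    """Intruder rewrites the login record in place, leaving the hashes alone."""
    log = build_log(events)
    record, h = log.entries[1]
    log.entries[1] = ({**record, "src": "10.0.0.5"}, h)
    return log.entries


def tampered_truncate(events):
    """Intruder drops the last record, the one that reveals the implant."""
    log = build_log(events)
    return log.entries[:-1]


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    head = log.head()   # shipped to the collector
    print("intact:", verify(log.entries, head))
    print("rewritten:", verify(tampered_rewrite(SAMPLE_EVENTS), head))
    print("truncated:", verify(tampered_truncate(SAMPLE_EVENTS), head))
```

The chain alone only catches edits that leave stale hashes behind; an intruder with root on the node can rewrite the records and recompute every hash. What makes the trail tamper-evident is the head held by the collector: after a rewrite or a truncation the chain no longer ends at that head, and the node is flagged. Combined with regeneration, that flag is exactly the "suspect node" signal the conclusion asks for.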


  16. Acknowledgement
    Picture references:
    • Virus: Pixabay (CC0 Public Domain)
    • Fortress: Pixabay (CC0 Public Domain)
    • Bowman: Pixabay (CC0 Public Domain)
    • Definition: Pixabay (CC0 Public Domain, PDPics)
    • Railway: Pixabay (CC0 Public Domain, Fotoworkshop4You)
    • Air Transport: Pixabay (CC0 Public Domain, WikiImages)
    This research is partly funded by the German Federal Ministry of Education and Research (13FH021PX4).


  17. About
    Nane Kratzke
    CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke
    Blog: http://www.nkode.io
    Twitter: @NaneKratzke
    GooglePlus: +NaneKratzke
    LinkedIn: https://de.linkedin.com/in/nanekratzke
    GitHub: https://github.com/nkratzke
    ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke
    SlideShare: http://de.slideshare.net/i21aneka
