Upgrade to Pro — share decks privately, control downloads, hide ads and more …

About an Immune System Understanding for Cloud-native Applications . Biology Inspired Thoughts to Immunize the Cloud Forensic Trail

Nane Kratzke
February 19, 2018

About an Immune System Understanding for Cloud-native Applications . Biology Inspired Thoughts to Immunize the Cloud Forensic Trail

Presentation for 9th International Conference on Cloud Computing, GRIDS, and Virtualization (CLOUD COMPUTING 2018) in Barcelona, Spain, 2018.

There is no such thing as an impenetrable system, although the penetration of systems does get harder from year to year. The median days that intruders remained undetected on victim systems dropped from 416 days in 2010 down to 99 in 2016. Perhaps because of that, a new trend in security breaches is to compromise the forensic trail to allow the intruder to remain undetected for longer in victim systems and to retain valuable footholds for as long as possible. This paper proposes an immune system inspired solution which uses a more frequent regeneration of cloud application nodes to ensure that undetected compromised nodes can be purged. This makes it much harder for intruders to maintain a presence on victim systems. Basically the biological concept of cell-regeneration is combined with the information systems concept of append-only logs. Evaluation experiments performed on popular cloud service infrastructures (Amazon Web Services, Google Compute Engine, Azure and OpenStack) have shown that between 6 and 40 nodes of elastic container platforms can be regenerated per hour. Even a large cluster of 400 nodes could be regenerated in somewhere between 9 and 66 hours. So, regeneration shows the potential to reduce the foothold of undetected intruders from months to just hours.

Nane Kratzke

February 19, 2018
Tweet

More Decks by Nane Kratzke

Other Decks in Technology

Transcript

  1. About an Immune System Understanding
    for Cloud-native Applications
    Biology Inspired Thoughts to Immunize the Cloud
    Forensic Trail
    Nane Kratzke
    9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018); Barcelona, Spain, 2018
    Some observations from
    a cloud user (a non-
    security-expert)

    View full-size slide

  2. The next 20 minutes are about ...
    • Some scary considerations on zero-day
    exploits
    • Cyber attack life cycle model
    • What can be learned about cloud applications
    after more than 10 years of cloud computing
    • The idea to (permanently) jangle attackers
    nerves
    • Some evaluation results
    • Conclusions and open issues
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    2
    Paper URL
    Presentation URL
    Speaker Deck

    View full-size slide

  3. Some scary considerations for introduction
    • In principle attackers can establish footholds in our
    systems whenever they want (zero-day exploits)
    • Cloud application security engineering efforts focus to
    harden the fortress walls.
    • Cloud applications rely on their defensive walls but
    seldom attack intruders actively.
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    3

    View full-size slide

  4. We need a reactive component as well
    Biological systems are
    different.
    Defensive “walls” can be
    breached at several layers.
    An additional active defense
    system is needed to attack
    potential successful intruders -
    an immune system.
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    4

    View full-size slide

  5. How long can presence be maintained?
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    5
    Answer:
    Surprisingly long!

    View full-size slide

  6. One basic idea
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    6
    Play god, break this
    loop at arbitrary times
    at your will!

    View full-size slide

  7. We need some guidance ...
    ClouNS – Cloud-native Application Reference Stack
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    7
    [KP2016] Kratzke, N., & Peinl, R. (2016). ClouNS - a Cloud-Native Application Reference Model for Enterprise Architects. In 2016
    IEEE 20th International Enterprise Distributed Object Computing Workshop (EDOCW) (pp. 1–10).
    [QK2018a] Quint, P.-C., & Kratzke, N. (2018). Towards a Lightweight Multi-Cloud DSL for Elastic and Transferable Cloud-native
    Applications. In Proceedings of the 8th Int. Conf. on Cloud Computing and Services Science (CLOSER 2018, Madeira, Portugal).

    View full-size slide

  8. We use this very basic model ...
    Prof. Dr. rer. nat. Nane Kratzke
    Praktische Informatik und betriebliche Informationssysteme
    8
    Operate application on current provider.
    Scale cluster into prospective provider.
    Shutdown nodes on current provider.
    Cluster reschedules lost container.
    Migration finished.
    Quint, P.-C., & Kratzke, N. (2016). Overcome Vendor Lock-In by
    Integrating Already Available Container Technologies - Towards
    Transferability in Cloud Computing for SMEs. In Proceedings of CLOUD
    COMPUTING 2016 (7th. International Conference on Cloud Computing,
    GRIDS and Virtualization).
    … mainly, to avoid Vendor Lock-In:
    • Make use of elastic container
    platforms to operate elastic
    services being deployable to any
    IaaS cloud infrastructure.
    • Transfer of these services from one
    private or public cloud infrastructure
    to another at runtime.
    Kratzke, N. (2017). Smuggling Multi-Cloud Support into Cloud-native
    Applications using Elastic Container Platforms. In Proceedings of the 7th
    Int. Conf. on Cloud Computing and Services Science (CLOSER
    2017) (pp. 29–42).

    View full-size slide

  9. Most systems rely on their defence walls
    and just wait to be attacked
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    9
    Successfully breached node (lateral movement)

    View full-size slide

  10. Let us make the game more challenging
    for the attacker
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    10
    We can create a race between
    a manual (time-intensive)
    breach and a fully automatic
    (and fast) regeneration.
    Regenerated node (randomly chosen at some point in time)
    Successfully breached node (lateral movement)

    View full-size slide

  11. Sadly, the approach is limited
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    11

    View full-size slide

  12. Regeneration evaluation:
    Runtime to regenerate one node
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    12
    Request a
    replace
    node
    Adjust
    Security
    Groups
    Join
    Replace
    Node
    Adjust
    Security
    Group
    Terminate
    Old Node

    View full-size slide

  13. Runtime to regenerate one node
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    13
    Request a
    node
    Adjust
    Security
    Groups
    Join
    Node
    0
    100
    200
    300
    400
    500
    600
    700
    AWS OpenStack GCE Azure
    Runtimes (median values in seconds)
    Creation Secgroup Joining Termination
    Adjust
    Security
    Group
    Terminate
    Node
    Remember: The median time
    being undetected in 2016 was
    99 DAYS
    1
    minute
    10
    minutes

    View full-size slide

  14. Open issues and limitations
    • Can we reduce regenerations?
    • Can we identify suspect nodes
    automatically?
    • Limited to applications on CAMM Level
    2 and above … (state management)
    • How to handle data-as-code
    dependencies and code injection
    vulnerabilities?
    • What is about exploits/attacks that are
    adaptable to bio-inspired systems?
    • How to protect the regeneration
    mechanism against attackers?
    • Large scale evaluation needed
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    14

    View full-size slide

  15. Conclusion
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    15
    • The presented approach means for attackers that their time being
    „undetected“ drops from months down to minutes.
    • However, biology inspired solutions come with downsides like
    • fever (too many nodes in regeneration at the same time, system
    runs hot)
    • auto-immune disease (healthy nodes are attacked too often)
    • Further research needed how to integrate
    • append-only logging systems
    • suspect node detection
    • avoidance of immune-system downsides like fever and auto-
    immune diseases
    • Several experts remarked independently that the basic idea is so
    „intruiging“, that it should be considered more consequently.

    View full-size slide

  16. Acknowledgement
    • Virus: Pixabay (CC0 Public Domain)
    • Fortress: Pixabay (CC0 Public Domain)
    • Bowman: Pixabay (CC0 Public Domain)
    • Definition: Pixabay (CC0 Public Domain, PDPics)
    • Railway: Pixabay (CC0 Public Domain, Fotoworkshop4You)
    • Air Transport: Pixabay (CC0 Public Domain, WikiImages)
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    16
    Picture Reference
    This research is partly funded by German Federal Ministry of
    Education and Research (13FH021PX4).
    Paper URL
    Presentation URL
    Speaker Deck

    View full-size slide

  17. About
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    17
    Nane Kratzke
    CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke
    Blog: http://www.nkode.io
    Twitter: @NaneKratzke
    GooglePlus: +NaneKratzke
    LinkedIn: https://de.linkedin.com/in/nanekratzke
    GitHub: https://github.com/nkratzke
    ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke
    SlideShare: http://de.slideshare.net/i21aneka

    View full-size slide