Wednesday, April 1, 2015

Research Spotlight: Project FTR


Intro


Historically, networks have always been at risk for new, undiscovered threats. The risk of state sponsored hackers or criminal organizations utilizing 0-day was a constant, and the best defense was simply to keep adding on technologies to maximize the odds of detecting the new threat - like adding more locks to the door if you will. Here at Cisco Talos we’re constantly pushing the envelope. Recently after some thinking juice we started brainstorming ways to better address the constant threat of attacker utilizing unknown 0-day. Today, we’re happy to inform our customer base about our new inspection technology code name project Faster Than Realtime, or FTR. Project FTR is the next generation of detection technology, that which will truly revolutionize the industry.

Project FTR


To mitigate the ever-growing threat of new and unknown attacks we simply decided to add a few options to our existing inspection infrastructure. Snort's new Quantum Pre-Detection (QPD) leverages Predictive Attack Detection (PAD) by putting packets into an Ethereally-Buffered Capture (EBC) file.  Snort then reads the .ebc via PAD so that QPD can tell you that you are under attack before you're even under attack.


Example


alert ip any any -> any any (msg:"FASTER-THAN-REALTIME you are about to be under attack!"; flow:stateless; isdataat:-1; classtype:pre-attack-detection;)

Real World Results


Here is an example QPD technology addressing exploit kits making use of CVE-2016-0401:

image01


As you can see from the graph above even the low-end devices, which are just capable of running at a depth of -1 or -2 at the most, can be very valuable defensive tools. If you purchase the larger license on the high-end appliances the defensive gains are even more impressive.

Here’s a diagram of that shows the prototype for QPD technology. “Our technology scans your current time line both in the past AND the future at the same time detecting threats before they are created.”

image03



“So when Professor Tsvi Piran of the Hebrew University of Jerusalem tested the arrival times of photons from a gamma-ray burst (GRB) seven billion light-years away, he didn't know what he would find. According to one attempt to reconcile the success of general relativity and quantum theory on very different scales, spacetime has a “foamy” structure rather than being continuous. The hypothesized bubbles are billions of times too small to observe (of the order 10-35m), but it has been suggested that they would affect the transmission of light in a much more subtle version of what occurs in glass or water.”

QPD-based technology uses chaos theory mathematics to determine the malicious intent of future foamy data structures based on likelihood function and discrete probability distribution of malicious intent of future 0-days yet to be written. In much the way that the bubbles in the above study on timespace affect the transmission of light, the predictive nature of Cisco’s QPD-based technology analyzes future malicious intent and creates coverages based on the changes to data transmission that the forthcoming 0-day produce. 

Open Source


Giving back to and collaborating with the open source community is always important. Talos has put together some preliminary documentation on the Quantum Pre-Detection feature within Snort. Please note that this documentation is subject to change as it is still in the process of being finalized. The code behind this advance is about to enter the final Q&A phase. We look forward to releasing it to the public.
ftr-pig

Conclusion


When we initially started pursuing project FTR there were some minor technological hurdles. As the work progressed we were able to address these issues and find a way to apply the technology to better protect Cisco customers. As anyone can see, Project FTR has resulted in a technological game changer. QPD-based detection may have already revolutionized the industry as we know it. That said, as the defenders evolve so will the attackers. While QPD-based technology will give the defenders a lead it is still important to apply defenses in depth and advanced threat protection in order to maximize detection.

10 comments:

  1. ;) and all it detects is browser plugins.

    ReplyDelete
  2. You wouldn't believe it, but the detection really kicks into overdrive when network throughput reaches 88GB/s.

    ReplyDelete
  3. Christopher MarshallApril 1, 2015 at 3:46 AM

    What the hell is a GB?

    ReplyDelete
  4. ...the math checks out.

    ReplyDelete
  5. Please tell me again tomorrow. It is April Fools day today.

    ReplyDelete
  6. Somehow snort devs weren't aware... :)

    ReplyDelete

Post a Comment