Cyber Adversary Characterization
Know thy enemy!
Introduction and Background
• Cyber Adversary Characterization workshop in 2002
• Research discussions continued via email
• Briefings to Blackhat and Defcon to introduce concept and obtain feedback
• Future workshops planned for October 2003
• Slides will be on both conference web sites
Why characterize?
• Theoretical: To gain understanding of and an ability to anticipate an adversary in order to build improved threat models.
• Practical: Improved profiling of attackers at the post-attack and forensic levels.
Point Scoring: Rating-the-Hacker
Toby Miller
Point Scoring: Why?
• No “standard” system to help rate the attacker
• No system to help with the threat level
• Help management in the decision making process
Point Scoring: The Categories
• Passive Fingerprinting
• Intelligence
• The Attack
• The Exploit
• Backdoors | Cover up
• Other
Example Score Metric
Linux 3
FreeBSD 4
OpenBSD 6
IRIX 4
Windows 3
Point Scoring: Past, Present, Future
• Originally posted on incidents.org
• Currently on rev 2
• Soon to release rev 3
• www.ratingthehacker.net
Tool Characterizations, Disclosure Patterns and Technique Scoring
Tom Parker – Pentest Limited (UK)
The Hacker Pie
• Representative of characterization metrics which build the final characterization.
• Available elements dependent upon scenario.
• Does not rely solely upon IDS/attack signature data.
The Hacker Pie (continued)
• Pie reliant upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.
• Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.
The Pie Explained (diagram): Metric One, Metric Two, Metric Three and Metric Four, each supported by Key Data, combine into the Characterization.
Point Scoring Systems (Continued)
• Attempt to characterize an adversary based on attack information captured from the wild.
• Attempt to characterize an adversary based upon a “technique classification model”
• Attempt to characterize an adversary based upon a “tool classification model”
Tool classification model
• Availability of application
• Origins of application
• Ease of use
– Requires in-depth knowledge of the vulnerability to execute?
– Other mitigating factors
Example Exploit Classification
Web App Flaw                                                                              Public  Private
Proprietary Application Penetration Via SQL Injection                                        3       4
Open Source Application Penetration Via SQL Injection                                        3       4
Proprietary Application Penetration Via Arbitrary Script Injection                           2       3
Open Source Application Penetration Via Arbitrary Script Injection                           2       3
Proprietary Application Penetration Via OS command execution using SQL Injection (MS SQL)    3       5
Proprietary Application Penetration Via OS command execution using SQL Injection (other)     4       7
Proprietary Application Penetration Via SQL Injection (MS SQL)                               5       6
Proprietary Application Penetration Via SQL Injection (other)                                4       7
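The following is an added illustration, not code from the presenters, of how the point scores above can be combined into one characterization: it reuses the slide's OS scores and the exploit classification table, treats metrics missing from a capture as unobserved rather than zero (so the result carries a confidence figure), and takes the private score when a tool's disclosure status is unknown (assume the worst until proven wrong, as a later slide puts it). The skill bands, the attribute names (source_os, app_kind, technique, tool_public) and the reading of the OS table as the attacker's passively fingerprinted OS are assumptions.

```python
"""Added illustration (not the slides' own tooling): a point-scoring
characterization that combines the Example Score Metric (points per
operating system) with the Example Exploit Classification (public vs.
private tool scores). Bands and the handling of unobserved data are
assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Example Score Metric from the slide. The slide does not say whose OS is
# scored; here it is treated as the attacker's passively fingerprinted OS.
OS_SCORE: Dict[str, int] = {
    "Linux": 3, "FreeBSD": 4, "OpenBSD": 6, "IRIX": 4, "Windows": 3,
}

# Example Exploit Classification from the slide: (public, private) scores,
# keyed by (application kind, technique).
EXPLOIT_SCORE: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("proprietary", "sql injection"): (3, 4),
    ("open source", "sql injection"): (3, 4),
    ("proprietary", "arbitrary script injection"): (2, 3),
    ("open source", "arbitrary script injection"): (2, 3),
    ("proprietary", "os command execution via sql injection (ms sql)"): (3, 5),
    ("proprietary", "os command execution via sql injection (other)"): (4, 7),
    ("proprietary", "sql injection (ms sql)"): (5, 6),
    ("proprietary", "sql injection (other)"): (4, 7),
}


@dataclass
class Observation:
    """Key data captured from one incident; None means 'not observed'."""
    source_os: Optional[str] = None
    app_kind: Optional[str] = None
    technique: Optional[str] = None
    tool_public: Optional[bool] = None   # None: disclosure status unknown


def skill_band(total: int) -> str:
    """Assumed bands over the combined score (maximum 6 + 7 = 13)."""
    if total <= 5:
        return "low"
    if total <= 9:
        return "medium"
    return "high"


def score_observation(obs: Observation) -> dict:
    """Score one observation metric by metric.

    Unobserved metrics are kept as None instead of being scored as zero,
    so the result carries a confidence figure (fraction of metrics seen).
    When the tool's disclosure status is unknown, the private (higher)
    score is used: assume the worst until proven otherwise.
    """
    metrics: Dict[str, Optional[int]] = {
        "source_os": OS_SCORE.get(obs.source_os),
        "exploit": None,
    }
    entry = EXPLOIT_SCORE.get((obs.app_kind, obs.technique))
    if entry is not None:
        public, private = entry
        metrics["exploit"] = public if obs.tool_public else private
    observed = [v for v in metrics.values() if v is not None]
    total = sum(observed)
    return {
        "metrics": metrics,
        "total": total,
        "confidence": len(observed) / len(metrics),
        "band": skill_band(total),
    }


if __name__ == "__main__":
    # Constructed incident: SQL injection against a proprietary application
    # with a tool of unknown origin, from a host fingerprinted as OpenBSD.
    print(score_observation(Observation("OpenBSD", "proprietary",
                                        "sql injection (other)")))
```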
Disclosure Food Chain Characterization
• All tools have a story
• Often years before dissemination into public domain.
• Social demeanour often key to placing in the disclosure chain.
• “Pyramid” metric.
The Disclosure “Food Chain” (diagram; node labels in the order extracted from the slide):
Exploit Development
Vendor Coordination
Public Disclosure
Exploit Reverse Engineered / Vulnerability Research
Honey Pot Capture
Exploit Usage In Wild
Exploit Trading
Vendor Patch Released
Public Disclosure
Vendor Coordination
Public Disclosure
Vendor Fix Released
Further Research
Disclosure to Security Company
Information shared further throughout grey hat communities
Information shared with fellow researchers (Exploit Development)
Vulnerability Discovery
2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment
Dr. Eric D. Shaw
Consulting & Clinical Psychology
Offender Profiling
• Roots in law enforcement & intelligence community (criminal event or incident analysis): intensive review of past offenders
• Insider Computer Crimes, 1998-present
– 50 cases
– 10 in-depth case studies from companies or gov’t. contractors
• Products
– Typology of actors: motivation, psychological characteristics, actions
– Critical pathway: process of interactions w/ environment (personal and professional) leading to attack
– At-risk characteristics
– Organizational vulnerabilities & insights into prevention, deterrence, detection, management
Offender Profiling Headlines
• The Termination Problem
• Actor subtypes—the Proprietor & Hacker
• The Tracking Problem
• Organizational Vulnerabilities
• Detection Issues
• Intervention Challenges
• Hacker Overview
Attacks: The Termination Problem
• Simple termination of Disgruntled Insider is not the answer—80% attack after termination (4 hours-2 months)
• 70% attack from remote locations vs. inside—termination did not impact access
• Attack types:
– DoS to disrupt business
– Destruction & corruption of data
– Theft of Proprietary data
– Time bombs
– Extortion
– Attack on reputations
Attackers
• Hackers—40%: affiliated with and active in hacking community, brings hacking practices to worksite
• Proprietors—40%: defend system as belonging to them, resist efforts to dilute control
• Avengers—20%: attack impulsively in response to perceived injustice
Prevention: Screening & Selection
The Tracking Problem
• Screening & Selection problems in 60% of cases—no or delayed background checks, nepotism, failure to detect risk factors
• 30% had prior felony convictions
• 30% had high-profile hacker activity
Organizational Issues
• 80% of cases occur during periods of high organizational stress or change at the highest to supervisory levels
• Lack of policies contributed to disgruntlement or facilitated attack in 60% of cases
• Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases
Detection Problems
• 80% of attackers used operational security to protect attack planning or identity
• Time disgruntled to attack: 1-48 months with a mean of 11.3 months
• Time active problems (probation) to attack: 0-76 weeks with a mean of 26 weeks
Forget the “big bang” theory of the sudden, unforeseen attack
Intervention Problems
• Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems, negotiate then cut-off, terminate poorly)
• Problems with termination process in 80% of cases (esp. failure to terminate access)
• Multidisciplinary risk assessment prior to termination
Hardcore Hackers: Not Script Kiddies
Name        Age   Tech Capability   Prior Offenses   Acted with Others   Status in Hacker Community
Oquendo     29    High              Yes              Yes                 High
Zezev       30    High              No               Yes                 Unknown
Carpenter   20    High              Yes              No                  Low
Demostenis  23    Low               No               Yes                 Low
Mean age = 25.5; prior offenses 50%; acted with others 75%.
Remote Assessment Using WarmTouch (patent pending)
Why Use WarmTouch Software to Detect Disgruntlement or Psych Change on-line?
• Communication has moved on-line
• Loss of visual & auditory cues on-line
• Failure of other systems to detect violations: technical noise, supervisor & peer reporting
• Protects Privacy
• Provides Objectivity
Person-Situation Interaction: Detect Psychological “Leakage” (diagram; elements: Vulnerable CITI, Personal Stressors, Professional Stressors, Mounting Stress and Frustration, Minor Infraction, Moderate Infraction, Major Act)
“Software” Components
• Psychological Profiling Algorithms
– Emphasis on measuring emotional state: Anger, Anxiety, Depression
– Changes in emotional state from baseline
• Psychological characteristics: decision-making and personal relations
– Loner/team player
– Plans/reacts
– Rigid/flexible
– Sensitivity to environment
• Alert Phrases: key words
– Threats
– Victimization
– Employment Problems
• Communication Characteristics
– To, From, Time, Length, etc.
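As an added example (not WarmTouch, whose own algorithms are not described on these slides), the toy profiler below counts the marker categories named here and in the charts later in the deck (Me/We/I, negatives, retractors, explainers, feelings, evaluators, adverbial intensifiers, alert phrases) per 100 words and reports which categories shift from a baseline message, the "changes from baseline" idea of this slide. Every word list, the alert phrases and the shift threshold are assumptions; the two sample messages are the April and July emails quoted on later slides of this deck.

```python
"""Added example (not WarmTouch): a toy psycholinguistic profiler that counts
the marker categories named on the slides per 100 words, matches alert
phrases, and reports which categories move away from a baseline message.
All word lists, alert phrases and the shift threshold are assumptions."""
import re
from typing import Dict, List

# Assumed marker lexicon. The slides name the categories, not the words.
LEXICON: Dict[str, set] = {
    "me": {"me"},
    "we": {"we", "us", "our"},
    "i": {"i", "i'm", "i've", "i'll"},
    "negatives": {"no", "not", "never", "nothing", "none"},  # plus -n't forms
    "retractors": {"but", "however", "although", "unless", "though"},
    "explainers": {"because", "since", "therefore"},
    "feelings": {"honored", "trust", "thanks", "glad", "angry", "upset"},
    "evaluators+": {"expert", "quick", "productive", "cost-effective", "best"},
    "evaluators-": {"zero", "garbage", "flaky", "screws", "worst"},
    "intensifiers": {"always", "very", "really", "permanently", "entirely"},
}
# Assumed alert phrases for the three key-word groups on the slide.
ALERT_PHRASES: Dict[str, List[str]] = {
    "threats": ["you will regret", "you'll pay for"],
    "victimization": ["unfair", "singled out", "blamed for"],
    "employment problems": ["fire me", "i quit", "relieve me of my duties"],
}
WORD_RE = re.compile(r"[a-z][a-z'\-]*")

# Sample input: the April and July emails quoted on later slides of this
# deck (straight apostrophes substituted for the curly ones).
APRIL_EMAIL = (
    "His experience was ZERO. He does not know ANYTHING about ...our reporting "
    "tools. Until you fire me or I quit, I have to take orders from you... Until "
    "he is a trained expert, I won't give him access... If you order me to give "
    "him root access, then you have to permanently relieve me of my duties on "
    "that machine. I can't be a garbage cleaner if someone screws up... I won't "
    "compromise on that."
)
JULY_EMAIL = (
    "Whether or not you continue me here after next month (consulting, "
    "full-time, or part-time), you can always count on me for quick response to "
    "any questions, concerns, or production problems with the system. As always, "
    "you'll always get the most cost-effective, and productive solution from me."
)

def tokenize(text: str) -> List[str]:
    return WORD_RE.findall(text.lower())

def measure(text: str) -> Dict[str, float]:
    """Marker rate per 100 words for each category, plus the word count."""
    tokens = tokenize(text)
    n = max(len(tokens), 1)
    result: Dict[str, float] = {}
    for cat, words in LEXICON.items():
        count = sum(1 for t in tokens if t in words)
        if cat == "negatives":  # contracted negations: won't, can't, doesn't
            count += sum(1 for t in tokens if t.endswith("n't"))
        result[cat] = round(100.0 * count / n, 1)
    result["words"] = len(tokens)
    return result

def alert_hits(text: str) -> Dict[str, List[str]]:
    """Alert phrases present in the message, grouped by key-word category."""
    low = text.lower()
    return {cat: [p for p in phrases if p in low]
            for cat, phrases in ALERT_PHRASES.items()}

def shifts(baseline: Dict[str, float], current: Dict[str, float],
           threshold: float = 2.0) -> Dict[str, float]:
    """Categories whose rate moved by more than `threshold` per 100 words."""
    return {cat: round(current[cat] - baseline[cat], 1)
            for cat in LEXICON
            if abs(current[cat] - baseline[cat]) > threshold}

if __name__ == "__main__":
    april, july = measure(APRIL_EMAIL), measure(JULY_EMAIL)
    print("April:", april, alert_hits(APRIL_EMAIL))
    print("July:", july, alert_hits(JULY_EMAIL))
    print("Shift April -> July:", shifts(april, july))
```

On these two messages the April email carries the employment-problem phrases, first-person and negative markers, while the July email drops them in favour of positive evaluators and intensifiers; a real deployment would baseline on many messages rather than one.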
WarmTouch “Software” Overview
• WarmTouch origins in IC, 1986-present
• Use of WarmTouch with Insider Communications
– Khanna at Bank
– Threat Monitoring
– Sting operations & negotiations
– Suspect identification
– Hanssen
• Other WarmTouch Applications
Case Example: Financial Proprietor
• Well paid systems administrator
• Personality Traits: Proprietor
– Entitlement
– Manipulative
– Devaluing of others
– Padded OT
• Context: Supervisor Change
Email from Boss
• Asked to train back-up
• “You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution not to you…”
Email 1: April
• (Asked to train his back-up, subject refuses) “His experience was ZERO. He does not know ANYTHING about ...our reporting tools.”
• “Until you fire me or I quit, I have to take orders from you…Until he is a trained expert, I won’t give him access...If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can’t be a garbage cleaner if someone screws up….I won’t compromise on that.”
Email 3: July
• “Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you’ll always get the most cost-effective, and productive solution from me.”
Email 4: July
• “I would be honored to work until last week of August.”
• “As John may have told you, there are a lot of things which at times get “flaky” with the system front-end and back-end. Two week extension won’t be enough time for me to look into everything for such a critical and complex system.”
• “Thanks for all your trust in me.”
The Event
• On last day of work, subject disables the computer network’s two fileservers.
• Company executives implore subject to help them fix the problems, but he refuses.
• Independent consulting firm hired to investigate problems, discovers sabotage.
• Timing: deception to cover plotting.
WarmTouch Challenge
• Detect deterioration in relationship with supervisor
• Detect Deception
The April Email Profile
July Email Profile
Detecting Deception
Covert vs. Overt Hostility in Email Prior to Attack (chart; x-axis: Three Months Prior, Two Months Prior, Two Weeks Prior, Attack; series: Overt Hostility, Covert Hostility)
Zezev vs. Bloomberg: Managing his Psychological State
• Task: to lure him to London for the bust
– must manage his anger and anxiety at delays and manipulations
– satisfy his dependency—need for $ & job
• WarmTouch help:
– Objectively highlight and help manage psychological states
– Objectively measure success
Support to Sting Ops/Negotiations: Levels of Anger in Zezev’s emails to Bloomberg (chart; y-axis: Indicators of Anger (+), 0 to 400; x-axis: emails 1 to 20; series: Evaluators -, Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me, We, I)
Zezev’s Use of “Me”: passive/dependent mode (chart; y-axis: Me, 0 to 3.5; x-axis: emails 1 to 19)
Zezev’s Use of Retractors: Anxiety (chart; y-axis: Retractors, 0 to 5; x-axis: emails 1 to 20)
Robert Hanssen
• 8 Communications with Soviet Handlers
• Between October 1985 & November 2000
• Challenge for Software:
– Detect signs of emotional stress associated with spying, disgruntlement and “affair” as documented in public records
Hanssen: Anger over Time
Hanssen: Changes over Time (chart; Psycholinguistic Measures of Anger; y-axis: Number of Words, 0 to 20; dates: 10/1/1985, 9/8/1987, 6/8/2000; series: Negatives, Me)
Hanssen: Changes Over Time (chart; Emotional Vulnerability; y-axis: Number of Words, 0 to 50; dates: 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000; series: Adv Intensifiers, Direct Ref, Feelings, I)
Hanssen: Changes over Time (chart; Psycholinguistic Measures: Anxiety; y-axis: Number of Words, 0 to 14; dates: 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000; series: Explainers, Retractors)
Other WarmTouch Applications
• Communications Manager
– Analyze state of relationship
– Assess characteristics of persons in relationship
– Help modify language to improve/modify relationship
– Track success/changes over time
• Media Monitoring
– Attitude of Egyptian press toward U.S.
– Attitude of customers toward product or service
Internet Threat Actors
Marcus H. Sachs, Director, Internet Storm Center
The SANS Institute, http://isc.sans.org
The Cyber Threat to the United States
• US national information networks have become more vulnerable—and therefore more attractive as a target
• Growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive or proprietary computer systems
• The complexity of computer networks is growing faster than the ability to understand and protect them
• The prospects for a cascade of failures across US infrastructures are largely unknown
Cyber Threats to the Critical Infrastructure
• Hacker/Script Kiddies/Hobbyist
• Disgruntled Employee
• Insider aiding others
• Hacktivist
• Industrial Espionage
• Foreign Espionage
• Terrorist
• State Sponsored Attack
The Threat is Increasing (chart; Potential Damage, Low to High, against Probability of occurrence, Low to High; actors plotted: Hacker, Criminal, Espionage, Terrorist, State Sponsored; years 2003, 2004, 2005; Source: 1997 DSB Summer Study)
Why are we so Vulnerable?
• Internet was not built to be secure
• “Secure” (i.e., obscure) software being replaced by commercial products in infrastructures
• Software development focused on “Slick, Stable, Simple” (not “Secure”)
• System administrators lack training
• Leaders rarely see computer security as part of the “bottom line”
• User awareness is low
Why The Feds are Concerned About Hackers
• The real threat to the Critical Infrastructure is not the hacker, but the structured state-sponsored organization
• However...
– Sometimes it’s hard to tell the difference - both use the same tools
– Growing sophistication and availability of tools increases concern
– Must assume the worst until proven wrong
• So...
– The government takes seriously all unauthorized activity
– They will use all technical and law enforcement tools to respond ... and deter
– They will seek legal prosecution where appropriate
New Homeland Security Strategies
http://www.whitehouse.gov/homeland/
National Strategy to Secure Cyberspace
• Nation fully dependent on cyberspace
• Range of threats: script kiddies to nation states
• Fix vulnerabilities, don’t orient on threats
• New vulnerabilities require constant vigilance
• Individual vs. national risk management
• Government alone cannot secure cyberspace
Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program
• Enhance law enforcement’s capabilities for preemption, prevention, and prosecution
• Secure the mechanisms of the Internet including improving protocols and routing
• Foster trusted digital control systems / supervisory control and data acquisition systems
• Reduce and remediate software vulnerabilities
• Improve physical security of cyber and telecommunications systems
Inside the Internet Storm Center (diagram; components: Data Collection, Analysis, Dissemination, DShield Users, DShield.org)
Typical Residential Cable Modem Log (screenshot; annotations: Pop-up ads (Spam), FTP attempts)
Internet Storm Center Web Page
http://isc.sans.org
Port Report
2002 Top 20 List
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host
Top Vulnerabilities to Unix Systems
U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords
www.sans.org/top20