Cyber Terrorism - Analysis Parameters


Keren Elazari,
TAU, 17 May 2012

Introduction

Cyber Threat Landscape

Basic Terminology, Why distinguish threats

Cyber Terrorism & Hacktivism

Comparative Analysis Framework

Norms & Thresholds - The future?



10+ years in cyber security, CISSP
June 2012: Teaching Fellow – Security at Singularity University
Speaker at security conferences, including:
• Y2Hack, Y2Hack04 & ILHack09 in Tel Aviv
• Keynote - ITBN 2007 Security Day, Budapest
• Co-Chair IDC Herzelya Cyber Terrorism Workshop
• Keynote NATO International Conference on Cyber Conflict, June 2011
• Technical workshop at NATO CyCon, June 2012



Cyber Crime
Cyber Terrorism
Cyber Warfare
• Cyber Espionage?

Cyber Conflict?
• Cyber Terrorism
• Cyber Warfare

1998, Center for Strategic and International Studies (Washington, D.C.)

[Diagram: Cyber Crime, Cyber Terrorism, Cyber Warfare. Labels: Phishing, Keylogger, Malware, Trojans; DDoS, Website Defacement; APT / attack on Critical Systems]

[Diagram: Cyber Crime (criminal activity in cyber space), Hacktivism, Espionage, Cyber Terrorism, Cyber Warfare. Label: State Sponsored Cyber Terrorism using Cyber crime tools]





April 27th, 2007 - preparations to remove the Bronze Soldier in Tallinn, a World War 2 monument to Russian soldiers.
Russian forums publish tools to carry out DDoS and defacement attacks on government sites: Estonian President, Prime Minister, Parliament.
April 30th - coordinated attack including DDoS; the attacks used botnets from all around the world and shifted at random intervals to make them difficult to defend against.
May 3rd - the botnets began attacking private sites and servers. Banks in Estonia were shut down, as well as major news sites.
May 9th - climax of the attacks, on the Russian anniversary of the end of World War 2.





What is Cyber?
General electronic or computer-related prefix
What is Terror?
“violence deliberately used against civilians in order to achieve political goals”.
What is Cyber Terrorism?
“government agencies responsible for responding to cyber attacks have each created their own definitions.”
• “One man's terrorist is another's freedom fighter”
▪ D. Denning's "Activism, Hacktivism, and Cyberterrorism"
▪ International treaties and conventions
▪ “cyber terrorism” = blowing things up remotely?
▪ “Hacktivism” = virtual graffiti / vandalism?
“cyberterrorism, refers to the convergence of cyberspace and terrorism. It covers politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage. An example would be penetrating an air traffic control system and causing two planes to collide.”
“Cyber terrorism is the
convergence of
cyberspace and
terrorism.
It refers to unlawful
attacks and threats of
attacks against
computers, networks
and the information
stored therein when
done to intimidate or
coerce a government or
its people in
furtherance of political
or social objectives.

Further, to qualify as cyber terrorism, an
attack should result in violence against
persons or property, or at least cause enough
harm to generate fear.”

Cyber terrorism : the use of Internet based
attacks in terrorist activities, including acts
of deliberate, large-scale disruption of
computer networks, especially of personal
computers attached to the Internet, by the
means of tools such as computer viruses.

Hacktivism
“Hacktivism is the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.” promoting expressive politics, free speech, human rights, or information ethics.

Cyber Terrorism
The use of information technology by terrorist groups and individuals to further their agenda. This can include attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, denial-of-service attacks, or terroristic threats made via electronic communication.

Common Asymmetric Advantages
• Little, or no expense
• Little, or no risk to perpetrator
• Few participants = big media impact
• Potential for damage to a nation’s resilience, stability and safety
• Non lethal attacks = less backlash









Network connected critical infrastructures (Brazil?)
Disruption of ISP/CSP operational networks
Civilian/commercial information systems – ELAL, Tel Aviv Stock Exchange
Defacement of government/national web sites
Publishing data from sensitive databases to cause embarrassment, confusion and panic
• “Saudi hacker 0xOmar”
Cyber Terrorism & Global Hacktivism - examples
[Chart: Amounts of Website Defacements in 2008-2009. Totals shown: 517,459.000 and 544,409.000 (Year 2008, Year 2009). Categories: Revenge against that website; Patriotism; Political reasons; Not available; As a challenge; Heh just for fun!; I just want to be the best defacer]





“I am a hacker, enter my world...”
“rushing through the phone line like heroin through an
addict's veins, an electronic pulse is sent out….”
“This is our world now... the world of the electron
and the switch, the beauty of the baud”
Information wants to be free!
Hack the planet!
My crime is that of curiosity…
Most-wanted computer criminal in the United States.
Kevin Mitnick, arrested 1995
• Solar Sunrise 1998 - the Analyzer hacks US DOD


Y2Hack: Captain Crunch & Phreaks (John Draper)




International groups of Hacktivists
Started on 4chan & evolved to global scale
Represents a new & chaotic internet force
Targets: Epileptics, Scientologists, Pedophiles,
PayPal, US GOV, IL GOV, HBGary, the Pope?







WikiLeaks founded 2006 by Julian Assange
published secret and classified media from
anonymous sources, leaks, whistleblowers
2010 : “Cable Gate”, Anonymous –
“Operation PayBack”





Ping Flood, Ping of Death, EvilPing
Winsmurf, QuickFire, Defend
HTTP bomber 1.001b
Mail Bomber
Anonymous favorite – Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#
See Also: JS LOIC, Low Orbit Web Cannon
Cyber Threat Analysis Framework

Know your Enemy - not just technically

Attribution of Attack remains a key problem

Intelligence, Investigation tools and models

Mitigation – just block the IP range?

Investigation

Prosecution – Estonia & NATO for example

Attribution & Retribution - who do we target

Deterrence?
STUXNET
DDoS via Botnet
1. Impact
2. Ideology
3. Technical threshold
4. Participation threshold
5. Operational threshold
6. Visibility

1. Impact on civilians & collateral damage
2. Ideological / Political motivation, e.g.: Jihad, Green Hacktivism, White Supremacist, “LolzSec” etc.
3. Technical threshold: R&D, Complexity
4. Participation threshold: entry price
5. Operational threshold: Recon, Persistency, Evasion
6. Public Aspect: Is Responsibility claimed?




Impact on civilians & collateral damage
Terror according to ICT = ?
Almost all Cyber Attacks harm “innocents”
Unnecessary attack on civilian targets could be considered a war crime when done by a state

Ideological / Political motivation:
• Jihad
• Green Hacktivism
• Neo Nazi / White Supremacist Hacktivism
• Anonymous

Participation threshold: entry price
• Easy as ping 1.2.3.4 –t –w = DDoS participation
• Can be done from anywhere in the world, anytime
Compare with launching an APT or attack of CI:
• Hard: infiltrate & exploit ISP, Military or Civilian Critical Infrastructure
• May need inside access
• Use unique targeting tools (e.g. for SCADA)

Technical threshold: R&D, Complexity
• Use of Zero Day Exploits requires strong R&D base, funding
• For complex attacks (APT), in depth technical knowledge of the target is required

Operational threshold:
• Reconnaissance phases
• Persistency
• Evasion techniques
• Post mortem and lesson learning

Public Aspect: Is Responsibility claimed?








Perpetrated by
Intended Target / Victim
Goal of attack
Consequence scope
“Visibility”
R&D Threshold: Required budget, tools and know how
Goal of attack
Participation in the attack

National security & Cyber Jihad

Cyber Terrorism - Strategic or Tactical?

Cyber crime and cyber terrorism together

State sponsored cyber terrorism




Retribution threshold – what makes an
attack revenge worthy? Who decides?
Is Deterrence in cyberspace even possible?
Cyber threats from Non-state actors – rules
of engagement?
Is a global Treaty, or Norm even possible?

On the national scale:
• Criminal prosecution of attackers - according to the various Computer Fraud and Abuse Acts
• LEA need authority, know how, and tools to collect digital evidence and conduct investigation across country borders
• Nation-wide regulation to protect CIs and CSPs
• Attacked organizations: sector specific regulation, e.g. Energy Sector, Financial sector, mandated reporting to CERT/ISAC
• End users / Victims: increase “Cyber Hygiene”

International Treaties & Norms
• European Convention on Cyber Crime
▪ Legal framework for criminal law standards
▪ Cooperation framework for computer crime investigation
▪ Procedural framework for cross-country seizure & investigation of digital evidence
• (The future) conventions on cyber warfare?

“At least for now, hijacked vehicles, truck
bombs, and biological weapons seem to pose
a greater threat than cyber terrorism.
However, just as the events of September 11
caught us by surprise, so could a major cyber
assault. We cannot afford to shrug off the
threat.”
Prof. Dorothy Denning, November 1, 2001

The definition of Terror itself is contended

The line between Cyber Terrorism and
Hacktivism is blurry, grey and crossed often

Analysis of each attack and incident ?

A new breed of “Cyber analysts” is born



Proceedings of the IDC Herzelya Cyber Terrorism Workshop, November 2010
Dorothy E. Denning, "Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy", Georgetown University, June 8, 2001
Trachtman, Joel P., 2004. ‘Global Cyberterrorism, Jurisdiction, and International Organization’, http://ssrn.com/abstract=566361.