Cyber Adversary Characterization Know thy enemy! Introduction and Background • Cyber Adversary Characterization workshop in 2002 • Research discussions continued via email • Briefings to.

Cyber Adversary Characterization
Know thy enemy!
Introduction and Background
• Cyber Adversary Characterization
workshop in 2002
• Research discussions continued via email
• Briefings to Blackhat and Defcon to
introduce concept and obtain feedback
• Future workshops planned for October 2003
• Slides will be on both conference web sites
Why characterize?
• Theoretical: to gain an understanding of, and an ability to anticipate, an adversary in order to build improved threat models.
• Practical: improved profiling of attackers at the post-attack and forensic levels.
Point Scoring: Rating-the-Hacker
Toby Miller
[email protected]
Point Scoring: Why?
• No “standard” system to help rate the
attacker
• No system to help with the threat level
• Help management in the decision making
process
Point Scoring: The Categories
• Passive Fingerprinting
• Intelligence
• The Attack
• The Exploit
• Backdoors | Cover up
• Other
Example Score Metric (points per target operating system)
  Linux    3
  FreeBSD  4
  OpenBSD  6
  IRIX     4
  Windows  3
Point Scoring: Past, Present, Future
• Originally posted on incidents.org
• Currently on rev2
• Soon to release rev 3
• www.ratingthehacker.net
Tool characterizations, Disclosure Patterns and Technique scoring.
Tom Parker – Pentest Limited (UK)
The Hacker Pie
• Representative of the characterization metrics which build the final characterization.
• The elements available depend upon the scenario.
• Does not rely solely upon IDS/attack-signature data.
The Hacker Pie (continued)
• The pie relies upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.
• Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.
The Pie Explained (diagram): the Characterization is assembled from Metric One, Metric Two, Metric Three and Metric Four, each derived from one or more Key Data items. The diagram's numeric labels (2, 1, 0, 2) are not explained on the slide.
Point Scoring Systems (Continued)
• Attempt to characterize an adversary based
on attack information captured from the
wild.
• Attempt to characterize adversary based
upon “technique classification model”
• Attempt to characterize adversary based
upon “tool classification model”
Tool classification model
• Availability of application
• Origins of application
• Ease of use
– Requires in-depth knowledge of vulnerability to
execute?
– Other mitigating factors
Example Exploit Classification (table; columns: Web App Flaw | Public | Private. The row-to-score mapping was lost in extraction.)
Rows:
  Proprietary Application Penetration via SQL Injection
  Open Source Application Penetration via SQL Injection
  Proprietary Application Penetration via Arbitrary Script Injection
  Open Source Application Penetration via Arbitrary Script Injection
  Proprietary Application Penetration via OS command execution using SQL Injection (MS SQL)
  Proprietary Application Penetration via OS command execution using SQL Injection (other)
  Proprietary Application Penetration via SQL Injection (MS SQL)
  Proprietary Application Penetration via SQL Injection (other)
Scores as extracted: Public column 3, 3, 2, 2, 3; Private column 4, 4, 3, 3, 5; a further 4, 7 beside the "OS command execution using SQL Injection (other)" row and 5, 4, 6, 7 beside the "SQL Injection (MS SQL)" row.
Disclosure Food Chain Characterization
• All tools have a story
• Often years before dissemination into the public domain.
• Social demeanour is often key to placement in the disclosure chain.
• "Pyramid" metric.
The Disclosure "Food Chain" (diagram; stages as extracted, with the connecting arrows lost)
Exploit Development
Vulnerability Discovery
Information shared with fellow researchers (Exploit Development)
Exploit Trading
Exploit Usage In Wild
Honey Pot Capture
Exploit Reverse Engineered / Vulnerability Research
Vendor Coordination
Public Disclosure
Information shared further throughout grey hat communities
Public Disclosure
Disclosure to Security Company
Vendor Patch Released
Further Research
Vendor Coordination
Public Disclosure
Vendor Fix Released
2 Approaches to Modeling the Cyber Adversary: Offender
Profiling & Remote Assessment
Dr. Eric D. Shaw
Consulting & Clinical Psychology, Ltd.
[email protected]
Offender Profiling
• Roots in law enforcement & intelligence community (criminal event or incident analysis): intensive review of past offenders
• Insider Computer Crimes, 1998-present
  – 50 cases
  – 10 in-depth case studies from companies or gov't. contractors
• Products
  – Typology of actors: motivation, psychological characteristics, actions
  – Critical pathway: process of interactions w/ environment (personal and professional) leading to attack
  – At-risk characteristics
  – Organizational vulnerabilities & insights into prevention, deterrence, detection, management
Offender Profiling Headlines
• The Termination Problem
• Actor subtypes: the Proprietor & Hacker
• The Tracking Problem
• Organizational Vulnerabilities
• Detection Issues
• Intervention Challenges
• Hacker Overview
Attacks: The Termination Problem
• Simple termination of a disgruntled insider is not the answer: 80% attack after termination (4 hours to 2 months)
• 70% attack from remote locations vs. inside: termination did not impact access
• Attack types:
  – DOS to disrupt business
  – Destruction & corruption of data
  – Theft of proprietary data
  – Time bombs
  – Extortion
  – Attack on reputations
Attackers
• Hackers—40%: affiliated with and active in
hacking community, brings hacking
practices to worksite
• Proprietors—40%: defend system as
belonging to them, resist efforts to dilute
control
• Avengers—20%: attack impulsively in
response to perceived injustice
Prevention: Screening &
Selection
The Tracking Problem
• Screening & Selection Problems in 60% of
cases—no or delayed background,
nepotism, failure to detect risk factors
• 30% had prior felony convictions
• 30% had high-profile hacker activity
Organizational Issues
• 80% of cases occur during periods of high
organizational stress or change at the highest to
supervisory levels
• Lack of policies contributed to disgruntlement or
facilitated attack in 60% of cases
• Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases
Detection Problems
• 80% of attackers used operational security
to protect attack planning or identity
• Time disgruntled to attack: 1-48 months
with a mean of 11.3 months
• Time active problems (probation) to attack:
0-76 weeks with a mean of 26 weeks
Forget the “big bang” theory of the sudden,
unforeseen attack
Intervention Problems
• Management intervention initially
exacerbated problems in 80% of cases
(ignore, placate or tolerate problems,
negotiate then cut-off, terminate poorly)
• Problems with termination process in 80%
of cases (esp. failure to terminate access)
• Multidisciplinary risk assessment prior to
termination
Hardcore Hackers: Not Script Kiddies
(Age: mean = 25.5; Prior Offenses: 50%; Acted with Others: 75%)

Name        Age  Tech Capability  Prior Offenses  Acted with Others  Status in Hacker Community
Oquendo     29   High             Yes             Yes                High
Zezev       30   High             No              Yes                Unknown
Carpenter   20   High             Yes             No                 Low
Demostenis  23   Low              No              Yes                Low
Remote Assessment Using WarmTouch
(patent pending)
Why Use WarmTouch Software to Detect Disgruntlement or Psych Change On-line?
• Communication has moved on-line
• Loss of visual & auditory cues on-line
• Failure of other systems to detect violations:
technical noise, supervisor & peer reporting
• Protects Privacy
• Provides Objectivity
Person-Situation Interaction: Detect Psychological "Leakage" (critical-pathway diagram)
Personal Stressors and Professional Stressors act on a Vulnerable CITI; under Mounting Stress and Frustration the path runs Minor Infraction, then Moderate Infraction, then Major Act.
"Software" Components
• Psychological profiling algorithms
  – Emphasis on measuring emotional state
    • Anger
    • Anxiety
    • Depression
  – Changes in emotional state from baseline
• Psychological characteristics: decision-making and personal relations
  – Loner/team player
  – Plans/reacts
  – Rigid/flexible
  – Sensitivity to environment
• Alert phrases (key words)
  – Threats
  – Victimization
  – Employment problems
• Communication characteristics
  – To, From, Time, Length, etc.
WarmTouch "Software" Overview
• WarmTouch origins in IC, 1986-present
• Use of WarmTouch with insider communications
  – Khanna at Bank
  – Threat monitoring
  – Sting operations & negotiations
  – Suspect identification
  – Hanssen
• Other WarmTouch applications
Case Example: Financial Proprietor
• Well-paid systems administrator
• Personality traits (Proprietor)
  – Entitlement
  – Manipulative
  – Devaluing of others
  – Padded OT
• Context: Supervisor Change
Email from Boss
• Asked to train back-up
• “You seem to have developed a personal
attachment to the System Servers. These
servers and the entire system belong to this
institution not to you…”
Email 1: April
• (Asked to train his back-up, subject refuses) “His
experience was ZERO. He does not know
ANYTHING about ...our reporting tools.”
• “Until you fire me or I quit, I have to take orders
from you…Until he is a trained expert, I won’t
give him access...If you order me to give him root
access, then you have to permanently relieve me
of my duties on that machine. I can’t be a garbage
cleaner if someone screws up….I won’t
compromise on that.”
Email 3: July
• "Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you'll always get the most cost-effective, and productive solution from me."
Email 4: July
• “I would be honored to work until last week
of August.”
• “As John may have told you, there are a lot of
things which at times get “flaky” with the
system front-end and back-end. Two week
extension won’t be enough time for me to
look into everything for such a critical and
complex system.”
• “Thanks for all your trust in me.”
The Event
• On last day of work, subject disables the
computer network’s two fileservers.
• Company executives implore subject to help
them fix the problems, but he refuses.
• Independent consulting firm hired to
investigate problems, discovers sabotage.
• Timing: deception to cover plotting.
WarmTouch Challenge
• Detect deterioration in relationship with
supervisor
• Detect Deception
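The measures the "Software" Components slide lists (words per e-mail, negatives, evaluators, alert phrases) and the "Me" and retractor counts charted for Zezev and Hanssen later in the deck can be reproduced with a small baseline-deviation scorer. The Python below is an added example written for this page, not WarmTouch code: its word lists are constructed lexicons, not the proprietary ones; the three baseline messages are constructed; the two scored messages are the April and July e-mail excerpts quoted on the preceding slides.

```python
import re
from statistics import mean, pstdev

# Constructed lexicons (assumptions: the real WarmTouch word lists are not on the
# slides).  Negatives and retractors follow the deck's anger / anxiety categories,
# evaluators are judgement words, alert phrases cover the threat, victimization
# and employment-problem groups.
NEGATIVES = {"no", "not", "never", "won't", "can't", "cannot", "don't", "doesn't", "nothing"}
EVALUATORS = {"zero", "anything", "flaky", "critical", "complex", "expert",
              "garbage", "screws", "honored", "trust"}
RETRACTORS = {"but", "however", "although", "though", "yet", "unless"}
ALERT_PHRASES = ("fire me", "i quit", "relieve me", "take orders", "won't compromise")
MEASURES = ("negatives", "evaluators", "alert_phrases", "me", "retractors")
WORD_RE = re.compile(r"[a-z']+")


def profile(text):
    """Raw counts for one message plus rates per 100 words, so that a long angry
    message and a short one are comparable (the deck charts words/e-mail separately)."""
    t = text.lower()
    words = WORD_RE.findall(t)
    n = max(len(words), 1)
    p = {
        "words": len(words),
        "negatives": sum(w in NEGATIVES for w in words),
        "evaluators": sum(w in EVALUATORS for w in words),
        "alert_phrases": sum(t.count(ph) for ph in ALERT_PHRASES),
        "me": words.count("me"),
        "retractors": sum(w in RETRACTORS for w in words),
    }
    p["rates"] = {m: 100.0 * p[m] / n for m in MEASURES}
    return p


def baseline(messages):
    """Mean and population std-dev of each rate over the subject's routine messages."""
    profs = [profile(m) for m in messages]
    return {m: (mean(p["rates"][m] for p in profs),
                pstdev(p["rates"][m] for p in profs)) for m in MEASURES}


def deviations(text, base, z_threshold=2.0, floor=1.0):
    """Score one message against the baseline.  Returns the profile and, per
    measure, (rate, z, flagged).  `floor` caps how small the spread can be: with a
    few routine messages a measure that is always zero has zero std-dev, and any
    count at all would otherwise give an infinite z."""
    p = profile(text)
    out = {}
    for m in MEASURES:
        mu, sd = base[m]
        z = (p["rates"][m] - mu) / max(sd, floor)
        out[m] = (round(p["rates"][m], 1), round(z, 2), z > z_threshold)
    return p, out


# Constructed routine messages standing in for the subject's normal traffic.
BASELINE_EMAILS = [
    "The nightly backup completed at 02:15. Both file servers report normal load. "
    "I will rotate the logs on Friday and update the ticket.",
    "Patch testing for the reporting tools is scheduled for Tuesday. Please let me "
    "know if the maintenance window conflicts with month-end processing.",
    "Added the new monitoring checks for the back-end database. Thanks for approving "
    "the disk order; the drives arrive next week, but the rack will not be ready "
    "until Monday.",
]
BASE = baseline(BASELINE_EMAILS)

# Excerpts quoted on the April and July slides above.
APRIL_EMAIL = ("His experience was ZERO. He does not know ANYTHING about our reporting "
               "tools. Until you fire me or I quit, I have to take orders from you. Until "
               "he is a trained expert, I won't give him access. If you order me to give "
               "him root access, then you have to permanently relieve me of my duties on "
               "that machine. I can't be a garbage cleaner if someone screws up. I won't "
               "compromise on that.")
JULY_EMAIL = ("Whether or not you continue me here after next month (consulting, full-time, "
              "or part-time), you can always count on me for quick response to any "
              "questions, concerns, or production problems with the system. As always, "
              "you'll always get the most cost-effective, and productive solution from me. "
              "I would be honored to work until last week of August. Thanks for all your "
              "trust in me.")

if __name__ == "__main__":
    for label, msg in (("April", APRIL_EMAIL), ("July", JULY_EMAIL)):
        p, dev = deviations(msg, BASE)
        flagged = [m for m, (_, _, f) in dev.items() if f]
        print(f"{label}: {p['words']} words; flagged: {flagged}")
        for m, (rate, z, _) in dev.items():
            print(f"  {m:<14} {rate:5.1f}/100 words  z={z:+.2f}")
```

Scoring against the subject's own baseline, rather than against a fixed keyword threshold, is what turns this into a change-from-baseline detector: the April message is flagged on negatives, evaluators and alert phrases; the July message loses the negatives and alert phrases entirely, but its rate of "me" rises from 4.0 to 6.0 per 100 words and is flagged, which is the passive/dependent pattern the Zezev "Me" slide charts. The `floor` guard is not cosmetic: with only three routine messages, evaluators and alert phrases have zero spread, and without it a single occurrence would divide by zero.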
The April Email Profile (charts of the 4/10 e-mail versus the mean of the subject's e-mails; values read from the chart data labels)
• # of Negatives on 4/10 versus mean: 17 versus 7
• # of words per email on 4/10 versus mean (chart; values not legible in the extracted text)
• # of Alert Phrases on 4/10 versus mean: 35 versus 18
• # of Evaluators on 4/10 versus mean: 7 versus 2.75
July Email Profile (charts: changes in anger variables from peak disgruntlement to attack planning, 4/11 versus 7/12; values read from the chart data labels)
• # of Negatives: 7 versus 3
• # of Words per e-mail: 312 versus 141
• # of Alert Phrases: 29 versus 8
• # of Evaluators: 4 versus 0
Detecting Deception
Covert Hostility Toward Supervisor: Psychological Distance Score by E-Mail Date (chart; dates of e-mail: 4/10, 4/11, 6/14, 7/12; labelled scores 3.28, 3.5 and 3.4, whose date assignment is not recoverable from the extracted text)
Covert vs. Overt Hostility in Email Prior to Attack (chart: Overt Hostility vs. Covert Hostility)
Zezev vs. Bloomberg: Managing his
Psychological State
• Task: to lure him to London for the bust
– must manage his anger and anxiety at delays
and manipulations
– satisfy his dependency—need for $ & job
• Warmtouch help:
– Objectively highlight and help manage
psychological states
– Objectively measure success
Support to Sting Ops/Negotiations: Levels of Anger in Zezev's emails to Bloomberg (chart over 20 e-mails; series: Evaluators -, Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me, We, I; labelled "Indicators of Anger (+)")
Zezev's Use of "Me": passive/dependent mode (chart of "Me" counts over the same e-mails)
Zezev's Use of Retractors: Anxiety (chart of retractor counts over 20 e-mails)
Robert Hanssen
• 8 Communications with Soviet Handlers
• Between October 1985 & November 2000
• Challenge for Software:
– Detect signs of emotional stress associated with
spying, disgruntlement and “affair” as
documented in public records
Hanssen: Anger over Time. Psycholinguistic Measures of Anger: Words (chart of number of words per communication by date: 10/1/1985, 10/10/1985, 11/8/1985, 9/8/1987, 6/13/1988, 3/14/2000, 6/8/2000, 11/15/2000)
Hanssen: Changes over Time. Psycholinguistic Measures of Anger (chart of Negatives and Me, number of words, from 10/1/1985 to 6/8/2000)
Hanssen: Changes Over Time. Emotional Vulnerability (chart of Adv Intensifiers, Direct Ref, Feelings and I, number of words, at 10/1/1985, 11/8/1985, 6/13/1988 and 6/8/2000)
Hanssen: Changes over Time. Psycholinguistic Measures: Anxiety (chart of Explainers and Retractors, number of words, at 10/1/1985, 11/8/1985, 6/13/1988 and 6/8/2000)
Other WarmTouch Applications
• Communications Manager
  – Analyze state of relationship
  – Assess characteristics of persons in relationship
  – Help modify language to improve/modify relationship
  – Track success/changes over time
• Media Monitoring
  – Attitude of Egyptian press toward U.S.
  – Attitude of customers toward product or service
Internet Threat Actors
Marcus H. Sachs
Director, Internet Storm Center
The SANS Institute
http://isc.sans.org
The Cyber Threat to the
United States
• US national information networks have become more
vulnerable—and therefore more attractive as a target
• Growing connectivity among secure and insecure
networks creates new opportunities for unauthorized
intrusions into sensitive or proprietary computer systems
• The complexity of computer networks is growing faster
than the ability to understand and protect them
• The prospects for a cascade of failures across US
infrastructures are largely unknown
Cyber Threats to the
Critical Infrastructure
• Hacker/Script Kiddies/Hobbyist
• Disgruntled Employee
• Insider aiding others
• Hacktivist
• Industrial Espionage
• Foreign Espionage
• Terrorist
• State Sponsored Attack
The Threat is Increasing (chart)
Axes: Probability of occurrence (Low to High) against Potential Damage (Low to High).
Plotted actors: Hacker at the low-damage end, then Criminal, Espionage, Terrorist, and State Sponsored at the high-damage end; trend lines for 2003, 2004 and 2005.
Source: 1997 DSB Summer Study
Why are we so
Vulnerable?
• Internet was not built to be secure
• “Secure” (i.e., obscure) software being replaced by
commercial products in infrastructures
• Software development focused on “Slick, Stable,
Simple” (not “Secure”)
• System administrators lack training
• Leaders rarely see computer security as part of the
“bottom line”
• User awareness is low
Why The Feds are Concerned
About Hackers
• The real threat to the Critical Infrastructure is not the hacker,
but the structured state-sponsored organization
• However...
– Sometimes it’s hard to tell the difference - both use the same tools
– Growing sophistication and availability of tools increases concern
– Must assume the worst until proven wrong
• So...
– The government takes seriously all unauthorized activity
– They will use all technical and law enforcement tools to respond ... and
deter
– They will seek legal prosecution where appropriate
New Homeland Security
Strategies
http://www.whitehouse.gov/homeland/
National Strategy to
Secure Cyberspace
• Nation fully dependent on cyberspace
• Range of threats: script kiddies to nation states
• Fix vulnerabilities, don’t orient on threats
• New vulnerabilities require constant vigilance
• Individual vs. national risk management
• Government alone cannot secure
cyberspace
Priority II
A National Cyberspace Security
Threat and Vulnerability Reduction
Program
• Enhance law enforcement’s capabilities for
preemption, prevention, and prosecution
• Secure the mechanisms of the Internet including
improving protocols and routing
• Foster trusted digital control systems/ supervisory
control and data acquisition systems
• Reduce and remediate software vulnerabilities
• Improve physical security of cyber
and telecommunications systems
Inside the Internet Storm Center (diagram)
Data Collection (DShield Users), then Analysis (DShield.org), then Dissemination
Typical Residential Cable Modem Log (screenshot, annotated with FTP attempts and pop-up ads (spam))
Internet Storm Center Web Page: http://isc.sans.org
Port Report (screenshot)
2002 Top 20 List (www.sans.org/top20)
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host
Top Vulnerabilities to Unix Systems
U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords
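The Internet Storm Center flow above (firewall logs collected from DShield users, analysed, and published as a port report) reduces to a small aggregation over log lines. The Python below is an added example written for this page, not DShield or ISC code: the log format is a simplified tab-separated record assumed for the example, the sample lines are constructed, and the port-to-service mapping used to label hits against the 2002 Top 20 list is this example's own (the list names services, not port numbers). The two UDP 1026/1027 datagrams in the sample stand in for the "pop-up ads (spam)" entry on the cable-modem log slide.

```python
import re
from collections import defaultdict

# Ports assumed here for the services on the Top 20 list above (the list names
# services, not ports, so this mapping is the example's own).
TOP20_PORTS = {
    21: "U5 FTP", 22: "U3 SSH", 25: "U8 Sendmail", 53: "U9 BIND/DNS",
    80: "W1 IIS / U2 Apache", 111: "U1 RPC", 137: "W4 NetBIOS", 138: "W4 NetBIOS",
    139: "W4 NetBIOS shares / W5 null sessions",
    445: "W4 NetBIOS shares / W5 null sessions",
    161: "U4 SNMP", 512: "U6 r-services", 513: "U6 r-services", 514: "U6 r-services",
    515: "U7 LPD", 1433: "W3 MS SQL Server", 1434: "W3 MS SQL Server",
}

# One record per line (assumed format):
# "date time<TAB>src ip<TAB>src port<TAB>dst ip<TAB>dst port<TAB>proto"
LINE_RE = re.compile(r"^(\S+ \S+)\t(\S+)\t(\d+)\t(\S+)\t(\d+)\t(tcp|udp)$")

# Constructed sample of one night's dropped inbound packets on a home firewall;
# the last line is deliberately malformed.
SAMPLE_LOG = """\
2003-07-28 01:02:11\t203.0.113.7\t4412\t198.51.100.20\t21\ttcp
2003-07-28 01:02:12\t203.0.113.7\t4413\t198.51.100.20\t21\ttcp
2003-07-28 01:05:40\t198.51.100.99\t1035\t198.51.100.20\t139\ttcp
2003-07-28 01:06:02\t192.0.2.44\t2001\t198.51.100.20\t139\ttcp
2003-07-28 01:06:03\t192.0.2.44\t2002\t198.51.100.20\t445\ttcp
2003-07-28 01:09:15\t203.0.113.7\t4420\t198.51.100.20\t1433\ttcp
2003-07-28 01:10:00\t192.0.2.44\t2007\t198.51.100.20\t1433\ttcp
2003-07-28 01:12:30\t198.51.100.150\t1026\t198.51.100.20\t1026\tudp
2003-07-28 01:12:31\t198.51.100.150\t1026\t198.51.100.20\t1027\tudp
2003-07-28 01:15:55\t203.0.113.200\t3333\t198.51.100.20\t80\ttcp
2003-07-28 01:20:10\tgarbage line that does not parse
"""


def parse(log_text):
    """Parse log lines.  Malformed lines are counted rather than silently dropped,
    so a submitter whose log format has drifted shows up in the statistics."""
    records, bad = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        records.append({"ts": ts, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records, bad


def port_report(records):
    """Per (proto, target port): hits, distinct sources, distinct targets and the
    Top 20 label.  Ranked by distinct sources before raw hits: a port touched by
    many unrelated sources is a better sign of an active worm or mass scan than
    one noisy host retrying a single port."""
    agg = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set()})
    for r in records:
        e = agg[(r["proto"], r["dport"])]
        e["hits"] += 1
        e["sources"].add(r["src"])
        e["targets"].add(r["dst"])
    rows = [{"proto": proto, "port": port, "hits": e["hits"],
             "sources": len(e["sources"]), "targets": len(e["targets"]),
             "top20": TOP20_PORTS.get(port, "")}
            for (proto, port), e in agg.items()]
    rows.sort(key=lambda r: (-r["sources"], -r["hits"], r["port"]))
    return rows


def scanners(records, min_ports=3):
    """Sources that probed at least min_ports distinct target ports: the
    single-host vertical scans that a per-port view hides."""
    ports = defaultdict(set)
    for r in records:
        ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed")
    print(f"{'proto':5} {'port':>5} {'hits':>4} {'srcs':>4} {'tgts':>4}  top20")
    for r in port_report(recs):
        print(f"{r['proto']:5} {r['port']:>5} {r['hits']:>4} {r['sources']:>4} "
              f"{r['targets']:>4}  {r['top20']}")
    print("multi-port scanners:", scanners(recs))
```

On the sample, TCP 139 and 1433 rank first because two unrelated sources each hit them, while the FTP retries from one host rank lower despite the same hit count; the per-source view then surfaces 192.0.2.44, which walked 139, 445 and 1433, as the one host doing a small vertical scan. In a real DShield-style pipeline the same two aggregations run over thousands of submitters, and the Top 20 label is what lets a port report be read against the services the list says are most often the way in.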
Questions?
• Contact:
[email protected]
[email protected]
[email protected]
[email protected]