Cyber Adversary Characterization

Know thy enemy!

Introduction and Background
- Cyber Adversary Characterization workshop in 2002
- Research discussions continued via email
- Briefings to Blackhat and Defcon to introduce the concept and obtain feedback
- Future workshops planned for October 2003
- Slides will be on both conference web sites

Why characterize?
- Theoretical: to gain understanding of, and an ability to anticipate, an adversary in order to build improved threat models.
- Practice: improved profiling of attackers at the post-attack and forensic levels.

Point Scoring: Rating-the-Hacker
Toby Miller, [email protected]

Point Scoring: Why?
- No standard system to help rate the attacker
- No system to help with the threat level
- Help management in the decision-making process

Point Scoring: The Categories
- Passive Fingerprinting
- Intelligence
- The Attack
- The Exploit
- Backdoors | Cover up
- Other

Example Score Metric (points by target operating system)
  Linux     3
  FreeBSD   4
  OpenBSD   6
  IRIX      4
  Windows   3

Point Scoring: Past, Present, Future
- Originally posted on incidents.org
- Currently on rev 2
- Soon to release rev 3: www.ratingthehacker.net
- Tool characterizations, disclosure patterns and technique scoring

Tom Parker, Pentest Limited (UK)

The Hacker Pie
- Representative of the characterization metrics which build the final characterization.
- Available elements are dependent upon the scenario.
- Does not rely solely upon IDS/attack-signature data.

The Hacker Pie (continued)
- The pie relies upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.
- Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.

The Pie Explained (diagram): the characterization is built from Metric One to Metric Four, each fed by one or more items of key data.

Point Scoring Systems (continued)
- Attempt to characterize an adversary based on attack information captured from the wild.
- Attempt to characterize an adversary based upon a technique classification model.
- Attempt to characterize an adversary based upon a tool classification model.

Tool classification model
- Availability of application
- Origins of application
- Ease of use
- Requires in-depth knowledge of the vulnerability to execute?
- Other mitigating factors

Example Exploit Classification (points by web application flaw, for a public vs. a private exploit)
  Web App Flaw                                                                              Public  Private
  Proprietary Application Penetration via SQL Injection                                        3       4
  Open Source Application Penetration via SQL Injection                                        3       4
  Proprietary Application Penetration via Arbitrary Script Injection                           2       3
  Open Source Application Penetration via Arbitrary Script Injection                           2       3
  Proprietary Application Penetration via OS command execution using SQL Injection (MS SQL)    3       5
  Proprietary Application Penetration via OS command execution using SQL Injection (other)     4       7
  Proprietary Application Penetration via SQL Injection (MS SQL)                               5       6
  Proprietary Application Penetration via SQL Injection (other)                                4       7

Disclosure Food Chain Characterization
- All tools have a story, often years before dissemination into the public domain.
- Social demeanour is often key to placing an actor in the disclosure chain.
- Pyramid metric.
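Worked example for the point-scoring and tool/exploit classification slides above. This is an added example, not the Rating-the-Hacker tool or any code from the presenters: the target-OS points and the public/private exploit points are the values shown on the slides, while the tool-classification points, the two binary categories (passive fingerprinting seen, backdoor/cover-up seen), the normalisation and the low/medium/high bands are assumptions made for illustration. Unobserved categories are left out of the achievable maximum, so a thin evidence set is not misread as a low-skill attacker, which is the same concern the Hacker Pie raises about unobserved key data.

```python
"""Point-scoring threat rating in the style of the Rating-the-Hacker slides.

Added example, not the published rev 2/rev 3 metric. OS_SCORE and EXPLOIT_SCORE
are the values on the slides; TOOL_SCORE, FLAG_POINTS and the bands are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# From the "Example Score Metric" slide: points for the targeted OS.
OS_SCORE = {"linux": 3, "freebsd": 4, "openbsd": 6, "irix": 4, "windows": 3}

# From the "Example Exploit Classification" slide: (public, private) points.
EXPLOIT_SCORE = {
    "proprietary/sqli": (3, 4),
    "open-source/sqli": (3, 4),
    "proprietary/script-injection": (2, 3),
    "open-source/script-injection": (2, 3),
    "proprietary/os-cmd-via-sqli-mssql": (3, 5),
    "proprietary/os-cmd-via-sqli-other": (4, 7),
    "proprietary/sqli-mssql": (5, 6),
    "proprietary/sqli-other": (4, 7),
}

# Assumed: points for the tool-classification elements named on the slide.
TOOL_SCORE = {
    "availability": {"public-download": 0, "closed-community": 2, "private": 3},
    "origins": {"published-advisory": 0, "modified-public": 1, "self-written": 3},
    "ease_of_use": {"point-and-click": 0, "command-line": 1, "manual-protocol": 3},
    "needs_vuln_knowledge": {False: 0, True: 3},
}
FLAG_POINTS = 2  # assumed: passive fingerprinting seen / backdoor or cover-up seen


@dataclass
class Observation:
    """What the responder actually saw; None means 'not observed', not 'absent'."""
    target_os: Optional[str] = None
    exploit_class: Optional[str] = None
    exploit_private: Optional[bool] = None
    tool: dict = field(default_factory=dict)  # element -> value, keys of TOOL_SCORE
    passive_fingerprinting: Optional[bool] = None
    backdoor_or_cleanup: Optional[bool] = None


def _lookup(table: dict, key, what: str):
    """Fail loudly on an unscored value rather than silently scoring it zero."""
    if key not in table:
        raise ValueError(f"unscored {what}: {key!r}")
    return table[key]


def score(obs: Observation) -> dict:
    """Sum points per observed category and normalise by the maximum achievable
    over those categories only; map the ratio onto a rating band."""
    pts, maximum, detail = 0, 0, {}
    if obs.target_os is not None:
        s = _lookup(OS_SCORE, obs.target_os.lower(), "target OS")
        pts += s
        maximum += max(OS_SCORE.values())
        detail["target_os"] = s
    if obs.exploit_class is not None:
        pub, priv = _lookup(EXPLOIT_SCORE, obs.exploit_class, "exploit class")
        s = priv if obs.exploit_private else pub
        pts += s
        maximum += max(p for _, p in EXPLOIT_SCORE.values())
        detail["exploit"] = s
    for element, value in obs.tool.items():
        table = _lookup(TOOL_SCORE, element, "tool element")
        s = _lookup(table, value, element)
        pts += s
        maximum += max(table.values())
        detail["tool." + element] = s
    for name, seen in (("passive_fingerprinting", obs.passive_fingerprinting),
                       ("backdoor_or_cleanup", obs.backdoor_or_cleanup)):
        if seen is not None:
            s = FLAG_POINTS if seen else 0
            pts += s
            maximum += FLAG_POINTS
            detail[name] = s
    ratio = pts / maximum if maximum else 0.0
    band = "low" if ratio < 0.35 else "medium" if ratio < 0.65 else "high"
    return {"points": pts, "max": maximum, "ratio": round(ratio, 2),
            "band": band, "coverage": len(detail), "detail": detail}


if __name__ == "__main__":
    print(score(Observation(target_os="Windows", exploit_class="proprietary/sqli",
                            exploit_private=False,
                            tool={"availability": "public-download",
                                  "ease_of_use": "point-and-click"})))
```

The `coverage` field counts how many categories contributed; a high band built on one observed category (a single OpenBSD target, say) is a much weaker characterization than the same band built on six, and a responder should read the two differently.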

The Disclosure Food Chain (diagram; several paths converge on vendor coordination and public disclosure)
- Vulnerability Discovery
- Exploit Development
- Information shared with fellow researchers (exploit development)
- Exploit Trading
- Exploit Usage In Wild
- Honey Pot Capture
- Exploit Reverse Engineered / Vulnerability Research
- Information shared further throughout grey hat communities
- Disclosure to Security Company
- Vendor Coordination
- Public Disclosure
- Vendor Patch / Vendor Fix Released
- Further Research

2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment

Dr. Eric D. Shaw, Consulting & Clinical Psychology, Ltd., [email protected]

Offender Profiling
- Roots in law enforcement & the intelligence community (criminal event or incident analysis): intensive review of past offenders
- Insider computer crimes, 1998-present: 50 cases, 10 in-depth case studies from companies or government contractors
- Products:
  - Typology of actors: motivation, psychological characteristics, actions
  - Critical pathway: process of interactions with the environment (personal and professional) leading to attack
  - At-risk characteristics
  - Organizational vulnerabilities & insights into prevention, deterrence, detection, management

Offender Profiling Headlines
- The Termination Problem
- Actor subtypes: the Proprietor & the Hacker
- The Tracking Problem
- Organizational Vulnerabilities
- Detection Issues
- Intervention Challenges
- Hacker Overview

Attacks: The Termination Problem
- Simple termination of a disgruntled insider is not the answer: 80% attack after termination (4 hours to 2 months)
- 70% attack from remote locations vs. inside; termination did not impact access
- Attack types: DoS to disrupt business; destruction & corruption of data; theft of proprietary data; time bombs; extortion; attacks on reputations

Attackers
- Hackers (40%): affiliated with and active in the hacking community, bring hacking practices to the worksite
- Proprietors (40%): defend the system as belonging to them, resist efforts to dilute their control
- Avengers (20%): attack impulsively in response to perceived injustice
- Prevention: screening & selection

The Tracking Problem
- Screening & selection problems in 60% of cases: no or delayed background checks, nepotism, failure to detect risk factors
- 30% had prior felony convictions
- 30% had high-profile hacker activity

Organizational Issues
- 80% of cases occur during periods of high organizational stress or change, from the highest to supervisory levels
- Lack of policies contributed to disgruntlement or facilitated the attack in 60% of cases
- Lack of policy enforcement contributed to disgruntlement or facilitated the attack in 70% of cases

Detection Problems
- 80% of attackers used operational security to protect attack planning or identity
- Time from disgruntlement to attack: 1-48 months, mean 11.3 months
- Time from active problems (probation) to attack: 0-76 weeks, mean 26 weeks
- Forget the "big bang" theory of the sudden, unforeseen attack

Intervention Problems
- Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems; negotiate then cut off; terminate poorly)
- Problems with the termination process in 80% of cases (esp. failure to terminate access)
- Multidisciplinary risk assessment prior to termination

Hardcore Hackers: Not Script Kiddies
  Subject      Age   Tech Capability   Prior Offenses   Acted with Others   Status in Hacker Community
  Oquendo       29   High              Yes              Yes                 High
  Zezev         30   High              No               Yes                 Unknown
  Carpenter     20   High              Yes              No                  Low
  Demostenis    23   Low               No               Yes                 Low
  (Mean age 25.5; 50% with prior offenses; 75% acted with others)

Remote Assessment Using WarmTouch (patent pending)

Why Use WarmTouch Software to Detect Disgruntlement or Psychological Change On-line?
- Communication has moved on-line
- Loss of visual & auditory cues on-line
- Failure of other systems to detect violations: technical noise, supervisor & peer reporting
- Protects privacy
- Provides objectivity

Person-Situation Interaction: Detect Psychological Leakage (diagram): personal and professional stressors act on a vulnerable CITI; mounting stress and frustration escalate from minor infraction to moderate infraction to a major act.

Software Components
- Psychological profiling algorithms
- Emphasis on measuring emotional state: anger, anxiety, depression; changes in emotional state from baseline
- Psychological characteristics: decision-making and personal relations (loner/team player, plans/reacts, rigid/flexible, sensitivity to environment)
- Alert phrases / key words: threats, victimization, employment problems
- Communication characteristics: To, From, Time, Length, etc.
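The component list above (emotional-state measures, change from baseline, alert phrases, communication characteristics) as a small working screener. This is an added example, not WarmTouch, whose algorithms are not published here: the word classes are named after the measures plotted on the Zezev and Hanssen charts later in the deck (Negatives, Direct Ref., Evaluators, Retractors, Explainers), but the lexicons, the anger and anxiety indices, the z-score threshold and the sample mailbox are all constructed for illustration.

```python
"""Psycholinguistic change detection over a mailbox.

Added example, not WarmTouch code: every lexicon, index, threshold and message
below is constructed for illustration.
"""
import re
import statistics
from dataclasses import dataclass

# Constructed word classes; a real lexicon would be far larger.
NEGATIVES = {"no", "not", "never", "nothing", "don't", "won't", "can't", "isn't"}
DIRECT_REF = {"you", "your", "yours"}              # references aimed at the recipient
NEG_EVALUATORS = {"worthless", "useless", "stupid", "incompetent", "garbage"}
RETRACTORS = {"but", "however", "although"}       # qualifying constructions
EXPLAINERS = {"because", "since", "therefore"}    # justifying constructions
ALERT_PHRASES = {                                 # constructed alert phrases
    "threat": ["you will regret", "pay for this", "make you sorry"],
    "victimization": ["never trusted", "against me", "treated unfairly"],
    "employment": ["fire me", "relieve me", "i quit"],
}
WORD = re.compile(r"[a-z']+")


@dataclass
class Message:
    sender: str
    recipient: str
    sent: str       # ISO date: the "Time" communication characteristic
    body: str


def features(msg: Message) -> dict:
    """Count the word classes in one message and derive per-100-word indices,
    so a long message is not scored as angrier merely for being long."""
    text = msg.body.lower()
    words = WORD.findall(text)
    n = max(len(words), 1)
    counts = {
        "negatives": sum(w in NEGATIVES for w in words),
        "direct_ref": sum(w in DIRECT_REF for w in words),
        "neg_evaluators": sum(w in NEG_EVALUATORS for w in words),
        "retractors": sum(w in RETRACTORS for w in words),
        "explainers": sum(w in EXPLAINERS for w in words),
    }
    anger = 100.0 * (counts["negatives"] + counts["direct_ref"] + counts["neg_evaluators"]) / n
    anxiety = 100.0 * (counts["retractors"] + counts["explainers"]) / n
    alerts = sorted(
        cat for cat, phrases in ALERT_PHRASES.items()
        if any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)
    )
    return {**counts, "length": len(words), "anger": round(anger, 1),
            "anxiety": round(anxiety, 1), "alerts": alerts}


def screen(mailbox: list, baseline_n: int = 3, z_threshold: float = 2.0) -> list:
    """Take the first baseline_n messages as the writer's baseline and flag any
    message whose anger index sits z_threshold standard deviations above it,
    or that contains an alert phrase."""
    feats = [features(m) for m in mailbox]
    base = [f["anger"] for f in feats[:baseline_n]]
    mean = statistics.mean(base)
    spread = max(statistics.pstdev(base), 1.0)   # floor: a flat baseline has spread 0
    for f in feats:
        f["z"] = round((f["anger"] - mean) / spread, 2)
        f["flagged"] = f["z"] >= z_threshold or bool(f["alerts"])
    return feats


MAILBOX = [  # constructed sample: one administrator writing to his manager
    Message("admin", "boss", "2003-01-06",
            "Thanks for the update. I will have the backup plan ready by Friday "
            "and we can review it together."),
    Message("admin", "boss", "2003-01-20",
            "The report ran fine last night. Let me know if you need anything "
            "else from me before the meeting."),
    Message("admin", "boss", "2003-02-03",
            "I looked at the ticket. We should be able to close it once the "
            "vendor patch is applied."),
    Message("admin", "boss", "2003-04-14",
            "You don't listen. Nothing about this worthless plan makes sense and "
            "I won't give him root access until you fire me. You never trusted my work."),
]

if __name__ == "__main__":
    for m, f in zip(MAILBOX, screen(MAILBOX)):
        print(m.sent, f["length"], f["anger"], f["z"], f["alerts"],
              "FLAG" if f["flagged"] else "")
```

The baseline is the point of the exercise: the slides stress change from baseline rather than absolute tone, and the z-score floor keeps a writer whose first messages are uniformly neutral from being flagged on the first mildly pointed sentence.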

WarmTouch Software Overview
- WarmTouch origins in the IC, 1986-present
- Use of WarmTouch with insider communications: Khanna at Bank
- Threat monitoring
- Sting operations & negotiations
- Suspect identification: Hanssen
- Other WarmTouch applications

Case Example: Financial Proprietor
- Well-paid systems administrator
- Personality traits (Proprietor): entitlement, manipulative, devaluing of others, padded OT
- Context: supervisor change

Email from Boss (asked to train back-up): "You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution, not to you."

Email 1: April (asked to train his back-up, subject refuses): "His experience was ZERO. He does not know ANYTHING about ...our reporting tools."

"Until you fire me or I quit, I have to take orders from you... Until he is a trained expert, I won't give him access... If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can't be a garbage cleaner if someone screws up. I won't compromise on that."

Email 3: July: "Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you'll always get the most cost-effective, and productive solution from me."

Email 4: July: "I would be honored to work until last week of August. As John may have told you, there are a lot of things which at times get flaky with the system front-end and back-end. Two week extension won't be enough time for me to look into everything for such a critical and complex system. Thanks for all your trust in me."

The Event
- On the last day of work, the subject disables the computer network's two file servers.
- Company executives implore the subject to help them fix the problems, but he refuses.
- An independent consulting firm hired to investigate the problems discovers sabotage.
- Timing: deception to cover plotting.

WarmTouch Challenge
- Detect deterioration in the relationship with the supervisor
- Detect deception
- Profiles of the April, July and August emails

Detecting Deception: Covert vs. Overt Hostility in Email Prior to Attack (chart: overt and covert hostility measured three months prior, two months prior, two weeks prior, and at the attack)

Zezev vs. Bloomberg: Managing His Psychological State
- Task: to lure him to London for the bust
- Must manage his anger and anxiety at delays and manipulations
- Satisfy his dependency: need for $ & job
- WarmTouch help: objectively highlight and help manage psychological states; objectively measure success

Support to Sting Ops/Negotiations: Levels of Anger in Zezev's emails to Bloomberg (chart: indicators of anger across 20 emails: Evaluators -, Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me, We, I)

Zezev's Use of "Me": passive/dependent mode (chart across the 20 emails)

Zezev's Use of Retractors: Anxiety (chart across the 20 emails)

Robert Hanssen
- 8 communications with Soviet handlers between October 1985 & November 2000
- Challenge for software: detect signs of emotional stress associated with spying, disgruntlement and affair as documented in public records

Hanssen: Anger over Time / Changes over Time: Psycholinguistic Measures of Anger (chart: number of words for Negatives and Me per communication, dated from 10/1/1985 through 9/8/1987 to 6/8/2000)

Hanssen: Changes Over Time: Emotional Vulnerability (chart: number of words for Adv Intensifiers, Direct Ref, Feelings and I per communication, dated 10/1/1985, 11/8/1985, 6/13/1988 and 6/8/2000)

Hanssen: Changes over Time: Psycholinguistic Measures: Anxiety (chart: number of words for Explainers and Retractors per communication, dated 10/1/1985, 11/8/1985, 6/13/1988 and 6/8/2000)

Other WarmTouch Applications
- Communications Manager: analyze the state of a relationship; assess characteristics of the persons in the relationship; help modify language to improve/modify the relationship; track success/changes over time
- Media Monitoring: attitude of the Egyptian press toward the U.S.; attitude of customers toward a product or service

Internet Threat Actors
Marcus H. Sachs, Director, Internet Storm Center, The SANS Institute, http://isc.sans.org

The Cyber Threat to the United States
- US national information networks have become more vulnerable, and therefore more attractive as a target
- Growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive or proprietary computer systems
- The complexity of computer networks is growing faster than the ability to understand and protect them
- The prospects for a cascade of failures across US infrastructures are largely unknown

Cyber Threats to the Critical Infrastructure
- Hacker / script kiddies / hobbyist
- Disgruntled employee
- Insider aiding others
- Hacktivist
- Industrial espionage
- Foreign espionage
- Terrorist
- State-sponsored attack

The Threat is Increasing (chart, source: 1997 DSB Summer Study: potential damage plotted against probability of occurrence for hacker, criminal, espionage, terrorist and state-sponsored actors, with curves for 2003, 2004 and 2005)

Why are we so Vulnerable?
- The Internet was not built to be secure
- Secure (i.e., obscure) software is being replaced by commercial products in infrastructures
- Software development is focused on Slick, Stable, Simple (not Secure)
- System administrators lack training
- Leaders rarely see computer security as part of the bottom line
- User awareness is low

Why the Feds are Concerned About Hackers
- The real threat to the critical infrastructure is not the hacker, but the structured state-sponsored organization
- However... sometimes it's hard to tell the difference: both use the same tools
- Growing sophistication and availability of tools increases concern
- Must assume the worst until proven wrong
- So... the government takes seriously all unauthorized activity
- They will use all technical and law enforcement tools to respond... and deter
- They will seek legal prosecution where appropriate

New Homeland Security Strategies (http://www.whitehouse.gov/homeland/)

National Strategy to Secure Cyberspace
- Nation fully dependent on cyberspace
- Range of threats: script kiddies to nation states
- Fix vulnerabilities, don't orient on threats
- New vulnerabilities require constant vigilance
- Individual vs. national risk management
- Government alone cannot secure cyberspace

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program
- Enhance law enforcement's capabilities for preemption, prevention, and prosecution
- Secure the mechanisms of the Internet, including improving protocols and routing
- Foster trusted digital control systems / supervisory control and data acquisition systems
- Reduce and remediate software vulnerabilities

- Improve physical security of cyber and telecommunications systems

Inside the Internet Storm Center (diagram): Data Collection (DShield users) -> Analysis (DShield.org) -> Dissemination

Typical Residential Cable Modem Log: FTP attempts; pop-up ads (spam)

Internet Storm Center Web Page: http://isc.sans.org
- Port Report
- 2002 Top 20 List
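The collection -> analysis -> dissemination loop above, reduced to the port report that sits at its centre. This is an added example, not ISC or DShield code: the record layout (tab-separated timestamp, submitter id, count, source IP, source port, target IP, target port, protocol, TCP flags) is assumed from the public DShield submission format, the log lines are constructed, and the "storm" rule comparing today's share of hits per port against a baseline is a simplification of what the centre does when it raises its threat level.

```python
"""DShield-style firewall log aggregation into a per-port report.

Added example, not ISC/DShield code. Record layout assumed from the public
DShield submission format; SAMPLE_LOG is constructed, including one mangled line.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
2002-10-01 00:12:41 -05:00\t1001\t1\t203.0.113.5\t3421\t192.0.2.10\t80\tTCP\tS
2002-10-01 00:13:02 -05:00\t1001\t1\t203.0.113.5\t3422\t192.0.2.10\t1433\tTCP\tS
2002-10-01 00:14:17 -05:00\t1002\t3\t198.51.100.7\t1025\t192.0.2.44\t137\tUDP\t
2002-10-01 00:15:55 -05:00\t1001\t1\t198.51.100.7\t1026\t192.0.2.10\t137\tUDP\t
2002-10-01 00:16:10 -05:00\t1003\t1\t203.0.113.77\t4000\t192.0.2.99\t21\tTCP\tS
2002-10-01 00:16:11 -05:00\t1003\t1\t203.0.113.77\t4001\t192.0.2.99\t1433\tTCP\tS
2002-10-01 00:17:30 -05:00\t1002\t1\t203.0.113.200\t2049\t192.0.2.44\t1433\tTCP\tS
malformed line that a submitter's script mangled
2002-10-01 00:18:02 -05:00\t1003\t2\t203.0.113.5\t3500\t192.0.2.99\t80\tTCP\tS
"""


@dataclass(frozen=True)
class Record:
    ts: str
    submitter: str
    count: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse(line: str) -> Optional[Record]:
    """Return a Record, or None for a line that does not fit the layout.
    Submitters run home-grown scripts, so a bad line must be dropped, not fatal."""
    f = line.rstrip("\n").split("\t")
    if len(f) != 9:
        return None
    try:
        return Record(f[0], f[1], int(f[2]), f[3], int(f[4]),
                      f[5], int(f[6]), f[7].upper(), f[8])
    except ValueError:
        return None


def port_report(log: str, top: int = 5) -> list:
    """Aggregate per (protocol, target port): hits, distinct sources, distinct
    submitters and share of all hits. Distinct submitters matter: one host
    scanning one home network is noise; the same port hit across many
    independent sensors is the trend worth publishing."""
    hits = defaultdict(int)
    srcs = defaultdict(set)
    subs = defaultdict(set)
    total = 0
    for line in log.splitlines():
        r = parse(line)
        if r is None:
            continue
        key = (r.proto, r.dport)
        hits[key] += r.count
        srcs[key].add(r.src)
        subs[key].add(r.submitter)
        total += r.count
    rows = [{"proto": p, "port": d, "hits": hits[(p, d)],
             "sources": len(srcs[(p, d)]), "submitters": len(subs[(p, d)]),
             "share": round(100.0 * hits[(p, d)] / total, 1)}
            for (p, d) in hits]
    rows.sort(key=lambda r: (-r["hits"], -r["submitters"], r["port"]))
    return rows[:top]


def storm_alerts(today: list, baseline: dict, factor: float = 3.0) -> list:
    """Flag ports whose share of hits today is `factor` times their baseline
    share; a port absent from the baseline gets a small floor so it can alert."""
    return [r for r in today
            if r["share"] >= factor * baseline.get((r["proto"], r["port"]), 0.5)]


if __name__ == "__main__":
    report = port_report(SAMPLE_LOG)
    for row in report:
        print(row)
    print("alerts:", storm_alerts(report, {("TCP", 80): 30.0, ("UDP", 137): 10.0}))
```

In the constructed sample TCP/1433 has the fewest hits of the three busy ports but is seen by all three submitters from three different sources, which is exactly the pattern (MS SQL Server, W3 on the Top 20 list below) a port report is meant to surface ahead of a single noisy scanner.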

Top Vulnerabilities to Windows Systems
- W1 Internet Information Services (IIS)
- W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
- W3 Microsoft SQL Server
- W4 NETBIOS -- Unprotected Windows Networking Shares
- W5 Anonymous Logon -- Null Sessions
- W6 LAN Manager Authentication -- Weak LM Hashing
- W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
- W8 Internet Explorer
- W9 Remote Registry Access
- W10 Windows Scripting Host

Top Vulnerabilities to Unix Systems
- U1 Remote Procedure Calls (RPC)
- U2 Apache Web Server
- U3 Secure Shell (SSH)
- U4 Simple Network Management Protocol (SNMP)
- U5 File Transfer Protocol (FTP)
- U6 R-Services -- Trust Relationships
- U7 Line Printer Daemon (LPD)
- U8 Sendmail
- U9 BIND/DNS
- U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords

www.sans.org/top20

Questions? Contact: [email protected], [email protected], [email protected], [email protected]
