TRANSCRIPT
© 2002 Carnegie Mellon University Attackers: 1
Attackers and Defenders
Overview
• Hackers/Crackers
• Defenders
References
http://www.cert.org
InfoWar:
http://infowar.freeservers.com/index.html
http://www.nmrc.org/links/
Culture: http://www.eff.org/pub/Net_culture/
Terrorism: http://www.terrorism.com/terrorism/links.shtml
Books:
Sterling - The Hacker Crackdown
Stoll - The Cuckoo's Egg
Honeynet Project - Know Your Enemy
Attackers
• National Security
– Critical National Infrastructure
– Cyber-Warfare
• Computer Crime
– Organized Crime
– Hackers/Crackers
– Identity Theft
– Extortion
– Fraud
• Non-State Actors
– Terrorists
– Political Activists
Transnational Virtual Crime
(Diagram of overlapping categories: Organized crime, Hacktivism, Insider crime, Hackers/Crackers, Cyber-crime)
Hackers/Crackers
• Old-Line Hackers
• Scr1pt Kiddiez
• Tool Writers / Virus Writers
• Reverse Engineers / Vulnerability finders
• Social Engineers
• Hacktivists
Attack Sophistication vs. Intruder Technical Knowledge
(Chart: x-axis 1980 to 2000; y-axis Low to High; two curves, Attack Sophistication and Intruder Knowledge, with Tools and Attackers labelled along them)
Technique labels on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack
Vulnerability Exploit Cycle
(Cycle diagram) Advanced Intruders Discover New Vulnerability → Crude Exploit Tools Distributed → Novice Intruders Use Crude Exploit Tools → Automated Scanning/Exploit Tools Developed → Widespread Use of Automated Scanning/Exploit Tools → Intruders Begin Using New Types of Exploits → (cycle repeats)
Service Shifts
(Chart: monthly counts, Jun-00 to Feb-01; y-axis 0 to 120; series: DNS, HTTP, FTP, RPC, email, IRC)
Incident Data
• Profile of 2 six-month periods
– Sept 1, 2000 – Feb 1, 2001: 1027 incidents
– Sept 1, 2001 – Feb 1, 2002: 997 incidents
• Examined "damaging" incidents, excluding:
– Simple probes & scans
– Information Requests
– Hoaxes
– False Alarms
– Overly vague reports
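As an added example (not code from the CERT/CC deck), the following Python applies the slide's exclusion list to a set of constructed incident reports and builds the per-week method-of-attack, impact and reporter counts of the kind the deck's later charts plot. The report records, the sector labels and the week-bucketing rule (weeks counted from the period start) are assumptions for illustration.

```python
"""Incident triage and weekly aggregation over constructed incident reports.

Added example (not CERT/CC code): applies the slide's exclusion list to a
set of reports and builds the per-week method-of-attack, impact and
reporter counts for one six-month profile period.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Report categories the slide excludes from the "damaging" profile.
NOISE_TYPES = {"probe/scan", "information request", "hoax", "false alarm", "vague report"}

# Constructed sample reports (date, reporter sector, method of attack, impact).
# The dates fall in the deck's second period (Sept 1, 2001 - Feb 1, 2002).
SAMPLE_REPORTS = [
    ("2001-09-03", "com", "root compromise", "disclosure"),
    ("2001-09-04", "edu", "probe/scan", None),
    ("2001-09-05", "gov", "virus", "disrupt"),
    ("2001-09-09", "com", "information request", None),
    ("2001-09-11", "isp", "denial of service", "disrupt"),
    ("2001-09-12", "user", "hoax", None),
    ("2001-09-14", "com", "web compromise", "distort"),
    ("2001-09-18", "org", "vague report", None),
    ("2001-09-20", "k12", "virus", "destruct"),
    ("2002-02-05", "com", "virus", "disrupt"),   # outside the period: ignored
]


def is_damaging(method: str) -> bool:
    """True unless the report is one of the excluded noise categories."""
    return method.lower() not in NOISE_TYPES


def week_bucket(d: date, period_start: date) -> date:
    """Start of the week containing d, with weeks counted from period_start."""
    days = (d - period_start).days
    return period_start + timedelta(days=days - days % 7)


def profile(reports, period_start: str, period_end: str):
    """Return (kept, excluded, {week: Counter(method)}, Counter(impact), Counter(sector))."""
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    kept = excluded = 0
    by_week, impact, reporter = defaultdict(Counter), Counter(), Counter()
    for day, sector, method, effect in reports:
        d = date.fromisoformat(day)
        if not start <= d < end:
            continue                      # not part of this six-month profile
        if not is_damaging(method):
            excluded += 1                 # counted, but kept out of the charts
            continue
        kept += 1
        by_week[week_bucket(d, start)][method] += 1
        impact[effect or "unknown"] += 1
        reporter[sector] += 1
    return kept, excluded, dict(by_week), impact, reporter


if __name__ == "__main__":
    kept, excluded, by_week, impact, reporter = profile(
        SAMPLE_REPORTS, "2001-09-01", "2002-02-01")
    print(f"damaging: {kept}, excluded: {excluded}")
    for week in sorted(by_week):
        print(week.isoformat(), dict(by_week[week]))
    print("impact:", dict(impact))
    print("reporter:", dict(reporter))
```

Filtering the noise categories before aggregation is what makes the two six-month periods comparable: probe and scan reports dwarf damaging incidents and would otherwise dominate every weekly series.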
Method of Attack
(Chart 1: incidents per week, 9/1/2001 to 2/2/2002; y-axis 0 to 80; series: Virus, Root Compromise, Recon, Denial of Service, User Compromise, Misuse of Resources, Web Compromise, Social Engineering, Trojan Horse, Other)
(Chart 2: incidents per week, 9/2/2000 to 2/3/2001; y-axis 0 to 100; series: Root Compromise, Virus, Web Compromise, Denial of Service, Recon, Misuse of Resources, Worm, User Compromise, Trojan, Social Engineering, Varied)
Reporter
(Chart 1: incidents per week by reporter sector, 9/2/2000 to 2/3/2001; y-axis 0 to 100; series: gov, com, intl, user, edu, isp, org, fin, k12, misc, other)
(Chart 2: incidents per week by reporter sector, 9/1/2001 to 2/2/2002; y-axis 0 to 70; series: com, user, gov, intl, edu, org, isp, k12, unknown, misc)
Impact at Reporting Site
(Chart 1: incidents per week by impact, 9/1/2001 to 2/2/2002; y-axis 0 to 80; series: Distort, Disrupt, Disclosure, Destruct, Deception)
(Chart 2: incidents per week by impact, 8/26/2000 to 1/27/2001; y-axis 0 to 100; series: Distort, Disrupt, Disclosure, Destruct, Deception, Unknown)
Pace of Attack - 1999
• Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude
Clear the disk and try again!
Organized Crime
• Individual crime may be difficult to differentiate from organized crime:
– Distribution and Coordination tools
– Mass exploitation methods
• Organized crime exploitation of Information technologies in various ways
– Enhanced efficiencies – on-line management of illegal gambling schemes
– Intelligence tool for risk management – Cali organization in 1995 had state of the art equipment
– Force multiplier – GPS for sea drops
• New channels and new targets for crime
European Union Bank
• Fraud on line
• Russian organized crime figures
• Offshore banking – Antigua
• Solicited deposits on-line
• Warnings from various sources
• Bank collapsed
Chinese Activities
What We Have Observed:
• A series of activities over 3 years from similar network locations
• A series of attack tools in last 1.5 years: QAZ, Red Lyon, Code Red
• Political timing
What We Surmise:
• Diverse team with resources
• Using hackers/loose ISP for cover
• Keeping attacks below threshold
• Studying reaction/defense
Cracker Team Structure
• ISTJ personality
• Ephemeral teams
• Little team structure
• Internal and external friction
• Occasional persistency
Staged Attack
(Diagram: three numbered attack stages, 1, 2, 3)
Auto-Coordinated Attack
(Diagram: the attacker's Identity probes a Victim, which is compromised and co-opted and in turn probes Victim 2; labels: Identity, Probe, Victim, Compromise & Coopt, Probe, Victim 2)
• Remote, fast-acting
• Adapts existing tools
• Limited deployment
• Sophisticated reporters
Hacker to Terrorism?
• Defaced Health-care web site in India
• "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat
• Post-dates activity by Pakistani Hackers Club
• Linked to G-Force Pakistan
• Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)
– Differing expertise
– Multiple actors/teams
– Transnational collaborations
Pakistani/Indian Defacements
(Timeline chart, 10/99 to 4/01, with marks at 10/99, 1/00, 4/00, 7/00, 10/00, 1/01 and 4/01; defacements rated from "Well written" to "Juvenile" and classed as "No mention of terrorist organizations" or "Mentions terrorist organizations"; "More…")
Sources: attrition.org, alldas.de
Cyber Terrorism
• Cyberterror is still emerging
– Evolving threat
– Integrating critical missions with general Internet
– Increasing damage/speed of attacks
– Continued vulnerability of off-the-shelf software
• Much confusion of descriptions and definitions
• Widely viewed as critical weakness of Western nations
Hacktivism
• Hacking for politics
– Primarily websites
– High publicity / calls for public participation
• Examples:
– WTO 1999/2000/…
– Monsanto / Genetic Engineering of plants
Cyber-Intifada
• Prolonged campaign
– Palestinian hackers/web defacers
– Targeting Israeli and Israel-supporting organizations
– Low innovation level
• Counter-campaigns
– Publicity
– Counter-hacking: 2xS.co.il
Insiders
• Most cyber-crime will be perpetrated by individuals rather than criminal organizations per se
• Individuals, including insiders, are becoming quick to exploit the transnational nature of the Internet
Insiders – The Prouty Case
• American Express – the largest network intrusion and credit card fraud activity in its history – actual losses $8 million – potential losses $20 million
– David Prouty worked for POS company providing credit card equipment to restaurants.
– August 1999 to January 2001 compromised computer networks of 10 restaurants
– Used employment and subsequently social engineering skills (PC Anywhere) and then a "bust out" company to process card numbers
Cyber Warriors
• Sociology of warriors vs. hackers
– Morale
– Organization
– Vigilance vs. assumed invulnerability
• Motivation of warriors vs. hackers
– Accountability vs. anarchy
– Delayed vs. immediate gratification
– Internal vs. external gratification
• Preparation of warriors vs. hackers
– Training
– Tool selection
– Intelligence
• Strategy
Defenders
• System / Network Administrators
• White-hat Hackers
• Red Teams/Tiger Teams
• Vulnerability / Risk Analysts
• Intrusion Response Teams
Defense Flow
(Flow diagram: stages Indications & Warnings, Analysis & Assessment, Response, Mitigation, Remediation and Reconstitution, with a "Threshold?" decision branching No / Yes)
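As an added example (not code from the deck), this Python models the Defense Flow slide as a small state machine and drives it with a timeline shaped like the 1999 "Pace of Attack" slide: indicators accumulate in a sliding window (Analysis & Assessment), a threshold decides whether to escalate (Threshold?), and escalation walks Response, Mitigation, Remediation and Reconstitution before monitoring resumes. The indicator names and weights, the window, the thresholds and the sensor log lines are constructed assumptions, not values from the slides.

```python
"""Threshold-driven defense flow over constructed indications & warnings.

Added example (not CERT/CC code): models the slide's flow (Indications &
Warnings -> Analysis & Assessment -> Threshold? -> Response -> Mitigation ->
Remediation -> Reconstitution) as a state machine fed by a constructed
event timeline shaped like the 1999 "Pace of Attack" slide.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    INDICATIONS = "Indications & Warnings"
    RESPONSE = "Response"
    MITIGATION = "Mitigation"
    REMEDIATION = "Remediation"
    RECONSTITUTION = "Reconstitution"


# Indicator weights and window are assumptions for this example, not values
# from the slides; tune them to the environment being defended.
WEIGHTS = {
    "probe": 1, "scan": 1, "login_failure": 2, "exploit_attempt": 5,
    "privilege_escalation": 10, "audit_disabled": 10, "outbound_probe": 8,
}
WINDOW_SECONDS = 3600

# Constructed sensor log: seconds since the host was connected, indicator,
# detail. Shaped like the slide's 30 s / 1 h / 12 h timeline; addresses are
# documentation ranges.
SAMPLE_LOG = """\
30 probe src=203.0.113.7 dport=21
45 scan src=203.0.113.7 ports=21,23,25,53,80,111
3600 exploit_attempt src=198.51.100.9 service=rpc.statd
3700 login_failure src=198.51.100.9 user=root
43200 privilege_escalation user=nobody->root
43260 audit_disabled file=/var/log/messages
43300 outbound_probe dst=192.0.2.0/24 dport=111
"""
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")


@dataclass
class Event:
    t: int
    kind: str
    detail: str


def parse_log(text: str) -> list:
    """Parse 'seconds indicator detail' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m.group(1)), m.group(2), m.group(3)))
    return events


@dataclass
class DefenseFlow:
    threshold: int
    window: int = WINDOW_SECONDS
    stage: Stage = Stage.INDICATIONS
    recent: list = field(default_factory=list)       # (t, weight) inside the window
    transitions: list = field(default_factory=list)  # (t, Stage, score)

    def assess(self, now: int) -> int:
        """Analysis & Assessment: drop stale indicators, sum the rest."""
        self.recent = [(t, w) for t, w in self.recent if now - t <= self.window]
        return sum(w for _, w in self.recent)

    def observe(self, ev: Event) -> int:
        """Indications & Warnings: record an indicator and test the threshold."""
        self.recent.append((ev.t, WEIGHTS.get(ev.kind, 0)))   # unknown kinds weigh 0
        score = self.assess(ev.t)
        if self.stage is Stage.INDICATIONS and score >= self.threshold:
            self.stage = Stage.RESPONSE                       # Threshold? -> Yes
            self.transitions.append((ev.t, self.stage, score))
        return score                                          # Threshold? -> No: keep monitoring

    def run_response(self, now: int) -> Stage:
        """Walk Response -> Mitigation -> Remediation -> Reconstitution, then resume monitoring."""
        if self.stage is not Stage.RESPONSE:
            return self.stage
        for st in (Stage.MITIGATION, Stage.REMEDIATION, Stage.RECONSTITUTION):
            self.stage = st
            self.transitions.append((now, st, 0))
        self.recent.clear()                                   # reconstituted host: indicators reset
        self.stage = Stage.INDICATIONS
        return self.stage


def first_escalation(text: str, threshold: int):
    """Seconds after connect at which the flow first crosses the threshold, or None."""
    flow = DefenseFlow(threshold=threshold)
    for ev in parse_log(text):
        flow.observe(ev)
        if flow.stage is Stage.RESPONSE:
            return ev.t
    return None


if __name__ == "__main__":
    for thr in (10, 5, 2):
        print(f"threshold={thr:2d}: first escalation at t={first_escalation(SAMPLE_LOG, thr)}s")
```

Where the threshold sits decides which phase of the slide's timeline the defender reacts in: with a threshold of 10 the constructed log escalates only at the 12-hour privilege escalation, after the host is already compromised and its logging tampered with; at 5 it escalates on the 1-hour exploit attempt; at 2 it fires on the initial scan, which on an Internet-facing host would page someone every few minutes.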
Internet Growth 1988-1998
(Chart: 1988 to 1998; y-axis 0 to 40,000,000. Source: Internet Domain Survey by Network Wizards, WWW.ww.com/zone)
BS and MS Degrees in Computer and Information Sciences 1988-1998
(Chart: 1988 to 1998; y-axis 0 to 50,000. Source: Digest of Education Statistics 1997, US Office of Educational Research and Improvement, Washington DC, publisher: US Superintendent of Document, 1997)
Intrusion Response Teams
• Types:
– Automated
– Local dedicated or volunteer team
– Contracted team
• Why?
– Single-point of contact for fast response
– Provide for consistent response
– Provide for collateral relationships
• Problems:
– Resources
– Authorization to act
– Trust
Summary
• Increasingly diverse threat
• Ongoing challenge to track, trend, pursue
• Who may be as important as what