© 2002 Carnegie Mellon University Attackers: 1 Attackers and Defenders


Page 1: Attackers and Defenders

Page 2: Overview

• Hackers/Crackers

• Defenders

Page 3: References

http://www.cert.org

InfoWar: http://infowar.freeservers.com/index.html

http://www.nmrc.org/links/

Culture: http://www.eff.org/pub/Net_culture/

Terrorism: http://www.terrorism.com/terrorism/links.shtml

Books:

Sterling - The Hacker Crackdown

Stoll - The Cuckoo’s Egg

Honeynet Project - Know Your Enemy

Page 4: Attackers

• National Security

– Critical National Infrastructure

– Cyber-Warfare

• Computer Crime

– Organized Crime

– Hackers/Crackers

– Identity Theft

– Extortion

– Fraud

• Non-State Actors

– Terrorists

– Political Activists

Page 5: Transnational Virtual Crime

[Diagram of overlapping categories: Organized crime, Hacktivism, Insider crime, Hackers/Crackers, Cyber-crime]

Page 6: Hackers/Crackers

• Old-Line Hackers

• Scr1pt Kiddiez

• Tool Writers / Virus Writers

• Reverse Engineers / Vulnerability finders

• Social Engineers

• Hacktivists

Page 7: Attack Sophistication vs. Intruder Technical Knowledge

[Chart: vertical axis Low to High, horizontal axis 1980 to 2000; two curves labelled "Intruder Knowledge" and "Attack Sophistication", with "Tools" and "Attackers" as the two plotted series. Techniques labelled along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack]

Page 8: Vulnerability Exploit Cycle

[Cycle diagram, stages in order: Advanced Intruders Discover New Vulnerability → Crude Exploit Tools Distributed → Novice Intruders Use Crude Exploit Tools → Automated Scanning/Exploit Tools Developed → Widespread Use of Automated Scanning/Exploit Tools → Intruders Begin Using New Types of Exploits → back to the start]

Page 9: Service Shifts

[Chart: monthly counts, Jun-00 to Feb-01, vertical axis 0 to 120; series: DNS, HTTP, FTP, RPC, email, IRC]

Page 10: Incident Data

• Profile of 2 six-month periods

– Sept 1, 2000 – Feb 1, 2001: 1027 incidents

– Sept 1, 2001 – Feb 1, 2002: 997 incidents

• Examined “damaging” incidents, excluding:

• Simple probes & scans

• Information Requests

• Hoaxes

• False Alarms

• Overly vague reports

Page 11: Method of Attack

[Two weekly time-series charts. Sept 1, 2001 to Feb 2, 2002, vertical axis 0 to 80; series: Virus, Root Compromise, Recon, Denial of Service, User Compromise, Misuse of Resources, Web Compromise, Social Engineering, Trojan Horse, Other. Sept 2, 2000 to Feb 3, 2001, vertical axis 0 to 100; series: Root Compromise, Virus, Web Compromise, Denial of Service, Recon, Misuse of Resources, Worm, User Compromise, Trojan, Social Engineering, Varied]

Page 12: Reporter

[Two weekly time-series charts of reporting organizations by sector. Sept 2, 2000 to Feb 3, 2001, vertical axis 0 to 100; series: gov, com, intl, user, edu, isp, org, fin, k12, misc, other. Sept 1, 2001 to Feb 2, 2002, vertical axis 0 to 70; series: com, user, gov, intl, edu, org, isp, k12, unknown, misc]

Page 13: Impact at Reporting Site

[Two weekly time-series charts. Sept 1, 2001 to Feb 2, 2002, vertical axis 0 to 80; series: Distort, Disrupt, Disclosure, Destruct, Deception. Aug 26, 2000 to Jan 27, 2001, vertical axis 0 to 100; series: Distort, Disrupt, Disclosure, Destruct, Deception, Unknown]

Page 14: Pace of Attack - 1999

• Out-of-the-box Linux PC hooked to Internet, not announced:

[30 seconds] First service probes/scans detected

[1 hour] First compromise attempts detected

[12 hours] PC fully compromised:

– Administrative access obtained

– Event logging selectively disabled

– System software modified to suit intruder

– Attack software installed

– PC actively probing for new hosts to intrude

Clear the disk and try again!

Page 15: Organized Crime

• Individual crime may be difficult to differentiate from organized crime:

– Distribution and coordination tools

– Mass exploitation methods

• Organized crime exploits information technologies in various ways:

– Enhanced efficiencies: on-line management of illegal gambling schemes

– Intelligence tool for risk management: the Cali organization in 1995 had state-of-the-art equipment

– Force multiplier: GPS for sea drops

• New channels and new targets for crime

Page 16: European Union Bank

• Fraud on line

• Russian organized crime figures

• Offshore banking – Antigua

• Solicited deposits on-line

• Warnings from various sources

• Bank collapsed

Page 17: Chinese Activities

What We Have Observed:

• A series of activities over 3 years from similar network locations

• A series of attack tools in last 1.5 years: QAZ, Red Lyon, Code Red

• Political timing

What We Surmise:

• Diverse team with resources

• Using hackers/loose ISP for cover

• Keeping attacks below threshold

• Studying reaction/defense

Page 18: Cracker Team Structure

• ISTJ personality

• Ephemeral teams

• Little team structure

• Internal and external friction

• Occasional persistency

Page 19: Staged Attack

[Diagram: attack proceeding through three numbered stages, 1, 2, 3]

Page 20: Auto-Coordinated Attack

[Diagram with labelled nodes: Probe, Victim, Victim2, Identity, Compromise & Coopt, Probe]

• Remote, fast-acting

• Adapts existing tools

• Limited deployment

• Sophisticated reporters

Page 21: Hacker to Terrorism?

• Defaced health-care web site in India

• "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat

• Post-dates activity by Pakistani Hackers Club

• Linked to G-Force Pakistan

• Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)

– Differing expertise

– Multiple actors/teams

– Transnational collaborations

Page 22: Pakistani/Indian Defacements

[Timeline of defacements with marks at 10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01, continuing ("More…"); each defacement is classed as well written or juvenile, and as mentioning or not mentioning terrorist organizations]

Sources: attrition.org, alldas.de

Page 23: Cyber Terrorism

• Cyberterror is still emerging

– Evolving threat

– Integrating critical missions with general Internet

– Increasing damage/speed of attacks

– Continued vulnerability of off-the-shelf software

• Much confusion of descriptions and definitions

• Widely viewed as critical weakness of Western nations

Page 24: Hacktivism

• Hacking for politics

– Primarily websites

– High publicity / calls for public participation

• Examples:

– WTO 1999/2000/…

– Monsanto / Genetic Engineering of plants

Page 25: Cyber-Intifada

• Prolonged campaign

– Palestinian hackers/web defacers

– Targeting Israeli and Israel-supporting organizations

– Low innovation level

• Counter-campaigns

– Publicity

– Counter-hacking: 2xS.co.il

Page 26: Insiders

• Most cyber-crime will be perpetrated by individuals rather than criminal organizations per se

• Individuals, including insiders, are becoming quick to exploit the transnational nature of the Internet

Page 27: Insiders – The Prouty Case

• American Express – the largest network intrusion and credit card fraud activity in its history

– Actual losses $8 million

– Potential losses $20 million

• David Prouty worked for a POS company providing credit card equipment to restaurants.

– August 1999 to January 2001: compromised computer networks of 10 restaurants

– Used employment and subsequently social engineering skills (PC Anywhere) and then a “bust out” company to process card numbers

Page 28: Cyber Warriors

• Sociology of warriors vs. hackers

– Morale

– Organization

– Vigilance vs. assumed invulnerability

• Motivation of warriors vs. hackers

– Accountability vs. anarchy

– Delayed vs. immediate gratification

– Internal vs. external gratification

• Preparation of warriors vs. hackers

– Training

– Tool selection

– Intelligence

• Strategy

Page 29: Defenders

• System / Network Administrators

• White-hat Hackers

• Red Teams/Tiger Teams

• Vulnerability / Risk Analysts

• Intrusion Response Teams

Page 30: Defense Flow

[Flowchart with stages Indications & Warnings, Analysis & Assessment, Mitigation, Response, Remediation, Reconstitution, and a decision node "Threshold?" with No and Yes branches]

Page 31: Internet Growth 1988-1998

[Two charts spanning 1988 to 1998. Internet Growth, vertical axis 0 to 40,000,000. Source: Internet Domain Survey by Network Wizards, WWW.ww.com/zone. BS and MS Degrees in Computer and Information Sciences, vertical axis 0 to 50,000. Source: Digest of Education Statistics 1997, US Office of Educational Research and Improvement, Washington DC, publisher: US Superintendent of Documents, 1997]

Page 32: Intrusion Response Teams

• Types:

– Automated

– Local dedicated or volunteer team

– Contracted team

• Why?

– Single point of contact for fast response

– Provide for consistent response

– Provide for collateral relationships

• Problems:

– Resources

– Authorization to act

– Trust

Page 33: Summary

• Increasingly diverse threat

• Ongoing challenge to track, trend, pursue

• Who may be as important as what