
© 2002 Carnegie Mellon University Attackers: 1

Attackers and Defenders

© 2002 Carnegie Mellon University Attackers: 2

Overview

• Hackers/Crackers

• Defenders

© 2002 Carnegie Mellon University Attackers: 3

References

http://www.cert.org

InfoWar:

http://infowar.freeservers.com/index.html

http://www.nmrc.org/links/

Culture: http://www.eff.org/pub/Net_culture/

Terrorism: http://www.terrorism.com/terrorism/links.shtml

Books:

Sterling - The Hacker Crackdown

Stoll - The Cuckoo’s Egg

Honeynet Project – Know Your Enemy

© 2002 Carnegie Mellon University Attackers: 4

Attackers

• National Security

– Critical National Infrastructure

– Cyber-Warfare

• Computer Crime

– Organized Crime

– Hackers/Crackers

– Identity Theft

– Extortion

– Fraud

• Non-State Actors

– Terrorists

– Political Activists

© 2002 Carnegie Mellon University Attackers: 5

Transnational Virtual Crime

[Diagram of overlapping categories: organized crime, hacktivism, insider crime, hackers/crackers, cyber-crime]

© 2002 Carnegie Mellon University Attackers: 6

Hackers/Crackers

• Old-Line Hackers

• Scr1pt Kiddiez

• Tool Writers / Virus Writers

• Reverse Engineers / Vulnerability finders

• Social Engineers

• Hacktivists

© 2002 Carnegie Mellon University Attackers: 7

Attack Sophistication vs. Intruder Technical Knowledge

[Chart, x-axis 1980 to 2000, y-axis Low to High, plotting Attack Sophistication (Tools) against Intruder Knowledge (Attackers). Technique labels along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack]

© 2002 Carnegie Mellon University Attackers: 8

Vulnerability Exploit Cycle

[Cycle diagram] Advanced intruders discover new vulnerability → Crude exploit tools distributed → Novice intruders use crude exploit tools → Automated scanning/exploit tools developed → Widespread use of automated scanning/exploit tools → Intruders begin using new types of exploits → (back to the start of the cycle)

© 2002 Carnegie Mellon University Attackers: 9

Service Shifts

[Chart of monthly counts, Jun-00 to Feb-01, y-axis 0 to 120, one series per service: DNS, HTTP, FTP, RPC, email, IRC]

© 2002 Carnegie Mellon University Attackers: 10

Incident Data

• Profile of 2 six-month periods

– Sept 1, 2000 – Feb 1, 2001: 1027 incidents

– Sept 1, 2001 – Feb 1, 2002: 997 incidents

• Examined “damaging” incidents, excluding:

– Simple probes & scans

– Information Requests

– Hoaxes

– False Alarms

– Overly vague reports
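As an added example (not part of the original slides or CERT/CC's own tooling), the filtering and tallying the slide describes, run over a constructed set of incident reports: drop the excluded report types, restrict to each six-month window, and count by method of attack and by impact as the later charts do. The record layout, the category labels and the treatment of both window ends as inclusive are assumptions.

```python
from collections import Counter
from datetime import date

# Report types the slide excludes before counting "damaging" incidents (labels assumed).
EXCLUDED = {"probe/scan", "information request", "hoax", "false alarm", "vague report"}

# The two six-month windows profiled on the slide; both ends treated as inclusive (assumption).
PERIODS = {
    "2000-01": (date(2000, 9, 1), date(2001, 2, 1)),
    "2001-02": (date(2001, 9, 1), date(2002, 2, 1)),
}

# Constructed sample reports, not CERT/CC data: (date, report type, method of attack, impact).
SAMPLE = [
    (date(2000, 9, 4), "incident", "root compromise", "disclosure"),
    (date(2000, 9, 4), "probe/scan", "recon", "unknown"),
    (date(2000, 10, 2), "incident", "virus", "disrupt"),
    (date(2000, 11, 6), "hoax", "other", "deception"),
    (date(2001, 1, 15), "incident", "denial of service", "disrupt"),
    (date(2001, 2, 1), "incident", "web compromise", "distort"),
    (date(2001, 9, 18), "incident", "virus", "disrupt"),
    (date(2001, 9, 18), "false alarm", "other", "unknown"),
    (date(2001, 10, 9), "incident", "root compromise", "destruct"),
    (date(2001, 12, 3), "incident", "web compromise", "distort"),
    (date(2002, 1, 7), "vague report", "other", "unknown"),
    (date(2002, 1, 21), "incident", "virus", "disrupt"),
]

def damaging(records):
    """Drop the report types the slide excludes; everything else counts as damaging."""
    return [r for r in records if r[1] not in EXCLUDED]

def in_period(records, period):
    """Restrict to one of the two profiled six-month windows."""
    start, end = PERIODS[period]
    return [r for r in records if start <= r[0] <= end]

def profile(records, period):
    """Total damaging incidents in a period, plus breakdowns by method and by impact."""
    rows = in_period(damaging(records), period)
    return len(rows), Counter(r[2] for r in rows), Counter(r[3] for r in rows)

def weekly(records, period, method):
    """Per-ISO-week counts of one method, i.e. one series of the 'Method of Attack' chart."""
    rows = in_period(damaging(records), period)
    return Counter(r[0].isocalendar()[:2] for r in rows if r[2] == method)

if __name__ == "__main__":
    for name in PERIODS:
        print(name, *profile(SAMPLE, name))
```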

© 2002 Carnegie Mellon University Attackers: 11

Method of Attack

[Two charts of weekly incident counts by method of attack.
Sept 1, 2001 – Feb 2, 2002 (y-axis 0 to 80): Virus, Root Compromise, Recon, Denial of Service, User Compromise, Misuse of Resources, Web Compromise, Social Engineering, Trojan Horse, Other.
Sept 2, 2000 – Feb 3, 2001 (y-axis 0 to 100): Root Compromise, Virus, Web Compromise, Denial of Service, Recon, Misuse of Resources, Worm, User Compromise, Trojan, Social Engineering, Varied.]

© 2002 Carnegie Mellon University Attackers: 12

Reporter

[Two charts of weekly incident counts by reporter type.
Sept 2, 2000 – Feb 3, 2001 (y-axis 0 to 100): gov, com, intl, user, edu, isp, org, fin, k12, misc, other.
Sept 1, 2001 – Feb 2, 2002 (y-axis 0 to 70): com, user, gov, intl, edu, org, isp, k12, unknown, misc.]

© 2002 Carnegie Mellon University Attackers: 13

Impact at Reporting Site

[Two charts of weekly incident counts by impact.
Sept 1, 2001 – Feb 2, 2002 (y-axis 0 to 80): Distort, Disrupt, Disclosure, Destruct, Deception.
Aug 26, 2000 – Jan 27, 2001 (y-axis 0 to 100): Distort, Disrupt, Disclosure, Destruct, Deception, Unknown.]

© 2002 Carnegie Mellon University Attackers: 14

Pace of Attack - 1999

• Out-of-the-box Linux PC hooked to Internet, not announced:

– [30 seconds] First service probes/scans detected

– [1 hour] First compromise attempts detected

– [12 hours] PC fully compromised:
  Administrative access obtained
  Event logging selectively disabled
  System software modified to suit intruder
  Attack software installed
  PC actively probing for new hosts to intrude

Clear the disk and try again!

© 2002 Carnegie Mellon University Attackers: 15

Organized Crime

• Individual crime may be difficult to differentiate from organized crime:

– Distribution and Coordination tools

– Mass exploitation methods

• Organized crime exploitation of Information technologies in various ways

– Enhanced efficiencies – on-line management of illegal gambling schemes

– Intelligence tool for risk management – Cali organization in 1995 had state of the art equipment

– Force multiplier – GPS for sea drops

• New channels and new targets for crime

© 2002 Carnegie Mellon University Attackers: 16

European Union Bank

• Fraud on Line

• Russian organized crime figures

• Offshore banking – Antigua

• Solicited deposits on-line

• Warnings from various sources

• Bank collapsed

© 2002 Carnegie Mellon University Attackers: 17

Chinese Activities

What We Have Observed:

• A series of activities over 3 years from similar network locations

• A series of attack tools in last 1.5 years: QAZ, Red Lyon, Code Red

• Political timing

What We Surmise:

• Diverse team with resources

• Using hackers/loose ISP for cover

• Keeping attacks below threshold

• Studying reaction/defense

© 2002 Carnegie Mellon University Attackers: 18

Cracker Team Structure

• ISTJ personality

• Ephemeral teams

• Little team structure

• Internal and external friction

• Occasional persistency

© 2002 Carnegie Mellon University Attackers: 19

Staged Attack

[Diagram of a three-stage attack; only the stage numbers 1, 2, 3 survive]

© 2002 Carnegie Mellon University Attackers: 20

Auto-Coordinated Attack

[Diagram with nodes Victim and Victim2 and labelled edges Probe, Identity, Compromise & Coopt, Probe]

• Remote, fast-acting

• Adapts existing tools

• Limited deployment

• Sophisticated reporters

© 2002 Carnegie Mellon University Attackers: 21

Hacker to Terrorism?

• Defaced Health-care web site in India

• "This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat

• Post-dates activity by Pakistani Hackers Club

• Linked to G-Force Pakistan

• Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)

– Differing expertise

– Multiple actors/teams

– Transnational collaborations

© 2002 Carnegie Mellon University Attackers: 22

Pakistani/Indian Defacements

[Timeline figure, 10/99 to 4/01 in quarterly steps (10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01); defacements classified as well written vs. juvenile and as mentioning vs. not mentioning terrorist organizations; "More…"]

Sources: attrition.org, alldas.de

© 2002 Carnegie Mellon University Attackers: 23

Cyber Terrorism

• Cyberterror is still emerging

– Evolving threat

– Integrating critical missions with general Internet

– Increasing damage/speed of attacks

– Continued vulnerability of off-the-shelf software

• Much confusion of descriptions and definitions

• Widely viewed as critical weakness of Western nations

© 2002 Carnegie Mellon University Attackers: 24

Hacktivism

• Hacking for politics

– Primarily websites

– High publicity / calls for public participation

• Examples:

– WTO 1999/2000/…

– Monsanto / Genetic Engineering of plants

© 2002 Carnegie Mellon University Attackers: 25

Cyber-Intifada

• Prolonged campaign

– Palestinian hackers/web defacers

– Targeting Israeli and Israel-supporting organizations

– Low innovation level

• Counter-campaigns

– Publicity

– Counter-hacking: 2xS.co.il

© 2002 Carnegie Mellon University Attackers: 26

Insiders

• Most cyber-crime will be perpetrated by individuals rather than criminal organizations per se

• Individuals, including insiders, are becoming quick to exploit the transnational nature of the Internet

© 2002 Carnegie Mellon University Attackers: 27

Insiders – The Prouty Case

• American Express – the largest network intrusion and credit card fraud activity in its history – actual losses $8 million – potential losses $20 million

– David Prouty worked for POS company providing credit card equipment to restaurants.

– August 1999 to January 2001 compromised computer networks of 10 restaurants

– Used employment and subsequently social engineering skills (PC Anywhere) and then a “bust out” company to process card numbers

© 2002 Carnegie Mellon University Attackers: 28

Cyber Warriors

• Sociology of warriors vs. hackers

– Morale

– Organization

– Vigilance vs. assumed invulnerability

• Motivation of warriors vs. hackers

– Accountability vs. anarchy

– Delayed vs. immediate gratification

– Internal vs. external gratification

• Preparation of warriors vs. hackers

– Training

– Tool selection

– Intelligence

• Strategy

© 2002 Carnegie Mellon University Attackers: 29

Defenders

• System / Network Administrators

• White-hat Hackers

• Red Teams/Tiger Teams

• Vulnerability / Risk Analysts

• Intrusion Response Teams

© 2002 Carnegie Mellon University Attackers: 30

Defense Flow

[Flow diagram with stages Indications & Warnings, Analysis & Assessment, Mitigation, Remediation, Response and Reconstitution, and a "Threshold?" decision with Yes and No branches]

© 2002 Carnegie Mellon University Attackers: 31

Internet Growth 1988-1998

[Chart, 1988 vs. 1998, y-axis 0 to 40,000,000]

Source: Internet Domain Survey by Network Wizards, WWW.ww.com/zone

BS and MS Degrees in Computer and Information Sciences 1988-1998

[Chart, 1988 vs. 1998, y-axis 0 to 50,000]

Source: Digest of Education Statistics 1997, US Office of Educational Research and Improvement, Washington DC, publisher: US Superintendent of Documents, 1997

© 2002 Carnegie Mellon University Attackers: 32

Intrusion Response teams

• Types:

– Automated

– Local dedicated or volunteer team

– Contracted team

• Why?

– Single-point of contact for fast response

– Provide for consistent response

– Provide for collateral relationships

• Problems:

– Resources

– Authorization to act

– Trust

© 2002 Carnegie Mellon University Attackers: 33

Summary

• Increasingly diverse threat

• Ongoing challenge to track, trend, pursue

• Who may be as important as what
