Capabilities of cyber-terrorists - potential attacks - possibility, likelihood, impact, containment...

NATO Advanced Training Seminar CYBER TERRORISM PREVENTION & COUNTERACTION Kiev, Ukraine September 27-29, 2010


NATO Advanced Training Seminar

CYBER TERRORISM PREVENTION & COUNTERACTION

Kiev, Ukraine September 27-29, 2010

About

Cristian Driga - Attorney at Law, Executive director at Computer Crime Research Centre (NGO), Romania

Main practice areas: Computer Crime & Electronic Evidence

Special interests: public policy, raising public & legal professionals awareness in the fields of computer security, computer crime and electronic evidence.

http://en.criminalitate.info http://www.driga.ro


POTENTIAL ATTACKS

Possibility, Likelihood, Impact, Containment and Recovery

NATO Advanced Training Seminar – Kiev, Ukraine 2010

Realm of the Possible

Experts agree that coordinated cyber-terrorist attacks may be used to amplify effects of conventional terrorist attacks

Tighter border controls and increased on-site security measures may trigger terrorists to shift their activities to cyber-attacks

Hacker groups may adhere to political ideologies and shift activities to cyber-terrorism

Advantages of using IT as weapon

Attacks conducted at a distance

Relative physical safety

Anonymity

Possibly undetected

Possible disadvantages - terrorist perspective

Results are less predictable

Predilection for widely visible results (deaths, panic, etc.)

Less certain results

Choice of attacks

Short time attacks vs. attacks over a longer period of time

Simpler attacks on complex targets vs. complex attacks

Attacks that require insider access

Single attacks vs. multiple attacks

Attacks against the Internet itself

Possible

Would mean attacks against the organization's own infrastructure to a certain degree.

Terrorists already use the internet

As a source of information

Propaganda

Recruitment

Planning

Coordinating

Fundraising

Cyber-attacks among other methods

Cyber-terrorist attacks against IT infrastructure are a real danger

But they are only one of a number of ways through which terrorists could act

Terrorists might use them if they have no other means of attack (suicide, explosive, chemical, etc.)

Or use them in conjunction with conventional attacks

Points to consider in choosing attack methods

Expertise and resources at hand

Desired effects

The publicity they wish to gain

Complexity of an attack

Symbolic value of the attack

The risk of being caught & likelihood of survival

The defenses that would be faced

International reaction to such an attack

How likely?

Even if some of the scenarios above may make a terrorist shift to cyber-attacks seem unlikely:

The terrorists may not behave as expected

Other groups having IT as their primary tool (hacktivists, hackers, cybercrime) may shift to cyber-terrorist activities in the name of an ideology and political agenda

Daily cyber-attacks occur on all networks. Which of them are mounted by terrorists?

Common types of incidents

Unauthorized Access

Denial of Service (DoS and DDoS)

Malicious Code

Inappropriate Use

Data Loss

Multiple component

Precursors - Unauthorized access

Reconnaissance activity (e.g. port scanning, host scanning, traceroutes, etc.)

New exploits released publicly

Users reporting possible social engineering attempts

Precursors - DoS & DDoS

Reconnaissance activity

Small amounts of traffic from attack sources

Newly released DoS tools
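The reconnaissance precursors named in the unauthorized-access and DoS slides (port scanning, host scanning) can be picked out of ordinary firewall deny logs. The following is an added example written for this page, not code from the seminar: it runs over a constructed set of log lines whose "timestamp DENY src -> dst:port" layout is an assumption, and flags a source that probes many ports on one host or the same port on many hosts.

```python
import re
from collections import defaultdict

# Constructed firewall deny records (not from the original slides); the
# "timestamp DENY src -> dst:port" layout is an assumption for this example.
SAMPLE_LOG = """\
2010-09-27T10:00:01 DENY 198.51.100.7 -> 192.0.2.10:21
2010-09-27T10:00:01 DENY 198.51.100.7 -> 192.0.2.10:22
2010-09-27T10:00:02 DENY 198.51.100.7 -> 192.0.2.10:23
2010-09-27T10:00:02 DENY 198.51.100.7 -> 192.0.2.10:25
2010-09-27T10:00:03 DENY 198.51.100.7 -> 192.0.2.10:80
2010-09-27T10:00:10 DENY 203.0.113.5 -> 192.0.2.11:445
2010-09-27T10:00:10 DENY 203.0.113.5 -> 192.0.2.12:445
2010-09-27T10:00:11 DENY 203.0.113.5 -> 192.0.2.13:445
2010-09-27T10:00:11 DENY 203.0.113.5 -> 192.0.2.14:445
2010-09-27T10:00:12 DENY 203.0.113.5 -> 192.0.2.15:445
2010-09-27T10:00:30 DENY 192.0.2.50 -> 192.0.2.10:443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)$")

def parse(log_text):
    """Yield (src, dst, port) for each well-formed deny record; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def find_reconnaissance(log_text, port_threshold=5, host_threshold=5):
    """Flag sources touching many distinct ports (port scan) or many distinct
    destination hosts (host scan). Returns {src: [labels]} for flagged sources."""
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, port in parse(log_text):
        ports_by_src[src].add(port)
        hosts_by_src[src].add(dst)
    findings = {}
    for src in ports_by_src:
        labels = []
        if len(ports_by_src[src]) >= port_threshold:
            labels.append("port scan")
        if len(hosts_by_src[src]) >= host_threshold:
            labels.append("host scan")
        if labels:
            findings[src] = labels
    return findings
```

Calling find_reconnaissance(SAMPLE_LOG) flags 198.51.100.7 as a port scan and 203.0.113.5 as a host scan; the single 443 deny from 192.0.2.50 stays below both thresholds.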

Precursors - Malicious code

New malicious code warnings for software that organizations use

Newly received files detected as infected by antivirus

Detection and Analysis - initial handling

Has an incident occurred?

What type of incident?

Reporting the incident

Estimate the impact

Appropriate incident procedures

Containment and Eradication - generic steps

Acquire & preserve evidence

Contain the incident

Look for additional incidents

Eradicate the incident:

Vulnerabilities that were used

Malicious code removal

Containment - common steps

Isolate the affected systems

Disable the affected service

Eliminate the attacker’s route into the environment

Disable user accounts that may have been used in the attack

Enhance physical security measures

Unauthorized access - specific measures

Confirm that containment was sufficient

Check other systems for intrusion

Additional containment measures if necessary

Denial of Service - specific measures

Contain the incident - stop the DoS

Identify and eliminate the vulnerabilities used

Not yet contained?

Implement filtering based on the characteristics of the attack

Contact the ISP for assistance in filtering the attack

Relocate the target

Malicious code - specific measures

Identify infected systems

Disconnect infected systems from the network

Mitigate vulnerabilities that were exploited

If necessary, block the transmission mechanisms for the malicious code

Eradication:

Disinfect, quarantine, delete, and replace infected files

Mitigate the exploited vulnerabilities for other hosts within the organization

Inappropriate use - specific measures

Acquire, preserve and document evidence

Assess the incident:

Determine whether the activity seems criminal in nature, and if necessary notify law enforcement

Discuss incident indicators and possible actions with human resources personnel

Discuss liability issues with legal counsel

Keep the investigative team small and maintain strict confidentiality

If necessary, contain and eradicate the incident

Data loss - specific measures

Acquire, preserve and document evidence

Identify how the data was lost

Assess the potential damage caused

Identify the individuals potentially affected by the loss of personally identifiable information

Estimate the current and potential effect and economic damage of the incident

Verify that data protection mechanisms are functioning properly; review and update data management processes and data policies

Multiple component incident

Every incident could be a multiple component incident

Usually contain the first detected incident and search for other components

Prioritization

Recovery

Returning to operational state

Confirm normal functioning

Implement supplemental monitoring

Forensics

Collection

Examination

Analysis

Reporting

Handling evidence

Existing legal requirements

Preserving evidence

Logs for every step, person, action taken

Data integrity

Confidentiality
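The evidence-handling slide asks for a log of every step, person and action taken, and for data integrity. The following is an added example written for this page, not code from the seminar: a minimal evidence record whose content hash is fixed at acquisition and whose custody entries are hash-chained, so that both tampering with the evidence and editing the custody log afterwards are detectable. The class and method names are this example's own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Evidence-handling helper written for this page, not taken from the slides.
# Assumption: the evidence is already acquired as bytes; custody entries form an
# append-only, hash-chained log so any later edit of the log is detectable.

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    def __init__(self, label, content, acquired_by):
        self.label = label
        self.content = content
        self.digest = sha256_hex(content)  # integrity reference at acquisition
        self.custody = []                  # every step, person and action taken
        self.log("acquired", acquired_by)

    def log(self, action, person, note=""):
        """Append a custody entry chained to the previous entry (or the digest)."""
        prev = self.custody[-1]["entry_hash"] if self.custody else self.digest
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "person": person, "note": note, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.custody.append(entry)
        return entry

    def integrity_ok(self):
        """True only if the content still matches the hash taken at acquisition."""
        return sha256_hex(self.content) == self.digest

    def custody_ok(self):
        """True only if no custody entry was altered, removed or reordered."""
        prev = self.digest
        for entry in self.custody:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True
```

In practice the chained log would be written to storage the analysts cannot rewrite in place; here it is kept in memory only to show the checks.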

Specificity of the IT environment

Comparison with fire fighting:

You can choose materials that resist fire up to a certain temperature or for a certain time

There is no way of telling how long a new security measure added to a computer or network will hold

Key factors in incident handling

Time

Lessons learned

Existing proper procedures

Cooperation & Coordination

What favors the attacks?

Persistent computer vulnerabilities

Misconfigured systems

The insider threat

Organization resistance to new policies and change

Lack of legislation and proper legal procedures

Lack of international cooperation

How to reduce risks?

Real international cooperation on cybercrime and cybersecurity (CERTs, ENISA)

National strategy on combating cybercrime

Continuous research

Training and Certification

Proper organizational policies

Education and Public awareness

Thank you!
