Capabilities of cyber-terrorists - potential attacks - possibility, likelihood, impact, containment...
TRANSCRIPT
NATO Advanced Training Seminar
CYBER TERRORISM PREVENTION & COUNTERACTION
Kiev, Ukraine September 27-29, 2010
About
Cristian Driga - Attorney at Law, Executive director at Computer Crime Research Centre (NGO), Romania
Main practice areas: Computer Crime & Electronic Evidence
Special interests: public policy, raising public and legal professionals' awareness in the fields of computer security, computer crime and electronic evidence.
http://en.criminalitate.info http://www.driga.ro
POTENTIAL ATTACKS
Possibility, Likelihood, Impact, Containment and Recovery
NATO Advanced Training Seminar – Kiev, Ukraine 2010
Realm of the Possible
Experts agree that coordinated cyber-terrorist attacks may be used to amplify the effects of conventional terrorist attacks
Tighter border controls and increased on-site security measures may prompt terrorists to shift their activities to cyber-attacks
Hacker groups may adhere to political ideologies and shift activities to cyber-terrorism
Advantages of using IT as a weapon
Attacks conducted at a distance
Relative physical safety
Anonymity
Possibly undetected
Possible disadvantages - terrorist perspective
Results are less predictable
Predilection for widely visible results (deaths, panic, etc.)
Less certain results
Choice of attacks
Short-time attacks vs. attacks over a longer period of time
Simpler attacks on complex targets vs. complex attacks
Attacks that require insider access
Single attacks vs. multiple attacks
Attacks against the Internet itself
Possible, but would to a certain degree mean attacks against the organization's own infrastructure.
Terrorists already use the Internet:
As a source of information
Propaganda
Recruitment
Planning
Coordinating
Fundraising
Cyber-attacks among other methods
Cyber-terrorist attacks against IT infrastructure are a real danger
But they are only one of a number of ways through which terrorists could act
Terrorists might use them if they have no other means of attack (suicide, explosive, chemical, etc.)
Or use them in conjunction with conventional attacks
Points to consider in choosing attack methods
Expertise and resources at hand
Desired effects
The publicity they wish to gain
Complexity of an attack
Symbolic value of the attack
The risk of being caught and likelihood of survival
The defenses that would be faced
International reaction to such an attack
How likely?
Even if some of the scenarios above may make a terrorist shift to cyber-attacks seem unlikely:
The terrorists may not behave as expected
Other groups having IT as their primary tool (hacktivists, hackers, cybercrime) may shift to cyber-terrorist activities in the name of an ideology and political agenda
Daily cyber-attacks occur on all networks. Which of them are mounted by terrorists?
Common types of incidents
Unauthorized Access
Denial of Service (DoS and DDoS)
Malicious Code
Inappropriate Use
Data Loss
Multiple Component
Precursors - Unauthorized access
Reconnaissance activity (e.g. port scanning, host scanning, traceroutes, etc.)
New exploits released publicly
Users reporting possible social engineering attempts
Precursors - DoS & DDoS
Reconnaissance activity
Small traffic from attack sources
Newly released DoS tools
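The reconnaissance precursors listed for unauthorized access and for DoS (port scanning, host scanning, small probe traffic from attack sources) can be picked out of firewall deny logs before the actual incident. The following is an added example, not part of the seminar material; the log line format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
"""Flag reconnaissance precursors (port scans, host sweeps) in firewall deny logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample: 203.0.113.5 probes 12 ports on one host (port scan),
# 198.51.100.7 probes port 445 on 8 hosts (host sweep), plus one unrelated deny.
SAMPLE_LOG = [f"2010-09-27T10:00:{i:02d} DENY src=203.0.113.5 dst=192.0.2.10 dport={20 + i}"
              for i in range(12)]
SAMPLE_LOG += [f"2010-09-27T10:01:{i:02d} DENY src=198.51.100.7 dst=192.0.2.{i} dport=445"
               for i in range(1, 9)]
SAMPLE_LOG += ["2010-09-27T10:02:00 DENY src=192.0.2.50 dst=192.0.2.10 dport=80"]


def parse(line):
    """Return (time, src, dst, dport), or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_recon(lines, window=timedelta(minutes=5), port_threshold=10, host_threshold=5):
    """Return ('port_scan', src, dst, n_ports) and ('host_sweep', src, dport, n_hosts) findings.
    Port scan: one source touches many distinct ports on one host inside the window.
    Host sweep: one source touches one port on many distinct hosts inside the window."""
    events = sorted(e for e in map(parse, lines) if e)   # unparseable lines are skipped
    findings, seen = [], set()
    for i, (t0, src, _, _) in enumerate(events):
        ports = defaultdict(set)   # dst host -> distinct ports probed by src
        hosts = defaultdict(set)   # dst port -> distinct hosts probed by src
        for t, s, d, p in events[i:]:
            if t - t0 > window:
                break
            if s == src:
                ports[d].add(p)
                hosts[p].add(d)
        for d, ps in ports.items():
            if len(ps) >= port_threshold and ("port_scan", src, d) not in seen:
                seen.add(("port_scan", src, d))
                findings.append(("port_scan", src, d, len(ps)))
        for p, hs in hosts.items():
            if len(hs) >= host_threshold and ("host_sweep", src, p) not in seen:
                seen.add(("host_sweep", src, p))
                findings.append(("host_sweep", src, p, len(hs)))
    return findings
```

Thresholds and window size should be tuned to the network; legitimate vulnerability scanners and monitoring hosts will trip the same logic and belong on an allow list.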
Precursors - Malicious code
New malicious code warnings for software that organizations use
Newly received files detected as infected by antivirus
Detection and Analysis - initial handling
Has an incident occurred?
What type of incident?
Reporting the incident
Estimate the impact
Appropriate incident procedures
Containment and Eradication - generic steps
Acquire and preserve evidence
Contain the incident
Look for additional incidents
Eradicate the incident: close the vulnerabilities that were used, remove malicious code
Containment - common steps
Isolate the affected systems
Disable the affected service
Eliminate the attacker's route into the environment
Disable user accounts that may have been used in the attack
Enhance physical security measures
Unauthorized access - specific measures
Confirm that containment was sufficient
Check other systems for intrusion
Additional containment measures if necessary
Denial of Service - specific measures
Contain the incident - stop the DoS
Identify and eliminate the vulnerabilities used
Not yet contained?
Implement filtering based on the characteristics of the attack
Contact the ISP for assistance in filtering the attack
Relocate the target
Malicious code - specific measures
Identify infected systems
Disconnect infected systems from the network
Mitigate the vulnerabilities that were exploited
If necessary, block the transmission mechanisms for the malicious code
Eradication:
Disinfect, quarantine, delete, and replace infected files
Mitigate the exploited vulnerabilities for other hosts within the organization
Inappropriate use - specific measures
Acquire, preserve and document evidence
Assess the incident:
Determine whether the activity seems criminal in nature, and if necessary notify law enforcement
Discuss incident indicators and possible actions with human resources personnel
Discuss liability issues with legal counsel
Keep the investigative team small and maintain strict confidentiality
If necessary, contain and eradicate the incident
Data loss - specific measures
Acquire, preserve and document evidence
Identify how the data was lost
Assess the potential damage caused
Identify the individuals potentially affected by the loss of personally identifiable information
Estimate the current and potential effect and economic damage of the incident
Verify that data protection mechanisms are functioning properly; review and update data management processes and data policies
Multiple component incident
Every incident could be a multiple component incident
Usually: contain the first detected incident, then search for other components
Prioritization
Recovery
Returning to an operational state
Confirm normal functioning
Implement supplemental monitoring
Handling evidence
Existing legal requirements
Preserving evidence
Logs for every step, person and action taken
Data integrity
Confidentiality
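The evidence handling points above (preserving evidence, a log of every step, person and action taken, data integrity) can be backed by a custody record in which the evidence is hashed on acquisition and every later entry commits to the hash of the entry before it, so that any edit to the content or to the log is detectable. This is an added example, not from the seminar; the evidence bytes, handler names and timestamps are constructed.

```python
"""Evidence custody log: content hash plus a hash-chained record of every action taken."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record. Entry 0 commits to the hash of the evidence content;
    every later entry commits to the hash of the previous entry."""

    def __init__(self, evidence_id: str, content: bytes, person: str, when: str):
        self.evidence_id = evidence_id
        self.content_hash = sha256_hex(content)
        self.entries = []
        self.append("acquired", person, when, "evidence acquired and hashed")

    @staticmethod
    def _entry_hash(body: dict) -> str:
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def append(self, action: str, person: str, when: str, note: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.content_hash
        body = {"seq": len(self.entries), "action": action, "person": person,
                "when": when, "note": note, "prev": prev}
        body["hash"] = self._entry_hash(body)
        self.entries.append(body)

    def verify(self, content: bytes):
        """Return (True, None) if content and chain are intact, otherwise (False, where):
        where is -1 if the evidence content was altered, else the seq of the first bad entry."""
        if sha256_hex(content) != self.content_hash:
            return False, -1
        prev = self.content_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._entry_hash(body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


# Constructed sample evidence and custody events; names and times are illustrative.
EVIDENCE = b"constructed sample of captured network traffic"
log = CustodyLog("EV-2010-001", EVIDENCE, "handler A", "2010-09-27T10:05:00")
log.append("transferred", "handler B", "2010-09-27T11:00:00", "handed over for analysis")
```

The chain only detects tampering; to prevent it, the final entry hash should be stored somewhere the handlers cannot rewrite (a signed or write-once record).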
Specificity of the IT environment
Comparison with fire fighting: you can choose materials that resist fire up to a certain temperature or for a certain time
There is no way of telling how long a new security measure added to a computer or network will hold
Key factors in incident handling
Time
Lessons learned
Existing proper procedures
Cooperation and coordination
What favors the attacks?
Persistent computer vulnerabilities
Misconfigured systems
The insider threat
Organizational resistance to new policies and change
Lack of legislation and proper legal procedures
Lack of international cooperation
How to reduce risks?
Real international cooperation on cybercrime and cybersecurity (CERTs, ENISA)
National strategy on combating cybercrime
Continuous research
Training and certification
Proper organizational policies
Education and public awareness
Thank you!