Page 1: Cyber Intelligence Analysis

CERT Centers, Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

SEI is sponsored by the U.S. Department of Defense
© 2000 by Carnegie Mellon University

Intelligence - page 1

Cyber Intelligence Analysis

Page 2: Cyber Intelligence Analysis

A Different Internet

Armies may cease to march

Stock may lose a hundred points

Businesses may be bankrupted

Individuals may lose their social identity

Threats not from novice teenagers, but purposeful military, political, and criminal organizations

Page 3: Cyber Intelligence Analysis

Purpose of Intelligence

1. Identify the need for action

2. Provide the insight and context for deciding among courses of action

3. Provide information on the effectiveness of pursuing the selected course of action

Page 4: Cyber Intelligence Analysis

Change of View

Page 5: Cyber Intelligence Analysis

Content / Context of Intelligence

Page 6: Cyber Intelligence Analysis

What is Cyber Intelligence?

Internet Behavior

Intrusions/Responses

Threats/Counters

Vulnerabilities/Fixes

Operators/Groups

Victims

Stimuli/Motives

Opportunities

Page 7: Cyber Intelligence Analysis

Strategic Intelligence Analysis

• Provides “Big Picture” assessment

• Trend Analysis

• Sector Threat assessments

• Potential Damage assessments

• Categorization of Attacks and Attackers

• Identification of Anomalies

Page 8: Cyber Intelligence Analysis

Tactical Intelligence Analysis

• Linking element between macro- and micro-level analysis

• Cluster and pattern analysis

• Temporal patterns

• Profiling

• Analysis of intrusion methods

• Commonality of targets

• Reinforces and complements Strategic Analytic efforts

Page 9: Cyber Intelligence Analysis

Using CERT/CC Data

• Year 2000 - 21,756 Incidents

• 16,129 Probes/Scans

• 2,912 Information Requests

• 261 Hoaxes, false alarms, vul reports, unknown

• 2,454 Incidents with substantive impact on target (21,756 - 16,129 - 2,912 - 261)

• Profiled 639 incidents, all active during July-Sept 2000

(profiling work is ongoing)

• Many different dimensions for analysis and trend generation (analysis work is ongoing)

Page 10: Cyber Intelligence Analysis

Immediate Data Observations

Increasing trend of incidents per month (some incidents carry over between months)

Increasing diversity of ports used in incidents

Shifts in services used in incidents

Shifts in operating systems involved in incidents

Generic attack tools adapted to specific targets

[Chart: Incidents Active per month, June through October 2000 (y-axis 0 to 600)]

[Chart: Ports in Incidents, year 2000 (y-axis 0 to 50)]
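The dimensions the Tactical Intelligence Analysis slide lists (temporal patterns, profiling, commonality of targets) and the observations above (incidents per month with carry-over, port diversity, service and operating-system shifts) all reduce to counting profiled incidents along a chosen dimension per period. The Python below is an added example, not CERT/CC code or data: the incident records are constructed, the field names are illustrative, the deck's short service, OS and target labels are reused only as values, and the carry-over rule (an incident counts in every month it was open) is an assumption about how the deck's monthly chart was built.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Incident:
    """One profiled incident. Values reuse the deck's short labels for
    service, OS, target sector and impact; the records below are constructed."""
    ident: str
    start: date          # first day the incident was active
    end: date            # last day the incident was active
    ports: tuple         # destination ports observed
    service: str         # DNS, HTTP, FTP, RPC, email, IRC
    os: str              # deck's OS labels, e.g. LX, NT, So, Un
    sector: str          # deck's target categories, e.g. com, edu, gov, isp, org
    impact: str          # Deception, Destruct, Disclosure, Disrupt, Distort


# Constructed sample, not CERT/CC data.
INCIDENTS = [
    Incident("inc-01", date(2000, 6, 26), date(2000, 6, 28), (53,), "DNS", "LX", "com", "Disrupt"),
    Incident("inc-02", date(2000, 6, 29), date(2000, 7, 3), (80,), "HTTP", "NT", "edu", "Distort"),
    Incident("inc-03", date(2000, 7, 5), date(2000, 7, 6), (21,), "FTP", "So", "gov", "Disclosure"),
    Incident("inc-04", date(2000, 7, 12), date(2000, 7, 12), (111, 32771), "RPC", "So", "edu", "Disclosure"),
    Incident("inc-05", date(2000, 7, 20), date(2000, 7, 22), (80, 443), "HTTP", "NT", "com", "Distort"),
    Incident("inc-06", date(2000, 8, 2), date(2000, 8, 2), (6667,), "IRC", "LX", "isp", "Disrupt"),
    Incident("inc-07", date(2000, 8, 9), date(2000, 8, 15), (25,), "email", "Un", "org", "Deception"),
    Incident("inc-08", date(2000, 8, 28), date(2000, 9, 4), (111,), "RPC", "LX", "edu", "Disclosure"),
    Incident("inc-09", date(2000, 9, 7), date(2000, 9, 8), (80, 8080, 3128), "HTTP", "NT", "com", "Distort"),
]


def months_active(inc):
    """Every (year, month) the incident was open. An incident straddling a
    month boundary is counted in both months (assumed carry-over rule)."""
    months = []
    cur = date(inc.start.year, inc.start.month, 1)
    while cur <= inc.end:
        months.append((cur.year, cur.month))
        cur = (cur.replace(day=28) + timedelta(days=4)).replace(day=1)  # first day of next month
    return months


def incidents_per_month(incidents):
    counts = Counter()
    for inc in incidents:
        for m in months_active(inc):
            counts[m] += 1
    return dict(sorted(counts.items()))


def distinct_ports_per_month(incidents):
    """Port diversity: how many different destination ports appear each month."""
    ports = defaultdict(set)
    for inc in incidents:
        for m in months_active(inc):
            ports[m].update(inc.ports)
    return {m: len(p) for m, p in sorted(ports.items())}


def breakdown(incidents, dimension):
    """Monthly counts along one profiling dimension:
    'service', 'os', 'sector' (commonality of targets) or 'impact'."""
    table = defaultdict(Counter)
    for inc in incidents:
        for m in months_active(inc):
            table[m][getattr(inc, dimension)] += 1
    return {m: dict(c) for m, c in sorted(table.items())}


def month_to_month_change(series):
    """Deltas between consecutive months of a per-month series, for trend reading."""
    keys = list(series)
    return {keys[i]: series[keys[i]] - series[keys[i - 1]] for i in range(1, len(keys))}


if __name__ == "__main__":
    monthly = incidents_per_month(INCIDENTS)
    print("incidents per month:", monthly)
    print("month-to-month change:", month_to_month_change(monthly))
    print("distinct ports per month:", distinct_ports_per_month(INCIDENTS))
    for dim in ("service", "os", "sector", "impact"):
        print(dim, breakdown(INCIDENTS, dim))
```

Because an incident is counted in every month it was open, the monthly totals can sum to more than the number of incidents; that is the carry-over the slide warns about, and any trend read from the monthly series should be checked against the per-incident count before it goes into a report.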

Page 11: Cyber Intelligence Analysis

Service Shifts

[Chart: incidents per service, June through September 2000 (y-axis 0 to 60); series: DNS, HTTP, FTP, RPC, email, IRC]

Page 12: Cyber Intelligence Analysis

Weekly Incidents

[Chart: incidents per week, weeks of 6/24/00 through 9/16/00 (y-axis 0 to 70)]

Page 13: Cyber Intelligence Analysis

Weekly Incidents by Target

[Chart: incidents per week by target category (y-axis 0 to 70); series: user, org, misc, isp, intl, gov, fin, edu, eat, com]

Page 14: Cyber Intelligence Analysis

Monthly Incidents by Target

[Chart: incidents per month by target category, July through September 2000 (y-axis 0 to 250); series: User, Com, eat, edu, fin, gov, intl, isp, misc, org]

Page 15: Cyber Intelligence Analysis

Weekly Incidents by OS

[Chart: incidents per week by operating system (y-axis 0 to 70); series as labelled in the deck: unknown, Un, So, NT, MO, misc, LX, IR]

Page 16: Cyber Intelligence Analysis

Monthly Incidents by Operating System

[Chart: incidents per month by operating system, July through September 2000 (y-axis 0 to 120); series as labelled in the deck: UNKNOWN, IR, LX, misc, MO, NT, So, Un]

Page 17: Cyber Intelligence Analysis

Weekly Incidents by Impact

[Chart: incidents per week by impact (y-axis 0 to 70); series: Distort, Disrupt, Disclosure, Destruct, Deception]

Page 18: Cyber Intelligence Analysis

Monthly Incidents by Impact

[Chart: incidents per month by impact, July through September 2000 (y-axis 0 to 180); series: Deception, Destruct, Disclosure, Disrupt, Distort]

Page 19: Cyber Intelligence Analysis

Drivers for Weekly Incidents

[Chart: incidents per week, weeks of 6/24/00 through 9/16/00 (y-axis 0 to 70), annotated with candidate drivers: Independence Day, Labor Day, Advisory/Alert, New Toolkits, DefCon]
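The drivers chart places holidays, advisories, toolkit releases and a conference against the weekly series by eye. One way to make that linkage systematic, as an added example and not the deck's method: flag weeks whose count falls outside a robust median/MAD band, then list the known calendar events overlapping each flagged week as candidate drivers for the analyst to confirm. The weekly counts and the Advisory/Alert and New Toolkits dates are constructed; Independence Day and Labor Day are the 2000 calendar dates; the DefCon dates are an assumption.

```python
from datetime import date, timedelta
from statistics import median

# Constructed weekly incident counts; each week starts on the Saturday the deck's
# x-axis labels name (6/24/00 was a Saturday).
WEEKLY = [
    (date(2000, 6, 24), 30), (date(2000, 7, 1), 22), (date(2000, 7, 8), 35),
    (date(2000, 7, 15), 38), (date(2000, 7, 22), 40), (date(2000, 7, 29), 62),
    (date(2000, 8, 5), 45), (date(2000, 8, 12), 48), (date(2000, 8, 19), 50),
    (date(2000, 8, 26), 55), (date(2000, 9, 2), 36), (date(2000, 9, 9), 64),
    (date(2000, 9, 16), 60),
]

# Candidate drivers as (label, first day, last day).
EVENTS = [
    ("Independence Day", date(2000, 7, 4), date(2000, 7, 4)),   # 2000 calendar
    ("DefCon", date(2000, 7, 28), date(2000, 7, 30)),           # assumed dates
    ("New Toolkits", date(2000, 8, 24), date(2000, 8, 24)),     # constructed
    ("Labor Day", date(2000, 9, 4), date(2000, 9, 4)),          # 2000 calendar
    ("Advisory/Alert", date(2000, 9, 12), date(2000, 9, 12)),   # constructed
]


def robust_bounds(values, k=1.5):
    """Median +/- k * MAD: a baseline that a few spike weeks do not drag upward,
    unlike a mean/standard-deviation band."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return m - k * mad, m + k * mad


def events_in_week(week_start, events, days=7):
    """Labels of events whose date range overlaps the window starting on week_start."""
    week_end = week_start + timedelta(days=days - 1)
    return [label for label, first, last in events if first <= week_end and last >= week_start]


def flag_weeks(series, events, k=1.5):
    """Weeks outside the robust band, each with overlapping events as candidate
    drivers. Overlap is a lead for the analyst, not proof of causation."""
    lo, hi = robust_bounds([count for _, count in series], k)
    flagged = []
    for week_start, count in series:
        if count > hi or count < lo:
            flagged.append({
                "week": week_start.isoformat(),
                "count": count,
                "direction": "high" if count > hi else "low",
                "drivers": events_in_week(week_start, events),
            })
    return flagged


if __name__ == "__main__":
    print("band:", robust_bounds([count for _, count in WEEKLY]))
    for f in flag_weeks(WEEKLY, EVENTS):
        print(f)
```

A week that holds an event but stays inside the band (here the Labor Day week) is deliberately not reported: the point of the band is to keep the analyst's attention on weeks where the series actually moved, and to present the event only as a hypothesis to test against the incident records themselves.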

Page 20: Cyber Intelligence Analysis

Operational Intelligence Analysis

• Overlaps with Tactical Analysis

• Technical assessments of intrusion methods

• Specific investigation of intruders

• Identification of vulnerabilities to support mitigation

• Attribution

Page 21: Cyber Intelligence Analysis

Example: Signed Defacement

Defaced Health-care web site in India

"This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat.

Post-dates activity by Pakistani Hackers Club

Level of activity is not significant

Claim of identity may be significant

Page 22: Cyber Intelligence Analysis

Example: Coordinated Automated Attack

[Diagram: Probe -> Victim -> Compromise & Coopt -> Probe -> Victim2 (also labelled: Identity)]

• Remote, fast-acting

• Adapts existing tools

• Limited deployment

• Sophisticated reporters
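Read as a chain, the diagram is: a probe against a victim, compromise, and the co-opted victim then probing the next target a short time later. As an added example (not CERT/CC tooling, and an interpretation of the diagram rather than its stated method), the Python below finds that chain in connection records: a probe is one source touching several distinct ports on one destination within a short window, and a chain is a probe whose destination itself starts probing others within a bounded gap. The flow records are constructed, and the port threshold and window sizes are assumptions to be tuned against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records: (timestamp, source, destination, destination port).
# Public addresses are RFC 5737 documentation ranges.
FLOWS = [
    ("2000-08-12 02:00:01", "10.0.0.5", "192.0.2.10", 111),
    ("2000-08-12 02:00:02", "10.0.0.5", "192.0.2.10", 21),
    ("2000-08-12 02:00:03", "10.0.0.5", "192.0.2.10", 53),
    ("2000-08-12 02:00:04", "10.0.0.5", "192.0.2.10", 80),
    ("2000-08-12 02:00:30", "10.0.0.5", "192.0.2.10", 111),   # return to one service after the sweep
    ("2000-08-12 02:03:00", "192.0.2.10", "198.51.100.7", 111),  # the probed host now probes others
    ("2000-08-12 02:03:01", "192.0.2.10", "198.51.100.7", 21),
    ("2000-08-12 02:03:02", "192.0.2.10", "198.51.100.7", 53),
    ("2000-08-12 02:03:03", "192.0.2.10", "198.51.100.7", 80),
    ("2000-08-12 02:04:00", "192.0.2.10", "198.51.100.8", 111),
    ("2000-08-12 02:04:01", "192.0.2.10", "198.51.100.8", 21),
    ("2000-08-12 02:04:02", "192.0.2.10", "198.51.100.8", 53),
    ("2000-08-12 02:04:03", "192.0.2.10", "198.51.100.8", 80),
    ("2000-08-12 02:10:00", "198.51.100.7", "203.0.113.9", 111),  # two ports only: below threshold
    ("2000-08-12 02:10:01", "198.51.100.7", "203.0.113.9", 21),
    ("2000-08-12 09:00:00", "192.0.2.20", "203.0.113.5", 80),     # ordinary single connection
]


def parse(records):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port)
            for ts, src, dst, port in records]


def find_probes(flows, min_ports=4, window=timedelta(seconds=60)):
    """A probe: one source touching at least min_ports distinct ports on one
    destination within `window`. Returns (source, destination, start time)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_pair[(src, dst)].append((ts, port))
    probes = []
    for (src, dst), hits in by_pair.items():
        for i, (t0, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                probes.append((src, dst, t0))
                break  # one probe event per pair is enough to start a chain
    return probes


def coopt_chains(probes, max_gap=timedelta(hours=1)):
    """Link probe S -> V to a later probe V -> V2 within max_gap: V was compromised
    and co-opted as the next scanner. Returns (S, V, V2, seconds between probes)."""
    chains = []
    for src, victim, t1 in probes:
        for src2, victim2, t2 in probes:
            if src2 == victim and t1 < t2 <= t1 + max_gap:
                chains.append((src, victim, victim2, int((t2 - t1).total_seconds())))
    return sorted(chains)


if __name__ == "__main__":
    probes = find_probes(parse(FLOWS))
    for chain in coopt_chains(probes):
        print("%s probed %s, which probed %s %d seconds later" % chain)
```

The gap between the first probe and the victim's own probing is the "fast-acting" signal: minutes rather than days points at automation, and the same tool signature (same port list, same order) across generations is what makes the attack attributable to one adapted toolkit rather than to several operators. Lowering min_ports widens the net (with min_ports=2 the two-port sweep from 198.51.100.7 becomes a third generation) at the cost of false positives from ordinary multi-service clients.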

Page 23: Cyber Intelligence Analysis

A Problem Too Big

Cannot remain technical specialty

Cannot remain localized activity

Cannot remain responsive to incidents

Cannot remain centrally controlled or performed

Distributed, ongoing, multifaceted problem demands distributed, ongoing, multifaceted strategy

Page 24: Cyber Intelligence Analysis

Cyber Intelligence Products

Fused analysis reports

Demographics and situational awareness

In-depth studies

Technology of intelligence

Page 25: Cyber Intelligence Analysis

For Further Contact

24-hour hotline: +1 412 268 7090

FAX: +1 412 268 6989

Email: Tim Shimeall - [email protected] - [email protected]

Direct voice: +1 412 268 7611

US mail: CERT Analysis Center
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue

Pittsburgh, PA 15213-3890 USA