The Threat


21 Nov 2013


Threat Briefing

Objectives


Appreciate the threat

To learn some of the more creative and complex ways organizations are being attacked through the Internet today

To understand how to organize more effective collaborative responses to these threats in the future

Stages of computer attack

1. Reconnaissance (gather information about the target system or network)

2. Probe and attack (probe the system for weaknesses and deploy the tools)

3. Toehold (exploit a security weakness and gain entry into the system)

4. Advancement (advance from an unprivileged account to a privileged account)

5. Stealth (hide tracks; install a backdoor)

6. Listening post (establish a listening post)

7. Takeover (expand control from a single host to other hosts on the network)

A. Boulanger, “Catapults and grappling hooks: The tools and techniques of information warfare,” IBM Systems Journal, vol. 37, no. 1, 1998.
http://www.research.ibm.com/journal/sj/371/boulanger.html


Attack Structure/Path

Cost vs. Risk

[Charts: figures from the 2005 CSI/FBI Computer Crime Survey (http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf), one ranked by prevalence and one ranked by loss]

Principal Threat Categories


Disruption


Extortion / crime


Espionage


Fraud

Disruption

Denial of Service attacks
  “Script kiddies” attacking for pleasure
  Competitive advantage
  Extortion
  Political statement

Accident
  Natural disaster (flood, earthquake, …)
  Man-made
    Accidental (digging up fiber optic cable)
    For malicious purposes

Extortion

Distributed Denial of Service (DDoS) attacks
  Online gaming industry, porn sites…
  Anything time sensitive (e.g., stock trading, holidays, major sporting events), or any business that derives the majority of its revenue online, is a potential target

Encryption of files on the hard drive (ransomware)
http://news.com.com/Antivirus+expert+Ransomware+on+the+rise/2100-7355_3-6157092.html

Espionage

Targeted “spam” carrying a trojan horse, dropped USB thumb drives, etc.
  Executable attachments
  Media files, documents, embedded content

Key loggers or “root kits” installed

Data exfiltrated by HTTP POST or by a reverse tunnel through the firewall

Wireless sniffing

Surplused equipment!
S. Garfinkel and A. Shelat, “Remembrance of Data Passed: A Study of Disk Sanitization Practices,” IEEE Security & Privacy, vol. 1, no. 1, 2003.
http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
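The “data exfiltrated by POST” item above is the channel a defender can most readily see in proxy logs: a compromised workstation pushing bulk data, in chunks, to a destination nobody else in the fleet talks to. The following is an added example (not code from the briefing) that scores a batch of proxy log lines for that pattern. The log format, the sample lines, the host names and the thresholds are all constructed for illustration; a real deployment would take the per-source baseline from a historical window rather than from the batch being scored.

```python
"""Spot the "exfiltrated by POST" channel in proxy logs.

Added example, not code from the briefing. The log format below is a
constructed, simplified proxy log line:
    "<epoch> <src_ip> <method> <dest_host> <bytes_out> <status>"
The thresholds are assumptions chosen for illustration; tune them against a
real baseline window rather than the batch being scored.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: three workstations post small amounts to two ordinary
# hosts; 10.0.0.7 additionally pushes ~2 MB in 512 KB chunks, one per minute,
# to a host nobody else talks to (assumed attacker drop site).
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST mail.example.com 2048 200
1700000005 10.0.0.6 POST mail.example.com 1800 200
1700000010 10.0.0.7 POST mail.example.com 2200 200
1700000020 10.0.0.5 GET www.example.org 0 200
1700000030 10.0.0.6 POST crm.example.com 4096 200
1700000040 10.0.0.7 POST crm.example.com 3900 200
1700000050 10.0.0.7 POST cdn-update.example.net 524288 200
1700000110 10.0.0.7 POST cdn-update.example.net 524288 200
1700000170 10.0.0.7 POST cdn-update.example.net 524288 200
1700000230 10.0.0.7 POST cdn-update.example.net 524288 200
1700000290 10.0.0.7 POST cdn-update.example.net 131072 200
"""


@dataclass(frozen=True)
class PostEvent:
    ts: int
    src: str
    host: str
    bytes_out: int


def parse_proxy_line(line: str) -> Optional[PostEvent]:
    """Return a PostEvent for a well-formed POST line, None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "POST":
        return None
    ts, src, _method, host, bytes_out, _status = parts
    try:
        return PostEvent(int(ts), src, host, int(bytes_out))
    except ValueError:  # malformed numeric field: skip rather than crash
        return None


def detect_post_exfil(
    log_text: str,
    min_total_bytes: int = 1_000_000,  # ignore anything below ~1 MB in total
    ratio: float = 10.0,               # must dwarf this source's typical POST volume
    max_sources: int = 1,              # destination used by at most this many hosts
) -> List[Tuple[str, str, int]]:
    """Flag (src, dest_host, bytes) triples that look like bulk POST exfiltration.

    Three tests must all hold: the volume is large in absolute terms, it is
    far above the median volume the same source sends to its other
    destinations, and the destination is rare across the fleet (a popular
    SaaS host that everyone uses is not a drop site).
    """
    events = [e for e in map(parse_proxy_line, log_text.splitlines()) if e]
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    sources_per_host: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        totals[(e.src, e.host)] += e.bytes_out
        sources_per_host[e.host].add(e.src)

    findings: List[Tuple[str, str, int]] = []
    for src in sorted({s for s, _ in totals}):
        per_host = {h: b for (s, h), b in totals.items() if s == src}
        # Caveat: with a single destination the median equals the total and the
        # ratio test can never fire; a historical baseline avoids that blind spot.
        baseline = median(per_host.values())
        for host, total in per_host.items():
            if total < min_total_bytes or total < ratio * baseline:
                continue
            if len(sources_per_host[host]) > max_sources:
                continue
            findings.append((src, host, total))
    return findings


if __name__ == "__main__":
    for src, host, total in detect_post_exfil(SAMPLE_LOG):
        print(f"{src} -> {host}: {total} bytes via POST")
```

The rarity test is what keeps this from paging on every large upload to a shared collaboration service; the reverse-tunnel variant named on the slide needs connection-duration data from a firewall or flow log and is not covered here.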

Fraud

Unauthorized access to steal data or media

Phishing (social engineering via email)

Key logging, or screen capture (to attack virtual keyboards)

Attacking JavaScript cryptography

HTTP POST interception

Victim sites

Responding


The OODA Loop


Coordination


Working with Law Enforcement


Striking back?

The OODA Loop

[Diagram: the loop Observe → Orient → Decide → Act, repeating over time; the Observe & Orient half versus the Decide & Act half]

Source: AF2025 v3c2, http://csat.au.af.mil/2025/volume3/vol3ch02.pdf

Controlling speed through the OODA Loop

To speed up your loop
  Get better information sooner
  Access new and stored information quicker
  Correlate and fuse information quickly
  Increase understanding of tools/tactics
  Automate decision making and actions

To slow down your adversary’s loop
  Change the landscape (force reconnaissance)
  Act in unobservable ways
  Mix conventional/unconventional actions
  Give the adversary false information (and/or “noise”)
  Keep the adversary guessing
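Two of the “speed up your loop” items above, correlating and fusing information quickly and automating decisions and actions, are concrete enough to show in code. The following is an added example (not code from the briefing): events from three sensors are fused per host into time clusters, and a small playbook maps each host’s strongest cluster to a first response. The sensor events, the 300-second window, the action thresholds and the list of hosts that must never be isolated automatically are all constructed assumptions.

```python
"""Fuse per-host alerts from several sensors and automate the first response.

Added example, not code from the briefing. The sensor events, the 300-second
fusion window and the playbook thresholds are all constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (epoch seconds, host, sensor, detail): three sensors already normalised
# into one shape, which is the precondition for any fusion step.
Event = Tuple[int, str, str, str]

SAMPLE_EVENTS: List[Event] = [
    (1700000000, "ws-17", "ids",     "signature hit: generic HTTP beacon"),
    (1700000042, "ws-17", "auth",    "new local administrator created"),
    (1700000090, "ws-17", "netflow", "first-seen outbound 203.0.113.9:443"),
    (1700000100, "ws-03", "ids",     "signature hit: port scan"),
    (1700004000, "ws-03", "netflow", "first-seen outbound 198.51.100.4:22"),
    (1700000200, "db-01", "ids",     "signature hit: generic HTTP beacon"),
    (1700000230, "db-01", "netflow", "first-seen outbound 203.0.113.9:443"),
]

# Assumed: hosts whose isolation would take down a service; a human decides.
NO_AUTO_ISOLATE: Set[str] = {"db-01"}


def fuse(events: Iterable[Event], window: int = 300) -> Dict[str, List[Set[str]]]:
    """Correlate events per host into time clusters (the Orient step).

    Events are sorted by time and a new cluster starts whenever the gap to
    the previous event on that host exceeds `window` seconds. Each cluster
    is the set of distinct sensors that fired, so one IDS rule firing ten
    times still counts as a single source of evidence.
    """
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    clusters: Dict[str, List[Set[str]]] = {}
    for host, evs in by_host.items():
        groups: List[Set[str]] = []
        current: Set[str] = set()
        last_ts = None
        for ts, _host, sensor, _detail in evs:
            if last_ts is not None and ts - last_ts > window:
                groups.append(current)
                current = set()
            current.add(sensor)
            last_ts = ts
        groups.append(current)
        clusters[host] = groups
    return clusters


def decide(clusters: Dict[str, List[Set[str]]],
           no_auto_isolate: Set[str] = NO_AUTO_ISOLATE) -> Dict[str, str]:
    """Turn the strongest cluster per host into one action (the Decide step).

    Three independent sensors inside one window -> isolate the host;
    two -> block its egress; one -> keep watching. Protected hosts are
    never acted on automatically; they are handed to a person instead.
    """
    actions: Dict[str, str] = {}
    for host, groups in clusters.items():
        strongest = max(len(g) for g in groups)
        if strongest >= 3:
            action = "isolate"
        elif strongest == 2:
            action = "block_egress"
        else:
            action = "monitor"
        if action != "monitor" and host in no_auto_isolate:
            action = "page_oncall"
        actions[host] = action
    return actions


def run_playbook(events: Iterable[Event] = SAMPLE_EVENTS) -> Dict[str, str]:
    """Observe (events) -> Orient (fuse) -> Decide (decide); Act is the caller's job."""
    return decide(fuse(events))


if __name__ == "__main__":
    for host, action in sorted(run_playbook().items()):
        print(f"{host}: {action}")
```

The time window is what separates fusion from mere aggregation: ws-03’s two alerts an hour apart stay two weak signals, while ws-17’s three alerts within ninety seconds become one strong one. The protected-host check is the brake a practitioner wants on any automated action: speeding up the loop must not mean isolating a database because its IDS signature matched.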

Coordination

Data collection

Data fusion

Data dissemination

Action in relationship (time, location, function)

Capacity to work together

OPSEC considerations (the attacker may be reading your email)

Working with LE

[Diagram: Military, Intelligence Community, Law Enforcement, Private Sector]

Law Enforcement is central to an integrated public/private response

LE can do things that the private sector cannot (e.g., search/seizure)

International LE coordination on cybercrime is working (e.g., the Zotob case in Turkey)

“Strike-back” vs. other Active Response Actions

Fight DDoS with DDoS (no way)

Pre-emptive DoS (highly unlikely)

Retribution (very risky)

Back tracking (risky)

Information gathering (less risky)

Ambiguity/dynamism (least risky)

Conclusions

Future responses must be MORE collaborative, LESS isolated

Identifying the structure of an attack, and acting in deliberate ways (rather than simply reacting to discrete events), is important

Increase training and outreach capacity

Collaborative/cooperative response will become essential (lots of opportunities to optimize)

There is much research and learning left to do…

Questions