Blackhat's Cyber Adversary Characterization Parker
Transcript of Blackhat's Cyber Adversary Characterization Parker
8/10/2019 Blackhat's Cyber Adversary Characterization Parker
-
Cyber Adversary Characterization
Know thy enemy!
-
Introduction and Background
Cyber Adversary Characterization workshop in 2002
Research discussions continued via email
Briefings to Blackhat and Defcon to introduce concept and obtain feedback
Future workshops planned for October 2003
Slides will be on both conference web sites
-
Why characterize?
Theoretical: To gain understanding of and an ability to anticipate an adversary in order to build improved threat models.
Practice: Improved profiling of attackers at post-attack and forensic levels.
-
Point Scoring: Rating-the-Hacker
Toby Miller
[email protected]
-
Point Scoring: Why?
No standard system to help rate the attacker
No system to help with the threat level
Help management in the decision making process
-
Point Scoring: The Categories
Passive Fingerprinting
Intelligence
The Attack
The Exploit
Backdoors
Cover up
Other
-
Example Score Metric
Linux 3
FreeBSD 4
OpenBSD 6
IRIX 4
Windows 3
-
Point Scoring: Past, Present, Future
Originally posted on incidents.org
Currently on rev 2
Soon to release rev 3
http://www.ratingthehacker.net/
-
Tool characterizations, Disclosure Patterns and Technique scoring.
Tom Parker, Pentest Limited (UK)
-
The Hacker Pie
Representative of characterization metrics which build the final characterization.
Available elements dependent upon scenario.
Does not rely solely upon IDS/attack signature data.
-
The Hacker Pie (continued)
Pie reliant upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.
Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.
-
The Pie Explained
[Diagram: four metrics (Metric One to Metric Four), each drawing on its own key data, feed the characterization.]
-
Point Scoring Systems (Continued)
Attempt to characterize an adversary based on attack information captured from the wild.
Attempt to characterize adversary based upon technique classification model.
Attempt to characterize adversary based upon tool classification model.
-
Tool classification model
Availability of application
Origins of application
Ease of use
Requires in-depth knowledge of vulnerability to execute?
Other mitigating factors
-
Example Exploit Classification
Web App Flaw | Public | Private
Proprietary Application Penetration via SQL Injection | 3 | 4
Open Source Application Penetration via SQL Injection | 3 | 4
Proprietary Application Penetration via Arbitrary Script Injection | 2 | 3
Open Source Application Penetration via Arbitrary Script Injection | 2 | 3
Proprietary Application Penetration via OS command execution using SQL Injection (MS SQL) | 3 | 5
Proprietary Application Penetration via OS command execution using SQL Injection (other) | 4 | 7
Proprietary Application Penetration via SQL Injection (MS SQL) | 5 | 6
Proprietary Application Penetration via SQL Injection (other) | 4 | 7
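Added example, not code from the deck or from ratingthehacker.net: a point-scoring routine that combines the OS score metric, the public/private exploit classification table and the Backdoors and Cover up categories into one adversary rating. OS_SCORE and EXPLOIT_SCORE carry the values shown on the slides; the backdoor and cover-up weights, the threat-level bands and the sample incidents are constructed assumptions.

```python
"""Point-scoring an observed intrusion, in the style of the Rating-the-Hacker
metric and the tool/technique classification on the slides.

Added example, not the deck's own code. OS_SCORE and EXPLOIT_SCORE hold the
values shown on the slides; the backdoor/cover-up weights, the threat-level
bands and the sample incidents are constructed for illustration.
"""
from dataclasses import dataclass

# "Example Score Metric": points for the operating system attacked
# (a harder target earns the adversary more points).
OS_SCORE = {"Linux": 3, "FreeBSD": 4, "OpenBSD": 6, "IRIX": 4, "Windows": 3}

# "Example Exploit Classification": (public, private) points per web-app flaw.
# A private exploit scores higher: it implies a place in the disclosure food
# chain rather than a download from a public site.
EXPLOIT_SCORE = {
    ("proprietary", "sql injection"): (3, 4),
    ("open source", "sql injection"): (3, 4),
    ("proprietary", "arbitrary script injection"): (2, 3),
    ("open source", "arbitrary script injection"): (2, 3),
    ("proprietary", "os command execution via sql injection (ms sql)"): (3, 5),
    ("proprietary", "os command execution via sql injection (other)"): (4, 7),
    ("proprietary", "sql injection (ms sql)"): (5, 6),
    ("proprietary", "sql injection (other)"): (4, 7),
}

# Constructed weights for two of the remaining point-scoring categories.
BACKDOOR_POINTS = 2   # persistence left behind
COVER_UP_POINTS = 3   # log cleaning / track hiding


@dataclass
class Incident:
    """What the responder observed about one intrusion."""
    target_os: str
    app_kind: str          # "proprietary" or "open source"
    technique: str         # second element of an EXPLOIT_SCORE key
    exploit_private: bool  # True if the exploit was not publicly available
    backdoor: bool = False
    cover_up: bool = False


def score_incident(inc: Incident) -> dict:
    """Points per category plus the total; raises on values the tables lack."""
    if inc.target_os not in OS_SCORE:
        raise ValueError(f"no OS score metric for {inc.target_os!r}")
    key = (inc.app_kind, inc.technique)
    if key not in EXPLOIT_SCORE:
        raise ValueError(f"no exploit classification for {key!r}")
    public, private = EXPLOIT_SCORE[key]
    breakdown = {
        "target_os": OS_SCORE[inc.target_os],
        "exploit": private if inc.exploit_private else public,
        "backdoor": BACKDOOR_POINTS if inc.backdoor else 0,
        "cover_up": COVER_UP_POINTS if inc.cover_up else 0,
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def threat_level(total: int) -> str:
    """Constructed bands turning a total into a level for management."""
    if total >= 14:
        return "high"
    if total >= 9:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed incidents: a private exploit against OpenBSD with persistence
    # and anti-forensics, versus a public script-injection hit on Windows.
    for inc in (
        Incident("OpenBSD", "proprietary", "sql injection (other)", True, True, True),
        Incident("Windows", "open source", "arbitrary script injection", False),
    ):
        s = score_incident(inc)
        print(inc.target_os, s, threat_level(s["total"]))
```

The breakdown is returned alongside the total so a reviewer can see which category drove the rating; an unknown OS or technique raises rather than silently scoring zero, which is the failure mode a scoring sheet filled in by hand tends to hide.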
-
Disclosure Food Chain Characterization
All tools have a story.
Often years before dissemination into public domain.
Social demeanour often key to placing in disclosure chain.
Pyramid metric.
-
The Disclosure Food Chain
[Pyramid diagram of the stages below; extraction does not preserve their layout.]
Vulnerability Discovery
Exploit Development
Information shared with fellow researchers (Exploit Development)
Information shared further throughout grey hat communities
Exploit Trading
Exploit Usage In Wild
Honey Pot Capture
Exploit Reverse Engineered / Vulnerability Research
Further Research
Disclosure to Security Company
Vendor Coordination
Public Disclosure
Vendor Fix Released
Vendor Patch Released
-
2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment
Dr. Eric D. Shaw
Consulting & Clinical Psychology, [email protected]
-
Offender Profiling
Roots in law enforcement & intelligence community (criminal event or incident analysis): intensive review of past offenders
Insider Computer Crimes, 1998-present: 50 cases
10 in-depth case studies from companies or govt. contractors
Products:
Typology of actors: motivation, psychological characteristics, actions
Critical pathway: process of interactions w/ environment (personal and professional) leading to attack
At-risk characteristics
Organizational vulnerabilities & insights into prevention, deterrence, detection, management
-
Offender Profiling Headlines
The Termination Problem
Actor subtypes: the Proprietor & Hacker
The Tracking Problem
Organizational Vulnerabilities
Detection Issues
Intervention Challenges
Hacker Overview
-
Attacks: The Termination Problem
Simple termination of disgruntled insider is not the answer: 80% attack after termination (4 hours-2 months)
70% attack from remote locations vs. inside; termination did not impact access
Attack types: DOS to disrupt business
Destruction & corruption of data
Theft of proprietary data
Time bombs
Extortion
Attack on reputations
-
Attackers
Hackers (40%): affiliated with and active in hacking community, brings hacking practices to worksite
Proprietors (40%): defend system as belonging to them, resist efforts to dilute control
Avengers (20%): attack impulsively in response to perceived injustice
-
Prevention: Screening & Selection (The Tracking Problem)
Screening & selection problems in 60% of cases: no or delayed background, nepotism, failure to detect risk factors
30% had prior felony convictions
30% had high-profile hacker activity
-
Organizational Issues
80% of cases occur during periods of high organizational stress or change, at the highest to supervisory levels
Lack of policies contributed to disgruntlement or facilitated attack in 60% of cases
Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases
-
Detection Problems
80% of attackers used operational security to protect attack planning or identity
Time disgruntled to attack: 1-48 months with a mean of 11.3 months
Time active problems (probation) to attack: 0-76 weeks with a mean of 26 weeks
Forget the big bang theory of the sudden, unforeseen attack
-
Intervention Problems
Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems, negotiate then cut-off, terminate poorly)
Problems with termination process in 80% of cases (esp. failure to terminate access)
Multidisciplinary risk assessment prior to termination
-
Hardcore Hackers: Not Script Kiddies
Name | Age (mean = 25.5) | Tech Capability | Prior Offenses (50%) | Acted with Others (75%) | Status in Hacker Community
Oquendo | 29 | High | Yes | Yes | High
Zezev | 30 | High | No | Yes | Unknown
Carpenter | 20 | High | Yes | No | Low
Demostenis | 23 | Low | No | Yes | Low
-
Remote Assessment Using WarmTouch (patent pending)
-
Why Use WarmTouch Software to Detect Disgruntlement or Psych Change On-line?
Communication has moved on-line
Loss of visual & auditory cues on-line
Failure of other systems to detect violations: technical noise, supervisor & peer reporting
Protects privacy
Provides objectivity
-
Person-Situation Interaction: Detect Psychological Leakage
[Critical pathway diagram: a vulnerable CITI (critical information technology insider) under personal and professional stressors; mounting stress and frustration leads from minor infraction to moderate infraction to major act.]
-
Software Components
Psychological Profiling Algorithms
Emphasis on measuring emotional state
  Anger
  Anxiety
  Depression
  Changes in emotional state from baseline
Psychological characteristics: decision-making and personal relations
  Loner/team player
  Plans/reacts
  Rigid/flexible
  Sensitivity to environment
Alert Phrases (key words)
  Threats
  Victimization
  Employment Problems
Communication Characteristics: To, From, Time, Length, etc.
-
WarmTouch Software Overview
WarmTouch origins in IC, 1986-present
Use of WarmTouch with Insider Communications: Khanna at Bank
Threat Monitoring
Sting operations & negotiations
Suspect identification: Hanssen
Other WarmTouch Applications
-
Case Example: Financial Proprietor
Well paid systems administrator
Personality Traits (Proprietor)
Entitlement
Manipulative
Devaluing of others
Padded OT
Context: Supervisor Change
-
Email from Boss
Asked to train back-up
You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution not to you
-
Email 1: April
(Asked to train his back-up, subject refuses)
His experience was ZERO. He does not know ANYTHING about ... our reporting tools.
Until you fire me or I quit, I have to take orders from you
Until he is a trained expert, I won't give him access... If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can't be a garbage cleaner if someone screws up. I won't compromise on that.
-
Email 3: July
Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you'll always get the most cost-effective, and productive solution from me.
-
Email 4: July
I would be honored to work until last week of August.
As John may have told you, there are a lot of things which at times get flaky with the system front-end and back-end. Two week extension won't be enough time for me to look into everything for such a critical and complex system.
Thanks for all your trust in me.
-
The Event
On last day of work, subject disables the computer network's two fileservers.
Company executives implore subject to help them fix the problems, but he refuses.
Independent consulting firm hired to investigate problems, discovers sabotage.
Timing: deception to cover plotting.
-
WarmTouch Challenge
Detect deterioration in relationship with supervisor
Detect deception
-
The April Email Profile
[Four bar charts comparing the 4/10 e-mail with the mean of the earlier e-mails:]
# of Negatives on 4/10 versus Mean (bar labels in chart order: 17, 7)
Anger Scores on 4/10 versus Mean: # of words/email (axis 0-600; no bar labels recovered)
# of Evaluators on 4/10 versus Mean (bar labels in chart order: 35, 18)
# of Alert Phrases on 4/10 versus Mean (bar labels in chart order: 7, 2.75)
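Added example, not WarmTouch code and not part of the deck: the kind of counts the Software Components slide lists (negatives, use of "me", alert phrases, words per e-mail), computed for one message and compared with the mean of a baseline set, which is the comparison the April profile charts make. The negation list, the alert phrases, the baseline messages and the flagged message are all constructed; evaluator scoring (evaluative adjectives) is not attempted here.

```python
"""Psycholinguistic counts over e-mail, compared with a baseline mean.

Added example; not WarmTouch code. NEGATIVES, ALERT_PHRASES and the messages
below are constructed for illustration.
"""
import re

# Constructed negation list (the deck charts a "# of Negatives" measure).
NEGATIVES = {"no", "not", "never", "nothing", "none", "won't", "can't", "don't",
             "cannot", "wont", "cant", "dont"}

# Constructed alert phrases grouped by the three classes on the slide.
ALERT_PHRASES = {
    "threats": ["you will regret", "or else", "pay for this"],
    "victimization": ["unfair", "against me", "being blamed", "nobody appreciates"],
    "employment problems": ["fire me", "i quit", "relieve me", "my resignation"],
}


def tokenize(text: str) -> list:
    """Lower-case word tokens; apostrophes stay so "won't" is one token."""
    return re.findall(r"[a-z']+", text.lower())


def measure(text: str) -> dict:
    """Counts for one message: words, negatives, 'me', alert phrases."""
    words = tokenize(text)
    flat = " ".join(words)  # phrase search on the normalised token stream
    return {
        "words": len(words),
        "negatives": sum(w in NEGATIVES for w in words),
        "me": words.count("me"),
        "alert_phrases": sum(flat.count(p) for ps in ALERT_PHRASES.values() for p in ps),
    }


def profile(email: str, baseline: list) -> dict:
    """Each measure of `email` against the mean of the baseline messages.

    ratio is value/mean; a measure absent from the baseline but present in
    the message gets ratio inf, so it is flagged rather than divided by zero.
    """
    current = measure(email)
    base = [measure(b) for b in baseline]
    out = {}
    for k, value in current.items():
        m = sum(b[k] for b in base) / len(base)
        if m > 0:
            ratio = value / m
        else:
            ratio = float("inf") if value > 0 else 0.0
        out[k] = {"value": value, "baseline_mean": m, "ratio": ratio}
    return out


def flags(prof: dict, threshold: float = 2.0) -> list:
    """Measures at or above `threshold` times their baseline mean."""
    return sorted(k for k, v in prof.items() if v["ratio"] >= threshold)


# Constructed baseline: routine messages from the same sender.
BASELINE = [
    "Thanks for the update. The nightly backup completed and the reports are ready for review.",
    "I moved the batch job to 02:00 so it does not overlap with the month-end run. Let me know if that works.",
    "The patch is installed on both servers. No issues so far; I will keep watching the logs.",
]

# Constructed message in the register of the April e-mail on the slides.
FLAGGED = ("His experience is zero. He does not know anything about our tools. "
           "I will not give him access, and if you order me to, you can fire me "
           "and relieve me of my duties. I can't be the one blamed when something "
           "breaks. I won't compromise on that.")

if __name__ == "__main__":
    prof = profile(FLAGGED, BASELINE)
    for k, v in prof.items():
        print(f"{k:14s} {v['value']:>5} vs mean {v['baseline_mean']:.2f}  x{v['ratio']:.1f}")
    print("flagged:", flags(prof))
```

The baseline matters more than the word lists: the deck's point is change from the sender's own norm, so the same counts on a writer who is always terse and negative should not fire, and a threshold on the ratio rather than on raw counts is what gives that.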
-
July Email Profile
August
[Four bar charts, Changes in Anger Variables from peak disgruntlement to attack planning (4/11 versus 7/12):]
# of Negatives (bar labels in chart order: 7, 3)
# of Evaluators (bar labels in chart order: 29, 8)
# of Words per e-mail (bar labels in chart order: 312, 141)
# of Alert Phrases (bar labels in chart order: 4, 0)
-
Detecting Deception
[Line chart: Covert Hostility Toward Supervisor, Psychological Distance Score by E-Mail Date]
Dates of E-Mail: 4/10, 4/11, 6/14, 7/12
Psychological Distance Score labels in chart order: 3.28, 3.5, 4, 3.4
-
Covert vs. Overt Hostility in Email Prior to Attack
[Chart with two series: Overt Hostility, Covert Hostility]
-
Zezev vs. Bloomberg: Managing his Psychological State
Task: to lure him to London for the bust; must manage his anger and anxiety at delays and manipulations; satisfy his dependency need for $ & job
WarmTouch help:
Objectively highlight and help manage psychological states
Objectively measure success
-
Support to Sting Ops/Negotiations: Levels of Anger in Zezev's emails to Bloomberg
[Line chart, Indicators of Anger (+), across e-mails 1-20 (y axis 0-400); series: Evaluators -, Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me, We, I]
-
Zezev's Use of "Me"
Passive/dependent mode
[Line chart of "Me" counts across e-mails 1-19 (y axis 0-3.5)]
-
Zezev's Use of Retractors
Anxiety: Retractors
[Line chart of retractor counts across e-mails 1-20 (y axis 0-5)]
-
Robert Hanssen
8 Communications with Soviet Handlers between October 1985 & November 2000
Challenge for Software: detect signs of emotional stress associated with spying, disgruntlement and affair as documented in public records
-
Hanssen: Anger over Time
[Bar chart, Psycholinguistic Measures of Anger: Words; y axis Number of Words 0-700; dates 10/1/1985, 10/10/1985, 11/8/1985, 9/8/1987, 6/13/1988, 3/14/2000, 6/8/2000, 11/15/200 (last date truncated on the page)]
-
Hanssen: Changes over Time
[Chart, Psycholinguistic Measures of Anger; series: Negatives, Me; y axis Number of Words 0-20; dates 10/1/1985, 9/8/1987, 6/8/2000]
-
Hanssen: Changes over Time
[Chart, Emotional Vulnerability; series: Adv Intensifiers, Direct Ref, Feelings, I; y axis Number of Words 0-50; dates 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000]
-
Hanssen: Changes over Time
[Chart, Psycholinguistic Measures: Anxiety; series: Explainers, Retractors; y axis Number of Words 0-14; dates 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000]
-
Other WarmTouch Applications
Communications Manager
  Analyze state of relationship
  Assess characteristics of persons in relationship
  Help modify language to improve/modify relationship
  Track success/changes over time
Media Monitoring
  Attitude of Egyptian press toward U.S.
  Attitude of customers toward product or service
-
Internet Threat Actors
Marcus H. Sachs
Director, Internet Storm Center
The SANS Institute
http://isc.sans.org
http://www.sans.org/
-
The Cyber Threat to the United States
US national information networks have become more vulnerable and therefore more attractive as a target
Growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive or proprietary computer systems
The complexity of computer networks is growing faster than the ability to understand and protect them
The prospects for a cascade of failures across US infrastructures are largely unknown
-
Cyber Threats to the Critical Infrastructure
Hacker/Script Kiddies/Hobbyist
Disgruntled Employee
Insider aiding others
Hacktivist
Industrial Espionage
Foreign Espionage
Terrorist
State Sponsored Attack
-
The Threat is Increasing
[Chart: Potential Damage (low to high) against Probability of occurrence (low to high); Hacker, Criminal, Espionage, Terrorist and State Sponsored actors plotted, with the trend marked for 2003, 2004, 2005]
Source: 1997 DSB Summer Study
-
Why are we so Vulnerable?
Internet was not built to be secure
Secure (i.e., obscure) software being replaced by commercial products in infrastructures
Software development focused on Slick, Stable, Simple (not Secure)
System administrators lack training
Leaders rarely see computer security as part of the bottom line
User awareness is low
-
Why The Feds are Concerned About Hackers
The real threat to the Critical Infrastructure is not the hacker, but the structured state-sponsored organization
However... Sometimes it's hard to tell the difference - both use the same tools
Growing sophistication and availability of tools increases concern
Must assume the worst until proven wrong
So...
The government takes seriously all unauthorized activity
They will use all technical and law enforcement tools to respond ... and deter
They will seek legal prosecution where appropriate
-
New Homeland Security Strategies
http://www.whitehouse.gov/homeland/
-
National Strategy to Secure Cyberspace
Nation fully dependent on cyberspace
Range of threats: script kiddies to nation states
Fix vulnerabilities, don't orient on threats
New vulnerabilities require constant vigilance
Individual vs. national risk management
Government alone cannot secure cyberspace
-
Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program
Enhance law enforcement's capabilities for preemption, prevention, and prosecution
Secure the mechanisms of the Internet including improving protocols and routing
Foster trusted digital control systems/supervisory control and data acquisition systems
Reduce and remediate software vulnerabilities
Improve physical security of cyber and telecommunications systems
-
Inside the Internet Storm Center
[Diagram: Data Collection (DShield Users, DShield.org), Analysis, Dissemination]
http://isc.incidents.org/country_report.html
-
Typical Residential Cable Modem Log
[Screenshot of a firewall log with annotations: pop-up ads (spam), FTP attempts]
-
Internet Storm Center Web Page
http://isc.sans.org
-
Port Report
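Added example, not Internet Storm Center or DShield code: the aggregation a port report is built from, run over a few constructed firewall-log lines in the style of the residential cable-modem log shown earlier (denied connections summarised per destination port, with distinct sources and targets). The log line format, the addresses and the port labels are constructed assumptions.

```python
"""Per-port summary of denied connections, the shape of a port report.

Added example; not ISC/DShield code. The log format, the addresses
(RFC 5737 documentation ranges) and the lines themselves are constructed.
"""
import re
from collections import defaultdict

# Constructed line format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed labels for the two patterns the residential log slide points at.
PORT_LABELS = {21: "FTP attempts", 1026: "pop-up ads (spam)"}

SAMPLE_LOG = """\
2003-07-28 03:12:44 DROP TCP 198.51.100.23:4123 -> 203.0.113.5:21
2003-07-28 03:12:45 DROP TCP 198.51.100.23:4124 -> 203.0.113.5:21
2003-07-28 03:13:02 DROP TCP 198.51.100.77:1033 -> 203.0.113.5:21
2003-07-28 03:14:10 DROP UDP 192.0.2.9:1026 -> 203.0.113.5:1026
2003-07-28 03:14:11 DROP UDP 192.0.2.9:1027 -> 203.0.113.6:1026
2003-07-28 03:15:30 DROP TCP 198.51.100.23:4200 -> 203.0.113.6:445
2003-07-28 03:16:01 DROP TCP 192.0.2.44:3301 -> 203.0.113.5:445
2003-07-28 03:16:02 ACCEPT TCP 192.0.2.44:3302 -> 203.0.113.5:80
this line is malformed and must be skipped, not crash the report
"""


def parse(log: str) -> list:
    """Parsed DROP records; malformed lines and ACCEPT lines are ignored."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m["action"] == "DROP":
            records.append({"proto": m["proto"], "src": m["src"],
                            "dst": m["dst"], "dport": int(m["dport"])})
    return records


def port_report(records: list) -> list:
    """Rows per (proto, dport): record count, distinct sources and targets.

    Sorted by record count, then port, so the busiest port comes first.
    """
    agg = defaultdict(lambda: {"records": 0, "sources": set(), "targets": set()})
    for r in records:
        a = agg[(r["proto"], r["dport"])]
        a["records"] += 1
        a["sources"].add(r["src"])
        a["targets"].add(r["dst"])
    rows = []
    for (proto, dport), a in agg.items():
        rows.append({"proto": proto, "port": dport, "records": a["records"],
                     "sources": len(a["sources"]), "targets": len(a["targets"]),
                     "label": PORT_LABELS.get(dport, "")})
    rows.sort(key=lambda r: (-r["records"], r["port"]))
    return rows


if __name__ == "__main__":
    for row in port_report(parse(SAMPLE_LOG)):
        print(f"{row['proto']}/{row['port']:<5} records={row['records']} "
              f"sources={row['sources']} targets={row['targets']} {row['label']}")
```

Distinct sources and targets are kept separately from the raw record count: one source hammering one port is a different picture from many sources probing many targets, and that distinction is what makes the per-port view useful beyond a single home log.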
-
2002 Top 20 List
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host
Top Vulnerabilities to Unix Systems
U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords
www.sans.org/top20
-
Questions?
Contact: [email protected]