Blackhat's Cyber Adversary Characterization Parker


Transcript of Blackhat's Cyber Adversary Characterization Parker

  • 8/10/2019 Blackhat's Cyber Adversary Characterization Parker

    1/68

    Cyber Adversary Characterization

    Know thy enemy!


    2/68

    Introduction and Background

    Cyber Adversary Characterization workshop in 2002

    Research discussions continued via email

    Briefings to Blackhat and Defcon to introduce concept and obtain feedback

    Future workshops planned for October 2003

    Slides will be on both conference web sites


    3/68

    Why characterize?

    Theoretical: To gain understanding of and an ability to anticipate an adversary in order to build improved threat models.

    Practice: Improved profiling of attackers at post attack and forensic levels.


    4/68

    Point Scoring: Rating-the-Hacker

    Toby Miller

    [email protected]


    5/68

    Point Scoring: Why?

    No standard system to help rate the attacker

    No system to help with the threat level

    Help management in the decision making process


    6/68

    Point Scoring: The Categories

    Passive Fingerprinting

    Intelligence

    The Attack

    The Exploit

    Backdoors | Cover up

    Other


    7/68

    Example Score Metric

    Linux 3

    FreeBSD 4

    OpenBSD 6

    IRIX 4

    Windows 3


    8/68

    Point Scoring: Past, Present, Future

    Originally posted on incidents.org

    Currently on rev2

    Soon to release rev 3

    www.ratingthehacker.net


    9/68

    Tool characterizations, Disclosure Patterns and Technique scoring.

    Tom Parker

    Pentest Limited (UK)


    10/68

    The Hacker Pie

    Representative of characterization metrics which build the final characterization.

    Available elements dependent upon scenario.

    Does not rely solely upon IDS/attack signature data.


    11/68

    The Hacker Pie (continued)

    Pie reliant upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.

    Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.


    12/68

    The Pie Explained

    [Diagram labels: Key Data; Metric One; Metric Two; Metric Three; Metric Four; Characterization]


    13/68

    Point Scoring Systems (Continued)

    Attempt to characterize an adversary based on attack information captured from the wild.

    Attempt to characterize adversary based upon technique classification model

    Attempt to characterize adversary based upon tool classification model


    14/68

    Tool classification model

    Availability of application

    Origins of application

    Ease of use

    Requires in-depth knowledge of vulnerability to execute?

    Other mitigating factors


    15/68

    Example Exploit Classification

    Web App Flaw | Public | Private

    Proprietary Application Penetration Via SQL Injection | 3 | 4

    Open Source Application Penetration Via SQL Injection | 3 | 4

    Proprietary Application Penetration Via Arbitrary Script Injection | 2 | 3

    Open Source Application Penetration Via Arbitrary Script Injection | 2 | 3

    Proprietary Application Penetration Via OS command execution using SQL Injection (MS SQL) | 3 | 5

    Proprietary Application Penetration Via OS command execution using SQL Injection (other) | 4 | 7

    Proprietary Application Penetration Via SQL Injection (MS SQL) | 5 | 6

    Proprietary Application Penetration Via SQL Injection (other) | 4 | 7


    16/68

    Disclosure Food Chain Characterization

    All tools have a story

    Often years before dissemination into public domain.

    Social demeanour often key to placing in disclosure chain.

    Pyramid metric.


    17/68

    Exploit Development

    Vendor Coordination

    Public Disclosure

    Exploit Reverse Engineered / Vulnerability Research

    Honey Pot Capture

    Exploit Usage In Wild

    Exploit Trading

    Vendor Patch Released

    Public Disclosure

    Vendor Coordination

    Public Disclosure Vendor Fix Released

    Further Research

    Disclosure to Security Company

    Information shared further throughout grey hat communities

    Information shared with fellow researchers (Exploit Development)

    Vulnerability Discovery

    The Disclosure Food Chain


    18/68

    2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment

    Dr. Eric D. Shaw

    Consulting & Clinical Psychology, [email protected]


    19/68

    Offender Profiling

    Roots in Law enforcement & intelligence community (criminal event or incident analysis): intensive review of past offenders

    Insider Computer Crimes, 1998-present: 50 cases

    10 in-depth case studies from companies or govt. contractors

    Products

    Typology of actors: motivation, psychological characteristics, actions

    Critical pathway: process of interactions w/environment (personal and professional) leading to attack

    At-risk characteristics

    Organizational vulnerabilities & Insights into prevention, deterrence, detection, management


    20/68

    Offender Profiling Headlines

    The Termination Problem

    Actor subtypes: the Proprietor & Hacker

    The Tracking Problem

    Organizational Vulnerabilities

    Detection Issues

    Intervention Challenges

    Hacker Overview


    21/68

    Attacks: The Termination Problem

    Simple termination of Disgruntled Insider is not the answer

    80% attack after termination (4 hours-2 months)

    70% attack from remote locations vs. inside: termination did not impact access

    Attack types:

    DOS to disrupt business

    Destruction & corruption of data

    Theft of Proprietary data

    Time bombs

    Extortion

    Attack on reputations


    22/68

    Attackers

    Hackers (40%): affiliated with and active in hacking community, brings hacking practices to worksite

    Proprietors (40%): defend system as belonging to them, resist efforts to dilute control

    Avengers (20%): attack impulsively in response to perceived injustice


    23/68

    Prevention: Screening & Selection - The Tracking Problem

    Screening & Selection Problems in 60% of cases: no or delayed background, nepotism, failure to detect risk factors

    30% had prior felony convictions

    30% had high-profile hacker activity


    24/68

    Organizational Issues

    80% of cases occur during periods of high organizational stress or change, at the highest to supervisory levels

    Lack of policies contributed to disgruntlement or facilitated attack in 60% of cases

    Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases


    25/68

    Detection Problems

    80% of attackers used operational security to protect attack planning or identity

    Time disgruntled to attack: 1-48 months with a mean of 11.3 months

    Time active problems (probation) to attack: 0-76 weeks with a mean of 26 weeks

    Forget the big bang theory of the sudden, unforeseen attack


    26/68

    Intervention Problems

    Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems, negotiate then cut-off, terminate poorly)

    Problems with termination process in 80% of cases (esp. failure to terminate access)

    Multidisciplinary risk assessment prior to termination


    27/68

    Hardcore Hackers: Not Script Kiddies

    Name | Age (Mean=25.5) | Tech Capability | Prior Offenses (50%) | Acted with Others (75%) | Status in Hacker Community

    Oquendo | 29 | High | Yes | Yes | High

    Zezev | 30 | High | No | Yes | Unknown

    Carpenter | 20 | High | Yes | No | Low

    Demostenis | 23 | Low | No | Yes | Low


    28/68

    Remote Assessment Using WarmTouch (patent pending)


    29/68

    Why Use WarmTouch Software to Detect Disgruntlement or Psych Change on-line?

    Communication has moved on-line

    Loss of visual & auditory cues on-line

    Failure of other systems to detect violations: technical noise, supervisor & peer reporting

    Protects Privacy

    Provides Objectivity


    30/68

    Person-Situation Interaction: Detect Psychological Leakage

    [Diagram labels: Vulnerable CITI; Minor Infraction; Moderate Infraction; Major Act; Personal Stressors; Professional Stressors; Mounting Stress and Frustration]


    31/68

    Software Components

    Psychological Profiling Algorithms

    Emphasis on measuring emotional state

    Anger

    Anxiety

    Depression

    Changes in emotional state from baseline

    Psychological characteristics: decision-making and personal relations

    Loner/team player

    plans/reacts

    Rigid/flexible

    Sensitivity to environment

    Alert Phrases-key words

    Threats

    Victimization

    Employment Problems

    Communication Characteristics: To, From, Time, Length, etc.


    32/68

    WarmTouch Software Overview

    WarmTouch origins in IC, 1986-present

    Use of WarmTouch with Insider Communications: Khanna at Bank

    Threat Monitoring

    Sting operations & negotiations

    Suspect identification: Hanssen

    Other WarmTouch Applications


    33/68

    Case Example: Financial Proprietor

    Well paid systems administrator

    Personality Traits-Proprietor

    Entitlement

    Manipulative

    Devaluing of others

    Padded OT

    Context: Supervisor Change


    34/68

    Email from Boss

    Asked to train back-up

    You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution not to you


    35/68

    Email 1: April

    (Asked to train his back-up, subject refuses)

    His experience was ZERO. He does not know ANYTHING about ...our reporting tools.

    Until you fire me or I quit, I have to take orders from you. Until he is a trained expert, I won't give him access...If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can't be a garbage cleaner if someone screws up. I won't compromise on that.


    36/68

    Email 3: July

    Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you'll always get the most cost-effective, and productive solution from me.


    37/68

    Email 4: July

    I would be honored to work until last week of August.

    As John may have told you, there are a lot of things which at times get flaky with the system front-end and back-end. Two week extension won't be enough time for me to look into everything for such a critical and complex system.

    Thanks for all your trust in me.


    38/68

    The Event

    On last day of work, subject disables the computer network's two fileservers.

    Company executives implore subject to help them fix the problems, but he refuses.

    Independent consulting firm hired to investigate problems, discovers sabotage.

    Timing: deception to cover plotting.


    39/68

    WarmTouch Challenge

    Detect deterioration in relationship with supervisor

    Detect Deception


    40/68

    The April Email Profile

    [Chart: # of Negatives on 4/10 versus Mean; data labels: 17, 7]

    [Chart: Anger Scores on 4/10 Versus Mean--# of words/email]

    [Chart: # of Evaluators on 4/10 versus Mean; data labels: 35, 18]

    [Chart: # of Alert Phrases on 4/10 versus Mean; data labels: 7, 2.75]


    41/68

    July Email Profile

    August

    [Chart: Changes In Anger Variables, Peak Disgruntlement to Attack Planning (4/11 versus 7/12)--# of Negatives; data labels: 7, 3]

    [Chart: Changes in Anger Variables--peak disgruntlement to attack planning (4/11 to 7/12)--# of evaluators; data labels: 29, 8]

    [Chart: Changes In Anger Variables From Time of Peak Disgruntlement Until Attack Planning (4/11 TO 7/12)--# of Words per e-mail; data labels: 312, 141]

    [Chart: Changes in Anger Variables--Peak Disgruntlement to Attack Planning (4/11 versus 7/12)--# of Alert Phrases; data labels: 4, 0]


    42/68

    Detecting Deception

    [Chart: Covert Hostility Toward Supervisor--Psychological Distance Score by E-Mail Date; x-axis: Dates of E-Mail (4/10, 4/11, 6/14, 7/12); y-axis: Psychological Distance Score; values shown: 3.28, 3.5, 4, 3.4]


    43/68

    Covert vs. Overt Hostility in Email Prior to Attack

    Overt Hostility

    Covert Hostility


    44/68

    Zezev vs. Bloomberg: Managing his Psychological State

    Task: to lure him to London for the bust

    must manage his anger and anxiety at delays and manipulations

    satisfy his dependency need for $ & job

    WarmTouch help:

    Objectively highlight and help manage psychological states

    Objectively measure success


    45/68

    Support to Sting Ops/Negotiations: Levels of Anger in Zezev's emails to Bloomberg

    [Chart: Indicators of Anger (+); x-axis: 1 to 20; series: Evaluators -, Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me, We, I]


    46/68

    Zezev's Use of Me

    passive/dependent mode

    [Chart: Me]


    47/68

    Zezev's Use of Retractors

    [Chart: Anxiety; x-axis: 1 to 20; series: Retractors]


    48/68

    Robert Hanssen

    8 Communications with Soviet Handlers Between October 1985 & November 2000

    Challenge for Software:

    Detect signs of emotional stress associated with spying, disgruntlement and affair as documented in public records


    49/68

    Hanssen: Anger over Time

    [Chart: Psycholinguistic Measures of Anger: Words; x-axis: Date (10/1/1985, 10/10/1985, 11/8/1985, 9/8/1987, 6/13/1988, 3/14/2000, 6/8/2000, 11/15/200); y-axis: Number of Words; series: Words]


    50/68

    Hanssen: Changes over Time

    [Chart: Psycholinguistic Measures of Anger; x-axis: Date (10/1/1985, 9/8/1987, 6/8/2000); y-axis: Number of Words; series: Negatives, Me]


    51/68

    Hanssen: Changes Over Time

    [Chart: Emotional Vulnerability; x-axis: Date (10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000); y-axis: Number of Words; series: Adv Intensifiers, Direct Ref, Feelings, I]


    52/68

    Hanssen: Changes over Time

    [Chart: Psycholinguistic Measures: Anxiety; x-axis: Date (10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000); y-axis: Number of Words; series: Explainers, Retractors]


    53/68

    Other WarmTouch Applications

    Communications Manager

    Analyze state of relationship

    Assess characteristics of persons in relationship

    Help modify language to improve/modify relationship

    Track success/changes over time

    Media Monitoring

    Attitude of Egyptian press toward U.S.

    Attitude of customers toward product or service


    54/68

    Internet Threat Actors

    Marcus H. Sachs

    Director, Internet Storm Center

    The SANS Institute

    http://isc.sans.org


    http://www.sans.org/

    55/68

    The Cyber Threat to the United States

    US national information networks have become more vulnerable, and therefore more attractive as a target

    Growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive or proprietary computer systems

    The complexity of computer networks is growing faster than the ability to understand and protect them

    The prospects for a cascade of failures across US infrastructures are largely unknown


    56/68

    Cyber Threats to the Critical Infrastructure

    Hacker/Script Kiddies/Hobbyist

    Disgruntled Employee

    Insider aiding others

    Hacktivist

    Industrial Espionage

    Foreign Espionage

    Terrorist

    State Sponsored Attack


    57/68

    The Threat is Increasing

    [Chart: Potential Damage (Low to High) against Probability of occurrence (Low to High); labels: Hacker, Criminal, Espionage, Terrorist, State Sponsored; years: 2003, 2004, 2005]

    Source: 1997 DSB Summer Study


    58/68

    Why are we so Vulnerable?

    Internet was not built to be secure

    Secure (i.e., obscure) software being replaced by commercial products in infrastructures

    Software development focused on Slick, Stable, Simple (not Secure)

    System administrators lack training

    Leaders rarely see computer security as part of the bottom line

    User awareness is low


    59/68

    Why The Feds are Concerned About Hackers

    The real threat to the Critical Infrastructure is not the hacker, but the structured state-sponsored organization

    However...

    Sometimes it's hard to tell the difference - both use the same tools

    Growing sophistication and availability of tools increases concern

    Must assume the worst until proven wrong

    So...

    The government takes seriously all unauthorized activity

    They will use all technical and law enforcement tools to respond ... and deter

    They will seek legal prosecution where appropriate

    60/68

    New Homeland Security Strategies

    http://www.whitehouse.gov/homeland/


    61/68

    National Strategy to Secure Cyberspace

    Nation fully dependent on cyberspace

    Range of threats: script kiddies to nation states

    Fix vulnerabilities, don't orient on threats

    New vulnerabilities require constant vigilance

    Individual vs. national risk management

    Government alone cannot secure cyberspace

    62/68

    Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

    Enhance law enforcement's capabilities for preemption, prevention, and prosecution

    Secure the mechanisms of the Internet including improving protocols and routing

    Foster trusted digital control systems/ supervisory control and data acquisition systems

    Reduce and remediate software vulnerabilities

    Improve physical security of cyber and telecommunications systems


    63/68

    Inside the Internet Storm Center

    [Diagram labels: Data Collection; DShield Users; Analysis; Dissemination; DShield.org]


    64/68

    Typical Residential Cable Modem Log

    [Screenshot annotations: Pop-up ads (Spam); FTP attempts]


    65/68

    Internet Storm Center Web Page

    http://isc.sans.org


    66/68

    Port Report


    67/68

    2002 Top 20 List

    Top Vulnerabilities to Windows Systems

    W1 Internet Information Services (IIS)

    W2 Microsoft Data Access Components (MDAC) -- Remote Data Services

    W3 Microsoft SQL Server

    W4 NETBIOS -- Unprotected Windows Networking Shares

    W5 Anonymous Logon -- Null Sessions

    W6 LAN Manager Authentication -- Weak LM Hashing

    W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords

    W8 Internet Explorer

    W9 Remote Registry Access

    W10 Windows Scripting Host

    Top Vulnerabilities to Unix Systems

    U1 Remote Procedure Calls (RPC)

    U2 Apache Web Server

    U3 Secure Shell (SSH)

    U4 Simple Network Management Protocol (SNMP)

    U5 File Transfer Protocol (FTP)

    U6 R-Services -- Trust Relationships

    U7 Line Printer Daemon (LPD)

    U8 Sendmail

    U9 BIND/DNS

    U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords

    www.sans.org/top20


    68/68

    Questions?

    Contact:

    [email protected]

    [email protected]

    [email protected]

    [email protected]
