Cyber Adversary Characterization


Presentation Transcript


  1. Cyber Adversary Characterization Know thy enemy!

  2. Introduction and Background • Cyber Adversary Characterization workshop in 2002 • Research discussions continued via email • Briefings to Blackhat and Defcon to introduce concept and obtain feedback • Future workshops planned for October 2003 • Slides will be on both conference web sites

  3. Why characterize? • Theoretical: To gain an understanding of, and an ability to anticipate, an adversary in order to build improved threat models. • Practical: Improved profiling of attackers at the post-attack and forensic levels.

  4. Point Scoring: Rating-the-Hacker Toby Miller toby_miller@adelphia.net

  5. Point Scoring: Why? • No “standard” system to help rate the attacker • No system to help with the threat level • Help management in the decision making process

  6. Point Scoring: The Categories • Passive Fingerprinting • Intelligence • The Attack • The Exploit • Backdoors | Cover up • Other

  7. Example Score Metric

  8. Point Scoring: Past, Present, Future • Originally posted on incidents.org • Currently on rev2 • Soon to release rev 3 • www.ratingthehacker.net

  9. Tool characterizations, Disclosure Patterns and Technique scoring. Tom Parker – Pentest Limited (UK)

  10. The Hacker Pie • Representative of the characterization metrics which build the final characterization. • Available elements dependent upon scenario. • Does not rely solely upon IDS/attack signature data.

  11. The Hacker Pie (continued) • Pie reliant upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization. • Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.

  12. The Pie Explained [Diagram: four metrics (Metric One to Metric Four), each built from key data, feeding the characterization]

  13. Point Scoring Systems (Continued) • Attempt to characterize an adversary based on attack information captured from the wild. • Attempt to characterize adversary based upon “technique classification model” • Attempt to characterize adversary based upon “tool classification model”

  14. Tool classification model • Availability of application • Origins of application • Ease of use • Requires in-depth knowledge of vulnerability to execute? • Other mitigating factors

  15. Example Exploit Classification

  16. Disclosure Food Chain Characterization • All tools have a story • Often years before dissemination into the public domain. • Social demeanour often key to placing in the disclosure chain. • “Pyramid” metric.

  17. The Disclosure “Food Chain”

  18. 2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment Dr. Eric D. Shaw Consulting & Clinical Psychology, Ltd. eshaw@msn.com

  19. Offender Profiling • Roots in Law enforcement & intelligence community (criminal event or incident analysis)—intensive review of past offenders • Insider Computer Crimes, 1998-present • 50 cases • 10 in-depth case studies from companies or gov’t. contractors • Products • Typology of actors: motivation, psychological characteristics, actions • Critical pathway—process of interactions w/environment (personal and professional) leading to attack • At-risk characteristics • Organizational vulnerabilities & Insights into prevention, deterrence, detection, management

  20. Offender Profiling Headlines • The Termination Problem • Actor subtypes—the Proprietor & Hacker • The Tracking Problem • Organizational Vulnerabilities • Detection Issues • Intervention Challenges • Hacker Overview

  21. Attacks: The Termination Problem • Simple termination of a disgruntled insider is not the answer—80% attack after termination (4 hours-2 months) • 70% attack from remote locations vs. inside—termination did not impact access • Attack types: • DOS to disrupt business • Destruction & corruption of data • Theft of proprietary data • Time bombs • Extortion • Attack on reputations

  22. Attackers • Hackers—40%: affiliated with and active in hacking community, brings hacking practices to worksite • Proprietors—40%: defend system as belonging to them, resist efforts to dilute control • Avengers—20%: attack impulsively in response to perceived injustice

  23. Prevention: Screening & Selection The Tracking Problem • Screening & Selection Problems in 60% of cases—no or delayed background, nepotism, failure to detect risk factors • 30% had prior felony convictions • 30% had high-profile hacker activity

  24. Organizational Issues • 80% of cases occur during periods of high organizational stress or change at the highest to supervisory levels • Lack of policies contributed to disgruntlement or facilitated attack in 60% of cases • Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases

  25. Detection Problems • 80% of attackers used operational security to protect attack planning or identity • Time disgruntled to attack: 1-48 months with a mean of 11.3 months • Time active problems (probation) to attack: 0-76 weeks with a mean of 26 weeks • Forget the “big bang” theory of the sudden, unforeseen attack

  26. Intervention Problems • Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems, negotiate then cut-off, terminate poorly) • Problems with termination process in 80% of cases (esp. failure to terminate access) • Multidisciplinary risk assessment prior to termination

  27. Hardcore Hackers: Not Script Kiddies

  28. Remote Assessment Using WarmTouch (patent pending)

  29. Why Use WarmTouch Software to Detect Disgruntlement or Psych Change on-line? • Communication has moved on-line • Loss of visual & auditory cues on-line • Failure of other systems to detect violations: technical noise, supervisor & peer reporting • Protects Privacy • Provides Objectivity

  30. Person-Situation Interaction: Detect Psychological “Leakage” [Diagram: personal stressors and professional stressors act on a vulnerable CITI; mounting stress and frustration escalate from minor infraction to moderate infraction to major act]

  31. “Software” Components • Psychological Profiling Algorithms • Emphasis on measuring emotional state • Anger • Anxiety • Depression • Changes in emotional state from baseline • Psychological characteristics: decision-making and personal relations • Loner/team player • plans/reacts • Rigid/flexible • Sensitivity to environment • Alert Phrases-key words • Threats • Victimization • Employment Problems • Communication Characteristics • To, From, Time, Length, etc.
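The slide lists three kinds of signal: emotional state measured as a change from a baseline, alert phrases, and communication metadata (to, from, time, length). The following added example (not WarmTouch's code, and not from the presentation) sketches how those signals can be combined on constructed email text. The lexicons, the alert phrases, the baseline size and the "rise above baseline" thresholds are all assumptions chosen for illustration; the sample messages are constructed and loosely echo the insider case quoted later in the deck.

```python
"""Baseline-deviation screening of a sender's messages (constructed illustration).

Three signal types, as listed on the slide: emotional-state lexicon rates compared
with the sender's own baseline, alert phrases, and communication metadata.
Lexicons, phrases and thresholds below are assumptions, not a validated instrument.
"""
import re
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed toy lexicons; real profiling relies on validated word lists.
LEXICONS = {
    "anger": {"ridiculous", "unacceptable", "refuse", "furious", "stupid", "useless", "incompetent"},
    "anxiety": {"worried", "afraid", "nervous", "anxious", "uncertain", "concerned", "stressed"},
}
# Assumed alert phrases (threats, ultimatums, privileged-access talk).
ALERT_PHRASES = ("fire me", "i quit", "root access", "relieve me", "you will regret")


@dataclass
class Message:
    sender: str
    day: int      # days since monitoring began (metadata: time)
    to: str       # metadata: recipient
    text: str


def features(text: str) -> dict:
    """Lexicon hit rates per 100 words, ALL-CAPS word rate, and message length."""
    words = re.findall(r"[a-z']+", text.lower())
    n = max(len(words), 1)
    feats = {name: 100.0 * sum(w in lex for w in words) / n for name, lex in LEXICONS.items()}
    feats["shouting"] = 100.0 * len(re.findall(r"\b[A-Z]{2,}\b", text)) / n
    feats["length"] = len(words)
    return feats


def alert_phrases(text: str) -> list:
    """Alert phrases present in the message, in lexicon order."""
    low = text.lower()
    return [p for p in ALERT_PHRASES if p in low]


def baseline(msgs) -> dict:
    """Per-feature (mean, stdev) over the sender's early, unremarkable messages."""
    rows = [features(m.text) for m in msgs]
    return {k: (mean(r[k] for r in rows), pstdev(r[k] for r in rows)) for k in rows[0]}


def assess(msgs, baseline_n=3, z=2.0, min_rise=2.0) -> list:
    """One alert per later message whose emotional signals rise above the sender's
    baseline (mean + max(z*stdev, min_rise)) or that contains an alert phrase.
    min_rise guards against a flat baseline with zero variance."""
    base = baseline(msgs[:baseline_n])
    alerts = []
    for idx, m in enumerate(msgs[baseline_n:], start=baseline_n):
        f = features(m.text)
        risen = [k for k in ("anger", "anxiety", "shouting")
                 if f[k] > base[k][0] + max(z * base[k][1], min_rise)]
        phrases = alert_phrases(m.text)
        if risen or phrases:
            alerts.append({"index": idx, "day": m.day, "to": m.to,
                           "risen": risen, "phrases": phrases, "length": f["length"]})
    return alerts


# Constructed sample: three routine messages establish the baseline, then two that shift.
MESSAGES = [
    Message("admin", 1, "boss", "Backup job finished overnight. I will rotate the logs on the "
            "reporting server tomorrow and send the usual summary."),
    Message("admin", 8, "boss", "Patched the two file servers this morning. No issues so far, "
            "let me know if anything looks off on your side."),
    Message("admin", 15, "boss", "Quick note: the monthly report is ready. I added a chart for "
            "disk usage as we discussed."),
    Message("admin", 40, "boss", "This is ridiculous and unacceptable. His experience is ZERO and "
            "he does not know ANYTHING about our reporting tools. Until you fire me or I quit, "
            "I refuse to hand over root access."),
    Message("admin", 70, "boss", "I am worried about the timeline. Two weeks is not enough for "
            "such a critical and complex system and I am not sure anyone can cover it."),
]

if __name__ == "__main__":
    for a in assess(MESSAGES):
        print(f"day {a['day']:3d} to {a['to']}: rose={a['risen']} phrases={a['phrases']}")
```

Run as-is it flags the fourth message (anger and shouting above baseline, plus three alert phrases) and the fifth (anxiety above baseline). The point the slide makes survives the toy: a per-sender baseline lets a modest absolute rate stand out, where a fixed global threshold would miss it or drown in noise.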

  32. WarmTouch “Software” Overview • WarmTouch origins in IC, 1986-present • Use of WarmTouch with Insider Communications • Khanna at Bank • Threat Monitoring • Sting operations & negotiations • Suspect identification • Hanssen • Other WarmTouch Applications

  33. Case Example: Financial Proprietor • Well paid systems administrator • Personality Traits-Proprietor • Entitlement • Manipulative • Devaluing of others • Padded OT • Context: Supervisor Change

  34. Email from Boss • Asked to train back-up • “You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution not to you…”

  35. Email 1: April • (Asked to train his back-up, subject refuses) “His experience was ZERO. He does not know ANYTHING about ...our reporting tools.” • “Until you fire me or I quit, I have to take orders from you…Until he is a trained expert, I won’t give him access...If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can’t be a garbage cleaner if someone screws up….I won’t compromise on that.”

  36. Email 3: July • “Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you’ll always get the most cost-effective, and productive solution from me.”

  37. Email 4: July • “I would be honored to work until last week of August.” • “As John may have told you, there are a lot of things which at times get “flaky” with the system front-end and back-end. Two week extension won’t be enough time for me to look into everything for such a critical and complex system.” • “Thanks for all your trust in me.”

  38. The Event • On last day of work, subject disables the computer network’s two fileservers. • Company executives implore subject to help them fix the problems, but he refuses. • Independent consulting firm hired to investigate problems, discovers sabotage. • Timing: deception to cover plotting.

  39. WarmTouch Challenge • Detect deterioration in relationship with supervisor • Detect Deception

  40. The April Email Profile

  41. July Email Profile • August

  42. Detecting Deception

  43. Covert vs. Overt Hostility in Email Prior to Attack [Chart: overt hostility and covert hostility measured at three months prior, two months prior, two weeks prior, and at the attack]

  44. Zezev vs. Bloomberg: Managing his Psychological State • Task: to lure him to London for the bust • must manage his anger and anxiety at delays and manipulations • satisfy his dependency—need for $ & job • Warmtouch help: • Objectively highlight and help manage psychological states • Objectively measure success

  45. Support to Sting Ops/Negotiations: Levels of Anger in Zezev’s emails to Bloomberg

  46. Zezev’s Use of “Me”: passive/dependent mode

  47. Zezev’s Use of Retractors: Anxiety

  48. Robert Hanssen • 8 Communications with Soviet Handlers • Between October 1985 & November 2000 • Challenge for Software: • Detect signs of emotional stress associated with spying, disgruntlement and “affair” as documented in public records

  49. Hanssen: Anger over Time

  50. Hanssen: Changes over Time