Threat Briefing
Objectives• Appreciate the threat• To learn some of the more creative and
complex ways organizations are being attacked through the Internet today
• To understand how to organize more effective collaborative responses to these threats in the future
Stages of computer attack
1. Reconnaissance (gather information about the target system or network)
2. Probe and attack (probe the system for weaknesses and deploy the tools)
3. Toehold (exploit security weakness and gain entry into the system)
4. Advancement (advance from an unprivileged account to a privileged account)
5. Stealth (hide tracks; install a backdoor)
6. Listening post (establish a listening post)
7. Takeover (expand control from a single host to other hosts on network)
“Catapults and grappling hooks: The tools and techniques of information warfare,” http://www.research.ibm.com/journal/sj/371/boulanger.html
Attack Structure/Path
Cost vs. Risk
Figures from the 2005 CSI/FBI Computer Crime Survey (http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf)
Ranked by Prevalence Ranked by Loss
Principle Threat Categories
• Disruption• Extortion / crime• Espionage• Fraud
Disruption• Denial of Service Attacks
– “Script kiddies” attackingfor pleasure
– Competitive Advantage– Extortion– Political statement
• Accident– Natural Disaster (flood,
earthquake, …)– Man-made
• Accidental (digging up fiber optic cable)• For Malicious Purposes
Extortion
• Distributed Denial of Service (DDoS) attacks– Online gaming industry, Porn sites…– Anything time sensitive (e.g., stock trading,
holidays, major sporting events), or when majority of revenue derived online, are potential targets
• Encryption of files on hard drivehttp://news.com.com/Antivirus+expert+Ransomware+on+the+rise/2100-7355_3-6157092.html
Espionage• Targeted “spam” with trojan horse, dropped
USB thumb drives, etc.– Executable attachments– Media files, documents, embedded content– Key loggers or “root kits” installed– Data exfiltrated by POST or reverse tunnel
through firewall• Wireless sniffing• Surplused equipment!
http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
Fraud
• Unauthorized access to steal data, media
• Phishing (social engineering via email)• Key logging, or screen capture (attack
virtual keyboards)• Attacking Javascript cryptography• HTTP POST interception
Victim sites
Responding
• The OODA Loop• Coordination• Working with Law Enforcement• Striking back?
The OODA Loop
O
A
DOObserve
Orient
Decide
Act
Time
Observe & Orient
Decide & Act
Source: AF2025 v3c2, http://csat.au.af.mil/2025/volume3/vol3ch02.pdf
Controlling speed through the OODA Loop
• To speed up your loop– Get better information
sooner– Access new and stored
information quicker– Correlate and fuse
information quickly– Increase understanding
of tools/tactics– Automate decision
making and actions
• To slow down your adversary’s loop– Change the landscape
(force reconnaissance)– Act in unobservable
ways– Mix conventional/
unconventional actions– Give the adversary false
information (and/or “noise”)
– Keep the adversary guessing
Coordination• Data Collection• Data Fusion• Data Dissemination• Action in relationship
(time, location, function)• Capacity to work
together• OPSEC considerations
(attacker reading your email)
Working with LE
MilitaryIntelligenceCommunity
Law Enforcement
Private Sector• Law Enforcement
central to integrated public/private response
• LE can do things that private sector cannot (e.g., search/seizure)
• International LE coordination on cybercrime is working (e.g., Zotob case in Turkey)
“Strike-back” vs. other Active Response Actions
• Fight DDoS with DDoS (No way)• Pre-emptive DoS (Highly unlikely)• Retribution (Very risky)• Back tracking (Risky)• Information gathering (Less risky)• Ambiguity/dynamism (Least risky)
Conclusions• Future responses must be MORE collaborative,
LESS isolated• Identifying the structure of attack, and acting in
deliberate ways (rather than simply reacting to discrete events) is important
• Increase training, outreach capacity• Collaborative/cooperative response will become
essential (lots of opportunities to optimize)• There is much research and learning left to do…
Questions