Threat Briefing

Objectives• Appreciate the threat• To learn some of the more creative and

complex ways organizations are being attacked through the Internet today

• To understand how to organize more effective collaborative responses to these threats in the future

Stages of computer attack

1. Reconnaissance (gather information about the target system or network)

2. Probe and attack (probe the system for weaknesses and deploy the tools)

3. Toehold (exploit security weakness and gain entry into the system)

4. Advancement (advance from an unprivileged account to a privileged account)

5. Stealth (hide tracks; install a backdoor)

6. Listening post (establish a listening post)

7. Takeover (expand control from a single host to other hosts on network)

“Catapults and grappling hooks: The tools and techniques of information warfare,” http://www.research.ibm.com/journal/sj/371/boulanger.html

Attack Structure/Path

Cost vs. Risk

Figures from the 2005 CSI/FBI Computer Crime Survey (http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf)

Ranked by Prevalence Ranked by Loss

Principle Threat Categories

• Disruption• Extortion / crime• Espionage• Fraud

Disruption• Denial of Service Attacks

– “Script kiddies” attackingfor pleasure

– Competitive Advantage– Extortion– Political statement

• Accident– Natural Disaster (flood,

earthquake, …)– Man-made

• Accidental (digging up fiber optic cable)• For Malicious Purposes

Extortion

• Distributed Denial of Service (DDoS) attacks– Online gaming industry, Porn sites…– Anything time sensitive (e.g., stock trading,

holidays, major sporting events), or when majority of revenue derived online, are potential targets

• Encryption of files on hard drivehttp://news.com.com/Antivirus+expert+Ransomware+on+the+rise/2100-7355_3-6157092.html

Espionage• Targeted “spam” with trojan horse, dropped

USB thumb drives, etc.– Executable attachments– Media files, documents, embedded content– Key loggers or “root kits” installed– Data exfiltrated by POST or reverse tunnel

through firewall• Wireless sniffing• Surplused equipment!

http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

Fraud

• Unauthorized access to steal data, media

• Phishing (social engineering via email)• Key logging, or screen capture (attack

virtual keyboards)• Attacking Javascript cryptography• HTTP POST interception

Victim sites

Responding

• The OODA Loop• Coordination• Working with Law Enforcement• Striking back?

The OODA Loop

O

A

DOObserve

Orient

Decide

Act

Time

Observe & Orient

Decide & Act

Source: AF2025 v3c2, http://csat.au.af.mil/2025/volume3/vol3ch02.pdf

Controlling speed through the OODA Loop

• To speed up your loop– Get better information

sooner– Access new and stored

information quicker– Correlate and fuse

information quickly– Increase understanding

of tools/tactics– Automate decision

making and actions

• To slow down your adversary’s loop– Change the landscape

(force reconnaissance)– Act in unobservable

ways– Mix conventional/

unconventional actions– Give the adversary false

information (and/or “noise”)

– Keep the adversary guessing

Coordination• Data Collection• Data Fusion• Data Dissemination• Action in relationship

(time, location, function)• Capacity to work

together• OPSEC considerations

(attacker reading your email)

Working with LE

MilitaryIntelligenceCommunity

Law Enforcement

Private Sector• Law Enforcement

central to integrated public/private response

• LE can do things that private sector cannot (e.g., search/seizure)

• International LE coordination on cybercrime is working (e.g., Zotob case in Turkey)

“Strike-back” vs. other Active Response Actions

• Fight DDoS with DDoS (No way)• Pre-emptive DoS (Highly unlikely)• Retribution (Very risky)• Back tracking (Risky)• Information gathering (Less risky)• Ambiguity/dynamism (Least risky)

Conclusions• Future responses must be MORE collaborative,

LESS isolated• Identifying the structure of attack, and acting in

deliberate ways (rather than simply reacting to discrete events) is important

• Increase training, outreach capacity• Collaborative/cooperative response will become

essential (lots of opportunities to optimize)• There is much research and learning left to do…

Questions