
Threat Briefing






Presentation Transcript


  1. Threat Briefing

  2. Objectives
  • Appreciate the threat
  • Learn some of the more creative and complex ways organizations are being attacked through the Internet today
  • Understand how to organize more effective collaborative responses to these threats in the future

  3. Stages of computer attack
  • Reconnaissance (gather information about the target system or network)
  • Probe and attack (probe the system for weaknesses and deploy the tools)
  • Toehold (exploit a security weakness and gain entry into the system)
  • Advancement (advance from an unprivileged account to a privileged account)
  • Stealth (hide tracks; install a backdoor)
  • Listening post (establish a listening post)
  • Takeover (expand control from a single host to other hosts on the network)
  Source: “Catapults and grappling hooks: The tools and techniques of information warfare,” http://www.research.ibm.com/journal/sj/371/boulanger.html

  4. Attack Structure/Path

  5. Cost vs. Risk (charts: attacks ranked by prevalence; attacks ranked by loss)
  Figures from the 2005 CSI/FBI Computer Crime Survey (http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf)

  6. Principal Threat Categories
  • Disruption
  • Extortion / crime
  • Espionage
  • Fraud

  7. Disruption
  • Denial of Service attacks
    • “Script kiddies” attacking for pleasure
    • Competitive advantage
    • Extortion
    • Political statement
  • Accident
    • Natural disaster (flood, earthquake, …)
    • Man-made
      • Accidental (digging up fiber optic cable)
      • For malicious purposes

  8. Extortion
  • Distributed Denial of Service (DDoS) attacks
    • Online gaming industry, porn sites, …
    • Anything time sensitive (e.g., stock trading, holidays, major sporting events), or any business where the majority of revenue is derived online, is a potential target
  • Encryption of files on the hard drive
  Source: http://news.com.com/Antivirus+expert+Ransomware+on+the+rise/2100-7355_3-6157092.html

  9. Espionage
  • Targeted “spam” with trojan horse, dropped USB thumb drives, etc.
    • Executable attachments
    • Media files, documents, embedded content
  • Key loggers or “root kits” installed
  • Data exfiltrated by HTTP POST or by a reverse tunnel through the firewall
  • Wireless sniffing
  • Surplused equipment!
  Source: http://www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
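The slide lists "data exfiltrated by POST" as one of the espionage channels. The following is an added example, not part of the briefing, showing the kind of detection a defender can run over outbound web-proxy logs to surface that channel: it flags single oversized POST bodies to hosts outside an allow-list and clients whose cumulative POST volume to such hosts exceeds a budget. The log format, the sample lines, the host names, the addresses and the thresholds are all constructed assumptions for the example.

```python
"""Flag possible data exfiltration over HTTP POST in outbound proxy logs.

Added example; not from the briefing. The log format is an assumption:
a constructed, simplified proxy log with space-separated fields
    <timestamp> <client_ip> <method> <host> <bytes_out>
"""
from collections import defaultdict

# Constructed sample log lines. Hosts and addresses are placeholders.
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 GET  intranet.example.internal 512
2024-01-01T09:00:07 10.0.0.5 POST intranet.example.internal 2048
2024-01-01T09:01:13 10.0.0.5 POST files.upload-host.example 5242880
2024-01-01T09:01:40 10.0.0.5 POST files.upload-host.example 6291456
2024-01-01T09:02:02 10.0.0.9 POST cdn.example.net 1024
2024-01-01T09:03:15 10.0.0.9 GET  files.upload-host.example 300
"""

# Hosts where large POST bodies are expected (assumed allow-list).
KNOWN_UPLOAD_HOSTS = {"intranet.example.internal"}

SINGLE_POST_THRESHOLD = 1 * 1024 * 1024   # 1 MiB in one request
CLIENT_TOTAL_THRESHOLD = 8 * 1024 * 1024  # 8 MiB per client in the window


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, host, size = fields
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": host, "bytes_out": size}


def find_suspicious_posts(log_text, allow_hosts=KNOWN_UPLOAD_HOSTS,
                          single_threshold=SINGLE_POST_THRESHOLD,
                          total_threshold=CLIENT_TOTAL_THRESHOLD):
    """Return alert tuples (kind, client, host, bytes) for the log text.

    kind is 'large_post' for one oversized POST to a non-allow-listed host,
    or 'client_volume' when a client's summed POST bytes to such hosts
    exceed the per-client budget (host is None for that kind).
    """
    alerts = []
    per_client = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["host"] in allow_hosts:
            continue  # expected upload destination; not counted
        per_client[rec["client"]] += rec["bytes_out"]
        if rec["bytes_out"] >= single_threshold:
            alerts.append(("large_post", rec["client"],
                           rec["host"], rec["bytes_out"]))
    for client, total_bytes in per_client.items():
        if total_bytes >= total_threshold:
            alerts.append(("client_volume", client, None, total_bytes))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_posts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two large_post alerts and one client_volume alert, all for 10.0.0.5. The per-client total is the more useful of the two checks in practice, since an attacker can stay under any single-request threshold by chunking; it does nothing for the reverse-tunnel channel the slide also names, which does not appear in proxy logs at all and needs egress firewall logging instead.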

  10. Fraud
  • Unauthorized access to steal data, media
  • Phishing (social engineering via email)
  • Key logging, or screen capture (attack virtual keyboards)
  • Attacking Javascript cryptography
  • HTTP POST interception

  11. Victim sites

  12. Responding
  • The OODA Loop
  • Coordination
  • Working with Law Enforcement
  • Striking back?

  13. The OODA Loop (diagram: Observe, Orient, Decide, Act, cycling over time)

  14. Observe & Orient

  15. Decide & Act
  Source: AF2025 v3c2, http://csat.au.af.mil/2025/volume3/vol3ch02.pdf

  16. Controlling speed through the OODA Loop
  To speed up your loop:
  • Get better information sooner
  • Access new and stored information quicker
  • Correlate and fuse information quickly
  • Increase understanding of tools/tactics
  • Automate decision making and actions
  To slow down your adversary’s loop:
  • Change the landscape (force reconnaissance)
  • Act in unobservable ways
  • Mix conventional/unconventional actions
  • Give the adversary false information (and/or “noise”)
  • Keep the adversary guessing

  17. Coordination
  • Data collection
  • Data fusion
  • Data dissemination
  • Action in relationship (time, location, function)
  • Capacity to work together
  • OPSEC considerations (the attacker may be reading your email)

  18. Working with LE (diagram: Private Sector, Law Enforcement, Intelligence Community, Military)
  • Law Enforcement is central to an integrated public/private response
  • LE can do things that the private sector cannot (e.g., search/seizure)
  • International LE coordination on cybercrime is working (e.g., the Zotob case in Turkey)

  19. “Strike-back” vs. other Active Response Actions
  • Fight DDoS with DDoS (no way)
  • Pre-emptive DoS (highly unlikely)
  • Retribution (very risky)
  • Back tracking (risky)
  • Information gathering (less risky)
  • Ambiguity/dynamism (least risky)

  20. Conclusions
  • Future responses must be MORE collaborative, LESS isolated
  • Identifying the structure of an attack, and acting in deliberate ways (rather than simply reacting to discrete events), is important
  • Increase training and outreach capacity
  • Collaborative/cooperative response will become essential (lots of opportunities to optimize)
  • There is much research and learning left to do…

  21. Questions
