Cyber Adversary Characterization

Know thy enemy!

Presentation Transcript

Introduction and Background

  • Cyber Adversary Characterization workshop in 2002

  • Research discussions continued via email

  • Briefings to Blackhat and Defcon to introduce concept and obtain feedback

  • Future workshops planned for October 2003

  • Slides will be on both conference web sites

Why characterize?

  • Theoretical: To gain understanding of and an ability to anticipate an adversary in order to build improved threat models.

  • Practice: Improved profiling of attackers at post attack and forensic levels.

Point Scoring: Why?

  • No “standard” system to help rate the attacker

  • No system to help with the threat level

  • Help management in the decision making process

Point Scoring: The Categories

  • Passive Fingerprinting

  • Intelligence

  • The Attack

  • The Exploit

  • Backdoors | Cover up

  • Other

Point Scoring: Past, Present, Future

  • Originally posted on

  • Currently on rev2

  • Soon to release rev 3



Tool characterizations, Disclosure Patterns and Technique scoring.

Tom Parker – Pentest Limited (UK)

The Hacker Pie

  • Representative of characterization metrics which build the final characterization.

  • Available elements dependent upon scenario.

  • Does not rely solely upon IDS/attack signature data.

The Hacker Pie (continued)

  • Pie reliant upon the results of multiple metrics which are, in many cases, inter-related, strengthening the likelihood of an accurate characterization.

  • Relationships between key metrics and key data enable accurate assumptions to be made regarding unobserved key information.

The Pie Explained

[Slide diagram: Metric One, Metric Two, Metric Three and Metric Four, each backed by Key Data items]

Point Scoring Systems (Continued)

  • Attempt to characterize an adversary based on attack information captured from the wild.

  • Attempt to characterize adversary based upon “technique classification model”

  • Attempt to characterize adversary based upon “tool classification model”

Tool Classification Model

  • Availability of application

  • Origins of application

  • Ease of use

    • Requires in-depth knowledge of vulnerability to execute?

    • Other mitigating factors

Disclosure Food Chain Characterization

  • All tools have a story

  • Often years before dissemination into public domain.

  • Social demeanour often key to placing in the disclosure chain.

  • “Pyramid” metric.


2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment

Dr. Eric D. Shaw

Consulting & Clinical Psychology, Ltd.

[email protected]

Offender Profiling

  • Roots in Law enforcement & intelligence community (criminal event or incident analysis)—intensive review of past offenders

  • Insider Computer Crimes, 1998-present

    • 50 cases

    • 10 in-depth case studies from companies or gov’t. contractors

  • Products

    • Typology of actors: motivation, psychological characteristics, actions

    • Critical pathway—process of interactions w/environment (personal and professional) leading to attack

    • At-risk characteristics

    • Organizational vulnerabilities & Insights into prevention, deterrence, detection, management

Offender Profiling Headlines

  • The Termination Problem

  • Actor subtypes—the Proprietor & Hacker

  • The Tracking Problem

  • Organizational Vulnerabilities

  • Detection Issues

  • Intervention Challenges

  • Hacker Overview

Attacks: The Termination Problem

  • Simple termination of Disgruntled Insider is not the answer—80% attack after termination (4 hours-2 months)

  • 70% attack from remote locations vs. inside—termination did not impact access

  • Attack types:

    • DOS to disrupt business

    • Destruction & corruption of data

    • Theft of Proprietary data

    • Time bombs

    • Extortion

    • Attack on reputations

Attackers

  • Hackers—40%: affiliated with and active in hacking community, brings hacking practices to worksite

  • Proprietors—40%: defend system as belonging to them, resist efforts to dilute control

  • Avengers—20%: attack impulsively in response to perceived injustice

Prevention: Screening & Selection

The Tracking Problem

  • Screening & Selection Problems in 60% of cases—no or delayed background, nepotism, failure to detect risk factors

  • 30% had prior felony convictions

  • 30% had high-profile hacker activity

Organizational Issues

  • 80% of cases occur during periods of high organizational stress or change at the highest to supervisory levels

  • Lack of policies contributed to disgruntlement or facilitated attack in 60% of cases

  • Lack of policy enforcement contributed to disgruntlement or facilitated attack in 70% of cases

Detection Problems

  • 80% of attackers used operational security to protect attack planning or identity

  • Time disgruntled to attack: 1-48 months with a mean of 11.3 months

  • Time active problems (probation) to attack: 0-76 weeks with a mean of 26 weeks

    Forget the “big bang” theory of the sudden, unforeseen attack

Intervention Problems

  • Management intervention initially exacerbated problems in 80% of cases (ignore, placate or tolerate problems, negotiate then cut-off, terminate poorly)

  • Problems with termination process in 80% of cases (esp. failure to terminate access)

  • Multidisciplinary risk assessment prior to termination

Hardcore Hackers: Not Script Kiddies

Remote Assessment Using WarmTouch

(patent pending)

Why Use WarmTouch Software to Detect Disgruntlement or Psych Change On-line?

  • Communication has moved on-line

  • Loss of visual & auditory cues on-line

  • Failure of other systems to detect violations: technical noise, supervisor & peer reporting

  • Protects Privacy

  • Provides Objectivity

Person-Situation Interaction: Detect Psychological “Leakage”

[Slide diagram: Personal Stressors and Professional Stressors feeding Mounting Stress and Frustration]

“Software” Components

  • Psychological Profiling Algorithms

    • Emphasis on measuring emotional state

      • Anger

      • Anxiety

      • Depression

    • Changes in emotional state from baseline

  • Psychological characteristics: decision-making and personal relations

    • Loner/team player

    • plans/reacts

    • Rigid/flexible

    • Sensitivity to environment

  • Alert Phrases-key words

    • Threats

    • Victimization

    • Employment Problems

  • Communication Characteristics

    • To, From, Time, Length, etc.

WarmTouch “Software” Overview

  • WarmTouch origins in IC, 1986-present

  • Use of WarmTouch with Insider Communications

    • Khanna at Bank

    • Threat Monitoring

    • Sting operations & negotiations

    • Suspect identification

    • Hanssen

  • Other WarmTouch Applications

Case Example: Financial Proprietor

  • Well paid systems administrator

  • Personality Traits-Proprietor

    • Entitlement

    • Manipulative

    • Devaluing of others

    • Padded OT

  • Context: Supervisor Change

Email from Boss

  • Asked to train back-up

  • “You seem to have developed a personal attachment to the System Servers. These servers and the entire system belong to this institution not to you…”

Email 1: April

  • (Asked to train his back-up, subject refuses) “His experience was ZERO. He does not know ANYTHING about ...our reporting tools.”

  • “Until you fire me or I quit, I have to take orders from you…Until he is a trained expert, I won’t give him access...If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can’t be a garbage cleaner if someone screws up….I won’t compromise on that.”

Email 3: July

  • “Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you’ll always get the most cost-effective, and productive solution from me.”

Email 4: July

  • “I would be honored to work until last week of August.”

  • “As John may have told you, there are a lot of things which at times get “flaky” with the system front-end and back-end. Two week extension won’t be enough time for me to look into everything for such a critical and complex system.”

  • “Thanks for all your trust in me.”

The Event

  • On last day of work, subject disables the computer network’s two fileservers.

  • Company executives implore subject to help them fix the problems, but he refuses.

  • Independent consulting firm hired to investigate problems, discovers sabotage.

  • Timing: deception to cover plotting.

WarmTouch Challenge

  • Detect deterioration in relationship with supervisor

  • Detect Deception

The April Email Profile

July Email Profile

  • August

Detecting Deception

Covert vs. Overt Hostility in Email Prior to Attack

[Slide chart: overt vs. covert hostility in email at three months, two months and two weeks before the attack]

Zezev vs. Bloomberg: Managing his Psychological State

  • Task: to lure him to London for the bust

    • must manage his anger and anxiety at delays and manipulations

    • satisfy his dependency—need for $ & job

  • Warmtouch help:

    • Objectively highlight and help manage psychological states

    • Objectively measure success

Zezev’s Use of “Me”: Passive/Dependent Mode

Zezev’s Use of Retractors: Anxiety
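As an added example that is not part of the slides or of the WarmTouch product, the following Python scores the message metrics listed on the “Software” Components slide (emotional state against a baseline, alert phrases, message length) together with the “me” and retractor markers of the two Zezev slides above. The lexicons, the 2-sigma threshold and the standard-deviation floor are assumptions; the baseline messages are constructed, and the April and July texts are excerpts of the case-example emails quoted earlier.

```python
import re
from statistics import mean, pstdev

# Assumed lexicons (not WarmTouch's): a small hostility list, classic retractor
# words as the anxiety marker, and alert phrases in the slide's three categories.
HOSTILE = {"fire", "quit", "garbage", "screws", "zero", "anything", "won't", "can't", "not"}
RETRACTORS = {"but", "however", "nevertheless", "although", "though", "yet", "except", "unless"}
ALERT_PHRASES = {"threats": ("fire me", "i quit", "won't give"),
                 "employment": ("relieve me of my duties", "continue me here", "extension"),
                 "victimization": ("garbage cleaner", "take orders")}
SD_FLOOR = 1.0  # rate units; a flat baseline must not turn every change into infinity

def profile(text):
    """Per-100-word rates, alert-phrase hits and length for one message."""
    words = re.findall(r"[a-z']+", text.lower().replace("\u2019", "'"))
    n, norm = len(words), " ".join(words)
    rate = lambda lexicon: 100.0 * sum(w in lexicon for w in words) / n
    return {"words": n, "hostility": rate(HOSTILE), "retractors": rate(RETRACTORS),
            "me": 100.0 * words.count("me") / n,  # passive/dependent marker from the Zezev slides
            "alerts": {c: sum(p in norm for p in ps) for c, ps in ALERT_PHRASES.items()}}

def drift(baseline, current):
    """z-score of each rate against the subject's own earlier messages."""
    z = {}
    for m in ("hostility", "retractors", "me"):
        ref = [b[m] for b in baseline]
        z[m] = (current[m] - mean(ref)) / max(pstdev(ref), SD_FLOOR)
    return z

def flagged(baseline, current, threshold=2.0):
    """Metrics that moved at least `threshold` standard deviations above baseline."""
    return sorted(m for m, v in drift(baseline, current).items() if v >= threshold)

# Constructed baseline: routine sysadmin mail from before the supervisor change.
BASELINE = [
    "Backup of the report servers completed overnight. I rotated the logs and disk usage is "
    "back under the threshold. Let me know if you want the retention window changed.",
    "The patch for the database host is scheduled for Saturday with about one hour of downtime.",
    "No rush on the storage quote, but do we still want the second array this quarter?",
]
# Excerpts of the April and July emails quoted on the case-example slides (ellipses dropped).
APRIL = ("His experience was ZERO. He does not know ANYTHING about our reporting tools. Until you "
         "fire me or I quit, I have to take orders from you. Until he is a trained expert, I won't "
         "give him access. If you order me to give him root access, then you have to permanently "
         "relieve me of my duties on that machine. I can't be a garbage cleaner if someone screws "
         "up. I won't compromise on that.")
JULY = ("Whether or not you continue me here after next month (consulting, full-time, or part-time), "
        "you can always count on me for quick response to any questions, concerns, or production "
        "problems with the system. As always, you'll always get the most cost-effective, and "
        "productive solution from me. I would be honored to work until last week of August. Two week "
        "extension won't be enough time for me to look into everything for such a critical and "
        "complex system. Thanks for all your trust in me.")
```

Run `flagged([profile(m) for m in BASELINE], profile(JULY))` to see which metrics moved: overt hostility falls from April to July while the dependent “me” rate rises, which is the covert shift the deception slides describe.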

Robert Hanssen

  • 8 Communications with Soviet Handlers

  • Between October 1985 & November 2000

  • Challenge for Software:

    • Detect signs of emotional stress associated with spying, disgruntlement and “affair” as documented in public records

Hanssen: Anger over Time

Hanssen: Changes over Time

Other WarmTouch Applications

  • Communications Manager

    • Analyze state of relationship

    • Assess characteristics of persons in relationship

    • Help modify language to improve/modify relationship

    • Track success/changes over time

  • Media Monitoring

    • Attitude of Egyptian press toward U.S.

    • Attitude of customers toward product or service

Internet Threat Actors

Marcus H. Sachs

Director, Internet Storm Center

The SANS Institute

The Cyber Threat to the United States

  • US national information networks have become more vulnerable—and therefore more attractive as a target

  • Growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive or proprietary computer systems

  • The complexity of computer networks is growing faster than the ability to understand and protect them

  • The prospects for a cascade of failures across US infrastructures are largely unknown

Cyber Threats to the Critical Infrastructure

  • Hacker/Script Kiddies/Hobbyist

  • Disgruntled Employee

  • Insider aiding others

  • Hacktivist

  • Industrial Espionage

  • Foreign Espionage

  • Terrorist

  • State Sponsored Attack

The Threat is Increasing

[Slide chart: threat actors, including State Sponsored, plotted by probability of occurrence from Low to High]

Source: 1997 DSB Summer Study

Why are we so Vulnerable?

  • Internet was not built to be secure

  • “Secure” (i.e., obscure) software being replaced by commercial products in infrastructures

  • Software development focused on “Slick, Stable, Simple” (not “Secure”)

  • System administrators lack training

  • Leaders rarely see computer security as part of the “bottom line”

  • User awareness is low

Why the Feds are Concerned About Hackers

  • The real threat to the Critical Infrastructure is not the hacker, but the structured state-sponsored organization

  • However...

    • Sometimes it’s hard to tell the difference - both use the same tools

    • Growing sophistication and availability of tools increases concern

    • Must assume the worst until proven wrong

  • So...

    • The government takes seriously all unauthorized activity

    • They will use all technical and law enforcement tools to respond ... and deter

    • They will seek legal prosecution where appropriate

New Homeland Security Strategies

National Strategy to Secure Cyberspace

  • Nation fully dependent on cyberspace

  • Range of threats: script kiddies to nation states

  • Fix vulnerabilities, don’t orient on threats

  • New vulnerabilities require constant vigilance

  • Individual vs. national risk management

  • Government alone cannot secure cyberspace

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

  • Enhance law enforcement’s capabilities for preemption, prevention, and prosecution

  • Secure the mechanisms of the Internet including improving protocols and routing

  • Foster trusted digital control systems/ supervisory control and data acquisition systems

  • Reduce and remediate software vulnerabilities

  • Improve physical security of cyber and telecommunications systems

Inside the Internet Storm Center

[Slide diagram: data collection from DShield users]

Typical Residential Cable Modem Log

[Slide screenshot: firewall log annotated with FTP attempts and pop-up ad (spam) traffic]

Internet Storm Center Web Page

Port Report

2002 Top 20 List

Top Vulnerabilities to Windows Systems

W1 Internet Information Services (IIS)

W2 Microsoft Data Access Components (MDAC) -- Remote Data Services

W3 Microsoft SQL Server

W4 NETBIOS -- Unprotected Windows Networking Shares

W5 Anonymous Logon -- Null Sessions

W6 LAN Manager Authentication -- Weak LM Hashing

W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords

W8 Internet Explorer

W9 Remote Registry Access

W10 Windows Scripting Host

Top Vulnerabilities to Unix Systems

U1 Remote Procedure Calls (RPC)

U2 Apache Web Server

U3 Secure Shell (SSH)

U4 Simple Network Management Protocol (SNMP)

U5 File Transfer Protocol (FTP)

U6 R-Services -- Trust Relationships

U7 Line Printer Daemon (LPD)

U8 Sendmail


U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords