Digital forensics
Download
1 / 66

Digital Forensics - PowerPoint PPT Presentation


  • 172 Views
  • Uploaded on

Digital Forensics. Dr. Bhavani Thuraisingham The University of Texas at Dallas Network and Application Forensics October 5, 2012. Network Forensics. Network Forensics Network Attacks Security Measures Network Forensics and Tools Types of Networks Other info

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Digital Forensics' - monet


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Digital forensics

Digital Forensics

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Network and Application Forensics

October 5, 2012


Network forensics
Network Forensics

  • Network Forensics

    • Network Attacks

    • Security Measures

    • Network Forensics and Tools

    • Types of Networks

    • Other info

  • Summary/Conclusion and Links

  • Special presentation of network forensic

  • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf


Network attacks
Network Attacks

  • Denial of service Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program.

  • These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail.

  • They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning.

  • Preventing suspicious network traffic from reaching hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack.

  • It is useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.


Network attacks1
Network Attacks

  • Spoofing This type of attack causes a host or application to mimic the actions of another.

  • Typically the attacker pretends to be an innocent host by following IP addresses in network packets.

  • For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers.

  • To protect against this type of attack, verify the authenticity of datagrams and commands.

  • Prevent datagram routing with invalid source addresses. Introduce unpredictablility into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.


Network attacks2
Network Attacks

  • Eavesdropping This is the simplest type of attack.

  • A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections.

  • Broadcast networks like Ethernet are especially vulnerable to this type of attack.

  • To protect against this type of threat, avoid use of broadcast network technologies and enforce the use of data encryption.

  • IP firewalling is very useful in preventing or reducing unauthorized access, network layer denial of service, and IP spoofing attacks.

  • It not very useful in avoiding exploitation of weaknesses in network services or programs and eavesdropping.


Securing a network
Securing a Network

  • Need measures to secure a network and prevent breaches

  • Apply patches; User a layered network defense strategy

  • NSA (National Security Agency) ahs developed DiD Defense in Depth) and has three models of protection

    • People, Technology, Operations

    • People: Employees are trained well

    • Technology: Strong network architecture and testing tools

    • Operations: applying security patches, anti-virus software, etc.


Network security mechanisms
Network Security Mechanisms

  • Network security starts from authenticating any user, most likely a username and a password.

  • Once authenticated, a stateful firewall enforces access policies such as what services are allowed to be accessed by the network users

  • Though effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network.

  • An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service.

  • Communication between two hosts using the network could be encrypted to maintain privacy.

  • Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.


Network security mechanisms1
Network Security Mechanisms

  • Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.

  • Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.

  • Such analysis could be used to further tighten security of the actual network being protected by the honeypot

  • Some tools: Firewall, Antivirus software and Internet Security Software. For authentication, use strong passwords and change it on a bi-weekly/monthly basis. When using a wireless connection, use a robust password. Network analyzer to monitor and analyze the network.


Network forensics1
Network Forensics

  • What is Network Forensics?

    • http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci859579,00.html

  • Network Forensics Analysis

  • Relationship to Honeynets/Honeypots

  • Policies for Networks Forensics

  • Example Prototype System

  • Some Popular Networks Forensics Analysis Tools (NFAT)


What is network forensics
What is Network Forensics

  • Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity.

    • Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

  • A network forensics appliance is a device that automates this process.

  • Wireless forensics is the process of capturing information that moves over a wireless network and trying to make sense of it in some kind of forensics capacity.


What is network forensics1
What is Network Forensics?

  • Network forensics systems can be one of two kinds:

    • "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

    • "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.


What is network forensics2
What is Network Forensics

  • Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place

  • When intruders break into a network they leave a trail. Need to spot variations in network traffic; detect anomalies

  • Network forensics can usually help to determine whether network has been attacked or there is a user error

  • Examiners must establish standards procedures to carry out forensics


Network analysis
Network Analysis

  • Find analysis techniques developed for one type of network and apply it to another type of network

  • Types of networks

    • Computer and Communication Networks

    • Telecommunication Network

    • Transportation networks

      • Highways, Railroad, Air Traffic

    • Human networks

      • Terror networks, Relationship networks


Network forensics analysis tools nfat relationships between ids firewalls and nfat
Network Forensics Analysis Tools (NFAT): Relationships between IDS, Firewalls and NFAT

  • IDS attempts to detect activity that violates an organization’s security policy by implementing a set of rules describing preconfigures patterns of interest

  • Firewall allows or disallows traffic to or from specific networks, machine addresses and port numbers

  • NFAT synergizes with IDSs and Firewalls.

    • Preserves long term record of network traffic

    • Allows quick analysis of trouble spots identified by IDSs and Firewalls

  • NFATs must do the following:

    • Capture network traffic

    • Analyze network traffic according to user needs

    • Allow system users discover useful and interesting things about the analyzed traffic


Nfat tasks
NFAT Tasks between IDS, Firewalls and NFAT

  • Traffic Capture

    • What is the policy?

    • What is the traffic of interest?

    • Intermal/Externasl?

    • Collect packets: tcpdump

  • Traffic Analysis

    • Sessionizing captured traffic (organize)

    • Protocol Parsing and analysis

      • Check for strings, use expert systems for analysis

  • Interacting with NFAT

    • Appropriate user interfaces, reports, examine large quantities of information and make it manageable


Network forensics networkminer
Network Forensics: NetworkMiner between IDS, Firewalls and NFAT

  • NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows.

  • NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

  • The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network.

  • The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).


Honeynets honeypots
Honeynets/Honeypots between IDS, Firewalls and NFAT

  • Network Forensics and honeynet systems have the same features of collecting information about computer misuses

  • Honeynet system can lure attackers and gain information about new types of intrusions

  • Network forensics systems analyze and reconstruct he attack behaviors

  • These two systems integrated together build a active self learning and response system to profile the intrusion behavior features and investigate the original source of the attack.


Honeynet project
Honeynet project between IDS, Firewalls and NFAT

  • Honeynet project was established to make information about network attacks and solutions widely available

  • Objectives: Awareness, information, tools

  • Attacks: distributed Denial of Service, Zero day attacks

  • Honeypot is a computer set up to lure attackers

  • Honeywalls are computers set up to monitor what is happening to the honeypots in the network


Policies computer attack taxonomy
Policies: Computer Attack Taxonomy between IDS, Firewalls and NFAT

  • Probing

    • Attackers reconnaissance

    • Attackers create a profile of an organization's structure, network capabilities and content, security posture

    • Attacker finds the targets and devices plans to circumvent the security mechanism

  • Penetration

    • Exploit System Configuration errors and vulnerabilities

    • Install Trojans, record passwords, delete files, etc.

  • Cover tracks

    • Configure event logging to a previous state

    • Clear event logs and hide files


Policies to enhance forensics
Policies to enhance forensics between IDS, Firewalls and NFAT

  • Retaining information

  • Planning the response

  • Training

  • Accelerating the investigation

  • Preventing anonymous activities

  • Protect the evidence


Example prototype system iowa state university
Example Prototype System: Iowa State University between IDS, Firewalls and NFAT

  • Network Forensics Analysis mechanisms should meet the following:

    • Short response times; User friendly interfaces

  • Questions addresses

    • How likely is a specific host relevant to the attack? What is the role the host played in the attack? How strong are two hosts connected to the attack?

  • Features of the prototype

    • Preprocessing mechanism to reduce redundancy in intrusion alerts

    • Graph model for presenting and interacting with th3 evidence

    • Hierarchical reasoning framework for automated inference of attack group identification


Example prototype system modules
Example Prototype System: Modules between IDS, Firewalls and NFAT

  • Evidence collection module

  • Evidence preprocessing module

  • Attack knowledge base

  • Assets knowledge base

  • Evidence graph generation module

  • Attack reasoning module

  • Analyst interface module

  • Reference

  • http://delivery.acm.org/10.1145/1420000/1410238/a4-wang.pdf?key1=1410238&key2=9838895521&coll=GUIDE&dl=GUIDE&CFID=57276464&CFTOKEN=77054716

  • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf


Network tools
Network Tools between IDS, Firewalls and NFAT

  • Network Forensics tools help in the monitoring of the network

  • Example: the records that Ps tools generate can prove that an employee ran a program without permission

  • Can also monitor machines/processes that may be harmful

  • Problem is the attacker can get administrator rights and start using the tools

  • Chapter 11 discusses tools for Windows and Linux


Some popular tools
Some Popular Tools between IDS, Firewalls and NFAT

  • Raytheon’s SilentRunner

    • Gives administrators help as they attempt to protect their company’s assets

    • Collector, Analyzer and Visualize Modules

  • Sandstorm Enterprise’s NetIntercept

    • Hardware appliance focused on capturing network traffic

  • Niksun’s NetDetector

    • Its an appliance like NetIntercept

    • Has an alerting mechanism

    • Integrates with Cicso IDS for a complete forensic analysis


Network forensics open source tools
Network Forensics: Open Source Tools between IDS, Firewalls and NFAT

  • Open source tools

    • Wireshark

    • Kismet

    • Snort

    • OSSEC

    • NetworkMiner is an open source Network Forensics Tool available at SourceForge.

    • Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6


Network forensics commercial tools
Network Forensics: Commercial Tools between IDS, Firewalls and NFAT

  • Deep Analysis Tools (data mining based tools)

    • E-Detective

    • ManTech International Corporation

    • Network Instruments

    • NIKSUN's NetDetector

    • PacketMotion

    • Sandstorm's NetIntercept

    • Mera Systems NetBeholder

    • InfoWatch Traffic Monitor


Network forensics commercial tools1
Network Forensics: Commercial Tools between IDS, Firewalls and NFAT

  • Flow-Based Systems

    • Arbor Networks

    • GraniteEdge Networks

    • Lancope http://www.lancope.com/

    • Mazu Networks http://www.mazunetworks.com/

  • Hybrid Systems

    • These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

    • Q1 Labs http://www.q1labs.com/


Performing live acquisitions
Performing Live Acquisitions between IDS, Firewalls and NFAT

  • Insert bootable forensics CD in the suspect system

  • Keep a log of all the actions

  • Send collected information to a network drive

  • Copy the physical memory

  • Determine if root kit is present; access system’s firmware, - -

  • Get forensics hash value of all files


Performing live acquisitions windows
Performing Live Acquisitions: Windows between IDS, Firewalls and NFAT

  • Setup NetCat listener to send the forensics data

  • Load Helix CD in the CD-ROM drive

  • Click appropriate buttons – System Information; Glad arrow etc

  • Click Acquire Live Image if Widows System

  • Connect to NetCat listener to send the collected data (e.g., enter IP address of NetCat listener)

  • Click Incidence Response Tools

  • Click on appropriate tools to collect data


Standard procedures
Standard procedures between IDS, Firewalls and NFAT

  • Standard installation image, hash schemes (e.g., MD5, SHA-1)

  • Fix vulnerabilities if intrusion is detected

  • Retrieve volatile data (RAM, processes)

  • Acquire compromised drive and make forensics image of it

  • Compare forensics image and standard image and determine if anything has changed


Network logs
Network Logs between IDS, Firewalls and NFAT

  • Network logs record traffic in and out of network

  • Network servers, routers, firewalls record activities and events that move through them

  • One ways is to run Tcpdump

  • When viewing network log, port information can give clues about suspicious activity

  • Use network analysis tool


Packet sniffers
Packet Sniffers between IDS, Firewalls and NFAT

  • Devices or software to monitor (sniff) traffic

  • TCP/IP sniffers operate at the Packet level; in OSI operates at the Layer 2 or 3 level (e.g. Data link or Network layers)

  • Some sniffers perform packet captures, some perform analysis and some perform both

  • Tools exist for examining (i) packets with certain flags set (ii) email headers (iii) IRC chats


Summary
Summary between IDS, Firewalls and NFAT

  • Network Forensics is the process of collecting and analyzing raw network data and then tracking network traffic to determine how an attack took place

  • Layered defense strategies to the network architecture

  • Live acquisitions are needed to retrieve volatile items

  • Standard procedure are needed to establish how to proceed after a network attack occurs

  • By monitoring network traffic can establish normal operations; then determine if there is an anomaly

  • Network tools used to monitor networks; but intruders can get admin rights to attack from the inside

  • Tools are available for monitoring network traffic for both Windows and Linux systems

  • Honeynet project enables people to learn latest intrusion techniques


Links
Links between IDS, Firewalls and NFAT

  • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

  • http://www.cs.fsu.edu/~yasinsac/Papers/MY01.pdf

  • http://www.sandstorm.net/support/netintercept/downloads/ni-ieee.pdf

  • http://www.giac.org/certified_professionals/practicals/gsec/2478.php

  • http://www.infragard.net/library/congress_05/computer_forensics/network_primer.pdf

  • http://dfrws.org/2003/presentations/Brief-Casey.pdf

  • http://delivery.acm.org/10.1145/1070000/1066749/p302-ren.pdf?key1=1066749&key2=0512850911&coll=GUIDE&dl=GUIDE&CFID=36223233&CFTOKEN=49225512

  • http://dfrws.org/


Application forensics
Application Forensics between IDS, Firewalls and NFAT

  • Email Forensics

    • UTD work on Email worm detection - revisited

    • Mobile System Forensics

    • Note: Other Application/systems related forensics

      • Database forensics, Network forensics (already discussed)

  • Military Forensics Overview

  • Optional paper to read:

    • http://www.mindswap.org/papers/Trust.pdf


Email forensics
Email Forensics between IDS, Firewalls and NFAT

  • Email Investigations

  • Client/Server roles

  • Email crimes and violations

  • Email servers

  • Email forensics tools


Email investigations
Email Investigations between IDS, Firewalls and NFAT

  • Types of email investigations

    • Emails have worms and viruses – suspicious emails

    • Checking emails in a crime – homicide

  • Types of suspicious emails

    • Phishing emails i- they are in HTML format and redirect to suspicious web sites

    • Nigerian scam

    • Spoofing emails


Client server roles
Client/Server Roles between IDS, Firewalls and NFAT

  • Client-Server architecture

  • Email servers runs the email server programs – example Microsoft Exchange Server

  • Email runs the client program – example Outlook

  • Identitication/authntictaion is used for client to access the server

  • Intranet/Internet email servers

    • Intranet – local environment

    • Internet – public: example: yahoo, hotmail etc.


Email crimes and violations
Email Crimes and Violations between IDS, Firewalls and NFAT

  • Goal is to determine who is behind the crime such as who sent the email

  • Steps to email forensics

    • Examine email message

    • Copy email message – also forward email

    • View and examine email header: tools available for outlook and other email clients

    • Examine additional files such as address books

    • Trace the message using various Internet tools

    • Examine network logs (netflow analysis)

      • Note: UTD Netflow tools SCRUB are in SourceForge


Email servers
Email Servers between IDS, Firewalls and NFAT

  • Need to work with the network administrator on how to retrieve messages from the server

  • Understand how the server records and handles the messages

  • How are the email logs created and stored

  • How are deleted email messages handled by the server? Are copies of the messages still kept?

  • Chapter 12 discussed email servers by UNIX, Microsoft, Novell


Email forensics tools
Email Forensics Tools between IDS, Firewalls and NFAT

  • Several tools for Outlook Express, Eudora Exchange, Lotus notes

  • Tools for log analysis, recovering deleted emails,

  • Examples:

    • AccessData FTK

    • FINALeMAIL

    • EDBXtract

    • MailRecovery


Worm detection introduction
Worm Detection: Introduction between IDS, Firewalls and NFAT

  • What are worms?

    • Self-replicating program; Exploits software vulnerability on a victim; Remotely infects other victims

  • Evil worms

    • Severe effect; Code Red epidemic cost $2.6 Billion

  • Goals of worm detection

    • Real-time detection

  • Issues

    • Substantial Volume of Identical Traffic, Random Probing

  • Methods for worm detection

    • Count number of sources/destinations; Count number of failed connection attempts

  • Worm Types

    • Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing Networks worms

  • Automatic signature generation possible

    • EarlyBird System (S. Singh -UCSD); Autograph (H. Ah-Kim - CMU)


Email worm detection using data mining
Email Worm Detection using Data Mining between IDS, Firewalls and NFAT

  • Task:

    • given some training instances of both “normal” and “viral” emails,

    • induce a hypothesis to detect “viral” emails.

  • We used:

    • Naïve Bayes

    • SVM

Outgoing Emails

The Model

Test data

Feature extraction

Classifier

Machine Learning

Training data

Cleanor Infected ?


Assumptions
Assumptions between IDS, Firewalls and NFAT

  • Features are based on outgoing emails.

  • Different users have different “normal” behaviour.

  • Analysis should be per-user basis.

  • Two groups of features

    • Per email (#of attachments, HTML in body, text/binary attachments)

    • Per window (mean words in body, variable words in subject)

  • Total of 24 features identified

  • Goal: Identify “normal” and “viral” emails based on these features


Feature sets
Feature sets between IDS, Firewalls and NFAT

  • Per email features

    • Binary valued Features

      • Presence of HTML; script tags/attributes; embedded images; hyperlinks;

      • Presence of binary, text attachments; MIME types of file attachments

    • Continuous-valued Features

      • Number of attachments; Number of words/characters in the subject and body

  • Per window features

    • Number of emails sent; Number of unique email recipients; Number of unique sender addresses; Average number of words/characters per subject, body; average word length:; Variance in number of words/characters per subject, body; Variance in word length

    • Ratio of emails with attachments


Data mining approach
Data Mining Approach between IDS, Firewalls and NFAT

Classifier

Clean/ Infected

Test instance

Clean/ Infected

infected?

SVM

Naïve Bayes

Test instance

Clean?

Clean


Data set
Data set between IDS, Firewalls and NFAT

  • Collected from UC Berkeley.

    • Contains instances for both normal and viral emails.

  • Six worm types:

    • bagle.f, bubbleboy, mydoom.m,

    • mydoom.u, netsky.d, sobig.f

  • Originally Six sets of data:

    • training instances: normal (400) + five worms (5x200)

    • testing instances: normal (1200) + the sixth worm (200)

  • Problem: Not balanced, no cross validation reported

  • Solution: re-arrange the data and apply cross-validation


Our implementation and analysis
Our Implementation and Analysis between IDS, Firewalls and NFAT

  • Implementation

    • Naïve Bayes: Assume “Normal” distribution of numeric and real data; smoothing applied

    • SVM: with the parameter settings: one-class SVM with the radial basis function using “gamma” = 0.015 and “nu” = 0.1.

  • Analysis

    • NB alone performs better than other techniques

    • SVM alone also performs better if parameters are set correctly

    • mydoom.m and VBS.Bubbleboy data set are not sufficient (very low detection accuracy in all classifiers)

    • The feature-based approach seems to be useful only when we have

      • identified the relevant features

      • gathered enough training data

      • Implement classifiers with best parameter settings


Mobile device system forensics
Mobile Device/System Forensics between IDS, Firewalls and NFAT

  • Mobile device forensics overview

  • Acquisition procedures

  • Summary


Mobile device forensics overview
Mobile Device Forensics Overview between IDS, Firewalls and NFAT

  • What is stored in cell phones

    • Incoming/outgoing/missed calls

    • Text messages

    • Short messages

    • Instant messaging logs

    • Web pages

    • Pictures

    • Calendars

    • Address books

    • Music files

    • Voice records


Mobile phones
Mobile Phones between IDS, Firewalls and NFAT

  • Multiple generations

    • Analog, Digital personal communications, Third generations (increased bandwidth and other features)

  • Digital networks

    • CDMA, GSM, TDMA, - - -

  • Proprietary OSs

  • SIM Cards (Subscriber Identity Module)

    • Identifies the subscriber to the network

    • Stores personal information, addresses books, etc.

  • PDAs (Personal digital assistant)

    • Combines mobile phone and laptop technologies


Acquisition procedures
Acquisition procedures between IDS, Firewalls and NFAT

  • Mobile devices have volatile memory, so need to retrieve RAM before losing power

  • Isolate device from incoming signals

    • Store the device in a special bag

    • Need to carry out forensics in a special lab (e.g., SAIAL)

  • Examine the following

    • Internal memory, SIM card, other external memory cards, System server, also may need information from service provider to determine location of the person who made the call


Mobile forensics tools
Mobile Forensics Tools between IDS, Firewalls and NFAT

  • Reads SIM Card files

  • Analyze file content (text messages etc.)

  • Recovers deleted messages

  • Manages PIN codes

  • Generates reports

  • Archives files with MD5, SHA-1 hash values

  • Exports data to files

  • Supports international character sets


Information warfare
Information Warfare between IDS, Firewalls and NFAT

  • Information Warfare

    • Defensive Strategies for Government and Industry

    • Military Tactics

    • Terrorism and Information Warfare

    • Tactics of Private Corporations

    • Future IW strategies

    • Surveillance Tools

    • The Victims of Information Warfare

  • Military Forensics

  • Relevant Papers


What is information warfare
What is Information Warfare? between IDS, Firewalls and NFAT

  • Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. Information warfare may involve collection of tactical information, assurance that one's own information is valid, spreading of propaganda or disinformation to demoralize the enemy and the public, undermining the quality of opposing force information and denial of information collection opportunities to opposing forces.

  • http://en.wikipedia.org/wiki/Information_warfare


Defensive strategies for government and industry
Defensive Strategies for Government and Industry between IDS, Firewalls and NFAT

  • Are US and Foreign governments prepared for Information Warfare

    • According to John Vacca, US will be most affected with 60% of the world’s computing power

    • Stealing sensitive information as well as critical, information to cripple an economy (e.g., financial information)

  • What have industry groups done

    • IT-SAC: Information Technology Information Sharing and Analysis

  • Will strategic diplomacy help with Information Warfare?

  • Educating the end user is critical according to John Vacca


Defensive strategies for government and industry1
Defensive Strategies for Government and Industry between IDS, Firewalls and NFAT

  • What are International organizations?

    • Think Tanks and Research agencies

    • Book cites several countries from Belarus to Taiwan engaged in Economic Espionage and Information Warfare

  • Risk-based analysis

  • Military alliances

    • Coalition forces – US, UK, Canada, Australia have regular meetings on Information Warfare

  • Legal implications

  • Strong parallels between National Security and Cyber Security


Military tactics
Military Tactics between IDS, Firewalls and NFAT

  • Supporting Technologies

    • Agents, XML, Human Computer Interaction

  • Military tactics

    • Planning, Security, Intelligence

  • Tools

    • Offensive Ruinous IW tools

      • Launching massive distributed denial of service attacks

    • Offensive Containment IW tools

      • Operations security, Military deception, Psychological operations, Electronic warfare (use electromagnetic energy), Targeting: Disable enemy's C2 (c0mmand and control) system and capability


Military tactics1
Military Tactics between IDS, Firewalls and NFAT

  • Tools (continued)

    • Defensive Preventive IW Tools

      • Monitor networks

    • Defensive Ruinous IW tools

      • Information operations

    • Defensive Responsive Containment IW tools

      • Handle hacking, viruses.

  • Other aspects

    • Dealing with sustained terrorist IW tactics, Dealing with random terrorist IW tactics


Terrorism and information warfare
Terrorism and Information Warfare between IDS, Firewalls and NFAT

  • Terrorists are using the web to carry out terrorism activities

  • What are the profiles of terrorists? Are they computer literate?

  • Hacker controlled tanks, planes and warships

  • Is there a Cyber underground network?

  • What are their tools?

    • Information weapons, HERF gun (high power radio energy at an electronic target), Electromagnetic pulse. Electric power disruptive technologies

  • Why are they hard to track down?

    • Need super forensics tools


Tactics of private corporations
Tactics of Private Corporations between IDS, Firewalls and NFAT

  • Defensive tactics

    • Open course intelligence, Gather business intelligence

  • Offensive tactics

    • Packet sniffing, Trojan horse etc.

  • Prevention tactics

    • Security techniques such as encryption

  • Survival tactics

    • Forensics tools


Future iw tactics
Future IW Tactics between IDS, Firewalls and NFAT

  • Electromagnetic bomb

    • Technology, targeting and delivery

  • Improved conventional method

    • Virus, worms, trap doors, Trojan horse

  • Global positioning systems

  • Nanotechnology developments

    • Nano bombs


Surveillance tools
Surveillance Tools between IDS, Firewalls and NFAT

  • Data emanating from sensors:

    • Video data, surveillance data

    • Data has to be analyzed

    • Monitoring suspicious events

  • Data mining

    • Determining events/activities that are abnormal

  • Biometrics technologies

  • Privacy is a concern


Victims of information warfare
Victims of Information Warfare between IDS, Firewalls and NFAT

  • Loss of money and funds

  • Loss of shelter, food and water

  • Spread of disease

  • Identity theft

  • Privacy violations

  • Death and destruction

  • Note: Computers can be hacked to loose money and identity; computers can be used to commit a crime resulting in death and destruction


Military forensics
Military Forensics between IDS, Firewalls and NFAT

  • CFX-2000: Computer Forencis Experiment 2000

    • Information Directorate (AFRL) partnership with NIJ/NLECTC

    • Hypothesis: possible to determine the motives, intent, targets, sophistication, identity and location of cyber terrorists by deploying an integrated forensics analysis framework

    • Tools included commercial products and research prototypes

    • http://www.afrlhorizons.com/Briefs/June01/IF0016.html

    • http://rand.org/pubs/monograph_reports/MR1349/MR1349.appb.pdf


Digital forensics1

Digital Forensics between IDS, Firewalls and NFAT

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Appendix

Social Network Analysis and Forensics

October 8, 2010


ad