Cyber Security & Infrastructure Protection - PowerPoint PPT Presentation

Cyber Security& Infrastructure Protection

FBI Philadelphia Division

Special Agent John B. Chesson

• Unauthorized Intrusions
• Website Defacements
• Domain Name Server Attacks
• Distributed Denial of Service (DDoS) Attacks
• Computer Worms
• Routing Operations
• Critical Infrastructures
• Compound Attacks

Cyberspace: the Infrastructure behind Critical Infrastructure…

9. Manufacturing 10. Food & Agriculture 11. Chemicals and Hazardous Materials

12. Defense Industry 13. Public Health

The New Threat: Anyone with a Computer

• Thrill Seekers
• Disgruntled Employees
• Organized Crime
• Terrorist Sympathizers and Anti-U.S. Hackers
• Terrorist Groups
• Nation-States

• No political motives
• Seeking notoriety – bragging rights
• ‘Nuisance attacks’ using pre-fabricated tools and exploits
• Potential for serious disruptions and monetary damage

• Extremist Muslim groups – known hacker groups (G-Force Pakistan, Pakistan Hackerz Club)
• Anti-Israeli groups
• Anti-capitalism and anti-globalization movement
• Chinese hackers

• Terrorist groups are using information technology
• Terrorists possess the will and can easily obtain the means to attack IT targets
• Potential for major cyber attacks is very high

• Cyber Attacks…
• Osama bin Laden allegedly gave a statement:
• "hundreds of young men had pledged to him that they were ready to die and that hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and (sic)ranging from computers to electronics againstthe infidels.”
• Mapping US vulnerabilities
• Compound Attacks most dangerous

• “Our country needs to go all-out to develop high-quality internet warriors. That should include development in exclusive universities as well as attracting private computer users to take part in internet combat".
• Liberation Army Daily
• China views information operations/information warfare (IO/IW) as a strategic weapon for use outside of traditional operational boundaries.
• China is particularly sensitive to the potential asymmetric applications IO/IW can have in any future conflict with a technologically superior adversary.
• Kosovo and the Chinese Embassy strike in Belgrade
• US / China reconnaissance incident
• Impact of Technology in the war on Terrorism Afghanistan

Many Potential Cyber Threats

Unstructured Threats

• Insiders
• Recreational Hackers
• Institutional Hackers

National Security Threats

• Terrorists
• Intelligence Agencies
• Information Warriors

Structured Threats

• Organized Crime
• Industrial Espionage
• Hacktivists

Attack Sophistication vs.

Intruder Technical Knowledge

Intruder

Knowledge

Tools

“stealth” / advanced scanning techniques

High

packet spoofing

DoS

sniffers

www attacks

sweepers

automated probes/scans

GUI

back doors

network mgmt. diagnostics

disabling audits

hijacking

sessions

burglaries

exploiting known vulnerabilities

Attack

Sophistication

password cracking

self-replicating code

Attackers

password guessing

Low

1980

1985

1990

1995

2000

• Freely available tools exploit vulnerabilities
• Part of the scanning process
• Capable of self-initiation
• Well-managed & coordinated global scale attacks
• Tools like “Sobig” self-propagate to global saturation in 28 minutes.
• IRC and IM are popular coordination attack tools.
• Signature based protection systems(Anti-virus and IDS) are ineffective against the new Polymorphic attacks
• IRC and HTTP are being used to disguise malicious code in legitimate network traffic

Types of Attacks

• Viruses
• Worms
• Trojans
• Denial of Service
• Computer Intrusions

• The Love Bug
• Estimated to have impacted 45 million users
• 20 Different Countries; $10 Billion; Two Days!
• Initiated in Philippines
• No Cyber Crime Legislation
• No extradition
• Anna Kournikova
• Virus in attachment
• Visual Basic Script disguised

as a jpg image

• Code Red v1, v2, Code Red II
• W32 / My Party Worm
• Bugbear Worm

VBS Worm Generator from Internet

• A Well Documented Vulnerability
• Victim computer(s) have not been compromised
• Victim computer simply overwhelmed with traffic….ICMP, Syn flood, etc.
• Code Red WhiteHouse.Gov attack
• Distributed Denial of Service…more traffic, harder to trace
• You Have No Control

Scanning

Gain user

access

Corrupt log files

Attack

other hosts

erase log files

Locate

system

to attack

Cover

tracks

Install

backdoors

Take or

alter

information

Sniffers

Gain

privileged

access

Engage in

other un-

authorized

activity

Root

create root users

Buffer overflow

OPERATION CYBERLOSS

www.ic3.gov

ISP

Victim company

Parent Company

Hack

Customer account/credit info

Subject

East Europe

Through hack/intrusion, subject obtains customer account credit info

Chat Room

ISP

Subject

East Europe

Using IRC chat rooms, the subject recruits college students to assist in scam.

ISP

Subject

East Europe

Orders for Merchandise Placed using Stolen Acct Info..

Merchandise Shipped to Co-conspirators..

OPERATION CYBERLOSSMAY, 2001

• 26 FBI FIELD OFFICES AND NUMEROUS OTHER FEDERAL AGENCIES.
• 32 STATE AND LOCAL LAW ENFORCEMENT AGENCIES
• INVOLVED 57,662 VICTIMS AND OVER $118,000,000 IN LOSSES.
• 61 CASES
• $2,025 LOSS TO $50,000,000 AGGREGATE LOSS
• AUCTION FRAUD, HACKING, ID THEFT, SOFTWARE PIRACY

www.ic3.gov

Where are they learning to do that?

• This image is from the WiFiMaps.com web site.

http://www.wifimaps.com

Virus Creation Kits

Virus Exchange Web Site

• Federal Bureau of Investigation
• http://www.ic3.gov/

(formerly: www.ifccfbi.gov/)

• U.S. Department of Justice
• Computer Crime and Intellectual

Property Section

• http://www.usdoj.gov/criminal/cybercrime

• CERT/CC
• http://www.cert.org
• located at the Software Engineering Institute
• Federally funded research and development center operated by Carnegie Mellon University.
• 2/18/2002 SNMP Vulnerability report
• CIAC
• http://ciac/llnl.gov/ciac/
• Located at Lawrence Livermore National Labs
• Federally funded by U.S. D.O.E.
• SANS
• http://www.sans.org
• Non-profit educational network security consortium
• Offers training and certification courses

• Develop a written Network Security Policy
• Coordinate with Legal, Security, and IT Departments
• Conduct Routine Network Security Audits
• Maintain and review Network Server and Router logs
• Use Intrusion Detection Software (IDS)
• Regularly backup and archive all critical files
• Investigate network irregularities completely
• Use Access Control List and Encryption
• If Attacked, notify Law Enforcement quickly

• Computer facilitated (non-intrusion)
• E-mail extortions
• Child pornography
• Fraud & Theft (IFCC) www.ifccfbi.gov
• Computer Intrusion (Title 18 Sec 1030)
• Unauthorized or exceeding authorized access to a protected computer
• National security
• Denial of Service attacks
• Data alteration or destruction
• Theft of intellectual property
• Worms & virus attacks
• Web defacement or Website redirects

• What should you do?
• What should you NOT do?

• Notify corporate security & legal counsel
• Think About:
• Protecting Yourself
• (Mission Critical vs. Proprietary Data)
• Catching the Perpetrator
• Activate your incident management team
• Created PRIOR to any incident
• One person in charge
• One person responsible for evidence.
• Keep a chronological log of events

• Activate all available audit trails & logging.
• What logs were active at the time of the attack?
• Begin keystroke monitoring.
• Banner in place?
• Identify and recover available evidence.
• System log files, system images, altered/damaged files, intruder’s files, network logs (IDS, routers, SNMP, etc.), traditional evidence.
• Secure evidence and maintain simple “chain-of-custody” records.

• Identify source(s) of the attack.
• Record specific damages and losses.
• Important for prosecution
• Prepare for repeat attacks.
• Protecting Mission Critical vs. Proprietary Data
• Theorize - nobody knows your system like you.
• Determine how the intrusion happened.
• Identify possible subjects and motives.
• Call law enforcement – but be patient

• Do NOT use the compromised systems before preserving any evidence.
• Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
• Do not assume that by ignoring the incident, or damage to your files, that it will go away.
• Do not correspond via E-mail on a compromised network regarding the incident or the investigation.

• Agents will interview staff and obtain evidence
• Obtain prosecutive opinion
• Trace the attack (subpoenas, 2703(d) orders, sources
• Identify the subject(s)
• Obtain/execute search warrants, interview subjects
• Examine evidence, identify more victims, develop more leads
• Obtain Federal Grand Jury Indictment
• Arrest and Possible Trail
• Disclosure Issues…

Confidential

Public

• Possible plea bargaining
• Possible trial
• Sentencing (upon conviction)
• Restitution

These steps do NOT occur quickly!

• Increase logging and filtering
• Protect your data according to its value / use:
• Proprietary vs. Mission Critical
• Understand your Defenses
• (Flexible vs. Rigid)
• Make use of warning banners
• Develop a patch management protocol
• Establish an Incident Management Plan / Team
• Include “Critical Incident” scenarios
• Know your I.T. staff personally – it will matter
• Join your local chapter of InfraGard

To promote protection of critical information systems

Provides formal and informal channels for the exchange of information about infrastructure threats and vulnerabilities

What is InfraGard?

Representatives from private industry, government agencies, academic institutions, state & local law enforcement

Membership requirements (No Cost)

Sign Membership agreement

Ethics/confidentiality pledge

FBI criminal records check

http://www.infragard.net/

www.infragardphl.org

Cyber Incident Detection

& Data Analysis Center

Automated Incident Reporting

Cyber Threat Picture

Current Obstacles to Timely & Accurate Reporting

Current Cyber Incident Reporting

National Infrastructure Protection

Government

Victim Corporation

Executives

Law

Enforcement

NIP

Security

ITStaff

Technical Expertise

Who has the big picture?

Asset Protection

Something Breaks

Trouble Shoot

Analysis Tools

Legal Liability

FBI ?

IDS

Repair

Training

DHS ?

Attacker

Skill level

Anomaly Noticed

Market Perception

Intelligence Base

Investigate

DOD ?

Intrusion

Detection

Response

Notification

Analysis

Warning

External Services on a Network

Vulnerable to Attack

Attacker

Participant’s Perimeter Network

Web

Offers normal looking company services, but no legitimate network traffic. Use of this system will assist in an Early Detection of a Cyber Attack

Mail, Web, FTP

Company’s Mission Critical

Network

Mail

CIDDAC 24/7 Operations

Real-time Cyber Attack Detection Sensor (RCADS)

FTP

Take Home Points

• Cyber Terrorism is a real possibility based upon trends indicating terrorists targeting critical infrastructures
• Sophistication and number of Attacks are on the increase, while executing Attacks are Easier via Automation & Availability of Tools
• Government, law enforcement, intelligence agencies and private industry must work together to protect critical infrastructures and information systems

www.infragard.net

The End

John B. Chesson

Special Agent FBI

Philadelphia, PA

215-418-4406

jchesson@fbi.gov

www.ciddac.org