Cyber Security & Infrastructure Protection
FBI Philadelphia Division, Special Agent John B. Chesson

Potential Cyber Attacks
• Unauthorized Intrusions
• Website Defacements
• Domain Name Server Attacks
• Distributed Denial of Service (DDoS) Attacks
• Computer Worms
• Routing Operations
• Critical Infrastructures
• Compound Attacks
Infrastructure Protection: A New Threat Paradigm
Cyberspace: the Infrastructure behind Critical Infrastructure…
9. Manufacturing
10. Food & Agriculture
11. Chemicals and Hazardous Materials
12. Defense Industry
13. Public Health
The New Threat: Anyone with a Computer

Potential Sources of Attacks
• Thrill Seekers
• Disgruntled Employees
• Organized Crime
• Terrorist Sympathizers and Anti-U.S. Hackers
• Terrorist Groups
• Nation-States

Thrill Seekers
• No political motives
• Seeking notoriety – bragging rights
• ‘Nuisance attacks’ using pre-fabricated tools and exploits
• Potential for serious disruptions and monetary damage

Terrorist Sympathizers and Anti-U.S. Hackers
• Extremist Muslim groups – known hacker groups (G-Force Pakistan, Pakistan Hackerz Club)
• Anti-Israeli groups
• Anti-capitalism and anti-globalization movement
• Chinese hackers

Terrorist Groups
• Terrorist groups are using information technology
• Terrorists possess the will and can easily obtain the means to attack IT targets
• Potential for major cyber attacks is very high
Cyber Capabilities
• Cyber Attacks…
• Osama bin Laden allegedly gave a statement:
  "hundreds of young men had pledged to him that they were ready to die and that hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and (sic) ranging from computers to electronics against the infidels.”
• Mapping US vulnerabilities
• Compound Attacks most dangerous

Nation States: China
• “Our country needs to go all-out to develop high-quality internet warriors. That should include development in exclusive universities as well as attracting private computer users to take part in internet combat.” – Liberation Army Daily
• China views information operations/information warfare (IO/IW) as a strategic weapon for use outside of traditional operational boundaries.
• China is particularly sensitive to the potential asymmetric applications IO/IW can have in any future conflict with a technologically superior adversary.
• Kosovo and the Chinese Embassy strike in Belgrade
• US / China reconnaissance incident
• Impact of Technology in the war on Terrorism – Afghanistan

Many Potential Cyber Threats
Unstructured Threats
• Insiders
• Recreational Hackers
• Institutional Hackers
National Security Threats
• Terrorists
• Intelligence Agencies
• Information Warriors
Structured Threats
• Organized Crime
• Industrial Espionage
• Hacktivists
[Chart: Attack Sophistication vs. Intruder Technical Knowledge, 1980–2000. Vertical axes: Intruder Knowledge (High to Low) and Attack Sophistication; curves labelled “Tools” and “Attackers”. Techniques plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, network mgmt. diagnostics, GUI, automated probes/scans, packet spoofing, DoS, www attacks, “stealth” / advanced scanning techniques.]
Current Cyber Attack Trends
CERT warns of automated attacks
• Freely available tools exploit vulnerabilities
• Part of the scanning process
• Capable of self-initiation
• Well-managed & coordinated global-scale attacks
• Tools like “Sobig” self-propagate to global saturation in 28 minutes.
• IRC and IM are popular coordination attack tools.
• Signature-based protection systems (anti-virus and IDS) are ineffective against the new polymorphic attacks
• IRC and HTTP are being used to disguise malicious code in legitimate network traffic

Types of Attacks
• Viruses
• Worms
• Trojans
• Denial of Service
• Computer Intrusions

Viruses/Worms/Trojans
• The Love Bug
  • Estimated to have impacted 45 million users
  • 20 Different Countries; $10 Billion; Two Days!
  • Initiated in Philippines
  • No Cyber Crime Legislation
  • No extradition
• Anna Kournikova
  • Virus in attachment
  • Visual Basic Script disguised as a jpg image
• Code Red v1, v2, Code Red II
• W32 / My Party Worm
• Bugbear Worm
• VBS Worm Generator from Internet

Denial of Service Attacks
• A Well Documented Vulnerability
• Victim computer(s) have not been compromised
• Victim computer simply overwhelmed with traffic…ICMP, SYN flood, etc.
• Code Red WhiteHouse.Gov attack
• Distributed Denial of Service…more traffic, harder to trace
• You Have No Control
[Diagram: Computer Intrusion: Typical Methodology. Stages shown: Locate system to attack; Scanning; Gain user access; Gain privileged access (Buffer overflow; Root; create root users); Cover tracks (Corrupt log files; erase log files); Install backdoors; Take or alter information; Sniffers; Attack other hosts; Engage in other unauthorized activity.]
OPERATION CYBERLOSS – www.ic3.gov

[Diagram 1: ISP, victim company, parent company, subject in East Europe. Caption: Through hack/intrusion, subject obtains customer account/credit info.]

[Diagram 2: IRC chat room, ISP, subject in East Europe. Caption: Using IRC chat rooms, the subject recruits college students to assist in scam.]

[Diagram 3: ISP, subject in East Europe. Caption: Orders for merchandise placed using stolen account info; merchandise shipped to co-conspirators.]

OPERATION CYBERLOSS, MAY 2001
• 26 FBI FIELD OFFICES AND NUMEROUS OTHER FEDERAL AGENCIES
• 32 STATE AND LOCAL LAW ENFORCEMENT AGENCIES
• INVOLVED 57,662 VICTIMS AND OVER $118,000,000 IN LOSSES
• 61 CASES
• $2,025 LOSS TO $50,000,000 AGGREGATE LOSS
• AUCTION FRAUD, HACKING, ID THEFT, SOFTWARE PIRACY
www.ic3.gov
Philadelphia’s Wireless Web
[Image from the WiFiMaps.com web site: http://www.wifimaps.com]

On-Line Resources
• Federal Bureau of Investigation
  • http://www.ic3.gov/ (formerly: www.ifccfbi.gov/)
• U.S. Department of Justice
  • Computer Crime and Intellectual Property Section
  • http://www.usdoj.gov/criminal/cybercrime

On-Line Resources (continued)
• CERT/CC
  • http://www.cert.org
  • Located at the Software Engineering Institute
  • Federally funded research and development center operated by Carnegie Mellon University
  • 2/18/2002 SNMP Vulnerability report
• CIAC
  • http://ciac/llnl.gov/ciac/
  • Located at Lawrence Livermore National Labs
  • Federally funded by U.S. D.O.E.
• SANS
  • http://www.sans.org
  • Non-profit educational network security consortium
  • Offers training and certification courses

Network Security Basics
• Develop a written Network Security Policy
• Coordinate with Legal, Security, and IT Departments
• Conduct Routine Network Security Audits
• Maintain and review Network Server and Router logs
• Use Intrusion Detection Software (IDS)
• Regularly back up and archive all critical files
• Investigate network irregularities completely
• Use Access Control Lists and Encryption
• If Attacked, notify Law Enforcement quickly

When to contact Law Enforcement?
• Computer facilitated (non-intrusion)
  • E-mail extortions
  • Child pornography
  • Fraud & Theft (IFCC) www.ifccfbi.gov
• Computer Intrusion (Title 18 Sec 1030)
  • Unauthorized or exceeding authorized access to a protected computer
  • National security
  • Denial of Service attacks
  • Data alteration or destruction
  • Theft of intellectual property
  • Worms & virus attacks
  • Web defacement or Website redirects
You’ve just been hacked.
• What should you do?
• What should you NOT do?

What You Should Do If Attacked…
• Notify corporate security & legal counsel
• Think About:
  • Protecting Yourself (Mission Critical vs. Proprietary Data)
  • Catching the Perpetrator
• Activate your incident management team
  • Created PRIOR to any incident
  • One person in charge
  • One person responsible for evidence
• Keep a chronological log of events

What To Do (continued)
• Activate all available audit trails & logging.
  • What logs were active at the time of the attack?
• Begin keystroke monitoring.
  • Banner in place?
• Identify and recover available evidence.
  • System log files, system images, altered/damaged files, intruder’s files, network logs (IDS, routers, SNMP, etc.), traditional evidence.
• Secure evidence and maintain simple “chain-of-custody” records.

What To Do (continued)
• Identify source(s) of the attack.
• Record specific damages and losses.
  • Important for prosecution
• Prepare for repeat attacks.
  • Protecting Mission Critical vs. Proprietary Data
• Theorize – nobody knows your system like you.
  • Determine how the intrusion happened.
  • Identify possible subjects and motives.
• Call law enforcement – but be patient
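The three “What To Do” slides above call for a chronological event log, one person responsible for evidence, and simple chain-of-custody records. The following is an added illustration (not part of the presentation) of what such a record can look like in practice: each item is hashed with SHA-256 when collected, every custody transfer is appended to the item’s record, and a later verification detects whether the evidence has changed. The evidence file names and contents are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence of the kinds the slides list (system and IDS logs).
SAMPLE_EVIDENCE = {
    "messages.log": b"Jan 12 03:14:07 web01 sshd[412]: Accepted password for root from 10.0.0.9\n",
    "ids_alerts.txt": b"03:14:09 ALERT portscan from 10.0.0.9 -> 10.0.0.5\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class EvidenceLog:
    """Chronological event log plus a per-item chain-of-custody record."""

    def __init__(self, custodian: str):
        self.custodian = custodian      # the one person responsible for evidence
        self.events = []                # chronological log of responder actions
        self.items = {}                 # name -> {"sha256", "size", "custody": [...]}

    def _now(self) -> str:
        return datetime.now(timezone.utc).isoformat()

    def note(self, text: str) -> None:
        self.events.append({"time": self._now(), "who": self.custodian, "event": text})

    def collect(self, name: str, data: bytes, source: str) -> str:
        """Record an item at collection time; the hash fixes its content."""
        digest = sha256_hex(data)
        self.items[name] = {"sha256": digest, "size": len(data), "custody": [
            {"time": self._now(), "holder": self.custodian, "action": "collected from " + source}]}
        self.note(f"collected {name} ({len(data)} bytes, sha256={digest[:12]}...)")
        return digest

    def transfer(self, name: str, to_holder: str) -> None:
        """Append a custody entry each time the item changes hands."""
        self.items[name]["custody"].append(
            {"time": self._now(), "holder": to_holder, "action": "transferred from " + self.custodian})
        self.note(f"transferred {name} to {to_holder}")

    def verify(self, name: str, data: bytes) -> bool:
        """True only if the item still matches the hash recorded at collection."""
        ok = sha256_hex(data) == self.items[name]["sha256"]
        self.note(f"verified {name}: {'intact' if ok else 'MISMATCH'}")
        return ok

    def export(self) -> str:
        """Serialize the full record for counsel or law enforcement."""
        return json.dumps({"events": self.events, "items": self.items}, indent=2)
```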
What NOT To Do
• Do NOT use the compromised systems before preserving any evidence.
• Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
• Do not assume that by ignoring the incident, or damage to your files, it will go away.
• Do not correspond via E-mail on a compromised network regarding the incident or the investigation.

What to Expect if you call the FBI
• Agents will interview staff and obtain evidence
• Obtain prosecutive opinion
• Trace the attack (subpoenas, 2703(d) orders, sources)
• Identify the subject(s)
• Obtain/execute search warrants, interview subjects
• Examine evidence, identify more victims, develop more leads
• Obtain Federal Grand Jury Indictment
• Arrest and Possible Trial
• Disclosure Issues… Confidential vs. Public

What to Expect if you call the FBI (continued)
• Possible plea bargaining
• Possible trial
• Sentencing (upon conviction)
• Restitution
These steps do NOT occur quickly!

Self Defense in the Current Environment
What Can You Do Today?
• Increase logging and filtering
• Protect your data according to its value / use:
  • Proprietary vs. Mission Critical
• Understand your Defenses (Flexible vs. Rigid)
• Make use of warning banners
• Develop a patch management protocol
• Establish an Incident Management Plan / Team
  • Include “Critical Incident” scenarios
• Know your I.T. staff personally – it will matter
• Join your local chapter of InfraGard

What is InfraGard?
• Government/law enforcement alliance with private industry
• To promote protection of critical information systems
• Provides formal and informal channels for the exchange of information about infrastructure threats and vulnerabilities

InfraGard Membership
• Representatives from private industry, government agencies, academic institutions, state & local law enforcement
• Membership requirements (No Cost)
  • Sign Membership agreement
  • Ethics/confidentiality pledge
  • FBI criminal records check