Cyber Intelligence Analysis
A Different Internet • Armies may cease to march • Stock may lose a hundred points • Businesses may be bankrupted • Individuals may lose their social identity • Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Purpose of Intelligence • 1. Identify the need for action • 2. Provide the insight and context for deciding among courses of action • 3. Provide information on the effectiveness of pursuing the selected course of action
Content / Context of Intelligence [diagram: Technical, Political, Economic, Social]
What is Cyber Intelligence? [diagram: Operators/Groups, Victims, Internet Behavior, Opportunities, Stimuli/Motives, Intrusions/Responses, Threats/Counters, Vulnerabilities/Fixes]
Strategic Intelligence Analysis • Provides “Big Picture” assessment • Trend Analysis • Sector Threat assessments • Potential Damage assessments • Categorization of Attacks and Attackers • Identification of Anomalies
Tactical Intelligence Analysis • Linking element between macro- and micro-level analysis • Cluster and pattern analysis • Temporal patterns • Profiling • Analysis of intrusion methods • Commonality of targets • Reinforces and complements Strategic Analytic efforts
Using CERT/CC Data • Year 2000 - 21,756 Incidents • 16,129 Probes/Scans • 2,912 Information Requests • 261 Hoaxes, false alarms, vulnerability reports, unknown • 2,454 Incidents with substantive impact on target • Profiled 639 incidents, all active during July-Sept 2000 (profiling work is ongoing) • Many different dimensions for analysis and trend generation (analysis work is ongoing)
Immediate Data Observations • Increasing trend of incidents per month (some incidents carry over between months) • Increasing diversity of ports used in incidents • Shifts in services used in incidents • Shifts in operating systems involved in incidents • Generic attack tools adapted to specific targets
[Chart: Weekly Incidents, weekly buckets from 6/24/00 to 9/16/00, y-axis 0-70]
[Chart: Drivers for Weekly Incidents, same series annotated with Independence Day, DefCon, Advisory/Alert, New Toolkits, Labor Day]
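The trend work behind the "Using CERT/CC Data" and "Immediate Data Observations" slides (incidents per week with carry-over between periods, port diversity, and shifts in services and operating systems) can be reproduced over a table of incident records. The Python below is an added example, not code from the slides or from CERT/CC: the incident records are constructed, the field names (opened, closed, port, service, victim_os) are assumptions, and the weekly bucket is aligned to the chart's first tick (6/24/00).

```python
"""Temporal pattern and shift analysis over incident records.

Added illustration, not code from the CERT/CC slides. Every record below is
constructed for the example; none of it is CERT/CC data.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import date, timedelta

# Assumed record layout; CERT/CC's real incident schema is not on the slides.
Incident = namedtuple("Incident", "id opened closed port service victim_os")

# Constructed sample records placed in the Jun-Sep 2000 window of the slides' chart.
INCIDENTS = [
    Incident("C-001", date(2000, 6, 26), date(2000, 6, 28), 21,  "ftp",    "linux"),
    Incident("C-002", date(2000, 6, 27), date(2000, 7, 3),  53,  "dns",    "linux"),
    Incident("C-003", date(2000, 7, 5),  date(2000, 7, 6),  21,  "ftp",    "linux"),
    Incident("C-004", date(2000, 7, 12), date(2000, 7, 14), 21,  "ftp",    "solaris"),
    Incident("C-005", date(2000, 7, 20), date(2000, 8, 2),  111, "rpc",    "linux"),
    Incident("C-006", date(2000, 7, 24), date(2000, 7, 25), 53,  "dns",    "linux"),
    Incident("C-007", date(2000, 8, 7),  date(2000, 8, 9),  111, "rpc",    "solaris"),
    Incident("C-008", date(2000, 8, 8),  date(2000, 8, 8),  139, "smb",    "windows"),
    Incident("C-009", date(2000, 8, 15), date(2000, 8, 30), 111, "rpc",    "linux"),
    Incident("C-010", date(2000, 8, 16), date(2000, 8, 17), 80,  "http",   "windows"),
    Incident("C-011", date(2000, 8, 21), date(2000, 8, 22), 139, "smb",    "windows"),
    Incident("C-012", date(2000, 9, 5),  date(2000, 9, 6),  80,  "http",   "windows"),
    Incident("C-013", date(2000, 9, 6),  date(2000, 9, 8),  111, "rpc",    "linux"),
    Incident("C-014", date(2000, 9, 11), date(2000, 9, 12), 139, "smb",    "windows"),
    Incident("C-015", date(2000, 9, 13), date(2000, 9, 13), 23,  "telnet", "solaris"),
]

CHART_ANCHOR = date(2000, 6, 24)  # first tick on the slides' weekly chart (a Saturday)


def week_start(d, anchor=CHART_ANCHOR):
    """Return the start of the 7-day bucket containing d, aligned to the anchor."""
    return anchor + timedelta(days=((d - anchor).days // 7) * 7)


def active_incidents_per_week(incidents):
    """Count an incident in every week from open to close (inclusive).

    This is what makes an incident carry over between weeks and months: a
    long-running incident contributes to several buckets. Keys are ISO dates.
    """
    counts = Counter()
    for inc in incidents:
        week, last = week_start(inc.opened), week_start(inc.closed)
        while week <= last:
            counts[week.isoformat()] += 1
            week += timedelta(days=7)
    return dict(sorted(counts.items()))


def month_key(d):
    return (d.year, d.month)


def distinct_ports_per_month(incidents):
    """Port diversity: distinct target ports among incidents opened each month."""
    ports = defaultdict(set)
    for inc in incidents:
        ports[month_key(inc.opened)].add(inc.port)
    return {m: len(p) for m, p in sorted(ports.items())}


def share_per_month(incidents, field):
    """Fraction of each month's newly opened incidents by a categorical field
    ('service' or 'victim_os'), rounded to two places, so shifts are visible."""
    per_month = defaultdict(Counter)
    for inc in incidents:
        per_month[month_key(inc.opened)][getattr(inc, field)] += 1
    return {
        m: {k: round(v / sum(c.values()), 2) for k, v in sorted(c.items())}
        for m, c in sorted(per_month.items())
    }


def dominant_per_month(shares):
    """Top category for each month; ties are broken by name so the result is stable."""
    return {m: max(s.items(), key=lambda kv: (kv[1], kv[0]))[0] for m, s in shares.items()}


if __name__ == "__main__":
    for week, n in active_incidents_per_week(INCIDENTS).items():
        print(f"{week} {'#' * n}")
    print("distinct ports per month:", distinct_ports_per_month(INCIDENTS))
    print("service share per month:", share_per_month(INCIDENTS, "service"))
    print("dominant OS per month:", dominant_per_month(share_per_month(INCIDENTS, "victim_os")))
```

Counting an incident in every week it is open is the choice that reproduces the slide's caveat about carry-over; counting only by open date would understate the load of a long-running incident. Port diversity and category shares are keyed by the month an incident was opened, so a month's figures do not change later as incidents close.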
Operational Intelligence Analysis • Overlaps with Tactical Analysis • Technical assessments of intrusion methods • Specific investigation of intruders • Identification of vulnerabilities to support mitigation • Attribution
Example: Signed Defacement • Defaced Health-care web site in India • "This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat. • Post-dates activity by Pakistani Hackers Club • Level of activity is not significant • Claim of identity may be significant
Example: Coordinated Automated Attack [diagram: Probe Victim, Probe Victim2, Compromise & Coopt Identity] • Remote, fast-acting • Adapts existing tools • Limited deployment • Sophisticated reporters
A Problem Too Big • Cannot remain technical specialty • Cannot remain localized activity • Cannot remain responsive to incidents • Cannot remain centrally controlled or performed • Distributed, ongoing, multifaceted problem demands distributed, ongoing, multifaceted strategy
Cyber Intelligence Products • Fused analysis reports • Demographics and situational awareness • In-depth studies • Technology of intelligence
For Further Contact • 24-hour hotline: +1 412 268 7090 • FAX: +1 412 268 6989 • Email: Tim Shimeall - tjs@cert.org • CERT - cert@cert.org • Direct voice: +1 412 268 7611 • US mail: CERT Analysis Center • Software Engineering Institute • Carnegie Mellon University • 4500 Fifth Avenue • Pittsburgh, PA 15213-3890 USA