Cyber Intelligence Analysis


Presentation Transcript


  1. Cyber Intelligence Analysis

  2. A Different Internet
  • Armies may cease to march
  • Stock may lose a hundred points
  • Businesses may be bankrupted
  • Individuals may lose their social identity
  • Threats not from novice teenagers, but purposeful military, political, and criminal organizations

  3. Purpose of Intelligence
  • 1. Identify the need for action
  • 2. Provide the insight and context for deciding among courses of action
  • 3. Provide information on the effectiveness of pursuing the selected course of action

  4. Change of View

  5. Content / Context of Intelligence (diagram labels: Technical, Political, Economic, Social)

  6. What is Cyber Intelligence? (diagram labels: Operators/Groups, Victims, Internet Behavior, Opportunities, Stimuli/Motives, Intrusions/Responses, Threats/Counters, Vulnerabilities/Fixes)

  7. Strategic Intelligence Analysis
  • Provides “Big Picture” assessment
  • Trend Analysis
  • Sector Threat assessments
  • Potential Damage assessments
  • Categorization of Attacks and Attackers
  • Identification of Anomalies

  8. Tactical Intelligence Analysis
  • Linking element between macro- and micro-level analysis
  • Cluster and pattern analysis
  • Temporal patterns
  • Profiling
  • Analysis of intrusion methods
  • Commonality of targets
  • Reinforces and complements Strategic Analytic efforts

  9. Using CERT/CC Data
  • Year 2000 - 21,756 Incidents
  • 16,129 Probes/Scans
  • 2,912 Information Requests
  • 261 Hoaxes, false alarms, vulnerability reports, unknown
  • 2,454 Incidents with substantive impact on target
  • Profiled 639 incidents, all active during July-Sept 2000 (profiling work is ongoing)
  • Many different dimensions for analysis and trend generation (analysis work is ongoing)

  10. Immediate Data Observations
  • Increasing trend of incidents per month (some incidents carry over between months)
  • Increasing diversity of ports used in incidents
  • Shifts in services used in incidents
  • Shifts in operating systems involved in incidents
  • Generic attack tools adapted to specific targets
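The weekly views in slides 12 through 18 (incidents by target, OS and impact) and the observations above are the kind of bucketing an analyst runs over incident records. This added example, not part of the deck or of CERT/CC's tooling, works on a constructed set of incident records; the field names (`start`, `end`, `port`, `service`, `os`, `impact`) and the week-start tick are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample records (not CERT/CC data). An incident is active from
# `start` through `end` inclusive, so it can carry over across weeks and months.
INCIDENTS = [
    {"start": date(2000, 6, 24), "end": date(2000, 6, 24), "port": 21,  "service": "ftp",  "os": "Linux",   "impact": "root compromise"},
    {"start": date(2000, 6, 30), "end": date(2000, 7, 3),  "port": 53,  "service": "dns",  "os": "Solaris", "impact": "root compromise"},
    {"start": date(2000, 7, 5),  "end": date(2000, 7, 5),  "port": 111, "service": "rpc",  "os": "Linux",   "impact": "denial of service"},
    {"start": date(2000, 7, 8),  "end": date(2000, 7, 10), "port": 80,  "service": "http", "os": "Windows", "impact": "defacement"},
    {"start": date(2000, 7, 12), "end": date(2000, 7, 12), "port": 21,  "service": "ftp",  "os": "Linux",   "impact": "root compromise"},
    {"start": date(2000, 7, 13), "end": date(2000, 7, 14), "port": 139, "service": "smb",  "os": "Windows", "impact": "probe"},
]

WEEK_START = date(2000, 6, 24)  # first tick on the deck's weekly charts (a Saturday)


def week_index(d):
    """Zero-based week bucket relative to WEEK_START."""
    return (d - WEEK_START).days // 7


def week_label(i):
    """Label a bucket the way the deck's x-axis does, e.g. '7/1/00'."""
    d = WEEK_START + timedelta(days=7 * i)
    return f"{d.month}/{d.day}/{d.year % 100:02d}"


def weekly_counts(incidents, dimension=None):
    """Incidents active per week, as a list of (label, {value: count}).

    An incident spanning a week boundary is counted in every week it touches,
    which is the carry-over the deck notes for its monthly figures. With a
    dimension ('service', 'os' or 'impact') counts are split per value, giving
    the 'Weekly Incidents by Target/OS/Impact' views.
    """
    buckets = defaultdict(Counter)
    for inc in incidents:
        key = inc[dimension] if dimension else "all"
        for w in range(week_index(inc["start"]), week_index(inc["end"]) + 1):
            buckets[w][key] += 1
    return [(week_label(w), dict(buckets[w])) for w in sorted(buckets)]


def port_diversity_by_month(incidents):
    """Distinct ports seen per month (by start date): the deck's 'increasing diversity of ports'."""
    ports = defaultdict(set)
    for inc in incidents:
        ports[inc["start"].strftime("%Y-%m")].add(inc["port"])
    return {m: len(p) for m, p in sorted(ports.items())}
```

The second constructed incident starts in June and ends in July, so it appears in both the 6/24/00 and 7/1/00 buckets; that double counting is intended and is what the deck's carry-over caveat refers to.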

  11. Service Shifts

  12. Weekly Incidents (chart: weekly incident counts, 0 to 70, for the weeks of 6/24/00 through 9/16/00)

  13. Weekly Incidents by Target

  14. Monthly Incidents by Target

  15. Weekly Incidents by OS

  16. Monthly Incidents by Operating System

  17. Weekly Incidents by Impact

  18. Monthly Incidents by Impact

  19. Drivers for Weekly Incidents (chart: weekly incident counts, 0 to 70, for the weeks of 6/24/00 through 9/16/00, annotated with Independence Day, DefCon, Labor Day, Advisory/Alert and New Toolkits)

  20. Operational Intelligence Analysis
  • Overlaps with Tactical Analysis
  • Technical assessments of intrusion methods
  • Specific investigation of intruders
  • Identification of vulnerabilities to support mitigation
  • Attribution

  21. Example: Signed Defacement
  • Defaced Health-care web site in India
  • "This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat.
  • Post-dates activity by Pakistani Hackers Club
  • Level of activity is not significant
  • Claim of identity may be significant

  22. Example: Coordinated Automated Attack (diagram labels: Probe, Victim, Probe, Victim2, Compromise & Coopt Identity)
  • Remote, fast-acting
  • Adapts existing tools
  • Limited deployment
  • Sophisticated reporters

  23. A Problem Too Big
  • Cannot remain technical specialty
  • Cannot remain localized activity
  • Cannot remain responsive to incidents
  • Cannot remain centrally controlled or performed
  • Distributed, ongoing, multifaceted problem demands distributed, ongoing, multifaceted strategy

  24. Cyber Intelligence Products
  • Fused analysis reports
  • Demographics and situational awareness
  • In-depth studies
  • Technology of intelligence

  25. For Further Contact
  • 24-hour hotline: +1 412 268 7090
  • FAX: +1 412 268 6989
  • Email: Tim Shimeall - tjs@cert.org
  • CERT - cert@cert.org
  • Direct voice: +1 412 268 7611
  • US mail: CERT Analysis Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890 USA
