
Cyber Adversary Characterization

Know thy enemy!

Introduction and Background


Cyber Adversary Characterization
workshop in 2002
Research discussions continued via email
Briefings to Blackhat and Defcon to
introduce concept and obtain feedback
Future workshops planned for October 2003
Slides will be on both conference web sites

Why characterize?
Theoretical: to gain an understanding of, and an ability to anticipate, an adversary in order
to build improved threat models.
Practical: improved profiling of attackers at the post-attack and forensic levels.

Point Scoring: Rating-the-Hacker


Toby Miller
toby_miller@adelphia.net

Point Scoring: Why?


No standard system to help rate the
attacker
No system to help with the threat level
Help management in the decision making
process

Point Scoring: The Categories

Passive Fingerprinting
Intelligence
The Attack
The Exploit
Backdoors | Cover up
Other

Example Score Metric
(table of example scores by target operating system: Linux, FreeBSD, OpenBSD, IRIX, Windows)

Point Scoring: Past, Present, Future

Originally posted on incidents.org
Currently on rev 2
Soon to release rev 3
www.ratingthehacker.net

Tool Characterizations, Disclosure Patterns and Technique Scoring

Tom Parker, Pentest Limited (UK)

The Hacker Pie

Representative of the characterization metrics which build the final characterization.
Available elements are dependent upon the scenario.
Does not rely solely upon IDS/attack signature data.

The Hacker Pie (continued)

The pie relies upon the results of multiple metrics which are, in many cases, inter-related,
strengthening the likelihood of an accurate characterization.
Relationships between key metrics and key data enable accurate assumptions to be made
regarding unobserved key information.

The Pie Explained
(diagram: Characterization at the centre, fed by Metric One, Metric Two, Metric Three and Metric Four; each metric is built from Key Data, and numbered relationships between metrics show how one metric's data supports another)

Point Scoring Systems (Continued)

Attempt to characterize an adversary based on attack information captured in the wild.
Attempt to characterize an adversary based upon a technique classification model.
Attempt to characterize an adversary based upon a tool classification model.

Tool classification model


Availability of application
Origins of application
Ease of use
Requires in-depth knowledge of vulnerability to
execute?
Other mitigating factors

Example Exploit Classification

Web App Flaw
Public:  3  3  2  2  3
Private: 4  4  3  3  5

(chart of example technique scores; categories on the chart: Proprietary Application Penetration via OS command execution using SQL Injection (other); Proprietary Application Penetration via SQL Injection (MS SQL); Proprietary Application Penetration via SQL Injection; Open Source Application Penetration via SQL Injection; Proprietary Application Penetration via Arbitrary Script Injection; Open Source Application Penetration via Arbitrary Script Injection; Proprietary Application Penetration via OS command execution using SQL Injection (MS SQL); Proprietary Application Penetration via SQL Injection (other); bar values shown: 4, 5, 6 and 7)

Disclosure Food Chain Characterization

All tools have a story.
Often years before dissemination into the public domain.
Social demeanour is often key to placing an adversary in the disclosure chain.
Pyramid metric.

The Disclosure Food Chain
(flow diagram; nodes in the order shown, several branches ending in Public Disclosure:
Vulnerability Discovery
Exploit Development
Information shared with fellow researchers (Exploit Development)
Exploit Trading
Exploit Usage In Wild
Honey Pot Capture
Exploit Reverse Engineered / Vulnerability Research
Vendor Coordination
Public Disclosure
Information shared further throughout grey hat communities
Disclosure to Security Company
Vendor Patch Released
Further Research
Vendor Fix Released)

2 Approaches to Modeling the Cyber Adversary: Offender Profiling & Remote Assessment

Dr. Eric D. Shaw
Consulting & Clinical Psychology, Ltd.
eshaw@msn.com

Offender Profiling
Roots in law enforcement & intelligence community (criminal event or incident analysis):
intensive review of past offenders
Insider Computer Crimes, 1998-present
50 cases
10 in-depth case studies from companies or govt. contractors

Products
Typology of actors: motivation, psychological characteristics, actions
Critical pathway: process of interactions w/ environment (personal and professional)
leading to attack
At-risk characteristics
Organizational vulnerabilities & insights into prevention, deterrence, detection, management

Offender Profiling Headlines

The Termination Problem
Actor subtypes: the Proprietor & the Hacker
The Tracking Problem
Organizational Vulnerabilities
Detection Issues
Intervention Challenges
Hacker Overview

Attacks: The Termination Problem

Simple termination of a disgruntled insider is not the answer: 80% attack after
termination (4 hours to 2 months)
70% attack from remote locations vs. inside; termination did not impact access
Attack types:
DOS to disrupt business
Destruction & corruption of data
Theft of proprietary data
Time bombs
Extortion
Attack on reputations

Attackers
Hackers (40%): affiliated with and active in the hacking community, bring hacking
practices to the worksite
Proprietors (40%): defend the system as belonging to them, resist efforts to dilute
their control
Avengers (20%): attack impulsively in response to perceived injustice

Prevention: Screening & Selection
The Tracking Problem
Screening & selection problems in 60% of cases: no or delayed background check,
nepotism, failure to detect risk factors
30% had prior felony convictions
30% had high-profile hacker activity

Organizational Issues
80% of cases occur during periods of high organizational stress or change, from the
highest to supervisory levels
Lack of policies contributed to disgruntlement or facilitated the attack in 60% of cases
Lack of policy enforcement contributed to disgruntlement or facilitated the attack in
70% of cases

Detection Problems
80% of attackers used operational security
to protect attack planning or identity
Time disgruntled to attack: 1-48 months
with a mean of 11.3 months
Time active problems (probation) to attack:
0-76 weeks with a mean of 26 weeks
Forget the big bang theory of the sudden,
unforeseen attack

Intervention Problems
Management intervention initially
exacerbated problems in 80% of cases
(ignore, placate or tolerate problems,
negotiate then cut-off, terminate poorly)
Problems with termination process in 80%
of cases (esp. failure to terminate access)
Multidisciplinary risk assessment prior to
termination

Hardcore Hackers: Not Script Kiddies

Name         Age   Tech Capability   Prior Offenses   Acted with Others   Status in Hacker Community
Oquendo      29    High              Yes              Yes                 High
Zezev        30    High              No               Yes                 Unknown
Carpenter    20    High              Yes              No                  Low
Demostenis   23    Low               No               Yes                 Low
Overall      Mean=25.5               50%              75%

Remote Assessment Using WarmTouch (patent pending)

Why Use WarmTouch Software to Detect Disgruntlement or Psych Change On-line?

Communication has moved on-line
Loss of visual & auditory cues on-line
Failure of other systems to detect violations: technical noise, supervisor & peer reporting
Protects privacy
Provides objectivity

Person-Situation Interaction: Detect Psychological Leakage
(diagram: personal stressors and professional stressors act on a vulnerable CITI; mounting stress and frustration escalates from minor infraction, to moderate infraction, to major act)

Software Components

Psychological Profiling Algorithms
Emphasis on measuring emotional state: anger, anxiety, depression
Changes in emotional state from baseline

Psychological characteristics: decision-making and personal relations
Loner/team player
Plans/reacts
Rigid/flexible
Sensitivity to environment

Alert phrases / key words
Threats
Victimization
Employment problems

Communication characteristics
To, From, Time, Length, etc.
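The change-from-baseline idea behind these components can be shown in code. The block below is an added illustration, not WarmTouch and not code from the presenters: it counts a few of the indicator classes the slide names (negatives, evaluators, alert phrases, "me"/"we" references, words per e-mail) using small constructed lexicons, normalises them per 100 words, and flags measures that jump against a baseline of earlier e-mails. The lexicons, the sample e-mails, the 2x ratio and the 0.5 floor are all assumptions.

```python
"""Added illustration, not WarmTouch: lexicons, thresholds and e-mails are constructed."""
import re
from statistics import mean

# Constructed lexicons standing in for the indicator classes named on the slide.
NEGATIVES = {"no", "not", "never", "nothing", "nobody", "without", "zero"}
EVALUATORS = {"stupid", "incompetent", "useless", "flaky", "garbage", "expert"}
ALERT_PHRASES = ["fire me", "i quit", "relieve me", "take orders", "not my problem"]
ME_WORDS, WE_WORDS = {"i", "me", "my"}, {"we", "us", "our"}

def tokens(text):
    # Expand "n't" so "won't" / "can't" contribute a negative.
    return re.findall(r"[a-z]+", text.lower().replace("n't", " not"))

def profile(text):
    """Per-e-mail counts of the indicator classes, plus length in words."""
    words, low = tokens(text), text.lower()
    return {
        "words": len(words),
        "negatives": sum(w in NEGATIVES for w in words),
        "evaluators": sum(w in EVALUATORS for w in words),
        "me": sum(w in ME_WORDS for w in words),
        "we": sum(w in WE_WORDS for w in words),
        "alerts": sum(low.count(p) for p in ALERT_PHRASES),
    }

def rate(p, key):
    # Occurrences per 100 words, so short and long e-mails compare fairly.
    return 100.0 * p[key] / max(p["words"], 1)

def flag_changes(baseline_texts, new_text, ratio=2.0, floor=0.5):
    """Measures whose rate in new_text is at least `ratio` times the baseline
    mean. `floor` stops a zero baseline flagging on one stray occurrence."""
    base, new, flagged = [profile(t) for t in baseline_texts], profile(new_text), {}
    for key in ("negatives", "evaluators", "alerts", "me"):
        base_rate = mean(rate(p, key) for p in base)
        new_rate = rate(new, key)
        if new_rate >= ratio * max(base_rate, floor):
            flagged[key] = (base_rate, new_rate)
    return flagged

# Constructed sample e-mails (not the case e-mails quoted in the deck).
BASELINE = [
    "The nightly backup finished and the report server is up. We will review the logs tomorrow.",
    "Thanks for the update. We can schedule the upgrade next week once the vendor confirms.",
]
HOSTILE = ("I will not train him. He knows nothing about our reporting tools. Until you fire me "
           "or I quit, I take orders from you, but I won't give him root access.")
if __name__ == "__main__":
    print(flag_changes(BASELINE, HOSTILE))  # flags negatives, alerts and me
```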

WarmTouch Software Overview


WarmTouch origins in IC, 1986-present
Use of WarmTouch with Insider Communications

Khanna at Bank
Threat Monitoring
Sting operations & negotiations
Suspect identification
Hanssen

Other WarmTouch Applications

Case Example: Financial Proprietor

Well-paid systems administrator
Personality traits (Proprietor):
Entitlement
Manipulative
Devaluing of others
Padded OT

Context: Supervisor Change

Email from Boss

Asked to train back-up:
"You seem to have developed a personal attachment to the System Servers. These
servers and the entire system belong to this institution, not to you."

Email 1: April
(Asked to train his back-up, subject refuses.) "His experience was ZERO. He does not know
ANYTHING about ... our reporting tools.
Until you fire me or I quit, I have to take orders from you ... Until he is a trained expert,
I won't give him access ... If you order me to give him root access, then you have to
permanently relieve me of my duties on that machine. I can't be a garbage cleaner if
someone screws up. I won't compromise on that."

Email 3: July
"Whether or not you continue me here after next month (consulting, full-time, or
part-time), you can always count on me for quick response to any questions, concerns,
or production problems with the system. As always, you'll always get the most
cost-effective, and productive solution from me."

Email 4: July
"I would be honored to work until last week of August.
As John may have told you, there are a lot of things which at times get flaky with the
system front-end and back-end. Two week extension won't be enough time for me to
look into everything for such a critical and complex system.
Thanks for all your trust in me."

The Event
On his last day of work, the subject disables the computer network's two file servers.
Company executives implore the subject to help them fix the problems, but he refuses.
An independent consulting firm hired to investigate the problems discovers the sabotage.
Timing: deception to cover plotting.

WarmTouch Challenge
Detect deterioration in relationship with
supervisor
Detect Deception

The April Email Profile
(charts comparing the 4/10 e-mail against the subject's mean: # of negatives, # of words per e-mail, # of alert phrases, # of evaluators)

July Email Profile
(charts of changes in anger variables from peak disgruntlement to attack planning, 4/11 versus 7/12: # of negatives, # of words per e-mail, # of alert phrases, # of evaluators)

Detecting Deception
(chart: covert hostility toward supervisor, psychological distance score by e-mail date; dates of e-mail: 4/10, 4/11, 6/14, 7/12)

Covert vs. Overt Hostility in Email Prior to Attack
(chart comparing overt hostility and covert hostility over the same e-mails)

Zezev vs. Bloomberg: Managing his Psychological State

Task: to lure him to London for the bust
must manage his anger and anxiety at delays and manipulations
satisfy his dependency: need for $ & job

WarmTouch help:
Objectively highlight and help manage psychological states
Objectively measure success

Support to Sting Ops/Negotiations: Levels of Anger in Zezev's emails to Bloomberg
(chart over e-mails 1 to 20: indicators of anger (+), evaluators (+/-), feelings (+/-), direct ref., negatives, me, we)

Zezev's Use of Me: passive/dependent mode
(chart of "me" counts over e-mails 1 to 19)

Zezev's Use of Retractors: anxiety
(chart of retractor counts over e-mails 1 to 20)

Robert Hanssen
8 Communications with Soviet Handlers
Between October 1985 & November 2000
Challenge for Software:
Detect signs of emotional stress associated with
spying, disgruntlement and affair as
documented in public records

Hanssen: Anger over Time
(chart: psycholinguistic measures of anger, number of words per communication by date; dates 10/1/1985, 10/10/1985, 11/8/1985, 9/8/1987, 6/13/1988, 3/14/2000, 6/8/2000, 11/15/2000)

Hanssen: Changes over Time
(chart: psycholinguistic measures of anger, negatives and me, by date: 10/1/1985, 9/8/1987, 6/8/2000)

Hanssen: Changes Over Time, Emotional Vulnerability
(chart: Adv Intensifiers, Direct Ref, Feelings, I; dates 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000)

Hanssen: Changes over Time, Psycholinguistic Measures: Anxiety
(chart: Explainers and Retractors; dates 10/1/1985, 11/8/1985, 6/13/1988, 6/8/2000)

Other WarmTouch Applications


Communications Manager

Analyze state of relationship


Assess characteristics of persons in relationship
Help modify language to improve/modify relationship
Track success/changes over time

Media Monitoring
Attitude of Egyptian press toward U.S.
Attitude of customers toward product or service

Internet Threat Actors


Marcus H. Sachs
Director, Internet Storm Center
The SANS Institute
http://isc.sans.org

The Cyber Threat to the United States

US national information networks have become more vulnerable, and therefore more
attractive as a target
Growing connectivity among secure and insecure networks creates new opportunities for
unauthorized intrusions into sensitive or proprietary computer systems
The complexity of computer networks is growing faster than the ability to understand
and protect them
The prospects for a cascade of failures across US infrastructures are largely unknown

Cyber Threats to the Critical Infrastructure

Hacker/Script Kiddies/Hobbyist
Disgruntled Employee
Insider aiding others
Hacktivist
Industrial Espionage
Foreign Espionage
Terrorist
State Sponsored Attack

The Threat is Increasing
(chart: potential damage (low to high) against probability of occurrence (low to high) for Hacker, Criminal, Espionage, Terrorist and State Sponsored actors, with the threat rising across 2003, 2004 and 2005; source: 1997 DSB Summer Study)

Why are we so Vulnerable?
Internet was not built to be secure
Secure (i.e., obscure) software being replaced by
commercial products in infrastructures
Software development focused on Slick, Stable,
Simple (not Secure)
System administrators lack training
Leaders rarely see computer security as part of the
bottom line
User awareness is low

Why The Feds are Concerned About Hackers

The real threat to the Critical Infrastructure is not the hacker, but the structured
state-sponsored organization
However...
Sometimes it's hard to tell the difference: both use the same tools
Growing sophistication and availability of tools increases concern
Must assume the worst until proven wrong

So...
The government takes seriously all unauthorized activity
They will use all technical and law enforcement tools to respond ... and deter
They will seek legal prosecution where appropriate

New Homeland Security Strategies

http://www.whitehouse.gov/homeland/

National Strategy to Secure Cyberspace
Nation fully dependent on cyberspace
Range of threats: script kiddies to nation states
Fix vulnerabilities, don't orient on threats
New vulnerabilities require constant vigilance
Individual vs. national risk management
Government alone cannot secure cyberspace

Priority II
A National Cyberspace Security Threat and Vulnerability Reduction Program
Enhance law enforcement's capabilities for preemption, prevention, and prosecution
Secure the mechanisms of the Internet, including improving protocols and routing
Foster trusted digital control systems / supervisory control and data acquisition systems
Reduce and remediate software vulnerabilities
Improve physical security of cyber and telecommunications systems

Inside the Internet Storm Center
(diagram: Data Collection from DShield users, Analysis at DShield.org, Dissemination; inset of a typical residential cable modem log showing FTP attempts and pop-up ad (spam) traffic)

Internet Storm Center Web Page


http://isc.sans.org

Port Report

2002 Top 20 List
www.sans.org/top20

Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host

Top Vulnerabilities to Unix Systems
U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords

Questions?
Contact:
tom.parker@pentest.co.uk
toby_miller@adelphia.net
eshaw@msn.com
marc@sans.org
