Why characterize?
Theoretical: to gain an understanding of, and an ability to anticipate, an adversary in order to build improved threat models.
Practical: improved profiling of attackers at the post-attack and forensic levels.
Passive Fingerprinting
Intelligence
The Attack
The Exploit
Backdoors | Cover up
Other
FreeBSD
OpenBSD
IRIX
Windows
Tool characterizations, disclosure patterns and technique scoring.
Tom Parker Pentest Limited (UK)
[Figure: technique scoring matrix with columns Key Data, Metric Two, Metric Three and Metric Four and rows Public and Private, one score per cell]
[Figure: disclosure patterns diagram with the stages Vulnerability Discovery, Exploit Trading, Further Research, Vendor Coordination and Public Disclosure]
Offender Profiling
Roots in the law enforcement and intelligence communities (criminal event or incident analysis): intensive review of past offenders.
Insider Computer Crimes, 1998-present: 50 cases; 10 in-depth case studies from companies or government contractors.
Products:
Typology of actors: motivation, psychological characteristics, actions.
Critical pathway: the process of interactions with the environment (personal and professional) leading to the attack.
At-risk characteristics.
Organizational vulnerabilities and insights into prevention, deterrence, detection and management.
Attackers
Hackers (40%): affiliated with and active in the hacking community; bring hacking practices to the worksite.
Proprietors (40%): defend the system as belonging to them; resist efforts to dilute their control.
Avengers (20%): attack impulsively in response to a perceived injustice.
Organizational Issues
80% of cases occurred during periods of high organizational stress or change, from the highest to the supervisory levels.
Lack of policies contributed to disgruntlement or facilitated the attack in 60% of cases.
Lack of policy enforcement contributed to disgruntlement or facilitated the attack in 70% of cases.
Detection Problems
80% of attackers used operational security to protect their attack planning or identity.
Time from disgruntlement to attack: 1-48 months, with a mean of 11.3 months.
Time from active problems (probation) to attack: 0-76 weeks, with a mean of 26 weeks.
Forget the big bang theory of the sudden, unforeseen attack.
Intervention Problems
Management intervention initially exacerbated the problems in 80% of cases (ignoring, placating or tolerating problems; negotiating and then cutting off; terminating poorly).
Problems with the termination process in 80% of cases (especially failure to terminate access).
Multidisciplinary risk assessment prior to termination.
Subject      Age  Tech Capability  Prior Offenses  Acted with Others  Status in Hacker Community
Oquendo      29   High             Yes             Yes                High
Zezev        30   High             No              Yes                Unknown
Carpenter    20   High             Yes             No                 Low
Demostenis   23   Low              No              Yes                Low
Share "Yes"                        50%             75%
Person-Situation Interaction: Detect Psychological Leakage
[Figure: critical pathway diagram with Personal Stressors and Professional Stressors acting on a Vulnerable (CITI) subject, escalating from Minor Infraction through Moderate Infraction to Major Act]
Software Components
Communication Characteristics: To, From, Time, Length, etc.
Khanna at Bank
Threat Monitoring
Sting operations & negotiations
Suspect identification
Hanssen
Entitlement
Manipulative
Devaluing of others
Padded OT
Email 1: April
(Asked to train his back-up, subject refuses.) His experience was ZERO. He does not know ANYTHING about ...our reporting tools. Until you fire me or I quit, I have to take orders from you. Until he is a trained expert, I won't give him access... If you order me to give him root access, then you have to permanently relieve me of my duties on that machine. I can't be a garbage cleaner if someone screws up. I won't compromise on that.
Email 3: July
Whether or not you continue me here after next month (consulting, full-time, or part-time), you can always count on me for quick response to any questions, concerns, or production problems with the system. As always, you'll always get the most cost-effective, and productive solution from me.
Email 4: July
I would be honored to work until last week of August.
As John may have told you, there are a lot of things which at times get flaky with the system front-end and back-end. Two week extension won't be enough time for me to look into everything for such a critical and complex system.
Thanks for all your trust in me.
The Event
On his last day of work, the subject disables the computer network's two file servers.
Company executives implore the subject to help them fix the problems, but he refuses.
An independent consulting firm hired to investigate the problems discovers the sabotage.
Timing: deception to cover plotting.
WarmTouch Challenge
Detect deterioration in the relationship with the supervisor.
Detect deception.
[Figure: WarmTouch measurements for the Khanna e-mails plotted by e-mail date (April to August): number of words, number of evaluators and number of negatives per message]
Detecting Deception
[Figure: Covert Hostility Toward Supervisor: Psychological Distance Score by E-Mail Date, for the e-mails of 4/10, 4/11, 6/14 and 7/12]
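As an added illustration (not WarmTouch code or anything from the talk), the scoring below tallies a constructed set of Me/We/Negatives markers over two of the Khanna e-mails quoted above and reports how the negatives rate falls between the openly hostile April message and the accommodating July one; the lexicons and the delta heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed marker lexicons for three categories the slides plot (Me, We,
# Negatives); an illustration, not WarmTouch's lexicon or scoring method.
ME_WORDS = {"i", "me", "my", "mine", "i'm", "i'll", "i've", "i'd"}
WE_WORDS = {"we", "us", "our", "ours", "we're", "we'll"}
NEGATIVES = {"no", "not", "never", "nothing", "none", "zero",
             "won't", "can't", "don't", "doesn't", "isn't", "wasn't"}

# Two of the Khanna e-mails quoted on the slides, labelled by their month.
KHANNA_EMAILS = [
    ("April", "His experience was ZERO. He does not know ANYTHING about "
     "...our reporting tools. Until you fire me or I quit, I have to take "
     "orders from you. Until he is a trained expert, I won't give him "
     "access... If you order me to give him root access, then you have to "
     "permanently relieve me of my duties on that machine. I can't be a "
     "garbage cleaner if someone screws up. I won't compromise on that."),
    ("July", "Whether or not you continue me here after next month "
     "(consulting, full-time, or part-time), you can always count on me for "
     "quick response to any questions, concerns, or production problems with "
     "the system. As always, you'll always get the most cost-effective, and "
     "productive solution from me."),
]

def score_message(text):
    """Marker counts and per-100-word rates for one message."""
    tokens = re.findall(r"[a-z']+", text.lower())  # keeps contractions whole
    words = len(tokens)
    c = Counter()
    for t in tokens:
        c["me"] += t in ME_WORDS
        c["we"] += t in WE_WORDS
        c["negatives"] += t in NEGATIVES
    rate = lambda k: round(100.0 * c[k] / words, 2) if words else 0.0
    return {"words": words, "me": c["me"], "we": c["we"],
            "negatives": c["negatives"], "me_rate": rate("me"),
            "neg_rate": rate("negatives")}

def score_history(emails):
    """Score a dated sequence and record how the negatives rate moves between
    consecutive messages. A sharp fall after an openly hostile message is the
    'deception to cover plotting' timing the slides describe (constructed
    heuristic, not WarmTouch's scoring)."""
    rows = [{"date": d, **score_message(t)} for d, t in emails]
    for prev, cur in zip(rows, rows[1:]):
        cur["neg_rate_delta"] = round(cur["neg_rate"] - prev["neg_rate"], 2)
    return rows
```

Calling score_history(KHANNA_EMAILS) gives the April message 5 negatives in 75 words and the July message 1 in 49, a drop of 4.63 negatives per 100 words.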
WarmTouch help:
Objectively highlight and help manage psychological states.
Objectively measure success.
[Figure: WarmTouch counts per message across messages 1 to 20 for Evaluators +, Feelings -, Feelings +, Direct Ref., Negatives, Me and We]
Zezev's Use of Me
[Figure: Me count per message across messages 1 to 19, labelled passive/dependent mode]
Robert Hanssen
8 communications with Soviet handlers between October 1985 and November 2000.
Challenge for software: detect signs of the emotional stress associated with spying, disgruntlement and an affair, as documented in public records.
[Figure: Hanssen communications, October 1985 to November 2000, plotted by date: number of words per message; counts of Negatives and Me; counts of Adv Intensifiers, Direct Ref, Feelings and I; counts of Explainers and Retractors]
Media Monitoring
Attitude of the Egyptian press toward the U.S.
Attitude of customers toward a product or service.
[Figure: threat matrix of Potential Damage against Probability of occurrence (Low to High), positioning Hacker, Criminal, Espionage, Terrorist and State Sponsored threats, with 2003, 2004 and 2005 markers. Source: 1997 DSB Summer Study]
Why are we so Vulnerable?
The Internet was not built to be secure.
Secure (i.e., obscure) software is being replaced by commercial products in infrastructures.
Software development is focused on Slick, Stable, Simple (not Secure).
System administrators lack training.
Leaders rarely see computer security as part of the bottom line.
User awareness is low.
So...
The government takes all unauthorized activity seriously.
They will use all technical and law enforcement tools to respond ... and deter.
They will seek legal prosecution where appropriate.
http://www.whitehouse.gov/homeland/
National Strategy to Secure Cyberspace
The nation is fully dependent on cyberspace.
Range of threats: script kiddies to nation states.
Fix vulnerabilities, don't orient on threats.
Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program
Enhance law enforcement's capabilities for preemption, prevention, and prosecution.
Secure the mechanisms of the Internet, including improving protocols and routing.
Foster trusted digital control systems / supervisory control and data acquisition systems.
Reduce and remediate software vulnerabilities.
Improve physical security of cyber and telecommunications systems.
[Figure: DShield data flow: DShield Users, Analysis, DShield.org, Dissemination]
Typical Residential Cable Modem Log
FTP attempts
Pop-up ads (Spam)
Port Report
www.sans.org/top20
Questions?
Contact:
tom.parker@pentest.co.uk
toby_miller@adelphia.net
eshaw@msn.com
marc@sans.org