
CERT Analysis Center:

Research into Predictive Cyber Analysis


Casey J. Dunlevy
Team Lead

CERT Centers, Software Engineering Institute


Carnegie Mellon University
Pittsburgh, PA 15213-3890

SEI is sponsored by the U.S. Department of Defense


2001 by Carnegie Mellon University

Intelligence - page 1
Why Analysis Research?
Bad Guys!

Threats growing

Vulnerabilities increasing

Internet now part of the social fabric
- Impact of major cyber-attack would be significant
- Cascading effects a major concern

Reactive response must give way to proactive preparation



Threats
National Security
- Critical National Infrastructure
- Cyber-Warfare

Computer Crime
- Organized Crime
- Identity Theft
- Extortion

Non-State Actors
- Terrorists
- Political Activists



Recent Events
Release of malicious code from China - each release concurrent with a political event

Code Red, in all its forms

CSI/FBI Survey: 90+% experience unauthorized use, 44% did not report

G8 Finance Ministers estimate computer crime costing $80 Billion per year

All point to a pervasive fundamental misunderstanding of the Internet environment


Analytic Approaches
The systematic and broad-scale accumulation of understanding for current and prospective behaviors on the Internet:
- Technical, Political, Economic, and Social triggers
- Attacks and defenses
- Vulnerabilities and corrections
- Victims and perpetrators

Coupled with:
The systematic and broad-scale examination of Internet activity to assess, predict and understand current and prospective political, economic, societal, and technological impacts (PEST).


Attack Sophistication vs. Intruder Technical Knowledge
(Chart; image not recovered. Vertical axis: Attack Sophistication, Low to High; horizontal axis: 1980, 1985, 1990, 1995, 2000. Curves labelled "Tools" and "Attackers"; a second scale labelled "Intruder Knowledge".)
Technique labels recovered from the chart, read from bottom (earliest) to top (latest); labels on the same level are listed together:
- password guessing
- self-replicating code
- password cracking
- exploiting known vulnerabilities
- burglaries; hijacking sessions
- disabling audits; network mgmt. diagnostics
- back doors
- GUI
- automated probes/scans
- sweepers; www attacks
- sniffers; distributed attack tools
- packet spoofing; denial of service
- stealth / advanced scanning techniques
- new class of cross site tools
New Threat Paradigm
Traditional Threat Definition:
- Threat = Capability + Intent

New Threat Definition:
- Threat = Capability + Intent + Knowledge

Capability includes tools and ability to access
Intent is the motivation
Knowledge is specific, sophisticated ability to operate within a system/network after gaining access

New Threat Paradigm most applicable to high-level threats
Incident Figures
CERT/CC Incidents Reported

- 1988-2000: 47,711
- 1999: 9,859
- 2000: 21,756
- Q1-Q3: 34,754

Vulnerabilities Discovered

- 1995-2000: 2,596
- 1999: 417
- 2000: 1,090
- Q1-Q3: 1,820



Emerging and Future Trends
Computer Network Operations being incorporated into national military Strategies and Doctrines

Overlapping of Traditional Crime with Cyber-Crime

Use of Nuisance Tools for Overtly Criminal Purposes

Increasing Opportunities for Cyber-Extortion

DDoS provides national CNO, Organized Crime and Terrorist Groups a Weapon of Last Resort

Growing Use of Encryption

Exploitation of Jurisdictional Asymmetries


Dealing with the Threat - Analysis
Efforts
Technical Analysis

Fusion Analysis
- Country Studies
- Political, Social, Economic awareness
- Decision Maker support

Policy/Legal Analysis
- New Legislative efforts
- Lack of consistent policies



Low-Packet Filtering
TCP is a session-based protocol
- Used for remote access, file transfers

It's hard to use TCP without generating a lot of packets
- Negotiation, transmission, configuration, error checking

Few legitimate low-packet sessions possible
- Mostly web access


One Effort: Looking Inside the Noise
Network Activity Example

Overall Activity
- Approx 2.5 Gbytes/day

Noise - Below the Radar


Low-Packet Traffic
(Chart; image not recovered.)


Initial Results
Spikes usually mean a scan in progress

The peaks amount to <1% of the total byte traffic at any time
- 400 Kb vs. 1.4 Gb

Fair results using a top 10 list approach
- Identify and investigate 10 busiest low-packet sites per hour


Future Work
Tighter metrics
- How many unique sessions before it's a scan?

Synchronize with tcpdump data
- Most single-packet scans exploit TCP flags
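The low-packet filtering approach outlined on the Low-Packet Filtering, Initial Results and Future Work slides, as an added worked example; this is not code from the CERT deck or the CERT Analysis Center. It assumes NetFlow-style records that carry a packet count and the TCP flags seen, a constructed cutoff of 3 packets per session for "low-packet", a constructed threshold of 10 distinct sessions in an hour before a source is called a scanner (the deck leaves that number as open work), and constructed sample flows in documentation address ranges. It ranks the busiest low-packet sources per hour (the deck's top-10 list), applies the session threshold, and labels single-packet probes by their flag pattern for triage.

```python
"""Low-packet TCP session filtering over NetFlow-style records.

Added example, not from the CERT deck. Legitimate TCP sessions need many
packets (handshake, data, acknowledgements, teardown), so sessions with very
few packets are mostly probes: rank the busiest low-packet sources per hour,
decide when a source has touched enough distinct sessions to be called a scan,
and label single-packet probes by their TCP flags.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Assumption (not in the deck): a session with this many packets or fewer is
# "low-packet". A complete handshake plus teardown alone needs about 7 packets.
LOW_PACKET_MAX = 3
# Assumption (the deck lists this threshold as open work): distinct sessions
# from one source within an hour before the source is called a scanner.
SCAN_SESSION_THRESHOLD = 10


@dataclass(frozen=True)
class Flow:
    """One client-to-server TCP flow record, NetFlow-like, constructed for the example."""
    hour: int      # hour-of-day bucket in which the flow started
    src: str
    dst: str
    dport: int
    packets: int   # packets seen from src in this flow
    flags: str     # TCP flags seen, tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST


def is_low_packet(flow: Flow) -> bool:
    return flow.packets <= LOW_PACKET_MAX


def low_packet_sessions(flows: Iterable[Flow], hour: int) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each source to its distinct (dst, dport) low-packet sessions in `hour`."""
    sessions: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.hour == hour and is_low_packet(f):
            sessions[f.src].add((f.dst, f.dport))
    return sessions


def top_low_packet_sources(flows: Iterable[Flow], hour: int, n: int = 10) -> List[Tuple[str, int]]:
    """The deck's "top 10 list" approach: the n busiest low-packet sources in an hour."""
    ranked = sorted(((src, len(s)) for src, s in low_packet_sessions(flows, hour).items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


def is_scan(flows: Iterable[Flow], hour: int, src: str,
            threshold: int = SCAN_SESSION_THRESHOLD) -> bool:
    """A source is a scanner once its distinct low-packet sessions reach the threshold."""
    return len(low_packet_sessions(flows, hour).get(src, set())) >= threshold


def flag_profile(flags: str) -> str:
    """Label the flag pattern of a single-packet probe, for triage and reporting."""
    fl = set(flags)
    if fl == {"S"}:
        return "syn"          # SYN sent, session never completed
    if not fl:
        return "null"         # no flags at all; not valid TCP
    if fl == {"F"}:
        return "fin"          # FIN with no prior session
    if fl == {"F", "P", "U"}:
        return "xmas"         # FIN+PSH+URG together; not valid TCP
    if fl == {"A"}:
        return "ack"          # unsolicited ACK
    return "other"


def single_packet_probes(flows: Iterable[Flow], hour: int) -> Counter:
    """Count single-packet flows in `hour` by flag profile."""
    return Counter(flag_profile(f.flags) for f in flows if f.hour == hour and f.packets == 1)


def sample_flows() -> List[Flow]:
    """Constructed sample data; addresses are documentation ranges."""
    flows = [
        # Normal web browsing: full sessions, dozens of packets each.
        Flow(9, "10.0.0.5", "198.51.100.10", 80, 42, "SAPF"),
        Flow(9, "10.0.0.5", "198.51.100.11", 443, 118, "SAPF"),
        # The deck's legitimate low-packet case: a tiny HTTP fetch that completes.
        Flow(9, "10.0.0.7", "198.51.100.10", 80, 3, "SAF"),
        # A stray NULL probe.
        Flow(9, "203.0.113.41", "10.0.0.21", 80, 1, ""),
        # The next hour is quiet.
        Flow(10, "10.0.0.5", "198.51.100.10", 80, 30, "SAPF"),
    ]
    # Horizontal SYN sweep: one source, twelve hosts, port 23, one packet each.
    flows += [Flow(9, "203.0.113.9", f"10.0.0.{i}", 23, 1, "S") for i in range(1, 13)]
    # Vertical FIN scan: one source, one host, four ports.
    flows += [Flow(9, "203.0.113.40", "10.0.0.20", p, 1, "F") for p in (21, 22, 25, 110)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for src, count in top_low_packet_sources(flows, hour=9):
        print(f"{src:15} {count:3} low-packet sessions  scan={is_scan(flows, 9, src)}")
    print("single-packet probes by flags:", dict(single_packet_probes(flows, 9)))
```

On the sample data the sweep source tops the hourly list and crosses the session threshold, the four-port FIN scan ranks second but stays below it, and the legitimate three-packet web fetch appears in the list with a single session, which is exactly why the deck pairs the ranking with an analyst investigating the top entries rather than alerting on them blindly.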


Projects - I
1. Routing Anomalies and Backdoors
Find and fix poor router configurations. Identify and monitor/eliminate backdoors.
2. NetFlow/Collector Architecture
Better data for security analysis, engineering.
3. Detecting Stealth Scans
Identify all scans: broad, deep, and stealthy


Projects - II
4. Empirical Baseline
Traffic-based definition of normality -> anomaly detection
5. Topology Mapping and Maintenance
Create and maintain map of Network -> anomaly detection
6. DNS Database
Rapid identification of domain names and locations with history.
7. Laboratory
Discover signatures and experiment with policies


Projects - III
8. Incident Analysis
Identification of vulnerable or compromised hosts
9. Fusion Analysis for Social Adjacency
Discover social networks of cyber attackers
10. Sensor Hierarchy Architecture
Improved defense in depth
11. Analysis Toolkit
Modular architecture and tools for NSS and Sponsors
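The Empirical Baseline project (item 4 above: a traffic-based definition of normality feeding anomaly detection) as an added example; this is not code from the deck or from the projects it lists. It assumes hourly per-feature counts from a flow collector, uses a robust baseline (median and median absolute deviation) so that noisy hours already in the history do not widen what counts as normal, and constructs the feature history and current hour; the threshold of 5 robust deviations, the MAD floor of 1.0 and the 8-hour minimum history are assumptions.

```python
"""Empirical traffic baseline for anomaly detection.

Added example, not from the CERT deck. "Normal" is defined from observed
per-hour feature counts rather than from fixed thresholds; an hour is flagged
when a feature sits far above its own history. Median and median absolute
deviation (MAD) are used instead of mean and standard deviation so that a few
noisy hours already in the history do not widen the definition of normal.
"""
import statistics
from typing import Dict, List, Sequence, Tuple

K = 5.0          # assumption: robust deviations above the median that count as anomalous
MIN_MAD = 1.0    # assumption: floor so a perfectly flat history does not flag every change
MIN_HISTORY = 8  # assumption: fewest hours of history before a baseline is trusted


def baseline(history: Sequence[float]) -> Tuple[float, float]:
    """Return (median, MAD) for one feature's hourly history."""
    if len(history) < MIN_HISTORY:
        raise ValueError(f"need at least {MIN_HISTORY} hours of history, got {len(history)}")
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med, max(mad, MIN_MAD)


def robust_score(value: float, history: Sequence[float]) -> float:
    """How many robust deviations `value` sits above the history's median."""
    med, mad = baseline(history)
    return (value - med) / mad


def anomalous_features(current: Dict[str, float], history: Dict[str, List[float]],
                       k: float = K) -> List[str]:
    """Names of features whose current-hour value exceeds the baseline by more than k."""
    return sorted(name for name, value in current.items()
                  if robust_score(value, history[name]) > k)


# Constructed twelve-hour history per feature (a real deployment would use days or weeks).
HISTORY: Dict[str, List[float]] = {
    "bytes_mb":            [95, 102, 98, 110, 100, 97, 105, 99, 101, 96, 103, 100],
    "low_packet_sessions": [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 37, 42],
    "unique_dsts":         [12, 15, 13, 14, 12, 16, 13, 15, 14, 13, 12, 14],
}

# Constructed current hour: a scan touches many hosts with tiny sessions while
# byte volume barely moves, the pattern the deck describes as scans staying
# below 1% of total byte traffic.
CURRENT_HOUR: Dict[str, float] = {"bytes_mb": 104, "low_packet_sessions": 300, "unique_dsts": 50}


if __name__ == "__main__":
    for name, value in CURRENT_HOUR.items():
        med, mad = baseline(HISTORY[name])
        print(f"{name:20} median={med:6.1f} mad={mad:4.1f} now={value:6.1f} "
              f"score={robust_score(value, HISTORY[name]):7.2f}")
    print("anomalous:", anomalous_features(CURRENT_HOUR, HISTORY))
```

The byte-volume feature stays inside its baseline while the session-count and destination-count features are flagged, which is the practical reason a baseline has to be built per feature: a volume-only baseline would never see the scan.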




Fusion Efforts
Small Packet Probes analyzed
- Patterns emerged
- Identified potential threat

Analysis of CERT/CC Incident Data
- Identified possible link between state and hacker groups
- Hacker communications assessment

Working on profiles, country studies, event analysis


Low-Packet Traffic
(Chart; image not recovered.)


Results of Fused Analysis
What was determined?
- Data collected showed definite network indicators
- Methodology can be developed to provide possible warning indicators
- Based on limited dataset, network indicators suggest possible malicious probes by China

Network indicators suggest a number of motivations
- Exploitation
- Site mapping
- Intelligence gathering for further activity


Pakistani/Indian Defacements
(Chart; image not recovered. Timeline from 10/99 to 4/01 in quarterly steps: 10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01. Legend labels recovered: "Well written" / "Juvenile"; "No mention of terrorist organizations" / "Mentions terrorist organizations".)


Results of Fused Analysis
First indication of a national Intelligence Agency (ISI)
co-opting hacker groups

Malicious effort targeted against another nation-state

Capabilities increasing with experience

Potential use of cyber-weapons in future





Policy and Legal Analysis
Lack of consistent policies

Clarify inter-dependencies between Public and Private interests

Increase understanding of the global nature of the Internet

Review proposed and enacted legislation

Analyze statutory conflicts both nationally and internationally


Problems with Legislation
Lack of laws
- Two U.S. States have no cyberlaw
- Foreign laws vary widely

Ambiguous Laws
- Crime sometimes hard to define

Lack of Precedent
- Case law limited at best

Conflicting Law
- Illegal in one state, legal in another
- Illegal in one country, legal in another


Problems with Legislation (continued)
Knowledgeable Legislators?
- Lack of understanding of complexities
- Not technically up-to-date
- Knee-jerk reaction to visible threat

Slow Process
- Keeping up with Technology Trends
- Search Warrants

Authorized v. Unauthorized Access

Intent


Challenges to Analysis Research
Gathering sufficient datasets to make statistically valid judgements

Developing automated technical analysis tools

Developing a reliable methodology for cyber-analysis

Overcoming organizational bias against sharing information

Dealing with complex legal issues

Developing analytic professionals


Bottom Line
Time to deal with the world as it is - not how we want it to be! The Monsters are real!

The threat is real, varied, growing, and distributed

Multi-level, multi-discipline analysis critical to success

No solutions without working partnerships
