Post on 28-May-2020

20 views

Category:

Documents


0 download

TRANSCRIPT

1

Understanding Cyber Conflict

Dr. Panayotis A. Yannakogeorgos, Dean, Air Force Cyber College

The Character of Cyberspace

The cyber domain includes more than just the Internet, but all things relevant within cyberspace require some type of connectivity or networking.

The Internet is the manifestation of networking theory on a global scale.

Cyberspace has national borders, the same as every other domain.

In the cyber domain, at no time is the military likely to be in complete control of the battlespace.

Civilians will be a part of cyberwar, likely as victims whose computers will be placed at risk, but equally likely, they will be cyberwar participants.

Source: JP 3-12(R)


Modern Hacking Tactics and the "Cyber Terrain"

So who actually owns the Internet? There are two answers to this question:

1. Nobody

2. Lots of people

• APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

• In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries.

Spectrum of Operations in Cyberspace

Access/Exploitation – Digital intelligence

Deletions/Denial of Service/Disruption/Digital Damage – Interrupt the flow of information or function of information systems without physical damage or injury

Physical Effect – Results in physical damage or destruction, injury or death

Spectrum adapted from US Cyber Command, 2013

Cyber Threat Actors

• Hacktivists

• Criminals

• Spies

• Terrorists

• Militaries


Breakdown of Noteworthy Cyber Attacks in 2015 (Tracked by Hackmageddon.com)

http://www.hackmageddon.com/2016/01/11/2015-cyber-attacks-statistics/


Hacktivists

• Operate anonymously and globally

• Objectives

– Entertainment – laughs

– Freedom, transparency, anti-corruption, etc.

• Unorganized, but blend of anarchy and power circles with factions and splintering

– Often regional and issue related factions

• Targets are global and have included

– Governments/countries

– Businesses

– Terrorists, especially ISIS

– Competing hacktivists

– Pedophiles


Criminals

• Bangladesh Central Bank Heist, Feb 4-5, 2016

• Criminals tried to withdraw $951 million from the bank's US account with the Federal Reserve, which is used for international settlements

• Criminals used stolen Bangladesh Bank credentials and ran malware on the bank's system to cover up tracks

• 35 requests were made for money transfers

• 81 million successfully moved to casinos in the Philippines

• Transfers stopped when Deutsche Bank detected a typo in a $20 million transfer to Sri Lankan organization Shalika Foundation (misspelled as "Fandation")

• Philippines froze $68 million of stolen funds

Terrorists

• Junaid Hussain [TriCk] was involved in recruiting ISIL sympathizers

• Had significant technical skills and expressed a strong desire to kill Americans

• Compiled and published names, email addresses, phone numbers of US military and government staff urging lone wolves to "act and kill"

• Sent terror guidebooks including bomb-making instructions and information about domestic terror plots in the UK

Spies & Militaries

2010 Military Doctrine: “integrated use of military force and non-military capabilities, and a greater role for information warfare”

2011 Defense White Paper: “combat capability to win local wars in conditions of informationization”

2012 Supreme Council of Cyberspace tasked with the coordination of national cyberwarfare

Photo caption: Chinese military officers indicted on cyber espionage charges, from left to right: Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu

FANCY BEAR's profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia's premier military intelligence service.

Source: https://www.crowdstrike.com/blog/who-is-fancy-bear/


Actors and Authorities


Onion Routing

Complexity of Response

Hypothetical example for educational use.

Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source

Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service

Threat source - The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability

Source: Glossary definitions (Committee on National Security Systems, 2010)


What is a Vulnerability? How do they Relate to Threats?

Most hackers use posted vulnerabilities in pre-programmed exploit packages for their attacks. [HBGary’s Law].

Source: 2015 Verizon Data Breach Report

Anatomy of a Takeover

Target Victims → Install Malware → Target Services (Intranet, etc.) → Collect Data → Initiate Effect

Malware Types

• Trojan horse

– Deceptive

• Virus

– Attach to objects; spread with objects

• Worm

– Spread (semi-)autonomously

• Logic bomb / time bomb

– Triggered by some condition

• Spyware

– Scoops up data

• Keylogger

– Records keystrokes

• Scareware

– Purports to be needed security tool

• Ransomware

– Encrypts & holds data hostage or locks screen

• Exploit or exploit code/kit

– Exploits security vulnerabilities

• Backdoor

– Gives attacker access to system

• Remote access tool (RAT)

– Gives attacker remote control

• Rootkit

– Contains backdoors & Trojans

• Sniffer

– Intercepts packets on network

• Downloader/Dropper

– Downloads/installs malware

• Wiper

– Destroys data on disk

• RAM scraper

– Steals payment data from POS RAM

"Spearphishing"

• With the information that can be found about us and our coworkers on the Internet, hackers can craft a very believable malware-laden email.

• Spoofing email addresses (or using email from a compromised system) is not hard.

– If you received an email from the director of your department, would you open it?

– Would you open the PDF document, or follow the URL to get registration information for an upcoming conference you plan to attend?

– If you weren't sure if the email was legitimate, would you follow up using a separate line of communication to confirm the email's authenticity?

Watering Holes

https://www.google.com/transparencyreport/safebrowsing


Syrian Electronic Army (SEA) Phishing Attack on Associated Press

What user saw – not actual link


Ransomware

A type of malware that attempts to extort money by taking control of a victim's computer or infecting the files and documents stored on it.

Image captions: CryptoDefense Ransom Demand | Locky Recovery Instructions

Point of Sale

This vector compromises POS terminals where customers swipe a payment card at a checkout counter.

Data used to manufacture counterfeit cards

RAM (random access memory) scraper malware is installed on a POS device:

• Captures payment card data while it is processed in memory, before it is encrypted for storage or transmission.

• The data is written to a text file which is later sent to an offsite server.

• This credit or debit card data is offered for sale on the black market.

Often discovery of the breach does not occur until law enforcement or fraud detection entities notice the criminals using the data for illicit purposes.
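A defender-side check of the kind a fraud-detection or data-loss-prevention control would run over a dropped text file like the one described above, added here as an example (it is not from the briefing): it looks for track-2-style card records and keeps only those whose account number passes the Luhn checksum, reporting masked values so the output itself does not leak card data. The sample dump and the test card numbers in it are constructed.

```python
import re

# Constructed sample of the text a RAM scraper writes out: track-2-style records
# (";PAN=YYMM...?") mixed with ordinary receipt noise. All PANs are well-known
# test numbers, not real cards; the third record has a deliberately bad check digit.
DUMP = """\
;4111111111111111=2512101...?
order 4412 total 19.99
;5500000000000004=2603201...?
;4111111111111112=2512101...?
phone 5551234567890123
"""

# Track-2 layout: start sentinel ';', 13-19 digit PAN, '=' then YYMM expiry.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod-10) check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer) and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_records(text: str) -> list:
    """Return Luhn-valid track-2 records found in text as masked, line-numbered hits."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry = m.group(1), m.group(2)
        if not luhn_valid(pan):      # drop false positives such as order ids
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append({"line": line_no, "masked_pan": mask_pan(pan), "expiry": expiry})
    return hits


if __name__ == "__main__":
    for hit in find_track2_records(DUMP):
        print(f"line {hit['line']}: {hit['masked_pan']} exp {hit['expiry']}")
```

The same pattern applied to outbound traffic or to files appearing in unexpected locations on a POS host gives an early signal of the staging step the slide describes, well before the cards turn up in fraud.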


Point of Sale Attack (Target Corporation)

The retail giant Target confirmed some 70 million customer credit and debit accounts were compromised in December 2013.

Account numbers, expiration dates, cardholder names and credit verification value (CVV) were compromised, plus encrypted debit card PINs were stolen.

• Attackers installed a hybrid of Kaptoxa and Reedum malware on point-of-sale (card reader) machines.

• Both derived from BlackPOS, sold on crime forums for only $2,300 – designed to bypass firewall software.

• The PINs are encrypted with Triple-DES (Data Encryption Standard) – somewhat vulnerable to brute force cracking.

The data breach cost $61M in expenses and resulted in a loss of $700M of revenue from loss of consumer confidence to shop at Target.

Exploitation of Data

• The second-biggest health insurer in the United States detected a breach on 29 Jan 2015 of a database containing personal information for 80 million customers and employees

• The breach exposed names, birthdays, addresses and Social Security Numbers but not medical information or financial account numbers.

– Private health data used for extortion, fraud or identity theft.

– Not clear how hackers obtained systems admin privileges

– Hacked data tracked to an outside Web-storage service.

– Changing corporate attitude about rapid disclosures.

Modern Botnets

• Networks of compromised devices (zombies, drones) acting as cyber robots (bots)

– Devices are put under the command and control (C2) of the botnet herder/owner

– C2 servers issue commands to bots

• Botnets are used for

– Spam

– Distributed denial of service (DDoS) attacks

– Stealing data – often sold in Bot Chop Shops

– Fraud – e.g., click fraud and pay per install fraud

– Computational tasks such as bitcoin mining

• Botnets are taken down by taking down their C2

– Often multinational efforts

Size of DDoS Attacks

2014: 20% reported attacks over 50 Gbps

2015: 25% reported attacks over 100 Gbps

Arbor Networks, Worldwide Infrastructure Security Report 2015


Dyn DDOS Attack

Targeting of a vital Internet infrastructure provider

Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet

Internet of Things devices all over the world infected with malware

September 2016, developer of Mirai bot released source code to hacking community


DDoS Revenue Loss and Attack Results


Ukraine Power Grid Blackout

SANS analysis of attack, http://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf


Cyber-Physical Systems

Courtesy: Compass Security Germany GmbH

Cyber-physical systems are IT systems “embedded” in an application in the physical world


Cyber-Physical Systems

- Energy

- Traffic control

- Parking

- Street lighting

- Public transportation

- Energy, Water and Waste management

- Security

- City management systems

- M2M

- Sensors (weather, pollution, seismic, olfactory, flood, sound, etc.)

Almost everything is wireless

- Custom protocol and encryption-related issues (even in RF transceiver chips)

- Huge and unknown attack surface

- Complexity, interdependency, chain reaction

- Simple bugs can cause big problems and have big impact

- Wireless encryption problems

How do you monitor small PLCs? There is a big impact of little systems on national security

Differences in IT & ICS

Attribute                   Information Technology          Industrial Control Systems
Confidentiality (Privacy)   High                            Low
Message Integrity           Low-Medium                      Very High
Availability                Medium                          Very High
Authentication              Medium-High                     High
Lifetime                    3-5 years                       10-25 years
Operating Systems           COTS (Windows, Linux, ...)      COTS at HMI, RTOS at field devices
Patching                    Standard and expeditious        Non-standard and potentially long time

Adapted from: National Institute of Standards and Technology, SP 800-82.

NEST Thermostat

Hardware/Protocols

• ZigBee/WiFi radios [cyber/EW]

• Display board

• Graphics/UI, Networking

• Chips: ARM Cortex A8 app processor, USB OTG, RAM/Flash (2Gb)

• Proximity sensors

• Hooks up to AC/Heating system.

Software

Linux based platform

Implications

• Full control over the house

• Away detection

• Network credentials

• Zip Code

• Remote exfiltration

• Pivoting to other devices

Shodan

Shodan: A special search engine that discovers computers based on software, geography, operating system, IP address and other specified options.

From Vulnerability to Exploit to Physical Effects

https://go.recordedfuture.com/hubfs/reports/ics-scada.pdf

San Bruno, CA Pipeline Explosion

• September 9, 2010

• Explosion excavated a crater 51 m long, 7.9 m wide and 12 m deep.

• 24+ hours and 25 fire engines, 4 air tankers, 2 air attack planes, and 1 helicopter to contain the fire.

• 32 homes destroyed, 8 lives lost.

Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain

• The range of trade secrets and other sensitive business information stolen in this case is significant

• State actors engaged in cyber espionage for economic advantage

• State-sponsored cyber thieves are accountable as any other transnational criminal organization that steals and breaks laws


Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.


North Korea / Guardians of Peace Cyber Attack Against Sony

• Took place late November 2014

• Used spear phishing, a zero-day exploit, and wiper malware to erase all data on infected computers

• Stole & posted pre-release movies & sensitive data about company, employees, and film stars

• Sent threatening e-mails to employees

• Demanded money, "equality," and then later that "The Interview" not be released

• Said they planned to cause Sony to collapse

• Issued threats of violence at theaters if film shown

• US attributed to N Korea

• Hacktivists took N Korea off the Internet

• President Obama tightened sanctions against 10 individuals & 3 agencies in N Korea

Cyber Attack - German Steel Mill 2015

• Wholly digital attack caused physical destruction of equipment

• The hack attack led to failures in plant equipment and forced the fast shut down of a furnace

• Attackers gained access to the steel mill through the plant's business network, then successively worked their way into production networks to access systems controlling plant equipment

Source: Wired: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

Questions?