Welcome to Volume 3, Issue 13 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
Today, we present the third and final column of Jeff Stutzman's Attack Analysis series. Part I was an introduction to triangulation. Part II was one methodology for implementing it. Part III is a primer on predictive analysis, and a simple way to implement it in your security posture. I hope you've enjoyed this series as much as I have.
Jeffery Stutzman
After nearly every attack, someone will wonder, "what if we had known it was coming?" Attacks happen nearly every day. Only about 20% are reported. What would you do if someone warned you that your system was to be the victim of a denial of service attack three days from now?
Several organizations are attempting to do just this. CERT-CC has just announced a subscription service for threat warnings, at costs ranging from $2,500 to $70,000 per year. What makes CERT confident it can charge $70,000 per year for an early warning service? Moreover, what makes it better than you or I at predicting attacks or trends? Basically, CERT-CC has data on attacks dating back to the Morris worm, coupled with the ability to mine that data accurately. This attack histogram gives them the ability to perform predictive analysis.
Let's define predictive analysis. Predictive analysis is the act of tracking activities that offer insight into short-term threats and long-term risks. Early warning is the outcome of predictive analysis, and its overarching goal: it provides time to prepare defenses and countermeasures against an anticipated attack. For this paper I've broken predictive analysis and early warning into three categories of threat, by the amount of warning each gives:
-Imminent threats: 0-24 hours of warning
-Close-in threats: 24 hours to 7 days of warning
-Over the horizon threats: 7-60 days of warning
Several indicators will lead us to the conclusion that a threat is real. These fall into two realms, technical and non-technical. Technical indicators usually follow the attack continuum. If you haven't read Parts I or II of this three-part series, let's take a moment to review the attack continuum:
Normally the technical indicators of an attack follow a certain pattern, beginning with reconnaissance and ending with an intrusion. The pattern usually takes the form of web surfing, followed by scanning the network, probing an individual host, an attempted intrusion, the intrusion itself, and finally escalation of privileges to root. These steps are often visible in logging. Some tools allow attackers to skip steps, but this is the exception rather than the rule.
Non-technical indicators lie outside the attack continuum. This is the essence of the triangulation methodology of attack analysis. The triangulation model states that there are several other indicators of who, what, when, where, why and how an attack occurred. Those very same post-attack clues might also offer a hint that a threat is imminent. Items in the news are very good indicators that hackers will be active. For example, the Free Trade Area of the Americas (FTAA) Conference was scheduled in Quebec from April 20-22, 2001. Hackers opposed to the FTAA are more likely to deface the web pages of those in favor of it, and other actions are also likely. During the World Trade Organization (WTO) conference in Seattle in 1999, hackers performed defacements, denial of service (DoS), and cyber-sit-ins in protest of Chinese entry into the WTO. So by looking back at past trade conferences, we can draw conclusions about the attack activity that might be seen at future ones.
Participating members of the FTAA were lucky enough to receive the following e-mail, which was sent on the 17th of April:
***************************************
NOTICE OF IMMINENT ONLINE PUBLIC ACTION AFFECTING YOUR SERVER
From: the electrohippie collective <ehippies@gn.apc.org>
17th April, 2001, 23.00UTC (UK)
To whom it may concern,
THE FREE TRADE AREA OF THE AMERICAS (FTAA) CONFERENCE, QUEBEC, APRIL 20TH TO 22ND 2001
As part of the organisation of protests to mark the FTAA's conference in Quebec, the electrohippie collective are organising a number of online actions for the public to participate. This is in order that people may communicate their dissatisfaction about the issues being decided in their names at the FTAA conference.
The actions will begin late on the 19th of April, and will mostly be over by the 23rd of April. Some actions, involving online lobbying during the week following the conference, will take place on a smaller scale...
***************************************
In this situation, e-mail was sent to a list of web site owners, warning them of a possible denial of service against their sites. The target list included approximately twenty well-known sites, including Cisco Canada and Sun Canada.
This type of warning is not unusual for hacktivists. In 1997, the Electronic Disturbance Theatre (EDT) performed several grass-roots cyber-sit-ins in support of the Mexican Zapatista movement. In an effort to gain support, they posted their annual schedule of cyber-sit-ins to their web site, along with a Java-based tool used to perform denial of service attacks against several high-profile sites, including the German Stock Exchange, the US military's defenselink.mil, and the web server of the former Mexican President, Ernesto Zedillo.
To perform predictive analysis, and gain the advantage of early warning, you must manage many moving parts. Although IDS logs are great indicators of an imminent threat, I would argue that hacker motivation is the key to longer-term early warning. For every attack, there is a person sitting at a keyboard who has decided to hack YOUR system for a specific reason. The reason might simply be that you ran an operating system someone knew how to hack, and yours happened to be on the hacker's radar. Other motivations include random acts, direct economic advantage (theft of money), indirect economic advantage (extortion), espionage, bragging rights, warfare, political movements, and environmental causes. The list is endless.
Predictive Analysis: Methodology
Predicting Imminent Threats: 0-24 hours warning
Imminent Threats provide 0-24 hours of warning, hopefully more than 0. These describe newly discovered trends leading to a potential attack.
Imminent threats are usually predicted by watching technical indicators in intrusion detection system (IDS) logs. IDS logs showing network scanning yesterday, followed by low and slow DNS probing on one host today, might indicate an imminent threat. These are usually the easiest types of threat to predict, if you're paying attention. By collecting technical data over time, the security administrator will have a good idea of the timing between steps in the attack continuum. Any variation might indicate an abnormality, and therefore a threat.
The key to understanding the indicators in such a short-term threat profile is not to get too wrapped up in the indicator itself. It's not as important to know what kind of scanning is taking place as it is to know that scanning is in fact taking place. First recognize the indicators of an attempted intrusion, then think about how the attempt is going to unfold. Suppose you catch a hacker probing port 53, the domain name server (DNS). Next, you see he's making a run at your DNS. If you catch the attempt on DNS early enough, you might have time to counter the attack by removing the DNS host from the network, performing due diligence, and placing the host back in service safely. Capturing data over time, understanding your current security posture, and applying this type of model will allow you to predict your own short-term threats.
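The stage-tracking idea above, as an added example (this is not code from the column): it reads IDS alert lines in a constructed, simplified format, maps each event class onto a stage of the attack continuum, reports the sources that have moved past network scanning, and records the hours between stages so that, collected over many incidents, they form the timing baseline the column recommends. The event class names and the sample alerts are assumptions made up for the example; substitute the signature names your own IDS emits.

```python
"""
Attack-continuum stage tracker (added example, not from the column).

Input is a constructed, simplified alert line format:
    <YYYY-MM-DD> <HH:MM:SS> <source> <destination> <event class>
"""
from collections import defaultdict
from datetime import datetime

# Stages of the attack continuum, in the order the column describes them.
STAGES = ["recon", "net_scan", "host_probe", "intrusion_attempt", "intrusion", "priv_esc"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Assumed mapping from IDS event classes to stages. The event names are
# hypothetical; use the signature names your own IDS actually produces.
EVENT_STAGE = {
    "WEB-CRAWL": "recon",
    "PORTSCAN": "net_scan",
    "DNS-VERSION-QUERY": "host_probe",
    "DNS-TSIG-OVERFLOW-ATTEMPT": "intrusion_attempt",
    "SHELL-ON-53": "intrusion",
    "NEW-UID0-ACCOUNT": "priv_esc",
}

# Constructed sample alerts: one source works its way toward the DNS host
# over two days, one probes it once, one only crawls the web server.
SAMPLE_ALERTS = """\
2001-04-16 02:13:05 10.1.1.5 192.168.1.0/24 PORTSCAN
2001-04-16 09:40:11 172.16.4.20 192.168.1.53 DNS-VERSION-QUERY
2001-04-17 01:02:33 10.1.1.5 192.168.1.53 DNS-VERSION-QUERY
2001-04-17 01:05:48 10.1.1.5 192.168.1.53 DNS-TSIG-OVERFLOW-ATTEMPT
2001-04-17 03:30:00 203.0.113.9 192.168.1.80 WEB-CRAWL
"""


def build_tracks(lines):
    """Group alerts by source as sorted (timestamp, stage, destination) tuples."""
    tracks = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, event = line.split()
        stage = EVENT_STAGE.get(event)
        if stage is None:
            continue  # event class not on the continuum; ignore it here
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        tracks[src].append((ts, stage, dst))
    return {src: sorted(events) for src, events in tracks.items()}


def stage_intervals(events):
    """Hours between the first sighting of each successive stage for one source.

    Collected over many incidents these become the timing baseline; a source
    moving faster than the baseline is the abnormality to react to first.
    """
    first_seen = {}
    for ts, stage, _ in events:
        first_seen.setdefault(stage, ts)
    ordered = sorted(first_seen.items(), key=lambda kv: STAGE_INDEX[kv[0]])
    return [
        (a, b, round((tb - ta).total_seconds() / 3600, 2))
        for (a, ta), (b, tb) in zip(ordered, ordered[1:])
    ]


def assess(lines, alert_from="host_probe"):
    """Return the sources at or beyond `alert_from`, most advanced first."""
    threshold = STAGE_INDEX[alert_from]
    warnings = []
    for src, events in build_tracks(lines).items():
        top = max(STAGE_INDEX[stage] for _, stage, _ in events)
        if top < threshold:
            continue
        warnings.append({
            "src": src,
            "stage": STAGES[top],
            "last_seen": events[-1][0].isoformat(),
            # Hosts touched at or past the probe stage: the candidates to pull
            # from the network for due diligence.
            "targets": sorted({dst for _, stage, dst in events
                               if STAGE_INDEX[stage] >= threshold}),
            "intervals": stage_intervals(events),
        })
    return sorted(warnings, key=lambda w: -STAGE_INDEX[w["stage"]])


if __name__ == "__main__":
    for w in assess(SAMPLE_ALERTS):
        print(w)
```

Run against the sample, 10.1.1.5 surfaces first at the intrusion-attempt stage with 192.168.1.53 as its target, with roughly 23 hours between its scan and its probe and only minutes between the probe and the attempt; 172.16.4.20 is listed at the probe stage, and the web crawler is not listed at all. The interval list is what you keep: after a few incidents it tells you how much of the 0-24 hour window you really have between a probe and an attempt on that host.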
Predicting Close-in Threats: 24 hour-7 days warning
Close-in threat warnings take two forms. Type I warnings are those realized through new technical security issues. Bugtraq reports, for example, provide warning of new vulnerabilities that may become a problem. Predicting close-in threats is really what most administrators do by participating in ARIS, GIAC, Bugtraq, or the incidents lists. If you follow any of these sites or lists, you quickly realize that there is a lifecycle curve for each bug discovered.
By recognizing that each new vulnerability has a specific lifecycle, you can predict how long it will be before it's seen in your IDS logs. For example, both L1on and Adore showed evidence of testing several days before full launch. The first appearance of Adore was approximately March 25, 2001; further testing appeared around the 30th, and Adore hit full swing around April 3. By the 8th it appeared to have died out. Adore was a self-propagating script, so we were able to watch the timing of the self-propagation and apply it to future models.
Manually exploited bugs don't move so fast. A week may elapse between the time a vulnerability is first exploited by hand at the command line and the time it appears in beta script form. This delay gives administrators time to prepare their systems. Sites like GIAC and ARIS offer collaboration between analysts to prepare technical analysis pieces that aid administrators in tracking and identifying the bug.
Type II warnings are those precipitated by something happening in the news, in your company, or in the environment in which you participate. Watch things that change your competitive environment, then figure out how someone might be affected by them. The question should always be asked, "If this happens, and is reported in the news, will someone's attitude toward us change?" If the answer is yes, attempt to determine how, and how much. If the atmosphere changes enough, might it cause someone to attempt to hack one of your systems? For example, on April 1, 2001, there was a mid-air collision between a US Navy EP-3 and a Chinese fighter aircraft. We anticipated there would be some cyber sabre-rattling by both parties, but what should we expect? The last time there was activity involving the US military and China was during the 1999 air campaign over Serbia, when the Chinese Embassy in Belgrade was bombed. At the time, there was about a 2-day lag, followed by defacements and denial of service attacks by patriotic and sympathetic hackers on both sides. Drawing a parallel from the bombing of the Embassy to the mid-air collision of the two planes, we predicted a lag of a couple of days, followed by defacements and denials of service. Both predictions came true. As expected, there was an outfall of patriotic hacking, both taunting and defending the actions of the US and China. In this situation, the activity escalated to a one-week "hacker war", in which hackers from both sides defaced as many sites as possible.
This methodology can be applied to nearly every situation that might affect your operating environment. I will warn you, this system is not easy to create or implement. The point is simply to think of the different things that could happen to your network, then think about what each would look like prior to the attack. Write down a list of things that might draw hackers to your site. We'll call this the list of "Motivators". It should include everything from new bugs to theft of critical information. Next, consider what might happen if one of these motivators were present. I've labeled this "What to expect". Last, think about what you would see if someone acted on a motivator to perform one of the actions listed under What to expect. Let's call this list "Indicators". The indicators might be technical or non-technical. For example, when a strike aircraft flies over a tank field, the aircrew looks for signs of movement: a dust trail, tracks, turning, etc. The same holds true for indications and warning. If military action takes place between two countries, one might expect hackers to become active. Indicators of future activity might include heightened reporting in the press, a higher level of political sensitivity than usual, growing political tensions between the two nations, and higher than usual public support for each side.
Motivator(s):   Military action between two countries
Indicator(s):   Heightened reporting by the press
What to expect: Based on last time, we should expect a slight delay, followed by activity such as defacements and denial of service attacks on government and military sites, as well as unrelated sites that happen to be vulnerable to common defacement vulnerabilities.
Predicting Over the horizon: 7-60 days of warning
Over the horizon threats are those that correspond to actions within your company, your company's business environment, or your competitors' environment that create risk to your competitive posture.
RISK EQUALS THREAT
Let's assume that your company is involved in research on a new drug. This new drug has far-reaching implications and is completely revolutionary. On Tuesday morning, the Wall Street Journal (WSJ) reports that your company is involved in new research that will likely take much of the market share from your closest competitor. Recognizing that this information is critical to your company's competitive position, you take every measure to ensure your systems are locked down. On Wednesday, you begin seeing an abnormally high amount of activity in your web logs, showing surfers searching for information on your new drug. From a business perspective, the more visitors the better. From a security perspective, more visitors attracted to your site under these circumstances translates to a higher potential risk of attack. You should now consider yourself in a heightened state of risk. Based on the web logs, you see increased activity on your systems, but none of it would be considered malicious, yet.
What might an indicator table have looked like for this?
Motivator(s):   Theft of critical information
Indicator(s):   Attention drawn to company secrets in the news
What to expect: Increased web accesses

Motivator(s):   Someone is unhappy with the announcement
Indicator(s):   The amount of press surrounding the new drug draws more attention to your company
What to expect: Increased web accesses
Obviously this is slightly exaggerated to make the point, but companies get hacked every day for reasons ranging from random acts of graffiti to corporate espionage to simple mistakes. The trick to predicting "over the horizon" activity is to understand that things that affect your company also affect individual people, and when emotions are involved, any number of things can happen. So, watch for anything that might change someone's emotions toward your company.
Armed with this information, what can be done? The reason we worry about activity so far out is so we can plan for it. In the first case, we are stating we expect increased web accesses. Let's monitor them for abnormalities. We are expecting potential social engineering. So, let's offer a training program on countering social engineering. We anticipate hacks in support of, or against our discovery, drug, prices, etc. How might we counter this? From the security admin perspective, it's a matter of lining up the emergency response vehicles.
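Monitoring the expected increase in web accesses for abnormalities, as an added example (this is not code from the column): it counts requests per day from Common Log Format lines, compares each day after a baseline window against the baseline mean, and separately counts requests whose paths look like probing rather than reading, so that a busy day after the announcement and a hostile day are not confused. The sample log, the probe path patterns, and the threshold factor are assumptions constructed for the example.

```python
"""
Web-log surge monitor (added example, not from the column).

Input is standard Common Log Format:
    host ident user [day/Mon/year:time zone] "method path proto" status bytes
"""
import re
from datetime import datetime
from statistics import mean

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request paths that read as probing rather than browsing. Assumed patterns;
# extend them with whatever your own web server is actually being hit with.
PROBE_RE = re.compile(r"(/cgi-bin/|\.\./|/etc/passwd|/admin)")

# Constructed sample log: three quiet baseline days, the announcement day
# (17 Apr) with more readers, and the following day with both more readers
# and one source probing for old CGI holes.
SAMPLE_LOG = """\
198.51.100.4 - - [14/Apr/2001:08:01:12 -0400] "GET / HTTP/1.0" 200 2310
198.51.100.4 - - [14/Apr/2001:08:01:20 -0400] "GET /research/ HTTP/1.0" 200 4012
192.0.2.33 - - [15/Apr/2001:13:45:02 -0400] "GET / HTTP/1.0" 200 2310
192.0.2.33 - - [15/Apr/2001:13:45:09 -0400] "GET /about/ HTTP/1.0" 200 1800
198.51.100.9 - - [15/Apr/2001:21:10:44 -0400] "GET /research/ HTTP/1.0" 200 4012
203.0.113.21 - - [16/Apr/2001:11:02:51 -0400] "GET / HTTP/1.0" 200 2310
203.0.113.7 - - [17/Apr/2001:10:12:01 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
203.0.113.8 - - [17/Apr/2001:10:15:33 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
198.51.100.12 - - [17/Apr/2001:12:40:10 -0400] "GET /research/ HTTP/1.0" 200 4012
192.0.2.50 - - [17/Apr/2001:16:05:47 -0400] "GET /press/ HTTP/1.0" 200 3300
203.0.113.7 - - [18/Apr/2001:02:30:00 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
203.0.113.9 - - [18/Apr/2001:02:31:10 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 280
203.0.113.9 - - [18/Apr/2001:02:31:14 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 280
203.0.113.9 - - [18/Apr/2001:02:31:19 -0400] "GET /../../etc/passwd HTTP/1.0" 400 280
192.0.2.61 - - [18/Apr/2001:09:12:03 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
198.51.100.14 - - [18/Apr/2001:09:20:41 -0400] "GET /research/ HTTP/1.0" 200 4012
203.0.113.40 - - [18/Apr/2001:11:47:22 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
192.0.2.70 - - [18/Apr/2001:15:58:09 -0400] "GET /jobs/ HTTP/1.0" 200 2900
203.0.113.41 - - [18/Apr/2001:19:03:55 -0400] "GET /research/compound-x HTTP/1.0" 200 5120
"""


def parse_clf(line):
    """Return the fields this monitor needs, or None for a malformed line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "day": datetime.strptime(m.group("day"), "%d/%b/%Y").date(),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def daily_summary(lines):
    """Per-day request totals, probe counts, and the sources that probed."""
    days = {}
    for line in lines.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        d = days.setdefault(rec["day"], {"total": 0, "probes": 0, "probe_sources": set()})
        d["total"] += 1
        if PROBE_RE.search(rec["path"]):
            d["probes"] += 1
            d["probe_sources"].add(rec["src"])
    return days


def flag_days(lines, baseline_days=3, factor=3.0):
    """Compare each day after the baseline window with the baseline mean.

    A day is flagged when traffic reaches `factor` times the baseline or when
    any probing request appears; the ratio is reported either way, so a busy
    but benign day still shows up as a heightened state of risk.
    """
    summary = daily_summary(lines)
    days = sorted(summary)
    baseline = mean(summary[d]["total"] for d in days[:baseline_days])
    report = []
    for d in days[baseline_days:]:
        s = summary[d]
        ratio = round(s["total"] / baseline, 2)
        report.append({
            "day": d.isoformat(),
            "total": s["total"],
            "ratio": ratio,
            "probes": s["probes"],
            "probe_sources": sorted(s["probe_sources"]),
            "flag": ratio >= factor or s["probes"] > 0,
        })
    return report


if __name__ == "__main__":
    for row in flag_days(SAMPLE_LOG):
        print(row)
```

On the sample, the announcement day shows twice the baseline traffic and no probes, so it is reported but not flagged: the heightened state of risk the column describes, nothing malicious yet. The next day is flagged on both counts, 4.5 times baseline and three probing requests from one source, which is the address to hand to the incident response team while the rest of the traffic is still just readers.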
Conclusion
Make sure you have performed a good vulnerability analysis. Close as many of the commonly exploited weaknesses first, then begin work on the lesser known and exploited ones. These types of activities are considered anticipatory, meaning you still have time to react. It should lead the administrator to keep a heightened state of readiness on the networks. Be prepared for an incident. Ensure your incident response team is trained and ready.
Basic predictive tools allow you to focus your energy on being ready for the eventuality of the attack. You know what might cause a hacker to act, and know what to look for as an indicator that he is coming. You also have a plan for what to do to counter him. Hopefully, this series has provided you with a baseline understanding of the process. Take the time to extrapolate this out for your company's own situation. Incorporate it into your security posture. It's not easy, but it will be worth it in the end. You'll be glad you did.