Welcome to Volume 3, Issue 6 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
In this issue, Jeff Stutzman explains how triangulation can be used in computer network attack analysis. Triangulation is a familiar concept to anyone who's been involved in SAR (Search And Rescue): it's a way of homing in on the location of a radio transmitter using multiple antennae. I had a first-hand opportunity to see triangulation in action here in Hilton Head Island, where my Coast Guard Auxiliary unit runs 2 communications base stations. We use these along with antennae at US Coast Guard Stations Tybee Island and Charleston to help locate vessels in distress in the Coastal Carolina waters. You probably also know about triangulation if you've read Eye of the Needle or watched old movies where Germans tried to locate radios of the French Underground during World War II.
OK, I'm straying. Today's column is actually the first in a series of three that we'll publish over the next few months. I think you'll enjoy it.
Happy Reading!
J.L. Stutzman
In stressful incident response situations, administrators may lack time, skill, or resources, and may overlook or ignore clues to the true motivation of the hacker. Normal operations can wear out security administrators, and as a result they may become myopic during the discovery and analysis following an intrusion or attack. Often they will make every attempt to gather and use all available clues presented to them, as long as those clues come from the computer that was attacked or from the security devices installed, e.g., system, intrusion detection, and firewall logs, sniffers, installed network monitors, tripwires, etc. Unfortunately, by examining only this set of indicators, the administrator may end up trapped in a thought process that leaves out several other indicators of the hacker's true motivation, activity or behavior.
Before we move on, let's identify the specific roles of each of the main players in incident response. First, we need to recognise that there are competing equities when responding to incidents, troubleshooting the system, obtaining evidence, and restoring the system. System administrators keep systems running smoothly and are considered to have failed if anything interferes with an end-user's ability to do work. During an incident, sysadmins want to see the system back to full operation as quickly as possible. Intrusion response teams are no different. The typical intrusion response team is charged with finding the problem, fixing the problem, and restoring the system. IR teams are required to quickly distinguish a true attack from a false one, determine how to block or thwart it immediately, and determine how to mitigate or eliminate the vulnerability to render all future attacks of this kind fruitless. Security administrators are interested in prevention of security problems, and will therefore want to consider the entire security system and take measures to restrict access and services in order to prevent future attacks.
Evidence gathering is usually a secondary concern, unless the attack is unique, debilitating or destructive. Rarely are intrusion analysts discussed as real members of the team. Expert analysts can be used to bring together several competing equities, as well as to identify other sources of information that may be used to investigate incidents and potentially predict future attacks.
This first in a series of three TISC Insight columns discusses a multi-faceted approach to performing after-the-fact attack analysis from an analyst's perspective. This column introduces the analyst to triangulation and its application to incident analysis. Part II discusses one methodology for analysis. Part III will offer an insight into predictive analysis.
Simply stated, triangulation is a navigation method used to fix an unknown point. The Federal Communications Commission uses triangulation to search for rogue radio transmitters by turning antennas in the direction of the strongest signal. The direction of the strongest signal is called a line of bearing. When several lines of bearing are taken, their intersection forms a triangle, which becomes the search area. This technique is commonly used to locate illegal ham radio stations, missing aircraft, and distressed ships at sea. Imagine what would happen if a distress signal were received from an airliner and only one line of bearing were used to locate it. We would point an antenna in the direction of the strongest signal, and a rescue team would have to fly or sail in that direction with no idea how far they would have to travel.
Triangulation in computer network attack analysis is multi-faceted and includes both hard and soft science indicators. Performing post-event attack analysis is very similar to triangulation: by relying solely on the analysis of a system administrator, the analysis is limited to one line of bearing.
In triangulation, several factors must be considered. The easy way to think of triangulation in analysis is the timeless investigator's equation, 5W+H: Who, What, When, Where, Why, and How. To think in this fashion, however, we must avoid falling prey to tunnel vision.
As discussed above, there are several sources of technical indicators that may be used as a line of bearing in triangulation analysis. These technical sources might include intrusion detection, firewall, and system logs. Forensic analysis would also be included. Essentially, any information taken from transactional data or forensic analysis would be included in technical indicators. This information offers insights into the skill of the hacker, as well as potential motivations and consequences.
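The column's point that each technical source is a separate line of bearing can be made concrete in code. The Python below is an added example written for this issue, not code from the author or from any product: it parses three constructed log excerpts (a firewall log, an IDS alert log, and a syslog extract), merges them into one timeline, and counts how many independent sources report the same address within a ten-minute window. The log formats, the host name, the addresses (RFC 5737 documentation ranges) and the year assumed for the syslog lines, which carry no year field, are all constructed for the example.

```python
"""Treat each log source as one line of bearing and count how many of them
corroborate the same source address within a time window."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample records (not taken from the column or from any real incident).
FIREWALL_LOG = """\
2001-03-14T02:10:05 DENY TCP 203.0.113.7:40211 -> 192.0.2.10:22
2001-03-14T02:10:06 DENY TCP 203.0.113.7:40212 -> 192.0.2.10:23
2001-03-14T02:10:07 DENY TCP 203.0.113.7:40213 -> 192.0.2.10:80
2001-03-14T02:15:30 ALLOW TCP 198.51.100.4:51002 -> 192.0.2.10:80
"""
IDS_LOG = """\
2001-03-14T02:10:09 alert portscan src=203.0.113.7 dst=192.0.2.10
2001-03-14T03:40:00 alert web-attack src=198.51.100.9 dst=192.0.2.10
"""
SYSLOG = """\
Mar 14 02:11:02 host sshd[412]: Failed password for root from 203.0.113.7 port 40301 ssh2
Mar 14 02:11:04 host sshd[412]: Failed password for root from 203.0.113.7 port 40302 ssh2
Mar 14 02:15:31 host httpd: GET /index.html from 198.51.100.4
"""

# Assumption: classic syslog timestamps omit the year, so one is supplied here.
SYSLOG_YEAR = 2001

# One normalised record per log line: when it happened, which address it concerns,
# which sensor saw it (the "line of bearing") and what that sensor reported.
Event = namedtuple("Event", "time src source detail")

FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) alert (?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$")
IP_IN_MSG_RE = re.compile(r"\bfrom (?P<src>\d+\.\d+\.\d+\.\d+)\b")


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], "firewall",
                                f"{m['action']} {m['proto']}/{m['port']}"))
    return events


def parse_ids(text):
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], "ids", m["sig"]))
    return events


def parse_syslog(text):
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        ip = IP_IN_MSG_RE.search(m["msg"]) if m else None
        if m and ip:  # only messages that name a remote address become indicators
            when = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(when, ip["src"], "syslog", f"{m['prog']}: {m['msg']}"))
    return events


def build_timeline(*event_lists):
    """Merge every source into one chronological view (timeline analysis)."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.time)


def triangulate(events, window=timedelta(minutes=10)):
    """For each address, find the largest set of *distinct* sources that report it
    within one window. Each distinct source is one line of bearing; the count says
    how many independent sensors corroborate the same activity, not how severe it is."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.time)
        best = set()
        for i, anchor in enumerate(evs):  # slide the window over each event as a start point
            seen = {e.source for e in evs[i:] if e.time - anchor.time <= window}
            if len(seen) > len(best):
                best = seen
        result[src] = {"bearings": len(best), "sources": sorted(best),
                       "first_seen": evs[0].time, "last_seen": evs[-1].time}
    return result


def rank(result):
    """Most-corroborated addresses first; earliest sighting breaks ties."""
    return sorted(result, key=lambda s: (-result[s]["bearings"], result[s]["first_seen"]))


if __name__ == "__main__":
    timeline = build_timeline(parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG), parse_syslog(SYSLOG))
    for e in timeline:
        print(f"{e.time:%Y-%m-%d %H:%M:%S} {e.source:<8} {e.src:<15} {e.detail}")
    fixes = triangulate(timeline)
    for src in rank(fixes):
        r = fixes[src]
        print(f"{src}: {r['bearings']} line(s) of bearing from {', '.join(r['sources'])}")
```

On this input 203.0.113.7 is seen by all three sensors inside one window, so it has three lines of bearing, while the IDS-only address has one. Note that 198.51.100.4, an ordinary web visit, also gets two bearings because both the firewall and the web server logged it: the count measures how many independent sources agree that something happened, and the analyst still has to read the detail column to decide what it was. That is exactly the point of the column: corroboration narrows the search area, it does not replace judgement.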
Non-IT departments in your company will likely also have equities in attack analysis. Some of those equities, as well as what might be gleaned from their perspective, are discussed below.
Sales, Marketing, and Competitive Intelligence. Today, many companies have competitive intelligence (CI) professionals included in their marketing departments or possibly reporting directly to the CEO. This CI team will likely be interested in who rather than how, and may want more information on what information was accessed, how much was downloaded, and the frequency of both visits and attacks (when). The marketing team at your firm will likely have some concerns. In today's competitive environment, marketing is very interested in who visits the web site, as compared to the details of attacks against it. Many times, incident analysis followed by trend (or timeline) analysis will identify harvesting of web sites (the systematic downloading of all pages), changes to the firm's web presence, or the potential theft of new product technologies, processes, or intellectual capital.
The bottom line is this: nobody in your company knows your competition better than the sales, marketing, and CI teams. Your marketing team likely uses Internet research, web harvesting techniques, Usenet activity, and many other legal means (and in the extreme, possibly illegal means, a.k.a. netspionage) to identify, track, and counter potential competitive threats. The sales staff encounters competition on every sales call. They know who the competitive threats are, and how to counter the threats. Every salesperson worth his (or her) salt will understand the weaknesses in their competitor's product, and will exploit that weakness to their advantage. Here's something to think about: how did AMD know to launch their 1 GHz CPU only two days before Intel, thereby gaining the lion's share of publicity and also market share? Simple, they used competitive intelligence. Where did this information come from? It's very possible they did not rely on a single source, but accumulated enough information from publicly available sources (newspapers, personal interviews (sometimes called Human Intelligence, HUMINT or social engineering), publicity and press releases) that they were able to make a confident, calculated guess as to Intel's launch date. Sales, marketing, and CI personnel in a firm are usually very responsive to requests for assistance when the attack may represent competitor actions to obtain critical corporate information.
Law enforcement/security. Law enforcement is interested in obtaining an arrest. They will likely want an image of the attacked system's hard drive. They may also want to use your system (or a substitute) as a honeypot or fishbowl, to allow the attacker limited or full access, to see how he operates, to watch as he takes information, and to gather enough evidence to obtain a warrant and arrest. In any event, the law enforcement team will be interested in forensics, the technical evidence gathered from logs and files on the attacked machine. Although law enforcement personnel are usually very responsive to requests to aid in investigations, they are inundated with forensic computer evidence that must be analysed. Great strides have been made in training law enforcement officers to perform computer crimes investigations and forensic analysis, but the sheer amount of data that must be examined leaves many smaller law enforcement offices at a disadvantage. However, that does not mean they should not be consulted. Law enforcement brings a unique perspective to attack analysis, and at the very least, security administrators should be aware of the need to preserve the integrity of evidence.
Operations. The operations management (manufacturing, purchasing, and control) staff is keenly aware of the processes used to generate profit in your organisation. Strategic planning, statistical control processes, business forecasting, budgeting, and possibly supply chain management all fall into the category of operations. Let's assume for a moment that you are a manufacturer relying on a just-in-time (JIT) inventory management system, and that your inventory levels and orders are handled via EDI over the Internet. Now think about the financial implications of delayed orders. If your firm's Internet connection was degraded by attackers through denial of service, bandwidth or resource theft, constant SYN scanning, or an intrusion, what would be the financial impact to the company? Whether the attack leaves you with too little inventory or more inventory than was actually needed, both scenarios cost the company money. So, when considering attack analysis, one question that might be posed to the operations manager is "What has been the quality or timeliness of your EDI interface with your supplier(s)?" If the answer is "degraded over the past several days", the attacks you detected may have been targeting delivery of an order. If the attacks are longer-term, you may be the victim of a competitor attempting to degrade your JIT system just enough to create long-term losses.
Finance and Legal. One of the frequent topics of discussion at security conferences is an attack scenario where your company is filing an initial public offering (IPO), the filing deadline is midnight on a specified date, and beginning at 11:00 PM on the eve of your IPO you experience a denial of service attack. The attack may have been simply random, or it may have been aimed at keeping you from filing your IPO paperwork.
The bottom line is that each department in your company has an interest in what happens with the networks. Therefore, each department may have a reason someone may want to attack the system.
The successful analyst must always keep in mind that with the exception of the pure cracker/vandal, attackers have a purpose. Someone sitting at the keyboard is motivated by something to perform the action of hacking. There are several motivations including but not limited to:
In each of these cases, computer network attacks will almost always use the computer(s) as but one tool in a typically large toolbox. Information warfare, for example, uses computers as only one means of attack. According to Joint Publication 3-13, information warfare is the integrated use of computer warfare, psychological operations (PSYOP), military deception, operations security (OPSEC), electronic warfare (EW), and physical destruction, mutually supported by intelligence.
In other words, during information warfare, computer attack is only one piece of the big picture. It is a means, not the ends.
The expert analyst can use triangulation, combined with other analysis tools (timeline, traffic, and link analysis, for example), as a means of bringing together separate and diverse thoughts that all lead to one conclusion. Simply stated, by looking at as many hard and soft science indicators as possible, analysts will have a much better chance of answering the timeless 5W+H equation.
Part II of this paper discusses one methodology of triangulation.
© 2001 - 2006 Core Competence & Mactivity, Inc.