Download MATHER Slides - Council for Emerging National Security ...

censa.net

Cybersecurity and the Attribution Problem

Tim Mather

- co-author of Cloud Security & Privacy
- former Chief Security Strategist for RSA
- former Chief Information Security Officer (CISO) for Symantec

1


Civil Cybersecurity

• No internationally agreed upon definition of cyber warfare
• Terms often used loosely and somewhat interchangeably:
  • Cyber crime
  • Cyber espionage
  • Cyber warfare
• In the case of Russia, there appears to be a link between cyber crime and cyber warfare (e.g., Estonia in 2007, Georgia in 2008)

2


Military Cybersecurity - US

• Joint Publication 3-13, Information Operations (13 February 2006)

Computer Network Operations (CNO)
- Computer Network Attack (CNA)
- Computer Network Defense (CND)
- Computer Network Exploitation (CNE) - intelligence collection

3


Cybersecurity Problem is Getting Worse

• Number of attacks, though difficult to quantify, appears to be increasing
• Number of reported vulnerabilities is decreasing; however, number of 0 day attacks is increasing – suggesting increase in total number of vulnerabilities
• Total amount of malware increasing dramatically – so much so that absolute numbers are no longer published; instead, industry tracks number of systems infected and cleaned, and “market share”

4


Example: Electrical Grid

5


Example: F-35 Joint Strike Fighter

6


Trends in Malware

• Aggregate numbers are not the real problem (e.g., variants and different packers used)
• Increasing commercialization (for profit) and sophistication in recent years
  – Formerly: mass | fast | noisy
  – Now: targeted | slow | stealthy
• Problem for anti-malware vendors today: even getting samples to create signatures

7


Internet Problem Categories

• Legal: no internationally agreed upon definition of cyber warfare, and lack of consistent laws around the world hindering prosecutions
• Technical: increasing sophistication, stealthiness makes detection (and technical attribution) increasingly difficult
• Social: attribution is difficult, and growing increasingly important

8


Attribution: Technical vs. Social

• Technical: searching for 'system 0'
  – Provides 'what' (analogous to SIGINT)
    • Identification of attack type
    • Information for defense
• Social: searching for 'person 0'
  – Provides 'who' (analogous to HUMINT)
    • Specific actor identification
    • Prediction and prevention
    • Intent
    • Sponsorship
    • Possibly future exploitation

9


The Problem of Social Attribution

July 5, 1993 issue of The New Yorker

10


Public Perception of the Problem

Identity Theft

11


Identity

• On-line identity often linked to physical identity
  – Not always
  – On-line identities often false (e.g., screen names)
  – Often linked to non-authoritative physical identification (e.g., credit cards)
  – Are not unique
• Physical identity is almost always linked to physical presence, and based on physical characteristics (e.g., photographs, biometrics)
  – Authoritativeness, based on uniqueness, is paramount
  – Identity 'collisions' are (generally) not authorized

12


Physical Identity

• Physical presence and photographs

9/11 hijackers reportedly had combined total of 63 driver's licenses from at least three states (California, Florida, and Virginia), although exact number is disputed.

13


Incorrect Physical Identification

Ali Hassan Salameh

On July 21, 1973, in the so-called Lillehammer affair, a team of Mossad agents killed Ahmed Bouchiki, a Moroccan man unrelated to the Munich attack, in Lillehammer, Norway, after an informant mistakenly said Bouchiki was Ali Hassan Salameh, the head of Force 17 and a Black September operative. Five Mossad agents, including two women, were captured by the Norwegian authorities, while others managed to slip away. The five were convicted of the killing and imprisoned, but were released and returned to Israel in 1975. The Mossad later found Ali Hassan Salameh in Beirut and killed him on January 22, 1979 with a remote-controlled car bomb.

14


Incorrect Physical Identification

Radovan Karadzic

Former Bosnian Serb leader, captured on July 21, 2008 after 13 years on the run and living openly in Belgrade, Serbia.

15


Incorrect Physical Identification

Ratko Mladić

Former military leader of the Bosnian Serbs, he still has not been captured after being on the run since July 1995; during that time he has attended soccer matches, traveled internationally, and even received his state pension for ten years after being indicted for war crimes.

16


Incorrect Physical Identification

Osama Bin Laden (January 15, 2010)

U.S. Government's digitally enhanced image showing what Osama Bin Laden could look like today (above) and, Spanish politician Gaspar Llamazares (right)

17


Physical Identification – Biometrics

Since our ability to correctly identify individuals through physical presence and as attested to in photographs and state-issued documents (e.g., driver's licenses – hence REAL ID Act, and passports) has shown itself to be fallible, then how about use of biometrics?

Biometrics are generally good for authentication (i.e., validating a known identity), but not for identification (i.e., finding an 'unknown' identity – no sample on file)

18


Biometrics Not Infallible Either

• Fingerprints
  – FBI's Integrated Automated Fingerprint Identification System: largest biometric database in world; contains fingerprints, corresponding criminal history information for > 55 million subjects (source: Bureau of Justice Statistics)
  – IAFIS only covers 18% of U.S. Population
  – Brandon Mayfield: Oregon attorney erroneously linked to 2004 Madrid train bombings
    • Arrested by FBI as material witness, and held > 2 weeks
    • Never charged
    • Ensuing lawsuits resulted in formal apology from U.S. government, $2 million settlement, and overturning provisions of USA PATRIOT Act on constitutional grounds

19


DNA is Better

FBI's CODIS (Combined DNA Index System) — NDIS (National DNA Index System)

CODIS only covers 2.4% of U.S. population

NDIS contains > 7.5 million offender profiles, and ≈ 300K forensic profiles (source: Bureau of Justice Statistics)

“DNA Evidence Can Be Fabricated, Scientists Show”
- Israeli scientists published paper in journal Forensic Science International, “Genetics”
- The New York Times, August 18, 2009

20


How Not To Do Attribution

Rep. Peter Hoekstra (R-Michigan), lead Republican on House Intelligence Committee, said U.S. should conduct “show of force or strength” against North Korea for supposed role in attacks that hit numerous South Korean and U.S. government and commercial Web sites in July 2009

21




Attribution Accusations Against China

A new approach to China
1/12/2010 03:00:00 PM

“...we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China...”

Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer

24


Attribution Accusations Against China

First detailed public report accusing China of widespread cyber espionage against multiple diplomatic and commercial targets

25


Attribution Accusations Against China

Second detailed public report accusing China of widespread cyber espionage against multiple diplomatic and commercial targets

26


Attribution Accusations Against China

SecureWorks researcher Joe Stewart

After examining the backdoor Hydraq Trojan used in [Google] hack, found that it used unusual algorithm to check for data corruption when it transmits information. Source code for this algorithm "only seems to be found on Chinese Web sites, which suggests that the person who wrote it reads Chinese".

27


Social Attribution – Increasing Importance

• Defense alone is losing the 'war'
• Increasing public calls to conduct “active defense” cyber operations – not just cyber espionage
• For any legitimacy, “active defense” must be in response to attributed attacks from a person, group, legal or state entity – not simply a system

28


Calls for “Active Defense”

“Now that the U.S. has a military command devoted to cyberspace, the country should avoid the temptation to focus narrowly on defensive measures in this newly recognized domain.”

Retired LTG William Donahue, former director of communications and information at USAF headquarters
(source: C4ISR Journal; January 2010 issue; “Fearless about cyberspace”)

“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls. We must also keep maneuvering.”

William J. Lynn III, Deputy Secretary of Defense
(source: The New York Times, January 25, 2010; “In Digital Combat, the U.S. Finds No Easy Deterrent”)

29


Questions

30


Tools Used for Attribution

• Technical: searching for 'system 0'
  – IP (Internet Protocol) address: Whois
  – ASN (Autonomous System Network): RIPE, Team Cymru
  – Various 'blacklists': SANS Internet Storm Center, Spamhaus
• Social: searching for 'person 0'
  – Social Web 2.0 and OSINT (open source)
  – COMINT
  – HUMINT
• Future: DARPA's Cyber Genome Program

31