third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Pobelka case Detection and incident response In December 2012, the NCSC received information from the investigative companies Digital Investigation and SurfRight regarding the Pobelka botnet, which was based on data from a C&C server. Pobelka is a botnet that, just like Dorifel, uses the Citadel distribution platform. The SurfRight report [130] showed that the vast majority of the computers infected by the Pobelka botnet are located in the Netherlands and Germany. The IP addresses were shared with the NCSC which then checked whether they are in use by the government and vital sector and, in accordance with agreements, these IP addresses were then shared with these parties, including the internet service providers. Media attention In February 2013 the NOS Journaal focused its attention on the Pobelka botnet. Journalists gained insight from Digital Investigation into the 750GB dataset that sat on the C&C server. The report shows how varied the information captured is. The information captured by the Pobelka botnet and Citadel is sensitive. After all, every piece of information sent through the internet browser was intercepted and sent to the C&C server. More detailed analysis In light of the media attention the decision was taken to have the dataset from Digital Investigation subsequently investigated by a taskforce, involving collaboration between the NCSC, the police, the Public Prosecutor (OM), the AIVD, the MIVD and the National Coordinator for Security and Counterterrorism (NCTV). The primary aim of Citadel botnets is to manipulate financial transactions. All other data collected can be seen as collateral damage. Pobelka also filmed internet banking sessions. This is a huge threat to privacy because the entire computer screen is visible including every movement of the mouse and every click. The data captured are personal identification details, company information, information about the computer and vulnerabilities in the software used by the organisation or individual concerned. Parts of this data are often used in bulk, and sometimes sold on for large amounts. Ready-to-use data collections that are relatively easy to sell are increasingly being offered for sale. Personal identification details are also used for identity fraud or to mislead people, for example with social engineering. Software publishers need to develop secure software and ensure that any vulnerabilities are patched. Website developers and administrators are expected to prevent websites from becoming infected (for example there are the Open Web Application Security Project (OWASP) [131] security recommendations for web applications) and act and communicate quickly if there is an infection. The Pobelka incident made it all the more evident that decisiveness on the part of the Dutch government should be expected in combating botnets. The unabated challenges remain primarily in the area of collaboration, both between public and private organisations as well as internationally. While in some cases a botnet is specifically targeted at certain countries, just as Dorifel and Pobelka targeted the Netherlands (see boxed text), most botnets spread across the whole world. The botnet administrators, C&C servers, hirers and ultimate targets can each be in different countries. This makes detection, combating and prosecution exceptionally complex. Indeed cyber criminals are often based in countries where the chance of being caught is low, certainly if there are other crime problems that are given precedence by the local authorities. [132] 3.5 Conclusion The best method of protection against botnets is still to prevent infections. Being able to prevent malware infection is all the more important given the difficulties in the area of combat. Both home users and organisations, as well as software and network providers have their own responsibility in this respect. Effective public/private collaboration is also very important. If combat is to become more effective, on the one hand a detection and information process needs to be set up so that end-users can be updated quickly in the case of an infection. On the other hand, cyber criminals must be detected and prosecuted. « Based on the data captured, no indications have been found that the nature of this botnet is different from other comparable (Citadel) botnets. Who is responsible for the botnet is not known at the time of writing. 130 http://www.surfright.nl/nl/hitmanpro/pobelka 131 www.owasp.org 132 http://www.f-secure.com/weblog/archives/00002530.html 66
Detailed section » 4 DDoS 4 DDoS » DDoS attacks have caused harm to the provision of services by organisations in the vital infrastructure (including the provision of online services from banks and airline companies). Furthermore, basic facilities such as iDeal and DigiD have also been affected by DDoS attacks. This demonstrates that malicious attackers can cause much harm using easily obtainable tools. 4.1 Introduction In the past year, public attention on DDoS attacks has increased considerably. This detailed section examines in greater depth the technical background, the actors who are (possibly) responsible and the measures that are implemented. DDoS is a means of attack by people with malicious intent that overloads the capacity of an organisation’s online services, websites or infrastructure by means of data traffic. The online services or infrastructure then become impossible or difficult for legitimate traffic to reach. Where in a DoS attack the actions are executed from a single system, with a DDoS the attack is launched from multiple locations and systems. [33: NCSC 2013-3] This detailed section examines in greater depth the issues and incidents caused by DDoS attacks. 4.2 Background DDoS attacks are not a new development and have been happening for more than ten years. However in recent years the number of attacks has been increasing In 2012 and the first quarter of 2013 the number of DDoS attacks rose and there was an enormous increase in the intensity of the attacks. [133] DDoS attacks are usually carried out by controlling an attack via a botnet [134] or multiple systems at the same time. The resources needed to launch a DDoS are relatively easy to come by and can be used by anyone with a sufficient knowledge of IT and the internet. The chance of an attack succeeding is very much dependent on the attacker’s level of knowledge and tools used, and on the measures that the target organisation has put in place. In many organisations there is a lack of knowledge and/or resources to take satisfactory and effective measures to restrict the impact and consequential harm caused by a DDoS attack. There is in reality little that can be done in the face of a DDoS attack other than to take measures to reduce the effect of the attack. 4.2.1 Actors and their motives DDoS attacks are carried out for a variety of reasons by various actors. The capacity and technology for a DDoS attack are available for sale on the internet. Cyber criminals offer a DDoS attack as a ‘service’. [135] The cost of using these services has fallen in recent years. [136] The actors do not themselves need many skills. Independently setting up a DDoS attack requires more knowledge and skills. Script kiddies A script kiddie’s motive for a DDoS attack is usually to increase self-esteem because a successful attack will be reported in the press. Hacktivists Hacktivists may carry out a DDoS attack against companies, organisations or governments that in their eyes are acting against their ideology or convictions. Criminals Criminals use DDoS attacks to blackmail companies carrying out a DDoS and then demanding money from the victim to stop the attack or avoid a long-term, more severe attack. DDoS attacks may also be used as a diversion from the ‘real’ attack, for example to camouflage espionage or criminal actions. However there has been no evidence of this in the Netherlands as yet. Organised criminals in a number of cases themselves possess the knowledge and skills or they buy in botnet services from a ‘botnet herder’. States A DDoS attack may also be carried out by a state for geopolitical reasons or as an element of cyber warfare. 4.2.2 Technique DDoS attack techniques come in various forms. There are dozens of forms of DDoS attack on the IP protocol alone. Types of attack are often combined, meaning that different techniques are deployed at the same time or in sequence, making it more difficult to detect the right type of attack and react to it. A distinction is generally made between two categories of attack: »» attacks targeted at a volume which flood the network’s bandwidth and the infrastructure; »» attacks at the application layer targeted at hitting specific services and exhausting resources with a much lower volume of messages. A number of common DDoS attacks are explained below. SYN flood A SYN message is sent by a computer, the source system, to a target system, for example a web server, to create a connection through the TCP protocol as a first step. SYN stands for ‘synchronise’. When the target system receives a SYN message it responds with a SYN-ACK message and the source system then sends back an ACK message. ACK stands for ‘acknowledge’. In this way, communication is 133 Prolexic Quarterly Global DDoS attack Report Q1-13 134 See the detailed section on botnets. 135 ‘Cyber attack for sale on the internet’, Trouw, 11 April 2013. http://www.trouw.nl/tr/nl/5133/ Media-technologie/article/detail/3423959/2013/04/11/Cyberaanval-te-koop-op-internet.dhtml 136 Chris Verhoef, information technology professor at the Vrije universiteit: de Volkskrant, 9 April 2013: ‘Cyber attacks: a nice nuisance on the internet’. 67
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67: Detailed section » 3 Botnets » Do
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?