Presentation on theme: "Information Attack IW -160 College of Aerospace Doctrine, Research, and Education."— Presentation transcript:
Information Attack IW -160 College of Aerospace Doctrine, Research, and Education
AF Information Operations defendattack exploitgain I S R INFORMATION OPERATIONS INFORMATION WARFARE INFORMATION IN WARFARE COUNTERINFORMATION WEATHER PRECISIONNAV OTHER INFO COLLECTION/ DISSEMINATION ACTIVITIES (Transmission, Storage, Public Affairs) DEFENSIVE COUNTERINFORMATION Information Assurance OPSEC Counter- Intelligence Counter- PSYOP Electronic Protection Counter- Deception Electronic Warfare PSYOP Deception Information Attack PSYOP Physical Attack OFFENSIVE COUNTERINFORMATION
Overview Definition The Threat The Arsenal Defensive Measures
Information Attack...activities taken to manipulate or destroy an adversary’s information or information systems without necessarily visibly changing the physical entity within which it resides. AFDD 2-5
Information Attack Benefits Used not only in combat, but also before. It offers … Ability to incapacitate an adversary early Reduce collateral damage Prevent adversary and friendly losses Information Attack capabilities and tools can save conventional sorties for other targets
Indirect –Effects the adversary’s perception, interpretation, and action by creating an information source –Depends on the adversary’s decision process Direct –Alters the adversary’s information –Does not depend on the adversary’s decision process Information Attack Types
Information Attack Goals Alter information to affect decision making Destroy the enemy’s confidence in the system Force an adversary to use less technical, and in most cases, less secure means to disseminate critical information Allow information to be exploited by friendly forces.
The Military Threat Formal, state-sanctioned offensive IW programs ongoing in Russia, China, France, India, Israel, and Cuba National Intel Estimate Development of Russia’s IW capability is second only to nuclear weapons in importance to future Russian military security Boris Yeltsin Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb National Research Council Report
The Adversary All sorts of people want to get your info - Curious - Hackers / Crackers - Telephone phreaks - Crooks WHY?
why NOT? Why would the bad guys not do awful things when we can’t catch them? - Think Attitude - Think Youth - Think anonymous remote control - NOW... - Think about our Adversaries - Think about our VULNERABILITIES
Hacked Web Sites TOTAL DEFACEMENTS…c/o
Hacked Web Sites DEFACEMENTS per DAY…c/o
Hacked - 17 Aug 96
Hacked - 1 Nov 96
Hacked - 29 Dec 96 This is what your gov’t is doing to you everyday
Disguised Attacks “ Hackers are scapegoats….. Hackers are also far too loud and attention-seeking to be anything more than an annoyance, because they always end up talking or drawing attention to themselves somehow. Industrial spies and saboteurs do not. You will never see them, you will never know they were there.” Chris Goggans ( aka Bloodaxe )
The Arsenal Clandestine Machine Code Mercenaries Repeat Dialers (Denial of Service) Trapdoors Sniffers Chipping Malicious Software
Clandestine Machine Code Allows programmers to insert code into the system that creates trapdoors; usually harmless - Word - Excel - what else?
Mercenaries Terrorists have entered the information age During the Gulf War Mercenaries contacted Sadam Hussein – Offered to sell Sadam valuable info on the U.S. and its allies logistic trails – Sadam refused – He didn’t appreciate the value of information
Repeat Dialers Denial of Service (DOS) Explicit attempt by attackers to prevent legitimate users of a service from using that service -attempts to flood a network, preventing legitimate network traffic -attempts to disrupt connections between two machines, preventing access to a service -attempts to disrupt service to a specific system or person ClientServer SYN SYN-ACK SYN-ACKACK Error 502 Remote server down or not responding.
Mechanism that’s built into a system by its designer -provides a way to sneak back into the system, circumventing normal system protection -what if …all US software could be equipped with a trapdoor that would allow IW agencies to explore systems and the stored data on foreign countries? Trapdoors (aka Backdoors)
Essentially a program that eavesdrops on network traffic. A sniffer looks for packets carrying login information -they run “silently”; the software is simply watching packets go by without sending anything itself -they are essentially packet analyzers; common tools that have been in world-wide use for years Sniffers
Making electronic chips vulnerable to destruction by designing in weaknesses -the chips could be built to so they fail after a certain time -blow up after they receive a signal on a specific frequency -send radio signals that allow identification of their exact location Chipping How do we get the “right” people to use the affected chips?
Virus: code fragment that copies itself into a larger program, modifying that program - ‘86 = less than 10 known- ‘97 = 14, ‘90 = new one every 2 days- ‘98 = 21, ‘95 = 6, ‘99 = 2,000,000+ Malicious Software Trojan Horse: code fragment that hides inside a program and performs a disguised function Logic Bomb: a type of Trojan Horse, used to release a virus, a worm or some other system attack
Scanner Shortfalls No scanner is 100% accurate or effective –They can only detect known viruses New viruses appear daily and may be undetectable –Updates to software are usually every month to month-and-a-half
Every military capability depends on computers and networks in one way or another!! Computers and Networks
Why do it? "I don't care how many millions of dollars you spend on hardware, if you don't have people trained properly I'm going to get in if I want to get in.” Hacker, Cyberpunk Magazine
Internet HQ Firewall AFNCC Controlled Connectivity Network Monitoring AF Network Control Center
AF NCC Single focal point for base network operations Performs fault, performance, configuration, accounting, network and security management Monitors networks for suspicious activity Reports incidents, data, and technical problems to MAJCOM and AFIWC Provides boundary protection, intrusion detection, internal controls, recovery from damages, and protection from denial of service attacks
Air Force Computer Emergency Response Team ASIM/IntrusionDetection JTF - CND AFOSICERTsAFNOCOther Base Suspicious Activity Reports ThreatTeam CountermeasuresTeam AssessmentTeams Advisories/Warning Incident Response/Recovery OLS/Assessments Indications&Warning
ASIM Automated Security Incident Measurement System Detect and identify network intrusive activity in time to prevent impact on Air Force Operations!
In 1999, hidden in 368 million suspicious connections on Air Force Networks were 71 incidents that attempted to disrupt or exploit Air Force Operations! 368 Million Suspicious Connections 2.6 Million Transcripts 1.4 Million Transcripts Evaluated 2474 SERs 2474 SERs User Intrusions 22 False Intrusions 3 Poor Security 5 False Positive 5 Denial of Service 2 ASIM Captured Event ASIM Event Assessment AFCERT Analysis Suspicious Event Reports Base Validation 71 Incidents in 1999 Validate AF NETWORK TRAFFIC 5-7 Billion Events Annually Root Intrusions 34
On-Line Survey (OLS) Close and lock the front doors... Structured Threat Unstructured Threat AFCERT Operations Base POC... to protect bases worldwide against exploitation and disruption!!
Detect system vulnerabilities Assess base ability to identify and report suspicious activity Advise MAJCOM/SC and commander of results within a week of survey completion Encourage MAJCOMs and bases to conduct surveys Exercise Air Force IP capabilities On-Line Survey (OLS)
Incident Response (IR) AFCERT Attacker Base Manage and coordinate IP operations Attacker! Need Help! Contain activity, recover systems, and apprehend perpetrators Air Force Response Forces AFCERT Incident Response (IR) Personnel Countermeasure Engineering Team Computer Security Engineering Team Major Command Network Operations and Security Center (NOSC) AF (Base) Network Control Centers AF Office of Special Investigations
Analyze unauthorized network activity Confirm incident details with base Notify AFOSI and DOD CERT Develop and recommend course of action lSecure and recover 3Monitor base recovery 3Remote recovery assistance 3Deploy to assist base recovery lPursue 3Fishbowl with law enforcement operations 3Law enforcement operations only Incident Response (IR)
AFOSI Threat Support FIRST AF Network Control Center Information Warfare Flight AF Major Command Standard Systems Group Service CERTs LEGEND DODAir ForceCivilian AFCERT Interfaces JTF-CND DOD CERT CERT AF Network Operations Center
Summary Definition The Threat The Arsenal Defensive Measures