
Slide 1: CERT Analysis Center: Research into Predictive Cyber Analysis
Casey J. Dunlevy, Team Lead
CERT Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890. SEI is sponsored by the U.S. Department of Defense. © 2001 by Carnegie Mellon University.

Slide 2: Why Analysis Research?
- Bad guys! Threats growing, vulnerabilities increasing
- Internet now part of the social fabric
  - Impact of a major cyber-attack would be significant
  - Cascading effects a major concern
- Reactive response must give way to proactive preparation

Slide 3: (figure only; no transcript text)

Slide 4: Threats
- National Security
  - Critical National Infrastructure
  - Cyber-Warfare
- Computer Crime
  - Organized Crime
  - Identity Theft
  - Extortion
- Non-State Actors
  - Terrorists
  - Political Activists

Slide 5: Recent Events
- Release of malicious code from China
  - Each release concurrent with a political event
- CodeRed, in all its forms
- CSI/FBI Survey: 90+% experienced unauthorized use; 44% did not report it
- G8 Finance Ministers estimate computer crime is costing $80 billion per year
- All point to a pervasive, fundamental misunderstanding of the Internet environment

Slide 6: A Problem Too Big
- Cannot remain a technical specialty
- Cannot remain a localized activity
- Cannot remain responsive to incidents
- Cannot remain centrally controlled or performed
- A distributed, ongoing, multifaceted problem demands a distributed, ongoing, multifaceted strategy

Slide 7: Analytic Approaches
The systematic and broad-scale accumulation of understanding of current and prospective behaviors on the Internet:
- Technical, political, economic, and social triggers
- Attacks and defenses
- Vulnerabilities and corrections
- Victims and perpetrators
Coupled with: the systematic and broad-scale examination of Internet activity to assess, predict and understand current and prospective political, economic, societal, and technological impacts (PEST).

Slide 8: Attack Sophistication vs. Intruder Technical Knowledge (chart)
Axes: attack sophistication and intruder knowledge, each from low to high, over a timeline of 1980, 1985, 1990, 1995, 2000; the chart carries the labels "Tools" and "Attackers". Techniques labelled along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, new class of cross site tools.

Slide 9: New Threat Paradigm
- Traditional threat definition: Threat = Capability + Intent
- New threat definition: Threat = Capability + Intent + Knowledge
  - Capability includes tools and the ability to access
  - Intent is the motivation
  - Knowledge is the specific, sophisticated ability to operate within a system/network after gaining access
- The new threat paradigm is most applicable to high-level threats

Slide 10: Incident Figures
CERT/CC incidents reported:
- 1988-2000: 47,711
- 1999: 9,859
- 2000: 21,756
- Q1-Q3: 34,754
Vulnerabilities discovered:
- 1995-2000: 2,596
- 1999: 417
- 2000: 1,090
- Q1-Q3: 1,820

Slide 11: Emerging and Future Trends
- Computer Network Operations (CNO) being incorporated into national military strategies and doctrines
- Overlapping of traditional crime with cyber-crime
- Use of nuisance tools for overtly criminal purposes
- Increasing opportunities for cyber-extortion
- DDoS provides national CNO, organized crime and terrorist groups a weapon of last resort
- Growing use of encryption
- Exploitation of jurisdictional asymmetries

Slide 12: Dealing with the Threat - Analysis Efforts
- Technical Analysis
- Fusion Analysis
  - Country studies
  - Political, social, economic awareness
  - Decision-maker support
- Policy/Legal Analysis
  - New legislative efforts
  - Lack of consistent policies

Slide 13: Low-Packet Filtering
- TCP is a session-based protocol, used for remote access and file transfers
- It's hard to use TCP without generating a lot of packets: negotiation, transmission, configuration, error checking
- Few legitimate low-packet sessions are possible; mostly web access

Slide 14: One Effort - Looking Inside the Noise (chart)
Network activity example: overall activity approx. 2.5 GBytes/day; the "noise" is below the radar.

Slide 15: Low-Packet Traffic (chart only; no transcript text)

Slide 16: Initial Results
- Spikes usually mean a scan in progress
- The peaks amount to <1% of the total byte traffic at any time (400 Kb vs. 1.4 Gb)
- Fair results using a "top 10" list approach: identify and investigate the 10 busiest low-packet sites per hour

Slide 17: Future Work
- Tighter metrics: how many unique sessions before it's a scan?
- Synchronize with tcpdump data: most single-packet scans exploit TCP flags
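As an added example, not code from the presentation or from CERT, the low-packet filter of slide 13, the hourly "top 10" list of slide 16 and the unique-session and TCP-flag questions of slide 17 applied to constructed NetFlow-style records; the packet cutoff of 3, the scan threshold of 10 distinct destinations and the sample flows are all assumptions.

```python
from collections import defaultdict

# Constructed sample NetFlow-style records, not real traffic:
# (hour, src, dst, dport, packets, tcp_flags)
FLOWS = [
    (9, "10.0.0.5", "192.0.2.10", 80, 42, "SAPF"),   # normal web session
    (9, "10.0.0.5", "192.0.2.11", 80, 1, "S"),       # one unanswered SYN, benign
    (9, "10.0.0.7", "192.0.2.20", 22, 310, "SAPF"),  # long ssh session
    (10, "10.0.0.9", "192.0.2.30", 443, 19, "SAPF"), # short web session
]
# Hour 9: one SYN to each of 25 addresses from a single host (a horizontal scan).
FLOWS += [(9, "10.0.0.9", f"192.0.2.{i}", 22, 1, "S") for i in range(40, 65)]
# Hour 10: single FIN-only packets to 12 addresses (the flag abuse slide 17 mentions).
FLOWS += [(10, "10.0.0.12", f"192.0.2.{i}", 80, 1, "F") for i in range(100, 112)]

def is_low_packet(flow, max_packets=3):
    """Slide 13's premise: real TCP sessions need many packets, so tiny
    flows are the interesting ones. max_packets=3 is an assumed cutoff."""
    return flow[4] <= max_packets

def low_packet_sources(flows, hour, max_packets=3):
    """Per-source summary of the low-packet flows seen in one hour."""
    acc = defaultdict(lambda: {"sessions": 0, "dsts": set(), "no_syn": 0})
    for flow in flows:
        if flow[0] != hour or not is_low_packet(flow, max_packets):
            continue
        s = acc[flow[1]]
        s["sessions"] += 1
        s["dsts"].add(flow[2])
        if "S" not in flow[5]:   # single packet without SYN: not a normal open
            s["no_syn"] += 1
    return {src: {"sessions": v["sessions"], "unique_dsts": len(v["dsts"]),
                  "no_syn": v["no_syn"]} for src, v in acc.items()}

def top_low_packet_sources(flows, hour, n=10, max_packets=3):
    """Slide 16's 'top 10' list: the n busiest low-packet sources in the hour."""
    stats = low_packet_sources(flows, hour, max_packets)
    return sorted(stats.items(), key=lambda kv: kv[1]["sessions"], reverse=True)[:n]

def likely_scan(stat, min_unique_dsts=10):
    """Slide 17's open metric ('how many unique sessions before it's a scan?')
    with an assumed threshold of 10 distinct destinations."""
    return stat["unique_dsts"] >= min_unique_dsts

if __name__ == "__main__":
    for hour in (9, 10):
        for src, stat in top_low_packet_sources(FLOWS, hour):
            print(hour, src, stat, "<- likely scan" if likely_scan(stat) else "")
```

The benign host that sent one unanswered SYN lands on the hour-9 list but fails the unique-destination check, which is the kind of false positive the "tighter metrics" item on slide 17 is about.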

Slide 18: Projects - I
1. Routing Anomalies and Backdoors: find and fix poor router configurations; identify and monitor/eliminate backdoors
2. NetFlow/Collector Architecture: better data for security analysis and engineering
3. Detecting Stealth Scans: identify all scans, whether broad, deep, or stealthy

Slide 19: Projects - II
4. Empirical Baseline: traffic-based definition of normality -> anomaly detection
5. Topology Mapping and Maintenance: create and maintain a "map" of the network -> anomaly detection
6. DNS Database: rapid identification of domain names and locations, with history
7. Laboratory: discover signatures and experiment with policies

Slide 20: Projects - III
8. Incident Analysis: identification of vulnerable or compromised hosts
9. Fusion Analysis for Social Adjacency: discover social "networks" of cyber attackers
10. Sensor Hierarchy Architecture: improved defense in depth
11. Analysis Toolkit: modular architecture and tools for NSS and sponsors

Slide 21: Dealing with the Threat - Analysis Efforts (section divider; same content as slide 12)

Slide 22: Fusion Efforts
- Small-packet probes analyzed
  - Patterns emerged
  - Identified a potential threat
- Analysis of CERT/CC incident data
  - Identified a possible link between state and hacker groups
  - Hacker communications assessment
- Working on profiles, country studies, event analysis

Slide 23: Low-Packet Traffic (chart only; no transcript text)

Slide 24: Results of Fused Analysis
What was determined?
- Data collected showed definite network indicators
- A methodology can be developed to provide possible warning indicators
- Based on a limited dataset, network indicators suggest possible malicious probes by China
Network indicators suggest a number of motivations:
- Exploitation
- Site mapping
- Intelligence gathering for further activity

Slide 25: Pakistani/Indian Defacements (chart)
Timeline 10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01; defacements rated from "juvenile" to "well written" and marked as either making no mention of terrorist organizations or mentioning terrorist organizations.

Slide 26: Results of Fused Analysis
- First indication of a national intelligence agency (ISI) co-opting hacker groups
- Malicious effort targeted against another nation-state
- Capabilities increasing with experience
- Potential use of cyber-weapons in the future

Slide 27: Dealing with the Threat - Analysis Efforts (section divider; same content as slide 12)

Slide 28: Policy and Legal Analysis
- Lack of consistent policies
- Clarify inter-dependencies between public and private interests
- Increase understanding of the global nature of the Internet
- Review proposed and enacted legislation
- Analyze statutory conflicts, both nationally and internationally

Slide 29: Problems with Legislation
- Lack of laws
  - Two U.S. states have no cyberlaw
  - Foreign laws vary widely
- Ambiguous laws
  - Crime sometimes hard to define
- Lack of precedent
  - Case law limited at best
- Conflicting law
  - Illegal in one state, legal in another
  - Illegal in one country, legal in another

Slide 30: Problems with Legislation (continued)
- Knowledgeable legislators?
  - Lack of understanding of complexities
  - Not technically up-to-date
  - Knee-jerk reaction to visible threats
- Slow process
  - Keeping up with technology trends
  - Search warrants
- Authorized v. unauthorized access
- Intent

Slide 31: Challenges to Analysis Research
- Gathering sufficient datasets to make statistically valid judgements
- Developing automated technical analysis tools
- Developing a reliable methodology for cyber-analysis
- Overcoming organizational bias against sharing information
- Dealing with complex legal issues
- Developing analytic professionals

Slide 32: Bottom Line
- Time to deal with the world as it is, not how we want it to be!
- The monsters are real!
- The threat is real, varied, growing, and distributed
- Multi-level, multi-discipline analysis is critical to success
- No solutions without working partnerships
