TRANSCRIPT
CERT Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
SEI is sponsored by the U.S. Department of Defense
© 2000 by Carnegie Mellon University
Intelligence - page 1
Cyber Intelligence Analysis
A Different Internet
Armies may cease to march
Stock may lose a hundred points
Businesses may be bankrupted
Individuals may lose their social identity
Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Purpose of Intelligence
1. Identify the need for action
2. Provide the insight and context for deciding among courses of action
3. Provide information on the effectiveness of pursuing the selected course of action
Change of View
Content / Context of Intelligence
What is Cyber Intelligence?
Internet Behavior
Intrusions/Responses
Threats/Counters
Vulnerabilities/Fixes
Operators/Groups
Victims
Stimuli/Motives
Opportunities
Strategic Intelligence Analysis
• Provides “Big Picture” assessment
• Trend Analysis
• Sector Threat assessments
• Potential Damage assessments
• Categorization of Attacks and Attackers
• Identification of Anomalies
Tactical Intelligence Analysis
• Linking element between macro- and micro-level analysis
• Cluster and pattern analysis
• Temporal patterns
• Profiling
• Analysis of intrusion methods
• Commonality of targets
• Reinforces and complements Strategic Analytic efforts
Using CERT/CC Data
• Year 2000 - 21,756 Incidents
• 16,129 Probes/Scans
• 2,912 Information Requests
• 261 Hoaxes, false alarms, vulnerability reports, unknown
• 2,454 Incidents with substantive impact on target
• Profiled 639 incidents, all active during July-Sept 2000 (profiling work is ongoing)
• Many different dimensions for analysis and trend generation (analysis work is ongoing)
Immediate Data Observations
Increasing trend of incidents per month (some incidents carry over between months)
Increasing diversity of ports used in incidents
Shifts in services used in incidents
Shifts in operating systems involved in incidents
Generic attack tools adapted to specific targets
[Chart: Incidents Active, Year 2000, by month (June, July, August, September, October); y-axis 0-600]
[Chart: Ports in Incidents, Year 2000; y-axis 0-50]
Service Shifts
[Chart: incidents by service, June through September 2000, series DNS, HTTP, FTP, RPC, IRC; y-axis 0-60]
Weekly Incidents
[Chart: incidents per week, weeks beginning 6/24/00 through 9/16/00; y-axis 0-70]
Weekly Incidents by Target
[Chart: incidents per week by target sector, series user, org, misc, isp, intl, gov, fin, edu, eat, com; y-axis 0-70]
Monthly Incidents by Target
[Chart: incidents per month (July, August, September) by target sector, series User, Com, eat, edu, fin, gov, intl, isp, misc, org; y-axis 0-250]
Weekly Incidents by OS
[Chart: incidents per week by operating system, series unknown, Un, So, NT, MO, misc, LX, IR; y-axis 0-70]
Monthly Incidents by Operating System
[Chart: incidents per month (July, Aug, Sep) by operating system, series UNKNOWN, IR, LX, misc, MO, NT, So, Un; y-axis 0-120]
Weekly Incidents by Impact
[Chart: incidents per week by impact, series Distort, Disrupt, Disclosure, Destruct, Deception; y-axis 0-70]
Monthly Incidents by Impact
[Chart: incidents per month (July, August, September) by impact, series Deception, Destruct, Disclosure, Disrupt, Distort; y-axis 0-180]
Drivers for Weekly Incidents
[Chart: incidents per week, weeks beginning 6/24/00 through 9/16/00, y-axis 0-70, annotated with candidate drivers: Independence Day, Labor Day, Advisory/Alert, New Toolkits, DefCon]
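The weekly and monthly breakdowns on the preceding slides (incidents per week by target, OS and impact, port diversity, incidents carrying over between periods, and spikes lined up against calendar drivers) are all derived from per-incident profile records. The script below is an added example and is not CERT/CC code or data: the incident records and the driver calendar are constructed for illustration, the Saturday week boundaries follow the slide axis labels (6/24/00, 7/1/00, ...), and the "1.5 times the mean" spike rule is an assumption chosen for the example.

```python
"""Incident-profile trend analysis (added example; constructed data, not CERT/CC records)."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean
from typing import Callable, Iterable, Iterator, NamedTuple


class Incident(NamedTuple):
    opened: date
    closed: date
    ports: tuple          # ports involved in the incident
    service: str          # DNS, HTTP, FTP, RPC, IRC, ...
    os: str               # OS code as abbreviated on the slides (LX, So, NT, ...)
    target: str           # target sector code (com, edu, gov, isp, user, ...)
    impact: str           # Deception, Destruct, Disclosure, Disrupt, Distort


# Constructed sample profile records for illustration only (not CERT/CC data).
SAMPLE_INCIDENTS = [
    Incident(date(2000, 6, 26), date(2000, 6, 28), (53,), "DNS", "LX", "edu", "Disclosure"),
    Incident(date(2000, 7, 3), date(2000, 7, 12), (80, 443), "HTTP", "NT", "com", "Distort"),
    Incident(date(2000, 7, 4), date(2000, 7, 5), (80,), "HTTP", "So", "gov", "Disrupt"),
    Incident(date(2000, 7, 5), date(2000, 7, 6), (21,), "FTP", "LX", "isp", "Disclosure"),
    Incident(date(2000, 7, 28), date(2000, 8, 2), (111, 32771), "RPC", "So", "edu", "Disclosure"),
    Incident(date(2000, 8, 1), date(2000, 8, 1), (6667,), "IRC", "LX", "user", "Deception"),
    Incident(date(2000, 9, 4), date(2000, 9, 6), (53, 111), "DNS", "So", "gov", "Disrupt"),
    Incident(date(2000, 9, 5), date(2000, 9, 5), (80,), "HTTP", "NT", "fin", "Destruct"),
]

# Calendar of candidate drivers. The US holidays are real 2000 dates; the DefCon
# entry is an assumed date used only for this example.
DRIVERS = {
    date(2000, 7, 4): "Independence Day",
    date(2000, 7, 28): "DefCon",
    date(2000, 9, 4): "Labor Day",
}


def week_start(d: date) -> date:
    """Saturday that begins the week containing d (the slides bin weeks as 6/24, 7/1, ...)."""
    return d - timedelta(days=(d.weekday() - 5) % 7)


def weeks_active(inc: Incident) -> Iterator[date]:
    """Every weekly bin in which the incident was open; long incidents carry over."""
    w, last = week_start(inc.opened), week_start(inc.closed)
    while w <= last:
        yield w
        w += timedelta(days=7)


def months_active(inc: Incident) -> Iterator[tuple]:
    """Every (year, month) bin in which the incident was open."""
    y, m = inc.opened.year, inc.opened.month
    while (y, m) <= (inc.closed.year, inc.closed.month):
        yield (y, m)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def weekly_counts(incidents: Iterable[Incident],
                  key: Callable[[Incident], str] = lambda inc: "all") -> Counter:
    """Incidents per (week_start, key) bin; key selects the breakdown (target, os, impact)."""
    counts: Counter = Counter()
    for inc in incidents:
        for w in weeks_active(inc):
            counts[(w, key(inc))] += 1
    return counts


def monthly_counts(incidents: Iterable[Incident],
                   key: Callable[[Incident], str] = lambda inc: "all") -> Counter:
    """Incidents per ((year, month), key) bin; a carried-over incident counts in each month."""
    counts: Counter = Counter()
    for inc in incidents:
        for ym in months_active(inc):
            counts[(ym, key(inc))] += 1
    return counts


def weekly_port_diversity(incidents: Iterable[Incident]) -> dict:
    """Distinct ports seen per week (the 'diversity of ports' trend on the slides)."""
    seen = defaultdict(set)
    for inc in incidents:
        for w in weeks_active(inc):
            seen[w].update(inc.ports)
    return {w: len(ports) for w, ports in seen.items()}


def spike_weeks(incidents: Iterable[Incident], drivers: dict, factor: float = 1.5) -> dict:
    """Weeks whose count is at least `factor` times the mean over active weeks, each mapped
    to the known drivers falling inside that week (an empty list means no known driver)."""
    totals = Counter(w for inc in incidents for w in weeks_active(inc))
    threshold = factor * mean(list(totals.values()))
    return {
        w: [name for d, name in drivers.items() if week_start(d) == w]
        for w, n in totals.items() if n >= threshold
    }


if __name__ == "__main__":
    for (w, sector), n in sorted(weekly_counts(SAMPLE_INCIDENTS, lambda i: i.target).items()):
        print(f"{w}  {sector:5s} {n}")
    print("port diversity:", weekly_port_diversity(SAMPLE_INCIDENTS))
    print("spikes:", spike_weeks(SAMPLE_INCIDENTS, DRIVERS))
```

The `key` argument is what turns one record set into each of the slide breakdowns (`lambda i: i.target`, `lambda i: i.os`, `lambda i: i.impact`) without re-binning. Counting an incident in every week or month it was open is deliberate and matches the slide's note that incidents carry over between months; if you want opened-date counts instead, bin on `inc.opened` only. The spike rule is a placeholder for whatever baseline the analyst trusts; the point is that a flagged week is only a lead until a driver (holiday, advisory, toolkit release, conference) is checked against it.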
Operational Intelligence Analysis
• Overlaps with Tactical Analysis
• Technical assessments of intrusion methods
• Specific investigation of intruders
• Identification of vulnerabilities to support mitigation
• Attribution
Example: Signed Defacement
Defaced Health-care web site in India
"This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat.
Post-dates activity by Pakistani Hackers Club
Level of activity is not significant
Claim of identity may be significant
Example: Coordinated Automated Attack
[Diagram (labels only): Probe, Victim, Compromise & Coopt, Probe, Victim2, Identity]
• Remote, fast-acting
• Adapts existing tools
• Limited deployment
• Sophisticated reporters
A Problem Too Big
Cannot remain technical specialty
Cannot remain localized activity
Cannot remain responsive to incidents
Cannot remain centrally controlled or performed
Distributed, ongoing, multifaceted problem demands distributed, ongoing, multifaceted strategy
Cyber Intelligence Products
Fused analysis reports
Demographics and situational awareness
In-depth studies
Technology of intelligence
For Further Contact
24-hour hotline: +1 412 268 7090
FAX: +1 412 268 6989
Email: Tim Shimeall - [email protected] - [email protected]
Direct voice: +1 412 268 7611
US mail: CERT Analysis Center, Software Engineering Institute
Carnegie Mellon University, 4500 Fifth Avenue
Pittsburgh, PA 15213-3890 USA