Cyber Adversary Characterization: Auditing the Hacker Mind
Tom Parker, Matthew G. Devost, Marcus H. Sachs, Eric Shaw, Ed Stroz
Author
Tom Parker is one of Britain’s most prolific security consultants. Alongside providing integral security services for some of the world’s largest organizations, Tom is widely known for his vulnerability research on a wide range of platforms and commercial products. His more recent technical work includes the development of an embedded operating system, a media management system and cryptographic code for use on digital video band (DVB) routers deployed on the networks of hundreds of large organizations around the globe. In 1999, Tom helped form Global InterSec LLC, playing a leading role in developing key relationships between GIS and public and private sector security companies. Tom has spent much of the last few years researching methodologies aimed at characterizing adversarial capabilities and motivations against live, mission-critical assets. He also helps identify adversarial attribution in the unfortunate times when incidents do occur. Currently working as a security consultant for NetSEC, a provider of managed and professional security services, Tom continues to research practical ways for large organizations to manage the ever-growing cost of security by identifying where the real threats exist.
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Contents
Preface . . . xiii
Foreword by Jeff Moss . . . xxvii
Chapter 1 Introduction
Cyber Adversary Characterization . . . 2
Case Study 1: A First-Person Account from Kevin D. Mitnick, “I Put My Freedom on the Line for Sheer Entertainment …” . . . 4
Case Study 2: Insider Lessons Learned
Cyber Terrorist: A Media Buzzword? . . . 8
Failures of Existing Models . . . 12
High Data Quantities . . . 13
Data Relevancy Issues . . . 13
Characterization Types . . . 14
Theoretical Characterization . . . 15
Post-Incident Characterization . . . 16
Introduction to Characterization Theory . . . 17
Chapter 2 Theoretical Characterization Metrics
Introduction . . . 20
The Adversary Object Matrix . . . 21
Adversary Property Relationships . . . 23
Environment Property to Attacker Property . . . 23
Attacker Property to Target Property . . . 24
Other (Conditional) Adversarial Property Relationships . . . 24
The Adversary Model—“Adversary Environment Properties” . . . 25
Political and Cultural Impacts . . . 25
Nothing to Lose—Motivational Impacts on Attack Variables . . . 28
Associations and Intelligence Sources . . . 31
Environment Property/Attacker Property Observable Impacts . . . 33
Adversarial Group, not “Hacker Group”! . . . 34
The Adversary Model—“Attacker Properties” . . . 37
Resources Object . . . 38
The Time Element . . . 39
Skills/Knowledge Element . . . 39
“You Use It—You Lose It” . . . 39
Finance Element . . . 40
Initial Access Element . . . 40
Inhibitor Object . . . 41
Payoff/Impact Given Success (I/S) . . . 41
Perceived Probability of Success Given an Attempt (p(S)/A) . . . 42
Perceived Probability of Detection Given an Attempt (p(d)/A) . . . 42
Perceived Probability of Attribution (of Adversary) Given Detection (p(A)/d) . . . 43
Perceived Consequences to Adversary Given Detection and Attribution (C/(d)) . . . 44
Adversary Uncertainty Given the Attack Parameters (U/{P}) . . . 45
Driver/Motivator Object . . . 45
Payoff/Impact Given Success (I/S) . . . 46
Perceived Probability of Success Given an Attempt (p(S)/A) . . . 46
Summary . . . 48
Chapter 3 Disclosure and the Cyber Food Chain
Introduction . . . 50
Vulnerability Disclosure and the Cyber Adversary . . . 50
“Free For All”: Full Disclosure . . . 51
“This Process Takes Time” . . . 53
Disclosure Attack Capability and Consideration . . . 53
Probability of Success Given an Attempt . . . 55
Probability of Detection Given an Attempt . . . 56
“Symmetric” Full Disclosure . . . 56
Responsible Restricted “Need to Know” Disclosure . . . 58
Responsible, Partial Disclosure and Attack Inhibition Considerations . . . 59
“Responsible” Full Disclosure . . . 60
Responsible, Full Disclosure Capability and Attack Inhibition Considerations . . . 61
Security Firm “Value Added” Disclosure Model . . . 62
Value-Add Disclosure Model Capability and Attack Inhibition Considerations . . . 63
Non-Disclosure . . . 65
The Vulnerability Disclosure Pyramid Metric . . . 66
Pyramid Metric Capability and Attack Inhibition . . . 67
Pyramid Metric and Capability: A Composite Picture Pyramid . . . 68
Comparison of Mean Inhibitor Object Element Values . . . 71
The Disclosure Food Chain . . . 72
Security Advisories and Misinformation . . . 73
Summary . . . 76
Chapter 4 Rating the Attack: Post-Incident Characterization Metrics
Introduction: Theoretical Crossover and the Attack Point Scoring Systems . . . 78
The Source of the Problem . . . 78
Variables of Attack Tools to Consider . . . 80
Tool-Scoring Metrics . . . 80
Attack Tool-Scoring Metrics Alone Are Not an Accurate Measure of Capability . . . 81
The Ease With Which an Attack Tool Is Used . . . 82
Types of Technical Ability or Skill . . . 82
Technical Ability/Skill Levels . . . 83
The Availability of an Attack Tool . . . 83
Nontechnical Skill-Related Prerequisites . . . 84
Common Types of Attack Tools . . . 84
Mass Rooters . . . 84
Typical Skill Level Required . . . 85
The Availability of the Attack Tool . . . 85
Nontechnical Skill Prerequisites . . . 86
Adversary Profile . . . 86
Port-Scanning Tools . . . 86
Typical Skill Level Required . . . 87
The Availability of the Attack Tool . . . 87
Adversary Profile . . . 87
Operating System Enumeration Tools . . . 87
Typical Skill Level Required . . . 88
The Availability of the Attack Tool . . . 88
Adversary Profile . . . 88
Software Exploits . . . 89
The Ease With Which the Attack Tool Is Used . . . 90
The Availability of the Attack Tool . . . 90
Adversary Profile . . . 90
Commercial Attack Tools . . . 90
Typical Skill Levels Required . . . 91
The Availability of the Attack Tool . . . 91
Adversary Profile . . . 91
Caveats of Attack Tool Metrics . . . 91
Attack Technique Variables . . . 92
Nontechnological Resources Required . . . 92
The Distribution Level of the Attack Technique . . . 92
Any Attack Inhibitors Reduced Through the Use of the Attack Technique . . . 93
The Ease With Which the Attack Technique Is Implemented . . . 94
Technique-Scoring Metrics . . . 94
Common Types of Attack Techniques . . . 95
Network Service and Vulnerability Enumeration Techniques . . . 95
Common Technique Differentiators . . . 95
Operating System Enumeration Techniques . . . 98
Natural-Cover OS Enumeration . . . 98
Nonpassive OS Enumeration . . . 98
Technique Differentiators . . . 99
Automated and Mass-Exploitation Techniques . . . 99
Technique Differentiators . . . 99
Automated Agent Attitude to Attack Inhibitor Deductions . . . 100
Perceived Probability of Detection Given Attempt . . . 100
Perceived Probability of Attribution Given Detection . . . 101
Web Application Exploitation Techniques . . . 101
Technique Differentiators . . . 102
Additional Attack Scoring Examples . . . 103
Caveats: Attack Behavior Masquerading . . . 104
Summary . . . 105
Chapter 5 Asset Threat Characterization
Introduction . . . 108
The Target Property . . . 109
Who Cares About Your Systems Today? . . . 110
Attack Preference Tables . . . 110
Target Properties: Attack Driver and Inhibitor Influence . . . 111
Target Environment Property Influences . . . 111
Geographical and Physical Location . . . 111
Target Owners and Defenders . . . 113
Target Technical Property Influences . . . 115
Information System Software and Operating System(s) . . . 115
The Asset Threat Characterization . . . 116
Preparing for the Characterization . . . 116
Identifying What’s Relevant to You . . . 118
Different Targets Mean Different Adversaries . . . 118
Different Targets Mean Different Motivations . . . 119
Different Assets Mean Different Skill Sets . . . 119
Waiter, There’s a Fly in My Attack Soup! . . . 121
Attacking Positive Attack Inhibitors . . . 122
Fictional Asset Threat Characterization Case Study . . . 122
Does a Real Threat Exist? . . . 123
Influences on Attack Inhibitors Through Variables in Environment Profile #1 . . . 124
Influences on Attack Drivers Through Variables in Environment Profile #1 . . . 125
Influences on Attack Drivers Through Variables in Environment Profile #2 . . . 127
Influences on Attack Drivers Through Variables in Environment Profile #3 . . . 130
Case Study Conclusions . . . 131
Summary . . . 136
Chapter 6 Bringing It All Together: Completing the Cyber Adversary Model
Introduction . . . 138
Intermetric Component Relationships . . . 138
Filling in the Blanks . . . 138
Internet Metric Relationship Result Reliability Calculations . . . 141
Summary . . . 143
Chapter 7 WarmTouch: Assessing the Insider Threat and Relationship Management
Introduction . . . 146
The Challenges of Detecting the Insider Threat . . . 146
An Approach to the Insider Problem . . . 148
Case Illustrations . . . 149
Case 1: Detecting Insider Risk and Deception—A Bank Systems Administrator . . . 149
Case 2: Robert Hanssen at the FBI . . . 153
Case 3: Identifying the Source of Anonymous Threats—Are They from the Same Author? . . . 157
Case 4: Extortion Attempt by a Russian Hacker Against Bloomberg Financial . . . 158
Case 5: Monitoring a Cyber Stalker . . . 161
Case 6: Relationship Management . . . 163
Summary . . . 168
References . . . 169
Footnote . . . 170
Chapter 8 Managing the Insider Threat
Introduction: Setting the Stage . . . 172
Prevention . . . 176
Screening and Its Weaknesses . . . 176
Hire A Hacker? . . . 178
Education and Prevention . . . 179
Effective Policies and Practices . . . 180
Persuasive Components . . . 180
Real-World Cases . . . 182
Detection . . . 184
Detection Challenges . . . 184
Detection Challenges Along the Critical Pathway . . . 184
At-Risk Characteristics . . . 185
The Next Step on the Critical Pathway: Personal and Professional Stressors . . . 188
Maladaptive Emotional and Behavioral Reactions . . . 190
Detection Delays . . . 190
Subject Escalation . . . 191
Detection Indicators and Challenges by Subject Subtype . . . 193
Insider Case Management . . . 199
Summary . . . 203
References . . . 203
Chapter 9 The Cyber Adversary in Groups: Targeting Nations’ Critical Infrastructures
Introduction . . . 206
Historical Context . . . 208
The General Public and the Internet . . . 209
Increasing Threats and Vulnerabilities . . . 210
Critical Infrastructure Vulnerabilities . . . 212
Terrorist Attacks of September 2001 . . . 214
Eligible Receiver and Solar Sunrise . . . 216
New Organizations and New Discoveries . . . 218
Identifying and Characterizing the Cyber Threat . . . 220
Nation States . . . 222
Terrorists . . . 223
Espionage . . . 223
Organized Crime . . . 224
Insiders . . . 225
Hackers . . . 226
Summary . . . 228
Chapter 10 Characterizing the Extremes—Terrorists and Nation States
Introduction . . . 232
The Nation State Cyber Adversary . . . 232
Nation State Cyber Adversary Attractors . . . 233
Low Cost . . . 233
Timely and Not Location Specific . . . 233
Anonymity . . . 234
Minimal Loss of Human Life . . . 234
First Strike Advantage . . . 235
Offensive Nature of Information Warfare . . . 236
Nation State Cyber Adversary Deterrents . . . 236
Economic Interdependence . . . 236
Fear of Escalation . . . 238
Qualifying the Nation State Threat . . . 239
China . . . 239
Russia . . . 240
Other Nation States . . . 241
International Terrorists and Rogue Nations . . . 241
Single-Issue Terrorist Organizations/Hacktivists . . . 246
The Al Qaeda Threat—Kill With a Borrowed Sword . . . 249
Direct Compromise . . . 250
Indirect Compromise . . . 251
Compromise Via a Customized Attack Tool . . . 252
Physical Insider Placement . . . 253
Data Interception/Sniffing/Info Gathering . . . 254
Malicious Code . . . 254
Denial of Service Code . . . 255
Distributed Denial of Service . . . 255
Directed Energy . . . 256
Physical Threats to Information Technology Systems . . . 256
Differentiation of the Cyber Terrorist Adversary . . . 257
Summary . . . 259
Footnotes and References . . . 260
Chapter 11 Conclusions
A Look Back . . . 264
Kevin D. Mitnick: Attack, Weighed and Measured! . . . 264
Kevin’s Environment Property Examined . . . 264
Environment Property Influences on Attacker Resources Object . . . 265
Initial Target Reconnaissance . . . 265
Acquisition of the DEC VAX/VMS Update Tape . . . 266
Modification of the VAX/VMS Update Tapes . . . 266
Delivery of the DEC Update Tapes . . . 267
Environment Property Influences on Attacker Inhibitor & Driver Object(s) . . . 268
Perceived Probability of Detection Given Attempt . . . 268
Perceived Probability of Attribution Given Detection . . . 269
Perceived Probability of Success . . . 269
Summary . . . 270
And Now for Something a Little Different! . . . 270
Chapter 12 Return on Investment
Playing the Market . . . 273
Information Leakage at the Packet Level . . . 274
Corrupted by Greed . . . 277
Revenge of the Nerd . . . 278
A Lead from Las Vegas . . . 280
The Call of Opportunity . . . 281
Initial Reconnaissance . . . 282
Shrax: The Ultimate Rootkit . . . 284
Throwaway Account . . . 288
Seeking the Prize . . . 293
Hacking .MIL . . . 298
Triumph and New Toys . . . 302
Endnotes . . . 303
Aftermath…The Investigation Continues . . . 304
Final Words . . . 309
Acknowledgements . . . 310
Glossary . . . 311
Index . . . 313