Cyberterrorism

Tim Shimeall, Ph.D.


CERT Centers, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
SEI is sponsored by the U.S. Department of Defense
© 2002 by Carnegie Mellon University
CoC - page 1

Overview
- Introduction
- Definitions
- Examples
- Observations
- Summary

A Different Internet
- Armies may cease to march
- Stock may lose a hundred points
- Businesses may be bankrupted
- Individuals may lose their social identity
- Threats not from novice teenagers, but purposeful military, political, and criminal organizations

Cyber Threats
Out-of-the-box Linux PC hooked to Internet, not announced:
- [30 seconds] First service probes/scans detected
- [1 hour] First compromise attempts detected
- [12 hours] PC fully compromised:
  - Administrative access obtained
  - Event logging selectively disabled
  - System software modified to suit intruder
  - Attack software installed
  - PC actively probing for new hosts to intrude
Clear the disk and try again!

Attack Sophistication vs. Intruder Technical Knowledge

[Figure: two curves, Intruder Knowledge and Attack Sophistication, plotted from Low to High over 1980, 1985, 1990, 1995, 2000. Column labels: Intruders, Tools, Staged, Auto Coordinated. Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, network mgmt. diagnostics, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, distributed attack tools, stealth / advanced scanning techniques, cross site scripting.]

Vulnerability Exploit Cycle

[Figure: cycle diagram with the following stages, which repeat:]
- Advanced Intruders Discover New Vulnerability
- Crude Exploit Tools Distributed
- Novice Intruders Use Crude Exploit Tools
- Automated Scanning/Exploit Tools Developed
- Widespread Use of Automated Scanning/Exploit Tools
- Intruders Begin Using New Types of Exploits

Definitions
- Cyberterror: The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.
- Cyber-utilization: The use of on-line networks or data by terrorist organizations for supportive purposes.
- Cybercrime: The deliberate misuse of digital data or information flows.

Sophistication of Cybercrime
- Simple Unstructured: Individuals or groups working with little structure, forethought or preparation
- Advanced Structured: Groups working with some structure, but little forethought or preparation
- Complex Coordinated: Groups working with advance preparation with specific targets and objectives

Example: Zapatista Cyberstrike
- Mid-1990s rebellion in Mexico
- Military situation strongly favored Mexican Army
- Agents of influence circulated rumors of Peso instability
- Peso crash forced government to negotiating table
- Compounded by intrusions into Mexican logistics

Example: Signed Defacement
- Defaced health-care web site in India
  - "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat
- Post-dates activity by Pakistani Hackers Club
- Linked to G-Force Pakistan
- Part of larger pattern of influenced hacker activity (3Q99 - 4Q01)
  - Differing expertise
  - Multiple actors/teams
  - Transnational collaborations

Pakistani/Indian Defacements

[Figure: defacements over time, quarterly ticks 10/99, 1/00, 4/00, 7/00, 10/00, 1/01, 4/01; vertical axis "More"; defacements classified from Juvenile to Well written; legend: No mention of terrorist organizations / Mentions terrorist organizations.]

Cyber Trends
CERT/CC Year 2000 - 21,756 Incidents
- 16,129 Probes/Scans
- 2,912 Information Requests
- 261 Hoaxes, false alarms, vul reports, unknown
- 2,454 Incidents with substantive impact on target
Profiled 851 incidents, all active during July-Oct 2000 (plus some preliminary June data; profiling work is ongoing)
Many different dimensions for analysis and trend generation (analysis work is ongoing)

Immediate Data Observations
- Seasonal trend of incidents per month (some incidents carry over between months)
- Varying diversity of ports used in incidents
- Shifts in services used in incidents
- Shifts in operating systems involved in incidents
- Generic attack tools adapted to specific targets

[Figure: Incidents Active, incidents per month, Jun-00 to Feb-01, y-axis 0 to 600.]
[Figure: Ports in Incidents, ports per month, Jun-00 to Feb-01, y-axis 0 to 100.]

Weekly Incidents by Target

[Figure: stacked weekly incident counts, 6/24/00 to 2/17/01, y-axis 0 to 100; legend: com, gov, edu, intl, user, isp, org, fin, k12, misc, other.]

Weekly Incidents by OS

[Figure: stacked weekly incident counts, 6/24/00 to 2/17/01, y-axis 0 to 100; legend: unknown, LX, NT, SO, UN, IR, MO, Other, misc.]

Weekly Incidents by Impact

[Figure: stacked weekly incident counts, 6/24/00 to 2/17/01, y-axis 0 to 100; legend: Disrupt, Distort, Disclosure, Destruct, Deception, Unknown.]
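The weekly profiles above group incidents by target sector and by impact, and the data slide notes that some incidents carry over between months. One way to build such a profile is to count an incident in every weekly bucket it was active in. The Python below is an added example, not CERT/CC code or data: it uses the legend values from the charts, folds off-legend values into a catch-all bucket, and assumes a Saturday week anchor to match the 6/24/00, 7/1/00 ticks; the records are constructed.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Legend values from the "Weekly Incidents by Target" and "by Impact" charts.
# Anything off-legend is folded into a catch-all bucket rather than dropped.
SECTORS = {"com", "gov", "edu", "intl", "user", "isp", "org", "fin", "k12", "misc"}
IMPACTS = {"disrupt", "distort", "disclosure", "destruct", "deception"}


def week_start(d):
    """Saturday-anchored week bucket (assumption: matches the 6/24/00, 7/1/00 ... ticks)."""
    return d - timedelta(days=(d.weekday() + 2) % 7)


def active_weeks(start, end):
    """Yield every week bucket an incident was active in, both ends inclusive.
    An incident open across a month boundary lands in weeks of both months,
    which is how "carry over between months" is handled here."""
    if end < start:
        raise ValueError("incident ends before it starts")
    w, last = week_start(start), week_start(end)
    while w <= last:
        yield w
        w += timedelta(days=7)


def weekly_counts(incidents, field):
    """Return {week-start ISO date: {category: count}} for one profiling dimension."""
    table = defaultdict(Counter)
    for inc in incidents:
        label = inc.get(field, "unknown").lower()
        if field == "sector" and label not in SECTORS:
            label = "other"
        elif field == "impact" and label not in IMPACTS:
            label = "unknown"
        for w in active_weeks(inc["start"], inc["end"]):
            table[w.isoformat()][label] += 1
    return {w: dict(c) for w, c in sorted(table.items())}


# Constructed sample records (not CERT/CC data).
SAMPLE = [
    {"id": "A", "start": date(2000, 6, 26), "end": date(2000, 6, 28),
     "sector": "edu", "impact": "disclosure"},
    {"id": "B", "start": date(2000, 6, 30), "end": date(2000, 7, 5),   # crosses Jun/Jul
     "sector": "com", "impact": "disrupt"},
    {"id": "C", "start": date(2000, 7, 3), "end": date(2000, 7, 3),    # off-legend labels
     "sector": "mil", "impact": "defacement"},
]

if __name__ == "__main__":
    for dim in ("sector", "impact"):
        print(dim, weekly_counts(SAMPLE, dim))
```

Record B is counted in both the 2000-06-24 and 2000-07-01 weeks, which is the double counting the slide's carry-over remark refers to when monthly totals are summed from weekly ones.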

Socio-Political Activity

[Figure: weekly incident counts, 6/24/00 to 2/17/01, y-axis 0 to 100, with a Best Fit trend line; events marked on the timeline: Conventions, Debates, Campaign, Election, Controversy, Holidays, Inauguration.]

Summary
- Majority of on-line threat is cybercrime
- Cyberterror is still emerging
- Evolving threat
  - Integrating critical missions with general Internet
  - Increasing damage/speed of attacks
  - Continued vulnerability of off-the-shelf software
- Much confusion of descriptions and definitions
- Widely viewed as critical weakness of Western nations
