
Document information

Title: Information Warfare Security Essentials
Author: Dr. Ivan Goldberg, Eric Hrovat
Institution: SANS Institute
Subject: Information Warfare
Type: lecture
Year published: 2001
Pages: 42
Size: 620.61 KB


Slide 1

Information Assurance Foundations - SANS ©2001

Information Warfare
Security Essentials, The SANS Institute

"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this module we will consider what warfare means in the context of today's information systems and networks. We will see that the fundamental principles of warfare, known for thousands of years, are still relevant on today's new battleground.

Slide 2

Slide 3

What is Information Warfare?

"Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries." - Dr Ivan Goldberg

We start our discussion with a definition of information warfare. The definition above simply maps our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of computers and networks. This definition has been provided by Dr Ivan Goldberg, who leads the "Institute for the Advanced Study of Information Warfare". The institute's website has a number of white papers and reports on information warfare topics:

http://www.psycom.net/iwar.1.html

Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information Warfare: The Unconventional Art in a Digital World" published by SANS:

http://rr.sans.org/infowar/infowar.php

Slide 4

Examples of Information Warfare

• A company breaking into a competitor's computer system to find out their list of customers
• An R&D company putting false information about research on their web site to mislead the competition
• A foreign government stealing tapes containing classified information

There are many possible forms of information warfare; the slide above provides three examples. Any time someone uses information as a weapon against an adversary, that is information warfare. The distinguishing factors are only how the information is obtained, how it is used, and to what effect.

We consider theft of information a form of information warfare, but the most critical issue is how the stolen information is used against its rightful owner. In terms of the examples, a company that discovers a list of its competitor's customers might send false or misleading information to those customers, might market to them specifically, or might simply see to it that the customers are harassed by telemarketers and spam (so the recipients think that the company they trusted released their information without permission).

A foreign government stealing classified backup tapes might be able to discover detailed technical information concerning the capabilities of its adversary's weapons, or might obtain documents detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are endless.

A startup tech company that has a next-generation product to release might post information stating that its product will not be ready for several months. Such a posting might lull the company's competitors into a false sense of not needing to hurry their own development cycles. When the startup releases its product months earlier than advertised, the competition is caught flat-footed.

Slide 5

Key Points From the Examples

• Information Warfare can be:
  – Theft
  – Deception
  – Sabotage
• Does not have to be technical or

weaknesses and attack those first and most vigorously. For example, sometimes social engineering or packet flooding attacks most effectively accomplish an attacker's goals, but neither of these attacks requires any sophisticated technical skills.

Slide 6

Why is it Important?

• Affects all governments and companies, and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities

In today's world, information warfare impacts everyone, whether they own a computer or not. Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit histories, undeserved criminal records, misassigned debt and liability, false healthcare documents, and more. Most people and organizations are not fully aware of the risks that surround them, although the results of an attack can be devastating.

Because each organization is different, there is no "one size fits all" defense system. The only way to design a good defense is to understand the offensive tactics used by attackers, and to understand the defensive tactics and tools available to us. We will explore both offensive and defensive tactics in this module, and see how (fortunately) a few basic principles can be applied across a large number of situations. Interestingly, our most useful principles come not from information theory, but from a compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War". These strategies are as relevant today as when they were first written.

Slide 7

How Dangerous is it Really?

A few facts from the Honeynet project concerning break-ins between April and December 2000:

• Seven default Red Hat 6.2 servers were attacked within 3 days of connecting to the net
• Fastest time for any server to be compromised was 15 minutes from first connection to the net
• Default Win98 box compromised in less than 24 hours from first connection, and compromised another four times in the next three days

But let's back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet today? Are there really that many "evil-doers" out to do me ill when I connect to the internet? Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of honeypots running all different operating systems) recently reported some statistics concerning the rate of break-ins to their small network over a period of 9 months. The full information concerning the stats above is quoted from the paper below:

http://project.honeynet.org/papers/stats/

• Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot we ever set up, in March of 1999.

• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty-four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.

These facts (and other information in the paper) demonstrate the hostility of today's networks even to a simple home user. Even "grandma" needs to be aware of the dangers of the online environment today. As an example, consider that many of us use home computers to fill out year-end income tax forms. An attacker able to access that information would know enough to cause significant problems. Today's networks are infested with worms and automated attack programs that relentlessly seek out and compromise vulnerable computers, reporting back to a human only after accomplishing a successful compromise. Companies and governments must be secured against these threats, as well as against more sophisticated attackers specifically targeting their organization.

Slide 8

How Would you be Impacted?

• Consider the following scenario:
  – You go into work tomorrow and all of your computers are gone and there is no internet connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated backups? Is there a restore process?
• Could your organization survive the loss?

Is your organization prepared for an attack, either from the internet or from a natural disaster or terrorist act? Part of information warfare is planning for the worst and having a recovery plan in place. Many of us would be in a lot of trouble if a particular building burned down, for example, that building being the one holding the primary information and all of its backup copies. The September 11th tragedy demonstrated how critical backups can be to a company's survival.

When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that spreads rapidly but remains undetected because it does not do anything observable. The virus infects several computers, but because it is not detected, the virus program is copied onto the backup tapes along with legitimate information. Time passes. Ten months later the virus' payload goes into action and starts destroying files and laying waste to operating systems. You think, no problem, I've got backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?

Do you have insurance against information loss? A recent Information Week article (January 2, 2002) explains how many insurance providers have decided to exclude online assets and terrorism-related damages from their IT policy offerings:

http://www.informationweek.com/story/IWK20020102S0004

Slide 9

Threats

• Internal threats
  – Employees
  – Contractors
  – Visitors
• External threats
  – Anyone connected to the internet

The threat to a company could really be anything. Threats are typically broken down into internal and external threats. Internal threats are attacks launched by employees, contractors, or even visitors to your facility. External threats could really be anyone that is connected to the internet. Threats can also range from intentional to unintentional events. Unintentional events, like floods or fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt the company, the net result is the same. Therefore it is important to understand and react to all possible threats posed to your company.

Slide 10

Offensive Tactics

• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or livelihood
• Providing false information in order to deceive, mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)

Let us begin our consideration of information warfare concepts by looking at the offensive side of the game. Defensive strategies will be covered later.

The slide above lists several common ways information can be involved in an attack against an organization or individual. At first glance it may seem that these attack methods are specific to the information age. In the next few slides we will take a closer look at several of the specific tactics and show that the concepts behind them have been well known to warriors for centuries.

Slide 11

Public but Sensitive Information

"It is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door keepers and sentries of the general in command." - Sun Tzu

• There are many sources of information

is an important first step in warfare. Things haven't changed very much.

Given today's internet, it is possible for an attacker to find out a great deal about an adversary without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual or a company, internet white page directories can provide names, addresses, phone numbers, street maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit history databases without too much trouble. A google.com search for an individual's email address can provide links to newsgroup postings which contain information about the individual's interests, habits, friends, employer, etc. Information-rich messages posted to security mailing lists, such as "I work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is backdoored", can be very useful.

In addition, companies love giving out information to help fuel growth, but often fail to realize the negative impact that information could have on the company. For example, an ISP who just built a new network wants to advertise it to help get additional business, so they issue a press release that describes their new computers: what brand, what operating systems, what versions, etc. An attacker can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a company that posts a list of employee names provides an attacker with information useful in username/password guessing attacks.

Public databases can also provide a wealth of information. For example, publicly traded companies are required to disclose certain information to the SEC. The SEC information is posted online in the EDGAR database. These documents could be used to obtain the names of key executives, which could be used in social engineering attacks.

Another common practice is for attackers to notice that a merger or acquisition has taken place, and capitalize on the ensuing organizational confusion. For example, let's say our attacker's desired target XYZ has recently acquired Acme Widgets Inc., and the two companies' technologies are being integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company directory) and says that he is from Acme Widgets and that Executive So-And-So (name obtained from EDGAR) wanted him to call to get the latest product specifications and development timelines.

Slide 12

Stealing Confidential Information

"Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success." - Sun Tzu

• Espionage is a real problem
• Many foreign governments have admitted to launching corporate espionage attacks against US companies to give their local companies a competitive advantage.

A critical part of warfare, information or otherwise, lies in discovering the enemy's plans. Sun Tzu notes that even a strong adversary can be crushed if his plans are known in advance. Online espionage is the modern embodiment of this tactic, and it works as well today as ever.

One legal method of performing corporate intelligence gathering is to get the employees talking. A recent news article describes how today's corporate spies rely heavily on forming online friendships with target employees to gain information. According to one corporate intelligence professional, 85 percent of people will share sensitive information about themselves and their companies with perfect strangers. The statistic is calculated based on the results of 78,000 recorded conversations with people worldwide.

Further, companies have been known to hire agents to sit next to traveling executives on planes, where they can read business information over the executive's shoulder, or engage in seemingly innocent chit-chat. Experience has shown that executives are particularly vulnerable to questions from brainless admirers.

http://www.al.com/news/huntsville/Apr2000/30-e27547.html

And of course the true hack-in-and-steal-something method is wildly popular. For example, the articles linked below describe an incident where attackers stole source code from Microsoft in October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial espionage".

http://news.zdnet.co.uk/story/0,,s2082221,00.html

http://news.cnet.com/news/0-1005-200-3308084.html

Interestingly, two of the main concerns in the Microsoft incident were that the attackers would implant backdoors in the Windows source code (they had access to the data for three months), and that the attackers would analyze the source code and discover vulnerabilities that no one else knows about. Other concerns included the notion that a rival company might try to market the stolen software as their own, or use the proprietary algorithmic and programming techniques to advance their own products. These concerns illustrate a few of the dangers of proprietary information theft.

Slide 13

False Information

"All warfare is based on deception. The one who is skillful maintains deceitful appearances, according to which the enemy will act." - Sun Tzu

• If you know someone is watching you, why not give them misleading information?
  – False press releases
  – False company information
  – False server banners

This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the false information to influence their actions to our advantage. For example, a company might "leak" the fact that it is going to submit a proposal for a particular job at the price of $5 million. The competition, upon hearing this information, decides to bid $4.5 million. When the original company actually bids $4 million (instead of the "leaked" $5 million figure), the spying competitor finds itself underbid.

As another example of misinformation in the information age, consider the case of an attacker who fabricated a false press release that led to a publicly traded company temporarily losing more than $2 billion in market value. The bogus press release was submitted via email to InternetWire and picked up and distributed by a number of major news organizations. The press release stated that the company in question (Emulex) was under investigation by the SEC, had revised its latest earnings reports to show a loss instead of a profit, and was losing its CEO. The result was that investors started to dump the company's stock en masse, sending Emulex's stock plummeting as much as 62%. The company lost as much as $2.5 billion in market value before the fraud was discovered and Nasdaq halted its trading.

http://www.usdoj.gov/criminal/cybercrime/emulex.htm

http://www.ecommercetimes.com/perl/story/4426.html

In general, the misinformation strategy is quite interesting and complex. The complexities arise as in any other lie: how to lie to some people while telling the truth to others, and keep it all straight? An organization employing these methods can easily lose control, or become liable for damages resulting from the false statements. The techniques can be quite effective, however.

Slide 14

Honeypots

"Learn the principle of the enemy's activity or inactivity. Force him to reveal himself. By holding out advantages to him, cause him to approach of his own accord." - Sun Tzu

• Honeypots are sacrificial computers, purposely left vulnerable
• The computers are carefully instrumented to record attackers' actions and gather copies of the tools they use

Another example of deception in information warfare is the use of honeypots. The idea of a honeypot is twofold.

First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow attackers to break in and then watch what they do. By observing what files they look for we may be able to guess what they are after, and by watching the tools they use we gain an idea of their capabilities and methods of operation. For example, if the attacker exploits an MS SQL Server vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners.

Second, honeypots can provide a way of diverting an attacker's attention away from critical systems for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit", that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy too: "Sacrifice something, that the enemy may snatch at it."

Slide 15

Denial of Service Attacks

"So in war, the way is to avoid what is strong and strike at what is weak." - Sun Tzu

• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image

Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a Canadian teenager in February of 2000, resulting in an estimated total loss of $1.7 billion to several US companies. The attacker, known as "mafiaboy", flooded the webservers of eBay, Dell, Amazon, and Yahoo (among others) with meaningless traffic in order to overload the target networks and prevent the servers from responding to legitimate requests. Because each of the targeted organizations relies heavily on its internet presence as a source of revenue, Mafiaboy's Denial of Service attack was quite damaging.

A news article on the topic:

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1541000/1541252.stm

The important thing to take away from the example is that Mafiaboy didn't need any sophisticated technical skills to wage these attacks. In fact, the tools he used and others like them are publicly available on many websites. These tools do not take any special skills to run.

On the other hand, the sites that were attacked all employ heavy security and would be difficult to break into. Mafiaboy employed Sun Tzu's concept of avoiding what is strong (the sites' security defenses) and striking at what is weak (the fundamental behavior of IP networks). Most Denial of Service attacks are simple to wage, but difficult to defend against. Why not take the easy route to inflicting damage on an enemy? Part of defensive information warfare comes in identifying our own weaknesses and strengthening our defenses accordingly.

Slide 16

Understand the Risks

"He who exercises no forethought but makes light of his opponent is sure to be captured by them." - Sun Tzu

• Attackers have a complete arsenal of weapons to use against a network's defenses
• An understanding of an attacker's offensive warfare tactics is essential

The point of intersection between offense and defense comes in understanding the offensive in order to better defend. In information warfare, this concept is very important. It has been estimated that new vulnerabilities were being discovered at the rate of 200 per month by mid-2001.

Slide 17

Finally, while each of these attacks can be used by itself, you will very often see them used in combination, or see one attack used as the basis for another. For example, many of the attacks are based on some form of Denial of Service.

Slide 18

Denial of Service

• Keeping the computer or network from doing anything useful
• Attack can cause a system to crash or consume excessive resources
• Very hard to prevent
• Attacker does not need to be skilled to wage the attack

Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at preventing a computer or network from performing its normal duties. This can take the form of crashing a computer, but more often it takes the form of flooding the network or computer with hundreds, or even millions, of information or service requests. The computer quickly gets overwhelmed and can't handle the load. Once this happens, service is denied to legitimate users because they can't seem to get the server's attention.

Denial of Service attacks are appealing to attackers for a number of reasons. First, they are deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for performing a DoS attack are not that difficult to learn or perform. Second, depending on how the DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server's resources. The attacker mentality will say that this is no more harmful than driving slowly on the highway or taking your time in the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other large internet sites that got hit with DDoS attacks in the spring of 2000. To them, the damage and the losses were very real.

Classic DoS attacks occur when a single system floods your network with packets or sends maliciously crafted packets designed to crash or hang target systems. These attacks can be stopped by instructing your routers or firewalls not to accept packets from the attacking system (provided the attacker has not spoofed the source address). However, a new breed of DoS attack has recently surfaced: the Distributed Denial of Service, or DDoS.

We'll look at Distributed Denial of Service later, after considering a few of the "single shot" crafted packet attacks that can crash systems. A fundamental difference between the two types of Denial of Service attacks (flooding and crafted packet) arises from the differing principles on which the attacks are based. Crafted packet attacks take advantage of the fact that the programmer who built the vulnerable software did not properly handle an "impossible" case: a type of packet that should never arise under normal network conditions. Packet flooding attacks exploit a fundamental property of TCP/IP networks and client-server communications: how can a server distinguish legitimate service requests from bogus ones?

Slide 19

Land Attack

• Attacker sends a single spoofed packet
• Result: Crashed old Win boxes and Cisco routers

Figure: Src IP = Dst IP, Src Port = Dst Port, TCP SYN

This attack is very simple, but when land.c was first released in a posting to Bugtraq, the tool caused a lot of problems. The idea was to spoof the source address on a TCP packet to be the same as the destination address. Also, a Land packet has the SYN flag set and must be received by an open port on the target.

When a vulnerable host receives these packets, it enters an infinite loop and has to be physically rebooted. The attack worked very well against Windows 95 machines, locking them up completely, and also crashed Cisco routers and switches. Once the exploit was released, Cisco engineers had to work around the clock through Thanksgiving to isolate the problem, test equipment, and work on fixes.
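The Land packet in the figure is small enough to build and recognise by hand, which makes it a good illustration of the "impossible packet" class of crafted-packet attacks. The Python below is an added example, not code from the deck or from land.c: it assembles an IPv4 datagram carrying a bare TCP SYN with correct IP and TCP checksums, so the source and destination can be set identical, and then shows the check a packet filter or IDS applies to spot the signature (source IP equals destination IP, source port equals destination port, SYN set). The addresses (192.0.2.x, port 139) are constructed for illustration. The block only builds and inspects bytes; it never sends anything, so it needs no raw-socket privileges.

```python
import struct
import ipaddress

TCP_SYN = 0x02
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Summing a header that
    already carries a correct checksum yields 0, which is how we validate."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=0, ident=0x1234, ttl=64):
    """IPv4 datagram carrying a TCP SYN with no options and no data.
    A Land packet is exactly this with src_ip == dst_ip and sport == dport."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    # TCP header: data offset 5 words, flags=SYN, window 8192, checksum 0 for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    # TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, total length, id, no fragmentation, checksum 0 for now
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0,
                     ttl, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(raw: bytes):
    """Return the fields a Land check needs, or None if raw is not a sane IPv4/TCP packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 20 or raw[9] != IPPROTO_TCP:
        return None
    if inet_checksum(raw[:ihl]) != 0:
        return None                                   # corrupt header: do not trust its fields
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": raw[ihl + 13],
    }


def is_land_packet(raw: bytes) -> bool:
    """Land signature: a SYN whose source and destination match in both IP and port.
    No legitimate TCP connection ever looks like this, so a filter can drop it outright."""
    p = parse_ipv4_tcp(raw)
    if p is None:
        return False
    return p["src"] == p["dst"] and p["sport"] == p["dport"] and bool(p["flags"] & TCP_SYN)


if __name__ == "__main__":
    # Constructed sample: a Land packet aimed at port 139 of 192.0.2.10.
    land = build_tcp_syn("192.0.2.10", "192.0.2.10", 139, 139)
    print("land packet   :", land.hex())
    print("is_land_packet:", is_land_packet(land))
    normal = build_tcp_syn("192.0.2.1", "192.0.2.10", 40000, 139)
    print("normal SYN    :", is_land_packet(normal))
```

The same src == dst test (without the port condition) catches a related class of spoofed packets, and dropping any packet whose source address belongs to your own network at the border is the general defence, which is why ingress filtering stops Land before a vulnerable host ever sees it.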

A 1997 Network World news story about the problems caused by Land:

Slide 20

IP Fragmentation

• If packets are larger than a network can handle, they are fragmented in multiple parts
• Fragmented parts are reassembled at destination

Figure: MTU-limited IP datagrams; IP fragments reassembled at destination

In the IP protocol, there are allowances for the fact that there may be many different types of equipment, computers, and networks connected together. For instance, a computer may want to transmit packets of 1 kilobyte (1024 bytes) in size, but the routers between the computer and the destination may only be able to handle packets of 512 bytes in size. If this is the case, IP will automatically split the original packet into smaller pieces that will be able to make it all the way across the network. This process is called fragmentation. Once the fragments reach their destination, they are reassembled to recreate the original packet. Fragmentation is good because it ensures the accurate transmission of information in a way that is transparent to the user or application.

However, packet fragmentation has also been used for evil purposes, as a way of attacking computers and slipping past firewalls. Since it is computationally intensive for a network intrusion detection system or firewall to reassemble fragmented transmissions, attackers can often hide their evil deeds by forcing all of their communications to be fragmented. Further, the process of fragment reassembly can be rather complicated (consider missing fragments, overlapping fragments, out-of-order fragments, etc.) and naturally some bugs have crept into the fragment handling routines of various operating systems. Attackers discovered that they could crash systems in many cases by building and sending streams of fragments that do not reassemble correctly. Further, attackers discovered they could sometimes trick firewalls into passing traffic that should not be allowed by sending very small fragments that do not contain all the information the firewall needs to make its filtering decision correctly.

Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic example of the technical lengths and the in-depth knowledge attackers will seek in order to work their evil.

Slide 21

Ping of Death

Figure: the attacker constructs fragments and sends them across the Internet; the target receives the fragments and assembles them into a 65535-byte buffer; the last fragment is too large, the buffer overflows, POOF!

The Ping of Death Denial of Service attack is a classic fragmentation attack that exploits a vulnerability in fragment reassemblers. The attack causes a buffer to overflow on the target host by sending an ICMP echo request packet (a "ping") that is larger than the maximum IP packet size of 65535 bytes. The problem comes when the receiving system attempts to write the last fragment's data outside of the allocated reassembly buffer, which is only 65535 bytes long.

In order to generate such an "impossible packet", the attacker uses special tools to craft fragments and send them to the target. Because no intermediary network devices will attempt to reassemble the fragments, the packets are simply forwarded until they reach the specified destination address. When the target host receives these fragments and tries to reassemble them or process the reassembled datagram, its operating system may crash or hang. Some Ping of Death tools attempt to further compound the effect by creating and sending fragments that do not overlap properly.

More information regarding the attack may be found in the CERT advisory:

Posted on the hosting site: 10/12/2013, 14:16