Information Warfare

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 42

Document description

"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this module we will consider what warfare means in the context of today's information systems and networks. We will see that the fundamental principles of warfare known for thousands of years are still relevant on today's new battleground.

Text content: Information Warfare

1. Information Warfare
Security Essentials
The SANS Institute
Information Assurance Foundations - SANS ©2001 1

"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this module we will consider what warfare means in the context of today's information systems and networks. We will see that the fundamental principles of warfare known for thousands of years are still relevant on today's new battleground.
5-1
2. Agenda
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics
Information Warfare - SANS ©2001 2

After introducing the concept of information warfare, we will be concentrating on warfare principles and strategies. We will discuss both offensive and defensive tactics, both theory and practice. As a concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.
3. What is Information Warfare?
"Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries."
- Dr. Ivan Goldberg

We start our discussion with a definition of information warfare. The definition above simply maps our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of computers and networks. This definition has been provided by Dr. Ivan Goldberg, who leads the "Institute for the Advanced Study of Information Warfare". The institute's website has a number of white papers and reports on information warfare topics. Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information Warfare: The Unconventional Art in a Digital World", published by SANS:
4. Examples of Information Warfare
• A company breaking into a competitor's computer system to find out their list of customers
• An R&D company putting false information about research on their web site to mislead the competition
• A foreign government stealing tapes containing classified information

There are many possible forms of information warfare; the slide above provides three examples. Any time someone uses information as a weapon against an adversary, that is information warfare. The distinguishing factors are only how the information is obtained, how it is used, and to what impact. We consider theft of information a form of information warfare, but the most critical issue is how the stolen information is used against its rightful owner. In terms of the examples, a company that discovers a list of their competitor's customers might send false or misleading information to the customers, might market to these people specifically, or might simply see to it that the customers are harassed by telemarketers and spam (so the recipients think that the company they trusted released their information without permission). A foreign government stealing classified backup tapes might be able to discover detailed technical information concerning the capabilities of their adversary's weapons, or might obtain documents detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are endless. A startup tech company that has a next generation product to release might post information stating that their product will not be ready for several months. Such a posting might lull the company's competitors into a false sense of not needing to hurry their own development cycles. When the startup releases its product months earlier than advertised, the competition is caught flat-footed.
5. Key Points From the Examples
• Information Warfare can be:
  – Theft
  – Deception
  – Sabotage
• Does not have to be technical or sophisticated
• Attackers will always go after the weakest link

Abstracting the previous examples a level, we can list out a few fundamental concepts. Theft, espionage, blackmail, deception, sabotage, destruction -- these are all common goals in information warfare attacks. As in other forms of warfare, a skilled attacker will seek out his opponent's weaknesses and attack those first and most vigorously. For example, sometimes social engineering or packet flooding attacks most effectively accomplish an attacker's goals, but neither of these attacks requires any sophisticated technical skills.
6. Why is it Important?
• Affects all governments and companies, and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities

In today's world, information warfare impacts everyone, whether they own a computer or not. Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit histories, undeserved criminal records, misassigned debt and liability, false healthcare documents, and more. Most people and organizations are not fully aware of the risks that surround them, although the results of an attack can be devastating. Because each organization is different, there is no "one size fits all" defense system. The only way to design a good defense is to understand the offensive tactics used by attackers, and to understand the defensive tactics and tools available to us. We will explore both offensive and defensive tactics in this module, and see how (fortunately) a few basic principles can be applied across a large number of situations. Interestingly, our most useful principles come not from information theory, but from a compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War". These strategies are as relevant today as when they were first written.
7. How Dangerous is it Really?
A few facts from the Honeynet project concerning break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked within 3 days of connecting to the net
• Fastest time for any server to be compromised was 15 minutes from first connection to the net
• Default Win98 box compromised in less than 24 hours from first connection, and compromised another four times in the next three days

But let's back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet today? Are there really that many "evil-doers" out to do me ill when I connect to the internet? Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of honeypots of all different operating systems) recently reported some statistics concerning the rate of break-ins to their small network over a period of 9 months. The full information concerning the stats above is quoted from the paper below.
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot we ever setup, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
----------------
These facts (and other information in the paper) demonstrate the hostility of today's networks even to a simple home user. Even "grandma" needs to be aware of the dangers of the online environment today. As an example, consider that many of us use home computers to fill out year-end income tax forms. An attacker able to access that information would know enough to cause significant problems. Today's networks are infested with worms and automated attack programs that relentlessly seek out and compromise vulnerable computers, reporting back to a human only after accomplishing a successful compromise. Companies and governments must be secured against these threats, as well as against more sophisticated attackers specifically targeting their organization.
8. How Would you be Impacted?
• Consider the following scenario:
  – You go into work tomorrow and all of your computers are gone and there is no internet connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated backups? Is there a restore process?
• Could your organization survive the loss?

Is your organization prepared for an attack? Either from the internet or from a natural disaster or terrorist act? Part of information warfare is planning for the worst and having a recovery plan in place. Many of us would be in a lot of trouble if a particular building burned down, for example -- that building being the one holding the primary information and all of its backup copies. The September 11th tragedy demonstrated how critical backups can be to a company's survival. When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that spreads rapidly but remains undetected because it does not do anything observable. The virus infects several computers, but because it is not detected the virus program is copied onto the backup tapes along with legitimate information. Time passes. Ten months later the virus' payload goes into action and starts destroying files and laying waste to operating systems. You think, no problem, I've got backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now? Do you have insurance against information loss? A recent Information Week article (January 2, 2002) explains how many insurance providers have decided to exclude online assets and terrorism-related damages from their IT policy offerings.
9. Threats
• Internal threats
  – Employees
  – Contractors
  – Visitors
• External threats
  – Anyone connected to the internet

The threat to a company could really be anything. Threats are typically broken down into internal and external threats. Internal threats are attacks launched by employees, contractors, or even visitors to your facility. External threats could really be anyone that is connected to the internet. Threats can also range from intentional to unintentional events. Unintentional events, like floods or fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt the company, the net result is the same. Therefore it is important to understand and react to all possible threats that are posed to your company.
10. Offensive Tactics
• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or livelihood
• Providing false information in order to deceive, mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)

Let us begin our consideration of information warfare concepts by looking at the offensive side of the game. Defensive strategies will be covered later. The slide above lists several common ways information can be involved in an attack against an organization or individual. At first glance it may seem that these attack methods are specific to the information age. In the next few slides we will take a closer look at several of the specific tactics and show that the concepts behind them have been well-known to warriors for centuries.
11. Public but Sensitive Information
"It is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door keepers and sentries of the general in command." - Sun Tzu
• There are many sources of information
  – Press releases
  – Employment ads
  – Company descriptions
  – Public databases (whois, legal, edgar, healthcare, whitepages)

Over two thousand years ago Sun Tzu noted that deploying spies to gather information such as the names of people in the enemy organization, and the types of sentries (read defense mechanisms here) is an important first step in warfare. Things haven't changed very much. Given today's internet, it is possible for an attacker to find out a great deal about an adversary without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual or a company, internet white page directories can provide names, addresses, phone numbers, street maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit history databases without too much trouble. A search for an individual's email address can provide links to newsgroup postings which contain information about the individual's interests, habits, friends, employer, etc. Information-rich messages posted to security mailing lists such as "I work for company XYZ and our main IIS 5.0 web server has been hacked and is backdoored..." can be very useful. In addition, companies love giving out information to help fuel growth, but often fail to realize the negative impact that information could have on the company. For example, an ISP who just built a new network wants to advertise it to help get additional business. So they have a press release that describes their new computers -- what brand, what operating systems, what versions, etc. An attacker can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a company that posts a list of employee names provides an attacker with information useful in username/password guessing attacks. Public databases can also provide a wealth of information. For example, publicly traded companies are required to disclose certain information to the SEC. The SEC information is posted online in the EDGAR database. These documents could be used to obtain the names of key executives, which could be used in social engineering attacks. Another common practice is for attackers to notice that a merger or acquisition has taken place, and capitalize on the ensuing organizational confusion. For example, let's say our attacker's desired target XYZ has recently acquired Acme Widgets Inc., and the two companies' technologies are being integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company directory) and says that he is from Acme Widgets and that Executive So-And-So (name obtained from EDGAR) wanted him to call to get the latest product specifications and development timelines.
12. Stealing Confidential Information
"Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success." - Sun Tzu
• Espionage is a real problem
• Many foreign governments have admitted to launching corporate espionage attacks against US companies to give their local companies a competitive advantage.

A critical part of warfare, information or otherwise, lies in discovering the enemy's plans. Sun Tzu notes that even a strong adversary can be crushed if his plans are known in advance. Online espionage is the modern embodiment of this tactic, and it works as well today as ever. One legal method of performing corporate intelligence gathering is to get the employees talking. A recent news article describes how today's corporate spies rely heavily on forming online friendships with target employees to gain information. According to one corporate intelligence professional, 85 percent of people will share sensitive information about themselves and their companies with perfect strangers. The statistic is calculated based on the results of 78,000 recorded conversations with people worldwide. Further, companies have been known to hire agents to sit next to traveling executives on planes, where they can read business information over the executive's shoulder, or engage in seemingly innocent chit-chat. Experience has shown that executives are particularly vulnerable to questions from brainless admirers. And of course the true hack-in-and-steal-something method is wildly popular. For example, the articles linked below describe an incident where attackers stole source code from Microsoft in October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial espionage".
,,s2082221,00.html
Interestingly, two of the main concerns in the Microsoft incident were that the attackers would implant backdoors in the Windows source code (they had access to the data for three months), and that the attackers would analyze the source code and discover vulnerabilities that no one else knows about. Other concerns included the notion that a rival company might try to market the stolen software as their own, or use the proprietary algorithmic and programming techniques to advance their own products. These concerns illustrate a few of the dangers of proprietary information theft.
13. False Information
"All warfare is based on deception... The one who is skillful maintains deceitful appearances, according to which the enemy will act." - Sun Tzu
• If you know someone is watching you, why not give them misleading information?
  – False press releases
  – False company information
  – False server banners

This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the false information to influence their actions to our advantage. For example, a company might "leak" the fact that they are going to submit a proposal for a particular job at the price of $5 million. The competition, upon hearing this information, decides to bid $4.5 million. When the original company actually bids $4 million (instead of the "leaked" $5 million figure) the spying competitor finds themselves underbid. As another example of misinformation in the information age, consider the case of an attacker who fabricated a false press release that led to a publicly traded company temporarily losing more than $2 million in market value. The bogus press release was submitted via email to InternetWire and picked up and distributed by a number of major news organizations. The press release stated that the company in question (Emulex) was under investigation by the SEC, had revised its latest earnings reports to show a loss instead of a profit, and was losing its CEO. The result was that investors started to dump the company's stock en masse, sending Emulex's stock plummeting as much as 62%. The company lost as much as $2.5 billion in market value before the fraud was discovered and Nasdaq halted its trading. In general, the misinformation strategy is quite interesting and complex. The complexities arise as in any other lie: how do you lie to some people while telling the truth to others, and keep it all straight? An organization employing these methods can easily lose control, or become liable for damages resulting from the false statements. The techniques can be quite effective, however.
14. Honeypots
"Learn the principle of the enemy's activity or inactivity. Force him to reveal himself ... By holding out advantages to him, cause him to approach of his own accord." - Sun Tzu
• Honeypots are sacrificial computers, purposely left vulnerable.
• The computers are carefully instrumented to record attackers' actions and gather copies of the tools they use

Another example of deception in information warfare is the use of honeypots. The idea of a honeypot is twofold. First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow attackers to break in and then watch what they do. By observing what files they look for we may be able to guess what they are after, and by watching the tools they use we gain an idea of their capabilities and methods of operation. For example, if the attacker exploits a MS SQL server vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners. Second, honeypots can provide a way of diverting an attacker's attention away from critical systems for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit", that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy too: "Sacrifice something, that the enemy may snatch at it."
15. Denial of Service Attacks
"So in war, the way is to avoid what is strong and strike at what is weak." - Sun Tzu
• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image

Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a Canadian teenager in February of 2000 resulting in an estimated total loss of $1.7 billion to several US companies. The attacker, known as "mafiaboy," flooded the webservers of Ebay, Dell, Amazon, and Yahoo (among others) with meaningless traffic in order to overload the target networks and prevent the servers from responding to legitimate requests. Because each of the targeted organizations relies heavily on its internet presence as a source of revenue, Mafiaboy's Denial of Service attack was quite damaging. A news article on the topic:
The important thing to take away from the example is that Mafiaboy didn't need any sophisticated technical skills to wage these attacks. In fact, the tools he used and others like them are publicly available on many websites. These tools do not take any special skills to run. On the other hand the sites that were attacked all employ heavy security and would be difficult to break into. Mafiaboy employed Sun Tzu's concept of avoiding what is strong (the site's security defenses) and striking at what is weak (fundamental behavior of IP networks). Most Denial of Service attacks are simple to wage, but difficult to defend against. Why not take the easy route to inflicting damage on an enemy? Part of defensive information warfare comes in identifying our own weaknesses and strengthening our defenses accordingly.
16. Understand the Risks
"He who exercises no forethought but makes light of his opponent is sure to be captured by them." - Sun Tzu
• Attackers have a complete arsenal of weapons to use against a network's defenses
• An understanding of an attacker's offensive warfare tactics is essential

The point of intersection between offense and defense comes in understanding the offensive in order to better defend. In information warfare, this concept is very important. It has been estimated that new vulnerabilities were being discovered at the rate of 200 per month by mid 2001.
,14179,2803105,00.html
A recent CERT report provides the following figures concerning numbers of reported vulnerabilities for the past three years:
1999: 417 vulnerabilities
2000: 1090 vulnerabilities
2001: 2437 vulnerabilities
CERT further reports that the number of incidents has doubled between 2000 and 2001. 21,756 incidents were reported in 2000, while 52,658 incidents were reported in 2001. Less than 10,000 incidents were reported in 1999.
,4125,NAV47_STO67318,00.html
Clearly it is important to keep up with information on new vulnerabilities, patches, and exploits. It is also important to understand the fundamental techniques employed by attackers (e.g. buffer overflows, improperly formatted packets, weak password exploitation, etc.) so that we can spot vulnerabilities ourselves before an attacker finds them. The administrator who believes that "it couldn't happen to them" is sure to be in for a rough ride.
17. An Introduction to Network Attack Methods
• Denial of Service
• SYN Flooding
• Distributed DoS
• Smurf
• Session Hijacking
• Teardrop
• IP Spoofing
• Land
• TCP Sequence Prediction
• Man in the Middle
• Session Replay
• IP Fragmentation
• Ping of Death

In the following few slides, we are going to talk about various types of attacks that have occurred over the internet in the past. But before we begin, I should point out a couple of important facts. First, we will not be going into very technical depth about each of these attacks. Some of them can get quite complicated, but we will stick to the high-level description as much as possible. Second, many of these attacks have many variations that have been used over time. You may hear of them referred to in several different ways in your continuing security education. In the interests of time, we will restrict our discussion to the original attack, and mention any variations only as necessary for clarification. Finally, while each of these attacks can be used by itself, you will very often see them used in combination, or see one attack used as the basis for another. For example, many of the attacks are based on some form of Denial of Service.
18. Denial of Service
• Keeping the computer or network from doing anything useful
• Attack can cause a system to crash or consume excessive resources
• Very hard to prevent
• Attacker does not need to be skilled to wage the attack

Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at preventing a computer or network from performing its normal duties. This can take the form of crashing a computer, but more often it takes the form of flooding the network or computer with hundreds, or even millions, of information or service requests. The computer quickly gets overwhelmed and can't handle the load. Once this happens, service is denied to legitimate users of the service because they can't seem to get the server's attention. Denial of Service attacks are appealing to attackers for a number of reasons. First, they are deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for performing a DoS attack are not that difficult to learn or perform. Second, depending on how the DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server's resources. The attacker mentality will say that this is no more harmful than driving slowly on the highway or taking your time at the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other large internet sites that got hit with DDoS attacks in the Spring of 2000. To them, the damage and the losses were very real. Classic DoS attacks occur when a single system floods your network with packets or sends maliciously crafted packets designed to crash or hang target systems. These attacks can be stopped by instructing your routers or firewalls not to accept packets from the attacking system. However, a new breed of DoS attacks has recently surfaced, the Distributed Denial of Service, or DDoS. We'll look at Distributed Denial of Service later, after considering a few of the "single shot" crafted packet attacks that can crash systems. A fundamental difference between the two types of Denial of Service attacks (flooding and crafted packet) arises from the differing principles on which the attacks are based. Crafted packet attacks take advantage of the fact that the programmer who built the vulnerable software did not properly handle an "impossible" case -- a type of packet that should never arise under normal network conditions. Packet flooding attacks exploit a fundamental property of TCP/IP networks and client-server communications. How can a server distinguish legitimate service requests from bogus ones?
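The question the notes end on, telling legitimate requests from bogus ones, is answered in practice by watching whether a source ever completes the handshakes it starts. The Python script below is an added example and is not part of the SANS module. It parses constructed, tcpdump-style connection records (the record format and the addresses are assumptions of this example, not taken from the page) and counts, per source address, SYNs sent versus handshakes completed, flagging any source that leaves many connections half-open. A single flooding source found this way can be blocked at the router or firewall as the notes describe; the distributed case spreads the same load across many sources so that none crosses a per-source threshold, which is why the script also reports the server-wide total.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Records in a tcpdump-like shape (an assumed format for this example):
#   <time> <src ip>.<src port> > <dst ip>.<dst port>: Flags [<flags>]
# "[S]" is a client SYN; "[.]" is the bare ACK that completes the handshake.
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def constructed_sample() -> List[str]:
    """Constructed traffic: one client that completes every handshake it starts,
    and one host that opens connections from changing ports and never completes any."""
    lines = []
    for i, port in enumerate((51000, 51001, 51002)):
        lines.append(f"10:00:0{i}.000 192.0.2.10.{port} > 203.0.113.5.80: Flags [S]")
        lines.append(f"10:00:0{i}.050 192.0.2.10.{port} > 203.0.113.5.80: Flags [.]")
    for i in range(30):
        lines.append(f"10:00:05.{i:03d} 198.51.100.7.{2000 + i} > 203.0.113.5.80: Flags [S]")
    return lines


def handshake_stats(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Return {source ip: (SYNs sent, handshakes completed)}.

    A handshake counts as completed when the 4-tuple that sent a SYN later sends
    a bare ACK; anything else stays half-open from the server's point of view."""
    pending = set()
    opened: Dict[str, int] = defaultdict(int)
    completed: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record; ignore it
        _, src, sport, dst, dport, flags = m.groups()
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.add(key)
            opened[src] += 1
        elif "." in flags and key in pending:
            pending.discard(key)
            completed[src] += 1
    return {src: (opened[src], completed[src]) for src in opened}


def suspects(stats: Dict[str, Tuple[int, int]], max_half_open: int = 10) -> List[str]:
    """Sources whose half-open count exceeds the threshold, worst first."""
    flagged = [(s - c, src) for src, (s, c) in stats.items() if s - c > max_half_open]
    return [src for _, src in sorted(flagged, reverse=True)]


def total_half_open(stats: Dict[str, Tuple[int, int]]) -> int:
    """Aggregate half-open count. A distributed flood keeps every source under the
    per-source threshold, so the total the server is carrying must be watched too."""
    return sum(s - c for s, c in stats.values())


if __name__ == "__main__":
    stats = handshake_stats(constructed_sample())
    for src, (s, c) in stats.items():
        print(f"{src}: {s} SYNs, {c} completed, {s - c} half-open")
    print("flagged sources:", suspects(stats))
    print("total half-open:", total_half_open(stats))
```

The threshold is deliberately a parameter: a busy legitimate client behind a lossy link also leaves a few handshakes unfinished, so the per-source number that counts as abuse depends on the server's backlog size and normal client behaviour.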
19. Land Attack
• Attacker sends a single spoofed packet
• Result: Crashed old Win boxes and Cisco routers
[Figure: a TCP SYN packet with Src IP = Dst IP and Src Port = Dst Port]

This attack is very simple, but when land.c was first released in a posting to Bugtraq, the tool caused a lot of problems. The idea was to spoof the source address on a TCP packet to be the same as the destination address. Also, a Land packet has the SYN flag set and must be received by an open port on the target. When a vulnerable host receives these packets, it enters an infinite loop and has to be physically rebooted. The attack worked very well against Windows 95 machines, locking them up completely, and also crashed Cisco routers and switches. Once the exploit was released, Cisco engineers had to work around the clock through Thanksgiving to isolate the problem, test equipment, and work on fixes.
A 1997 Network World news story about the problems caused by Land:
CERT advisory 97.28:
Bugtraq summary of vulnerable systems:
Original exploit posting by m3lt:
Cisco advisory:
20. IP Fragmentation
[Figure: IP datagrams are split into IP fragments at an MTU-limited link and reassembled at the destination]
• If packets are larger than a network can handle, they are fragmented in multiple parts
• Fragmented parts are reassembled at destination

In the IP protocol, there are allowances for the fact that there may be many different types of equipment, computers, and networks connected together. For instance, a computer may want to transmit packets of 1 kilobyte (1024 bytes) in size, but the routers between the computer and the destination may only be able to handle packets of 512 bytes in size. If this is the case, IP will automatically split the original packet into smaller pieces that will be able to make it all the way across the network. This process is called fragmentation. Once the fragments reach their destination, they are reassembled to recreate the original packet. Fragmentation is good because it ensures the accurate transmission of information in a way that is transparent to the user or application. However, packet fragmentation has also been used for evil purposes as a way of attacking computers and slipping past firewalls. Since it is computationally intensive for a network intrusion detection system or firewall to reassemble fragmented transmissions, attackers can often hide their evil deeds by forcing all of their communications to be fragmented. Further, the process of fragment reassembly can be rather complicated (consider missing fragments, overlapping fragments, out-of-order fragments, etc.) and naturally some bugs have crept into the fragment handling routines of various operating systems. Attackers discovered that they could crash systems in many cases by building and sending streams of fragments that do not reassemble correctly. Further, attackers discovered they could sometimes trick firewalls into passing traffic that should not be allowed by sending very small fragments that do not contain all the information the firewall needs to make its filtering decision correctly. Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic example of the technical lengths and the in-depth knowledge attackers will seek in order to work their evil.
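Both the Land packet of the previous slide and the fragmentation problems described here come down to checks that a firewall or intrusion detection system can make on the IPv4 and TCP headers. The Python below is an added example, not code from the SANS module: it packs minimal IPv4/TCP headers for constructed test packets (checksums are left zero, since nothing here verifies them), parses them back, flags a SYN packet whose source address and port equal its destination address and port, and reassembles the fragments of one datagram in any arrival order while reporting gaps, overlaps, a missing final fragment, and a first fragment too short to carry the TCP header a filter needs for its decision. The helper names and the sample addresses are this example's own.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

TCP = 6        # IP protocol number for TCP
SYN = 0x02     # TCP SYN flag bit
MF = 0x2000    # "more fragments" bit in the IPv4 flags/fragment-offset field


def build_ipv4(src: str, dst: str, ident: int, offset: int, mf: bool,
               proto: int, payload: bytes) -> bytes:
    """Pack a minimal IPv4 header (no options, checksum zero) in front of payload.
    Used only to construct test input for this example; offset is in bytes."""
    flags_frag = (MF if mf else 0) | (offset // 8)   # the field counts 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    """Pack a minimal 20-byte TCP header (data offset 5, checksum zero) plus data."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                       8192, 0, 0) + data


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the IPv4 header fields a filter needs, plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"id": ident, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "mf": bool(flags_frag & MF),
            "offset": (flags_frag & 0x1FFF) * 8,   # byte offset of this piece
            "payload": pkt[ihl:total_len]}


def parse_tcp(segment: bytes) -> Dict:
    """Decode ports and the SYN/ACK bits from a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport,
            "syn": bool(off_flags & SYN), "ack": bool(off_flags & 0x10)}


def is_land_packet(ip: Dict) -> bool:
    """Land signature: a TCP SYN whose source address and port equal the
    destination address and port. Only an unfragmented first piece carries
    the ports, so later fragments are not judged here."""
    if ip["proto"] != TCP or ip["offset"] != 0:
        return False
    tcp = parse_tcp(ip["payload"])
    return tcp["syn"] and ip["src"] == ip["dst"] and tcp["sport"] == tcp["dport"]


def reassemble(frags: List[Dict]) -> Tuple[Optional[bytes], List[str]]:
    """Reassemble the fragments of one datagram (same id), in any arrival order.

    Returns (data, anomalies). A gap, an overlap or a missing final fragment makes
    data None: operating systems resolve overlaps differently, so a filter that
    guesses can be made to see something other than what the host sees. A first
    fragment too short to hold the TCP header is reported but still reassembled."""
    anomalies: List[str] = []
    ordered = sorted(frags, key=lambda f: f["offset"])
    data, expected = b"", 0
    for f in ordered:
        if f["offset"] == 0 and f["mf"] and f["proto"] == TCP and len(f["payload"]) < 20:
            anomalies.append("first fragment shorter than TCP header")
        if f["offset"] < expected:
            anomalies.append(f"overlap at offset {f['offset']}")
        elif f["offset"] > expected:
            anomalies.append(f"gap before offset {f['offset']}")
        data += f["payload"]
        expected = f["offset"] + len(f["payload"])
    if not ordered or ordered[-1]["mf"]:
        anomalies.append("final fragment missing")
    complete = not any(a.startswith(("overlap", "gap", "final")) for a in anomalies)
    return (data if complete else None), anomalies


def fragment(src: str, dst: str, ident: int, segment: bytes,
             pieces: List[Tuple[int, int]]) -> List[Dict]:
    """Cut a segment into (offset, length) pieces and parse each as an IPv4 packet.
    Constructed input only; offsets of non-final pieces must be multiples of 8."""
    return [parse_ipv4(build_ipv4(src, dst, ident, off, off + n < len(segment), TCP,
                                  segment[off:off + n])) for off, n in pieces]


if __name__ == "__main__":
    land = parse_ipv4(build_ipv4("10.0.0.5", "10.0.0.5", 1, 0, False, TCP,
                                 build_tcp(139, 139, SYN)))
    print("land packet flagged:", is_land_packet(land))
    segment = build_tcp(40001, 80, SYN, b"x" * 28)            # 48-byte segment
    frags = fragment("10.0.0.9", "10.0.0.5", 3, segment, [(0, 8), (8, 16), (24, 24)])
    data, notes = reassemble(list(reversed(frags)))           # delivered out of order
    print("reassembled intact:", data == segment, notes)
```

The 8-byte first fragment in the sample is the case the notes describe: it carries the port numbers (the first four bytes of the TCP header) but not the flags byte at offset 13, so a filter that decides on the first fragment alone cannot tell a SYN from anything else. A filter that refuses such fragments, or that only decides after reassembly, closes that gap at the cost of the state and CPU the notes mention.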