Understanding Cyber Security

Understanding Cyber Conflict
Dr. Panayotis A. Yannakogeorgos, Dean, Air Force Cyber College

The Character of Cyberspace
The cyber domain includes more than just the Internet, but all things relevant within cyberspace require some type of connectivity or networking. The Internet is the manifestation of networking theory on a global scale. Cyberspace has national borders, the same as every other domain. In the cyber domain, at no time is the military likely to be in complete control of the battlespace. Civilians will be a part of cyberwar, likely as victims whose computers will be placed at risk, but equally likely, they will be cyberwar participants.
Source: JP 3-12(R)

Modern Hacking Tactics and the "Cyber Terrain"
So who actually owns the Internet? There are two answers to this question:
1. Nobody
2. Lots of people
• APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim's network was 1,764 days, or four years and ten months.
• In the last two years we have observed APT1 establish a minimum of 937 Command and Control (C2) servers hosted on 849 distinct IP addresses in 13 countries.

Spectrum of Operations in Cyberspace
• Access/Exploitation – Digital intelligence
• Deletions/Denial of Service/Disruption/Digital Damage – Interrupt the flow of information or the function of information systems without physical damage or injury
• Physical Effect – Results in physical damage or destruction, injury or death
Spectrum adapted from US Cyber Command, 2013

Cyber Threat Actors
• Hacktivists
• Criminals
• Spies
• Terrorists
• Militaries

Breakdown of Noteworthy Cyber Attacks in 2015
Tracked by Hackmageddon.com: http://www.hackmageddon.com/2016/01/11/2015-cyber-attacks-statistics/

Hacktivists
• Operate anonymously and globally
• Objectives
  – Entertainment – laughs
  – Freedom, transparency, anti-corruption, etc.
• Unorganized, but a blend of anarchy and power circles with factions and splintering
  – Often regional and issue-related factions
• Targets are global and have included
  – Governments/countries
  – Businesses
  – Terrorists, especially ISIS
  – Competing hacktivists
  – Pedophiles

Criminals
• Bangladesh Central Bank Heist
• Criminals tried to withdraw $951 million from the bank's US account with the Federal Reserve, which is used for international settlements
• Criminals used stolen Bangladesh Bank credentials and ran malware on the bank's system to cover up their tracks
• 35 requests were made for money transfers
• $81 million successfully moved to casinos in the Philippines, Feb 4-5, 2016
• Transfers stopped when Deutsche Bank detected a typo in a $20 million transfer to the Sri Lankan organization Shalika Foundation (misspelled as "Fandation")
• The Philippines froze $68 million of the stolen funds

Terrorists
• Junaid Hussain [TriCk] was involved in recruiting ISIL sympathizers
• Had significant technical skills and expressed a strong desire to kill Americans
• Compiled and published names, email addresses and phone numbers of US military and government staff, urging lone wolves to "act and kill"
• Sent terror guidebooks including bomb-making instructions and information about domestic terror plots in the UK

Spies & Militaries
FANCY BEAR's profile closely mirrors the strategic interests of the Russian government, and may indicate affiliation with Главное Разведывательное Управление (Main Intelligence Department) or GRU, Russia's premier military intelligence service.
2010 Military Doctrine: "integrated use of military force and non-military capabilities, and a greater role for information warfare"
https://www.crowdstrike.com/blog/who-is-fancy-bear/
2011 Defense White Paper: "combat capability to win local wars in conditions of informationization"
Indicted on cyber espionage charges: Chinese military officers, from left to right, Gu Chunhui, Huang Zhenyu, Sun Kailiang, Wang Dong, and Wen Xinyu
2012 Supreme Council of Cyberspace tasked with the coordination of national cyberwarfare

Actors and Authorities

Onion Routing

Complexity of Response
Hypothetical example for educational use.

What is a Vulnerability? How do they Relate to Threats?
• Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
• Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
• Threat source – The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability
Source: Glossary definitions (Committee on National Security Systems, 2010)

Most hackers use posted vulnerabilities in pre-programmed exploit packages for their attacks. [HBGary's Law]
Source: 2015 Verizon Data Breach Report

Anatomy of a Takeover
Target Victims → Install Malware → Target Services (Intranet, etc.) → Collect Data → Initiate Effect

Malware Types
• Trojan horse – Deceptive
• Exploit or exploit code/kit – Exploits security vulnerabilities
• Virus – Attaches to objects; spreads with objects
• Backdoor – Gives attacker access to system
• Worm – Spreads (semi-)autonomously
• Remote access tool (RAT) – Gives attacker remote control
• Logic bomb / time bomb – Triggered by some condition
• Rootkit – Contains backdoors & Trojans
• Spyware – Scoops up data
• Sniffer – Intercepts packets on network
• Keylogger – Records keystrokes
• Downloader/Dropper – Downloads/installs malware
• Scareware – Purports to be a needed security tool
• Wiper – Destroys data on disk
• Ransomware – Encrypts & holds data hostage or locks screen
• RAM scraper – Steals payment data from POS RAM

"Spearphishing"
• With the information that can be found about us and our coworkers on the Internet, hackers can craft a very believable malware-laden email.
• Spoofing email addresses (or using email from a compromised system) is not hard.
  – If you received an email from the director of your department, would you open it?
  – Would you open the PDF document, or follow the URL to get registration information for an upcoming conference you plan to attend?
  – If you weren't sure the email was legitimate, would you follow up using a separate line of communication to confirm the email's authenticity?

Watering Holes
https://www.google.com/transparencyreport/safebrowsing

Syrian Electronic Army (SEA) Phishing Attack on Associated Press
What the user saw – not the actual link

Ransomware
A type of malware that attempts to extort money by taking control of a victim's computer or infecting the files and documents stored on it.
Figures: CryptoDefense ransom demand; Locky recovery instructions

Point of Sale
This vector compromises POS terminals where customers swipe a payment card at a checkout counter. RAM (Random Access Memory) scraper malware is installed on a POS device:
• Captures payment card data while it is processed in memory, before it is encrypted for storage or transmission.
• The data is written to a text file which is later sent to an offsite server.
• This credit or debit card data is offered for sale on the black market.
Data used to manufacture counterfeit cards.
Often discovery of the breach does not occur until the criminals are noticed to be using the data for illicit purposes by law enforcement or fraud detection entities.

Point of Sale Attack (Target Corporation)
The retail giant Target confirmed some 70 million customer credit and debit accounts were compromised in December 2013. Account numbers, expiration dates, cardholder names and card verification values (CVV) were compromised, plus encrypted debit card PINs were stolen.
• Attackers installed a hybrid of Kaptoxa and Reedum malware on Point of Service (card reader) machines.
• Both derived from BlackPOS, sold on crime forums for only $2,300 – designed to bypass firewall software.
• The PINs are encrypted with Triple-DES (Data Encryption Standard) – somewhat vulnerable to brute force cracking.
two weeks.
The data breach cost $61M in expenses and resulted in a loss of $700M of revenue from the loss of consumer confidence to shop at Target.

Exploitation of Data
• The second-biggest health insurer in the United States detected a breach on 29 Jan 2015 of a database containing personal information for 80 million customers and employees
• The breach exposed names, birthdays, addresses and Social Security Numbers but not medical information or financial account numbers.
  – Private health data used for extortion, fraud or identity theft.
  – Not clear how hackers obtained systems admin privileges
  – Hacked data tracked to an outside Web-storage service.
  – Changing corporate attitude about rapid disclosures.
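The spearphishing slide above asks whether you would trust a message that appears to come from your director, and notes that spoofing a From address is not hard. The script below is an added example (not part of the slides or the author's material) of the header checks a mail gateway or an analyst can apply before anyone opens the attachment: it compares the Reply-To domain with the From domain and reads the SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results. Both messages, all domains and the trusted-domain list are constructed for the example.

```python
"""Header-based triage for a suspected spearphishing email.

Added example (not from the slides). Domains, names and header values below
are constructed for illustration; TRUSTED_DOMAINS is assumed to be the
organisation's own mail domains.
"""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = frozenset({"example-dept.org"})  # assumption: our own domains

# Captures "spf=fail", "dkim=none", "dmarc=pass" tokens from Authentication-Results.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed message: the From address is spoofed to look internal, the
# Reply-To points elsewhere, and the receiving server recorded SPF/DMARC failures.
SUSPICIOUS_RAW = """\
From: "Dr. Jane Director" <jane.director@example-dept.org>
Reply-To: jane.director.office@mail-example.net
To: analyst@example-dept.org
Subject: Registration for the upcoming conference
Authentication-Results: mx.example-dept.org; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=example-dept.org
Content-Type: text/plain

Please open the attached PDF or follow the link to register.
"""

# Constructed legitimate message for comparison.
CLEAN_RAW = """\
From: "Dr. Jane Director" <jane.director@example-dept.org>
To: analyst@example-dept.org
Subject: Staff meeting moved to 10:00
Authentication-Results: mx.example-dept.org; spf=pass smtp.mailfrom=example-dept.org; dkim=pass header.d=example-dept.org; dmarc=pass header.from=example-dept.org
Content-Type: text/plain

See you at 10:00.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw_message: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    if from_domain not in trusted_domains:
        findings.append(f"sender domain {from_domain!r} is not one of our domains")

    # A Reply-To that differs from From is the usual way to route replies to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # SPF/DKIM/DMARC results are what tell a spoofed From apart from a real one.
    auth = str(msg.get("Authentication-Results", ""))
    if not auth:
        findings.append("no Authentication-Results header: sender could not be verified")
    else:
        for method, verdict in AUTH_RESULT_RE.findall(auth):
            if verdict.lower() != "pass":
                findings.append(f"{method.lower()}={verdict.lower()}: message did not authenticate as {from_domain!r}")
    return findings


def is_suspicious(raw_message: str) -> bool:
    """True when the message should be held for out-of-band confirmation."""
    return bool(analyze_headers(raw_message))


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(label, analyze_headers(raw))
```

A message that fails these checks is confirmed over a separate channel, as the slide suggests, not by replying to it. A message sent from a compromised internal account passes all three authentication checks, so the checks narrow the problem but do not replace that confirmation.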
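The point-of-sale slides describe what RAM scraper malware leaves behind: card numbers written to a text file before being shipped to an offsite server, often unnoticed until the cards are abused. The script below is an added example, not from the slides, of the DLP-style check a defender can run over log files, crash dumps or exported text on a POS host to find unprotected card numbers: it extracts 13 to 19 digit candidates, keeps only those that pass the Luhn checksum, and reports them in masked form. The dump excerpt is constructed and uses public test card numbers.

```python
"""DLP-style check for unprotected card numbers in text a POS host produced.

Added example, not from the slides. The "dump" below is constructed; the card
numbers in it are the public Visa/Mastercard test numbers.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed excerpt: the kind of text a RAM scraper writes out before exfiltration.
SAMPLE_DUMP = """\
txn=0012 card=4111111111111111 exp=1227 amt=23.50
txn=0013 card=5500 0000 0000 0004 exp=0926 amt=8.00
txn=0014 ref=12345678901234 amt=1.00
session_id=1234567812345678 status=ok
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _valid_pan(candidate: str) -> str:
    """Return the bare digits if the candidate is a plausible PAN, else ''."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid card number found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE_RE.finditer(line):
            digits = _valid_pan(m.group())
            if digits:
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every valid PAN in text with its masked form, leaving other numbers alone."""
    def _sub(m):
        digits = _valid_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    return PAN_CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_DUMP):
        print(f"line {lineno}: unprotected card number {masked}")
    print(redact(SAMPLE_DUMP))
```

The Luhn filter is what keeps the reference and session identifiers on lines 3 and 4 out of the results; a hit in this kind of file on a POS host is evidence that card data exists in the clear somewhere before the encryption step the slide mentions, which is the condition a RAM scraper depends on.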
Modern Botnets
• Networks of compromised devices (zombies, drones) acting as cyber robots (bots)
  – Devices are put under the command and control (C2) of the botnet herder/owner
  – C2 servers issue commands to bots
• Botnets are used for
  – Spam
  – Distributed denial of service (DDoS) attacks
  – Stealing data – often sold in Bot Chop Shops
  – Fraud – e.g., click fraud and pay-per-install fraud
  – Computational tasks such as bitcoin mining
• Botnets are taken down by taking down their C2
  – Often multinational efforts

Size of DDoS Attacks
2014: 20% reported attacks over 50 Gbps
2015: 25% reported attacks over 100 Gbps
Arbor Networks, Worldwide Infrastructure Security Report 2015

Dyn DDoS
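The botnet slide above notes that bots operate under C2 servers that issue them commands, and that takedowns go after the C2. A bot has to reach its C2 to receive commands, and most do so on a fixed timer, which shows up in egress logs as near-constant intervals between requests to the same destination. The following is an added example, not from the slides, of a beaconing detector over a constructed proxy log (the "timestamp src dst bytes" line format is an assumption for the example): it groups requests by source and destination and flags pairs whose inter-request intervals have a low coefficient of variation.

```python
"""Beacon detection over egress logs: find host-to-destination pairs that talk at a
suspiciously regular interval, the way bots poll their C2 server.

Added example, not from the slides. The log lines are constructed; the
"timestamp src dst bytes" format is an assumption made for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed log: 10.0.0.5 polls 203.0.113.7 roughly every five minutes,
# while the remaining traffic is irregular user browsing.
SAMPLE_LOG = """\
2016-10-21T09:00:00 10.0.0.5 203.0.113.7 412
2016-10-21T09:00:10 10.0.0.9 198.51.100.20 8731
2016-10-21T09:00:12 10.0.0.9 198.51.100.20 1209
2016-10-21T09:03:40 10.0.0.9 198.51.100.20 55021
2016-10-21T09:05:01 10.0.0.5 203.0.113.7 410
2016-10-21T09:09:59 10.0.0.5 203.0.113.7 415
2016-10-21T09:12:30 10.0.0.5 198.51.100.44 3301
2016-10-21T09:15:02 10.0.0.5 203.0.113.7 409
2016-10-21T09:20:00 10.0.0.5 203.0.113.7 412
2016-10-21T09:24:58 10.0.0.5 203.0.113.7 413
2016-10-21T09:30:01 10.0.0.5 203.0.113.7 411
2016-10-21T09:31:05 10.0.0.9 198.51.100.20 2210
2016-10-21T09:31:07 10.0.0.9 198.51.100.20 960
2016-10-21T09:35:00 10.0.0.5 203.0.113.7 414
2016-10-21T09:48:11 10.0.0.5 198.51.100.44 1882
2016-10-21T09:52:00 10.0.0.9 198.51.100.20 7002
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src, dst)."""
    ts, src, dst, _size = line.split()
    return datetime.strptime(ts, TS_FORMAT), src, dst


def find_beacons(log_text: str, min_events: int = 6, max_cv: float = 0.1) -> dict:
    """Return {(src, dst): stats} for pairs whose inter-request intervals are nearly
    constant (coefficient of variation <= max_cv) over at least min_events requests."""
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        stamps_by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # too few requests to call anything periodic
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(intervals)
        if period <= 0:
            continue
        cv = pstdev(intervals) / period  # 0 means perfectly regular timing
        if cv <= max_cv:
            beacons[pair] = {"events": len(stamps), "period_s": round(period, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['events']} requests every ~{stats['period_s']}s (cv={stats['cv']})")
```

Legitimate software also polls on timers (update checks, monitoring agents), so in practice the flagged pairs are compared against an allowlist and the destination is checked for reputation before anyone treats it as C2; the slide's point that takedowns target the C2 is the same reason these destinations, once confirmed, are the ones worth blocking or sinkholing.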
