Network Attacks, Vulnerabilities, and Applicability to Critical Infrastructure - PowerPoint PPT Presentation

About This Presentation
Title:

Network Attacks, Vulnerabilities, and Applicability to Critical Infrastructure

Description:

'Attacks in cyberspace blur traditional boundaries between nations and private ... Favicon.ico exploit. Open stats pages - Determine invisible' networks ...

Slides: 36
Provided by: markf3

Transcript and Presenter's Notes

1
Network Attacks, Vulnerabilities, and
Applicability to Critical Infrastructure
  • Mark Fabro, CISSP
  • Chief Security Scientist, Enterprise Security
    Group
  • American Management Systems

2
  • "Attacks in cyberspace blur traditional
    boundaries between nations and private interests,
    cannot be foreseen or tracked via classical
    intelligence methods, and are all but
    indistinguishable from accidents, system failures
    or even hacker pranks."
  • - RAND

3
Why Use Cyber Attacks?
  • Cascading and quick
  • Attack triviality
  • Lack of network dynamics reduces prep time
  • Reconnaissance phase undetected
  • Ability to see damage and possible policy
    influence
  • Psychological impact
  • No attribution (or relayed attribution)
  • Obvious viability based on current open-source
    information
  • Perfect complement to CLI/CHI asymmetric attacks

4
Cyber Attacks Follow Traditional Attacks
  • Pakistan-India conflict
  • Israel-Palestine
  • Yugoslavia-NATO/Kosovo conflict
  • U.S.-China (plane/embassy/etc.)
  • Post Sept. 11 (Afghanistan, Pakistan, Iraq/Iran)
  • Dispatchers
  • Iron Guard (Hezbollah, al-Muhajiron)
  • Unix Security Guards, EHU, 4ffix
  • Future concerns regarding cyber-terror timing
  • Precede physical attacks?
  • Coordinated attacks?
  • 2002: 5.5 million service scans on DoD

5
Cyber-terrorism: Is it Real?
  • Formal terrorist statements indicating
    computer-based weapons
  • Electronic Disturbance Theatre and Class 2
    InfoWar (Corporate Information Warfare)
  • MOSES, IMP, MTN2k, Moonlight Maze
  • Who stands vulnerable? Who has been hit?

  • NYSE
  • Schwab / TDW / TSE
  • FAA
  • IRS
  • DoD
  • AEC
  • NASA
  • State Department
  • CNN
  • NOAA
  • Whitehouse
  • DOE - LLNL/LANL
  • VA
  • ATT/Verizon
  • HHS

6
Targets
  • Financial Infrastructure
    • Information poisoning
    • Trading floor corruption
    • Personal data confidentiality
  • Communications Infrastructure
    • NCS
    • Satellite / Cell / Radio
  • Military Infrastructure
    • Network service interruptions
    • GPS jamming
  • Health Infrastructure / Transportation
    • NAVCAN / runways / communications
  • Water / Power / Energy Infrastructure
    • Chlorine content, water levels, fuel levels
  • Manufacturing
    • Private exchanges / component integrity / shipping

7
Foreign States
  • Russia
    • Scanning more than 5 million DoD servers
    • Focus on manufacturing and finance sectors
  • China
    • Active IW and Critical Infrastructure recon
      effort
  • Cuba
    • Manufacturing and SATCOM focus
  • Japan
    • Known to target manufacturing
  • France
  • Germany
    • Historical U.S. industry-specific (finance,
      trade, mfg.)
  • Iraq
    • Sophisticated operation NOT in capitals, some out
      of country
  • Israel
    • Leverage connectivity to U.S. Infrastructure
      (DoD)
  • Bulgaria
    • Virus creation labs (100 per day)

8
Defining Cyber-terror
  • The premeditated, politically motivated attacks
    against networked infrastructure components,
    resulting in violence against non-combatant
    targets in furtherance of political or social
    objectives.

9
Denial of Service
  • Exploits of protocol, thus can attack the root
    connection mechanism (applicable to almost all
    communications)
  • Direct attacks, but indirect traceback
  • Indirect mobile code / agent attacks
  • Prey on perimeter mentality
  • Strike network infrastructure, regardless of VPN
  • High-profile attack targets
    • News
    • Financial
    • Cellular routers
    • Weather (telephonic systems)
  • Low-profile targets
    • National routers (October 21 TLD router DDoS)
    • Use of unprotected mail servers to act as relays

10
DNS Cache Poisoning
  • Corruption of principal name server mapping
  • Redirection of traffic
    • Redirect to bogus page
    • Null pointing (send request to nowhere or loop
      it)
    • Redirect to adversary
    • Redirect to propaganda page
  • Design of DNS-specific virus and worm
    • Can result in DoS
  • Targets include
    • Central VPN tunnel points
    • National routers (top level domains)
    • Associated Press / Reuters / CNN
    • News/Info/Communications/Weather

11
Sniffing
  • Man-in-the-middle attack
  • Collection of network traffic
  • Can compromise VPN
  • Multiple capture points gathering more than just
    username/password
  • Sniffing engines have been inserted YEARS ago
  • Covert channel with other sniffing agents
  • Data amalgamation and correlation
  • Targets include
    • Critical Infrastructure connection channels
    • Military-centric public communications channels
    • Wireless network environments

12
Session Hijacking
  • Uses sniffing for the monitoring of traffic,
    spoofing for the generation of trusted packets
  • Man-in-the-middle attack - have to be on the
    wire
  • Collection of key session data (packet sequence
    numbers, IP addresses, routing information, SNMP)
  • Attacker creates and injects his own data into
    the session, assuming the role of one of the two
    parties
  • Delete data, add permissions, alter routing maps,
    etc.
  • Once the attack has been verified, attacker can take
    over the session
  • Attacks occur between
    • Bank and client (firewall may be useless)
    • Contractor and agency (trusted router)
    • Any B2B session

13
Other attacks
  • Packet fragmentation
    • Bypass firewalls and perimeter security
    • Denial of Service
  • FTP bounce attacks
  • Trust exploitation in privileged servers
    • Targets Federal machines tied to legacy systems
  • Core dumping
  • Authentication race attacks
  • Kerberos replay attack
  • IDS Unicode bypass exploits
  • Remote Procedure Call (RPC) exploits
  • Default SNMP community strings

14
Web Deployment Vulnerabilities
  • Data harvesting
    • Statistic manipulation
    • Vti_stat
    • Favicon.ico exploit
    • Open stats pages - determine invisible networks
    • Search engines calling embedded server
      configurations
  • Leverage root compromise to launch more attacks
    • ISAPI / RDS
    • Build connectivity tables via ACL storming
    • Information modification via ASP and SSI
    • Disinformation attacks plaguing
  • Cross site scripting
  • Brute force session ID attacks
  • Majority of problems are user-based privileges

15
Directed Attacks
  • Cross Site Scripting
    • Unauthorized insertion of tags and scripts
    • Trust violation exploitation
    • SSL happens AFTER tag presentation
  • Cookie poisoning
    • Session cookie hijacking
  • SQL Injection
    • Error manipulation
    • Stored procedure calls
    • Method switching
    • Filter bypassing
  • Defeating WebIDS
    • Double HEX encoding
    • Directory traversal
    • Session splicing

16
Telephony (telecom) Attacks
  • War dialing (rogue modem access)
    • Remote Supervisory Control and Data Acquisition
      software (SCADA)
    • 1992 Oroville Dam
  • Voicemail/PBX hijacking
    • Mailboxes used to exchange cell information
    • System overrides for LD calling (Direct Inward
      System Access)
    • Scotland Yard (1996), FBI (1994)
  • Targets
    • Hydro / Nuclear / Water / Power control
    • Manufacturing
    • Emergency Services
    • HVAC (possible bio-terror?)
  • March 1997 Worcester Airport
    • Disabling loop carriers with bogus data (6 hr
      outage)
    • Disable radio transmitter to aircraft (no runway
      lights)

17
Threat Trends
  • Threats More Complex as Attackers Proliferate

18
Impact to CIP
Electrical Power
Gas Oil Storage Distribution
Banking Finance
Physical Distribution
Vital Human Services
  • Telecomm site power
  • Fuels for backup power
  • Corporate finance
  • Vehicle routes for system service response
  • Cooling water
  • 911 systems
  • Emergency response control

Telecommunications Electronic Distribution
  • Control systems
  • Emergency coordination
  • Fuels for primary or backup power
  • Corporate finance
  • Vehicle routes for system service response
  • Power to key services
  • Backup power

Electrical Power
  • Control systems
  • Comms
  • Power for systems facilities
  • Emergency backup power
  • Corporate finance
  • Vehicle routes for system service response
  • Energy for heating

Gas Oil Storage Distribution
  • Transactions
  • Control systems
  • Comms
  • Power for systems facilities
  • Emergency backup power
  • Fuels for backup power
  • Transport of canceled checks, etc.
  • Funding for emergency program responses

Banking Finance
Physical Distribution
  • Control systems
  • Comms
  • Power for systems facilities
  • Emergency backup power
  • Energy for distribution systems
  • Fuels for backup power
  • Corporate finance
  • Delivery of emergency response equipment
  • Power for systems facilities
  • Emergency backup power
  • Fuels for system support
  • Corporate local government finance
  • Vehicle routes for system service response

19
Question: "Why assassinate a politician or
indiscriminately kill people when an attack on
electronic switching will produce far more
dramatic and long lasting results?" - Walter
Laqueur
20
Creating Defenses
  • Defeating global terror demands effective
    Information Assurance
  • - Ken Percell, CIO AFMC

Today's IA is only feasible through effective
Information Intelligence and Correlation
21
Intelligence and Correlation Engines (ICE)
[Diagram: NIDS sensors and the HIDS/AppIDS agents on each
Critical Host/App feed the ICE, which drives Graphical Link
Analysis]
  • True-positives properly correlated between
    network, host, and application
  • Integrated AI-based analysis and scanning filter
  • 10s of thousands of events per day
  • 99.9% of false-positives eliminated
  • Correlations and link analysis
  • Higher quality monitoring / greatly reduced cost
    of operations
22
Cyber-Security Intelligence Collection Management
System
[Diagram: the Department top-level NSOC receives critical
security events only, supported by regional NOCs / RCERTs,
local IDS systems and emergency service systems; sample
critical infrastructure elements: water, power, government
operations, services, communications, military, finance]
  • Event traffic volume: 100s of thousands of events
    per hour at the sensor layer, critical security
    events only at the top level
  • Sensor sources: TELECOM (access, alarms);
    communications, operational and research LANs;
    App IDS, Network IDS, Host IDS; logging and
    auditing; transaction monitoring
23
Sample Connection Analysis View
24
AMS Application Security Model Supports Computer
Network Defense (CND)
  • TRIAGE
  • INCIDENT HANDLING
  • RELATIONAL ANALYSIS
  • FUNCTIONAL ANALYSIS
  • PREDICTIVE ANALYSIS

25
Application-specific Security Support at TRIAGE
phase
  • AppIDS and Appsec
  • Determine the real severity of an event as
    determined by Policy
  • Immediate correlation to other events
    (network/host/physical)
  • Verification of successful attack or system
    configuration error
  • Reduce false-positives
  • AppIDS/ICE is a fully integrated security
    management solution that can logically respond
    against known and unknown attacks
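The ICE slide and the TRIAGE slide above both describe the same idea: an event is a true positive only when the network, host and application layers corroborate each other, and its real severity comes from policy. The block below is an added toy correlation engine illustrating that logic; it is not the AMS product, and the event format, the host-criticality policy table and the sample sensor events are all constructed for this example.

```python
"""Toy ICE-style correlator: corroborate NIDS/HIDS/AppIDS events per host.
Added illustration, not the AMS product; every value below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    layer: str     # "network", "host" or "application"
    host: str      # target host the sensor reports on
    detail: str    # the sensor's own description of what it saw


# Policy: criticality of each monitored host (assumed values).
HOST_CRITICALITY = {"scada-hmi-1": "critical", "web-dmz-3": "high", "dev-box-7": "low"}

# Constructed sample sensor output (a real feed carries thousands of lines).
SAMPLE_EVENTS = [
    Event(1000, "network", "web-dmz-3", "NIDS: IIS unicode traversal request"),
    Event(1003, "host", "web-dmz-3", "HIDS: cmd.exe spawned by inetinfo.exe"),
    Event(1004, "application", "web-dmz-3", "AppIDS: file read outside webroot"),
    Event(1100, "network", "dev-box-7", "NIDS: port scan"),
    Event(2000, "network", "scada-hmi-1", "NIDS: SNMP set with default community"),
    Event(2002, "host", "scada-hmi-1", "HIDS: routing table modified"),
]


def correlate(events, window=30):
    """Cluster events per host within `window` seconds. A cluster is a
    true-positive incident only when two or more sensor layers agree;
    single-layer alerts are returned separately as low-confidence."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    incidents, low_confidence = [], []
    for host, evs in by_host.items():
        cluster = []
        for e in evs:
            if cluster and e.ts - cluster[0].ts > window:   # window expired
                _emit(host, cluster, incidents, low_confidence)
                cluster = []
            cluster.append(e)
        _emit(host, cluster, incidents, low_confidence)
    return incidents, low_confidence


def _emit(host, cluster, incidents, low_confidence):
    layers = {e.layer for e in cluster}
    if len(layers) >= 2:   # corroborated across layers: real severity from policy
        incidents.append({"host": host, "layers": sorted(layers),
                          "severity": HOST_CRITICALITY.get(host, "unknown"),
                          "evidence": [e.detail for e in cluster]})
    else:                  # uncorroborated: candidate false positive, keep for review
        low_confidence.extend(cluster)
```

Tightening `window` or requiring all three layers trades recall for a lower false-positive rate; the policy table is what turns an identical signature on a SCADA host and a dev box into different severities.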

26
Support at INCIDENT HANDLING Phase
  • Support of escalation procedure (adhere to
    organizational policy)
  • Enable/support corrective action
  • Architecture reconfiguration
  • Targeted connection termination
  • Verify response effectiveness
  • Malleable format report generation
  • Impact analysis

27
Support at RELATIONAL ANALYSIS Phase
  • Determination of attack pattern
  • Event correlation and active linking of
    event/source
  • Active recommendation for next steps
  • Defensive action
  • Offensive action

28
Support at FUNCTIONAL ANALYSIS Phase
  • Recursive monitoring of IDS activity
  • Storage and verification
  • Ranking (categorizing) relevant to stored threat
    knowledge (from DBs)
  • Fulfill DB contribution protocols (reporting)

29
Predictability Analysis
  • Increased granularity in attack recognition
  • Immediate application-specific response
  • Fingerprint by action, not source or signature
  • Fully supportive of profile continuity
  • Updates master profile using anomaly-based logic
  • Verifies trust relationships with other
    applications/hosts

30
Intelligence and Correlation Supporting
Predictive Analysis
  • Provide All Source and Monitoring Tool data
    to Event/Incident Profile/Vulnerability DBs
  • APIs connect effectively with OeSP-like engines
  • Can develop Link-node granular data
  • Auto-correction of policy and defenses
  • Will push to any analysis tool (Advizor, Watson
    Pro, Starlight)

31
Infrastructure Collaboration and Reporting
Environment
  • SUMMARY ISSUES
    • Low performance
    • Insecure communications
    • No interoperability
    • Increased capital investment
    • No transaction integrity

[Diagram: corporate application systems, a government
agency application system and a partner application
system, each with its own PKI system, access control
system, crypto engine and other security system]
32
Infrastructure Collaboration and Reporting
Environment
  • SUMMARY BENEFITS
    • Reduced effort
    • Reduced cost
    • Secure interoperability
    • Secure data transmission

[Diagram: the same corporate, government agency and
partner application systems, PKI systems, access
control system, crypto engine and other security system,
now connected through CMS Brokers]
33
Infrastructure Collaboration and Reporting
Environment
[Diagram: legacy application systems, custom enterprise
applications and purchased application packages (J2EE,
.NET) such as CRM, sales order management, ERP and
customer billing connect through a rules-driven CMS
Broker to the web server and web applications facing
the Internet]
34
Summary
  • Continued deployment of COTS product will
    contribute to problem
  • Intelligence and Correlation provide effective
    interpretation of security data
  • The technology to support ICE efforts and CND are
    available today
  • Senior level awareness is critical to success

35
Thank you
  • Mark Fabro, CISSP
  • Chief Security Scientist, Enterprise Security
    Group
  • Mark.fabro_at_ams.com