No Slide Title
Download
Report
Transcript No Slide Title
College of Aerospace
Doctrine, Research,
and Education
Information
Attack
IW -160
AF Information Operations
INFORMATION OPERATIONS
INFORMATION IN WARFARE
gain
INFORMATION WARFARE
defend
exploit
attack
COUNTERINFORMATION
ISR
WEATHER PRECISION
NAV
OTHER INFO COLLECTION/
DISSEMINATION ACTIVITIES
(Transmission, Storage,
Public Affairs)
DEFENSIVE
COUNTERINFORMATION
Information CounterAssurance Intelligence
OPSEC
Electronic
Protection
CounterPSYOP
CounterDeception
OFFENSIVE
COUNTERINFORMATION
Electronic
Warfare
PSYOP
PSYOP
Deception
Physical
Attack
Information
Attack
Overview
• Definition
• The Threat
• The Arsenal
• Defensive Measures
Information Attack
AFDD 2-5
...activities taken to manipulate or destroy an
adversary’s information or information
systems without necessarily visibly changing
the physical entity within which it resides.
Information Attack Benefits
Used not only in combat, but also before. It offers …
• Ability to incapacitate an adversary early
• Reduce collateral damage
• Prevent adversary and friendly losses
Information Attack capabilities and tools can
save conventional sorties for other targets
Information Attack Types
• Indirect
– Effects the adversary’s perception, interpretation,
and action by creating an information source
– Depends on the adversary’s decision process
• Direct
– Alters the adversary’s information
– Does not depend on the adversary’s decision
process
Information Attack Goals
• Alter information to affect decision making
• Destroy the enemy’s confidence in the system
• Force an adversary to use less technical, and in
most cases, less secure means to disseminate
critical information
• Allow information to be exploited by friendly
forces.
The Threat
•
•
•
•
•
•
EXTERNAL
INTERNAL
Terrorists
Drug-traffickers
Organized crime
Transnational
Nation-State actors
Hackers / Crackers /
Crooks
• Disgruntled employees
• Agents
• Unintentional errors
The Military Threat
Formal, state-sanctioned offensive IW programs
ongoing in Russia, China, France, India, Israel,
and Cuba
National Intel Estimate
Development of Russia’s IW capability is second only
to nuclear weapons in importance to future
Russian military security
Boris Yeltsin
Tomorrow’s terrorist may be able to do more damage
with a keyboard than with a bomb
National Research Council Report
The Adversary
All sorts of people want to get your info
- Curious
- Hackers / Crackers
- Telephone phreaks
- Crooks
WHY?
why NOT?
Why would the bad guys not do awful
things when we can’t catch them?
- Think Attitude
- Think Youth
- Think anonymous remote control
- NOW ...
- Think about our Adversaries
- Think about our VULNERABILITIES
Hacked Web Sites
TOTAL DEFACEMENTS…c/o www.attrition.org
Hacked Web Sites
DEFACEMENTS per DAY…c/o www.attrition.org
DOJ Homepage
Hacked - 17 Aug 96
CIA Homepage
Hacked - 1 Nov 96
AF Homepage
Hacked - 29 Dec 96
This is what your gov’t is doing to you everyday
Disguised Attacks
“ Hackers are scapegoats….. Hackers are also
far too loud and attention-seeking to be
anything more than an annoyance, because
they always end up talking or drawing
attention to themselves somehow. Industrial
spies and saboteurs do not. You will never see
them, you will never know they were there.”
Chris Goggans ( aka Bloodaxe )
The Arsenal
Clandestine Machine Code
Mercenaries
Repeat Dialers
(Denial of Service)
Trapdoors
Sniffers
Chipping
Malicious Software
Clandestine Machine Code
• Allows programmers to insert code into the
system that creates trapdoors; usually harmless
- Word
- Excel
- what else?
http://www.EEGGS.com
Mercenaries
• Terrorists have entered the information age
• During the Gulf War Mercenaries contacted
Sadam Hussein
– Offered to sell Sadam valuable info on the U.S.
and its allies logistic trails
– Sadam refused
– He didn’t appreciate the value of information
Repeat Dialers
Denial of Service (DOS)
• Explicit
by attackers to prevent legitimate
Errorattempt
502
users
of a service
service
Remote
server from
downusing
or notthat
responding.
- attempts to flood a network, preventing legitimate network
traffic
- attempts to disrupt connections between two machines,
preventing access to a service
- attempts to disrupt service to a specific system or person
Client
Server
SYN
SYN-ACK
ACK
Trapdoors
(aka Backdoors)
• Mechanism that’s built into a system by its
designer
- provides a way to sneak back into the system,
circumventing normal system protection
- what if …all US software could be equipped with a
trapdoor that would allow IW agencies to explore systems
and the stored data on foreign countries?
Sniffers
• Essentially a program that eavesdrops on network
traffic. A sniffer looks for packets carrying login
information
- they run “silently”; the software is simply watching
packets go by without sending anything itself
- they are essentially packet analyzers; common tools that
have been in world-wide use for years
Chipping
• Making electronic chips vulnerable to destruction
by designing in weaknesses
- the chips could be built to so they fail after a certain time
- blow up after they receive a signal on a specific frequency
- send radio signals that allow identification of their exact
location
How do we get the “right” people to use the affected chips?
Malicious Software
• Virus: code fragment that copies itself into a
larger program, modifying that program
- ‘86 = less than 10 known
- ‘97 = 14,137+
- ‘90 = new one every 2 days - ‘98 = 21,000+
- ‘95 = 6,800+
- ‘99 = 2,000,000+
• Trojan Horse: code fragment that hides inside a
program and performs a disguised function
• Logic Bomb: a type of Trojan Horse, used to
release a virus, a worm or some other system
attack
Scanner Shortfalls
• No scanner is 100% accurate or effective
– They can only detect known viruses
• New viruses appear daily and may be undetectable
– Updates to software are usually every month to
month-and-a-half
Computers and Networks
Every
military
capability
depends on
computers
and
networks in
one way or
another!!
Why do it?
"I don't care how many millions of dollars
you spend on hardware, if you don't have
people trained properly I'm going to get in
if I want to get in.”
Hacker, Cyberpunk Magazine
Organizations
AF Network Control Center
HQ
Firewall
Internet
AFNCC
•Controlled Connectivity
•Network Monitoring
AF NCC
• Single focal point for base network operations
• Performs fault, performance, configuration,
accounting, network and security management
• Monitors networks for suspicious activity
• Reports incidents, data, and technical problems
to MAJCOM and AFIWC
• Provides boundary protection, intrusion
detection, internal controls, recovery from
damages, and protection from denial of service
attacks
Air Force Computer Emergency Response Team
Indications
&
Warning
ASIM/Intrusion
Detection
JTF - CND
AFOSI
CERTs
AFNOC
Other
Incident Response/Recovery
Base Suspicious
Activity Reports
Threat
Team
Assessment
Teams
Countermeasures
Team
Automated Security Incident Measurement System
ASIM
Detect and identify network intrusive activity . . .
. . . in time to prevent impact on
Air Force Operations!
AF NETWORK TRAFFIC
5-7 Billion Events Annually
368 Million Suspicious Connections
ASIM Captured Event
ASIM Event Assessment
2.6 Million Transcripts
1.4 Million Transcripts Evaluated
Suspicious Event Reports
2474 SERs
Validate
AFCERT Analysis
Base Validation
71 Incidents
in 1999
False Positive
Denial of Service
5
2
Poor Security False Intrusions
5
3
User Intrusions
Root Intrusions
22
34
In 1999, hidden in 368 million suspicious connections on Air Force Networks
were 71 incidents that attempted to disrupt or exploit Air Force Operations!
On-Line Survey (OLS)
AFCERT Operations
Structured Threat
Close and
lock the front doors . . .
. . . to protect bases worldwide
...
Base POC
. . . against exploitation
and disruption!!
Unstructured Threat
On-Line Survey (OLS)
• Detect system vulnerabilities
• Assess base ability to identify and report
suspicious activity
• Advise MAJCOM/SC and commander of
results within a week of survey completion
• Encourage MAJCOMs and bases to
conduct surveys
• Exercise Air Force IP capabilities
Incident Response (IR)
Air Force Response Forces
AFCERT Incident Response (IR) Personnel
Countermeasure Engineering Team
Computer Security Engineering Team
Major Command Network Operations and Security Center (NOSC)
AF (Base) Network Control Centers
AF Office of Special Investigations
Attacker! Need Help!
Base
AFCERT
Attacker
Incident Response (IR)
•
•
•
•
Analyze unauthorized network activity
Confirm incident details with base
Notify AFOSI and DOD CERT
Develop and recommend course of action
Secure and recover
Monitor base recovery
Remote recovery assistance
Deploy to assist base recovery
Pursue
Fishbowl with law enforcement operations
Law enforcement operations only
AFCERT
Interfaces
Threat Support
Service CERTs
Information Warfare Flight
JTF-CND
AF Network Control Center
AF Major Command
DOD CERT
Standard Systems Group
CERT
AF Network Operations Center
AFOSI
FIRST
LEGEND
DOD
Air Force
Civilian
Summary
• Definition
• The Threat
• The Arsenal
• Defensive Measures