Infiltrated dot Net

Nine Deadly Cyberwarfare Sins
Written by Jesus Oquendo   

According to the National Military Strategic Plan for the War on Terrorism (NMSP-WOT) [1], "terrorist and other adversary networks comprise nine basic components: leadership, safe havens, finance, communications, movement, intelligence, weapons, personnel, ideology." Under the often abused term "cyberwarfare," many of those components are not necessarily needed, trusted or even used. Definition-wise, cyberwarfare is a term that means different things to different individuals; all of them are correct and all of them are wrong. The public sector and the media will usually describe a denial of service as an "act of cyberwarfare," yet these attacks are in most cases nothing more than a nuisance. By the same token, a denial of service made up of repeated calls to an emergency center (911) could and perhaps should be categorized as an act of cyberwarfare: in that type of attack the results could be catastrophic, because legitimate emergency calls will be hindered. In any event, cyberwarfare in this writing will simply be defined as an act of aggression, regardless of whether that aggression stems from a nation state, a rogue activist group or a bored teenager.

By defining cyberwarfare in such a broad scope, we can begin to see that there are many problems associated with cyberwarfare and with identifying attackers. If identification were that simple, compromises of systems across the world would dwindle: hackers would see arrests being made and perhaps think twice about compromising a system. The more likely reality is that attackers would grow more sophisticated. We need to remember that rules and laws mean nothing to someone who does not care to play by the rules or follow the laws. There are laws against murder, extortion, trespassing and so on, yet people continue to murder, extort and trespass. The same logic applies in the "electronically connected" domain we call "cyber."

Leadership

Breaking down the NMSP-WOT's "nine basic components" in an effort to make sense of how they apply to the "cyber" realm, I begin with leadership. Historically, wars have been fought physically; actors were known and targets were somewhat visible. In the "cyber" domain, a target is usually nothing more than a number, an Internet Protocol (IP) address. Because we assume that an IP address is some form of identifier, we end up with a predefined and often impossible conclusion: "Nation State X attacked us; we know so because we tracked down the IP address and it comes from their country." Assume for a moment that an individual inside Nation State X did indeed attack a machine in our infrastructure. There is little to no indication as to who from that nation state was involved, what they were after, or why they began attacking us in the first place. All that can be inferred is that an attack came from an address allocated to Nation State X, and to blame Nation State X on that basis alone could be not only dangerous but absurd.

Imagine the following incident: Nation State X launches a "cyberwarfare" campaign against the Pentagon in retaliation for what they perceive as attacks FROM the Pentagon and other government networks within the United States. Would this be an offensive act by Nation State X or a defensive one? The reason they would do so is the same reason we need to think about and exercise caution when "naming names": they used an IP address as an identifier. From Nation State X's perspective, five sites in the United States targeted their infrastructure, and they retaliated against us: secureweb2.hqda.pentagon.mil [2], www.quantico.usmc.mil [3], armyg1-dev-intranet.hqda.pentagon.mil [4], dccw.hqda.pentagon.mil [5], dol.hqda.pentagon.mil [6].

Because those sites [2-6] were compromised in some form, an attacker could have launched an attack aimed at Nation State X from any of those five machines. The result is that Nation State X and the United States government are both victims: the attack was aimed at Nation State X, which responded with a counter cyberattack. See the dilemma? Reliance on an IP address as an identifier is a horrible, dangerous and reckless practice. We cannot identify the leadership of any cyberwarfare attack using an IP address. So what alternatives might we look for? To answer this, I will create a fictitious company called "Generic Organization."

Generic Organization builds airplanes with special engines. It has four competitors vying for contracts from a government agency that is seeking airplanes with ... special engines. Because Generic Organization is the frontrunner for the bid, it is likely to be targeted by a competitor for industrial espionage purposes. The same rules apply to governments, at least from my perspective. In a conventional war there will be casualties; in a "cyber-war," those casualties will likely be non-existent. In a conventional war, most superpowers still have deterrents: nuclear weapons, financial fallout and so on. In a cyberwar there are no deterrents, only imagined ones, because for an attacker anonymity reigns supreme. Any deterrent one can think of does not apply on the cyber battlefield.

Generic Organization does have a bit of a trump card it can use to determine whether or not a specific competitor is targeting it, but it may not be versed in using that trump card. Because competitors are likely to be targeting a specific item, perhaps the plans for the engine, Generic Organization can set up a false flag server with bogus copies of that data. The administrators of Generic Organization can redirect visitors from a suspect network to it and analyze who connects from where, what browsers are used and what data is sought. The same applies to governments in cases of espionage; the server configuration is not difficult. Jumping slightly to the technical side, here is how Generic Organization could accomplish this using mod_security (the 1.x SecFilter syntax is shown; ModSecurity 2.x expresses the same thing with SecRule). We will place Rogue Corporation at 10.100.200.10 and create a chained rule that redirects requests from that address for the real file to a bogus one. The configuration:

<IfModule mod_security.c>

# ModSecurity 1.x: the three filters are chained, so all must match before the
# redirect fires. Anchor the address with ^ and escape the dots; an unanchored
# "10.100.200.10$" would also match 110.100.200.10 or 10x100x200x10.
SecFilterSelective REQUEST_METHOD "^GET$" chain
SecFilterSelective REQUEST_URI "^/secret\.txt" chain
SecFilterSelective REMOTE_ADDR "^10\.100\.200\.10$" redirect:http://genericorganization.com/bogusfiles.txt

</IfModule>

Normal visitors will be served secret.txt, while anyone coming from 10.100.200.10 will be redirected to http://genericorganization.com/bogusfiles.txt. This only works because we know where the attackers are coming from, but it shows that we can cherry-pick what each visitor to our servers is sent. We will never fully know who is behind an IP address, but we can gather more information. For example, we know that Rogue Corporation is based somewhere outside of the United States, let us say China; what do our records say? The redirected request shows up in the Apache access log as follows:

10.100.200.10 - - [02/May/2011:13:12:34 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110319 Firefox/3.5.18 (.NET CLR 3.5.30729)"

What is the red flag in the above connection? What is it we need to home in on? Here is another entry, the same connection retrieving the same file:

10.100.200.10 - - [02/May/2011:13:12:34 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.18) Gecko/20110319 Firefox/3.5.18 (.NET CLR 3.5.30729)"

If you haven't noticed the difference, it is in the language tag of the browser: en-US versus zh-CN. The first visitor's browser is an English build; the second is Chinese. Note that in a Gecko user agent string of this vintage the tag is the locale the browser was built with, not the Accept-Language header that states what the user actually prefers; if you want that too, add %{Accept-Language}i to your LogFormat. There is a huge difference when analyzing data, and because an IP address is what it is, we need more than an initial "They came from country X." Hence leadership being difficult to place. Even if a browser's locale is Chinese, nothing stops an attacker from changing it; still, we now have two potentially identifying bits of information, yet no method of attributing leadership.

Now speaking from a forensic, incident response, analyst role: timing is everything. Unless one can act on an IP address immediately, the information is somewhat useless, unless of course the attacker is consistent and keeps coming from the same address. If one cannot act in real time, which is almost impossible, the effort will usually be worthless. Even if the attacker did re-use the same address, there is a high likelihood that the attacking machine is itself compromised. The theory being that a skillful attacker would not re-use the same entry points; that would be absurd, similar to an attacker painting a target on themselves. Dilemmas galore.

Leadership is a tough area in which to make sense of data. All we know is that a connection is being made from one machine to another. We can speculate, but there is a high likelihood we would be wrong. Take for example the case of Gary McKinnon [7], who compromised networks in NASA in search of UFO material. From an incident response perspective, there was likely an immediate identification based on an IP address. That would be the obvious choice, but what might a system engineer at NASA have thought had they seen a connection coming from the Pentagon? The same rules apply when it comes to identifying a server in, say, Nation State X's infrastructure. They just might NOT be the leaders you think they are. While McKinnon burrowed his way through NASA, what would have happened if he had pivoted through machines in China? Would China have been hacking NASA?

Suffice it to say, we know, or at least we are told, that North Korea is constantly attacking South Korea with cyberattacks [8]. I do not doubt that this is really the case, but it should be known as fact and remembered: anyone can be anyone else anywhere else online. There is no mechanism to "unmask" a perpetrator in the fashion one would for, say, someone who pulled off an armed robbery. In that instance there are physical identifiers: "he was about 6' weighing 200lbs... He was Caucasian, I saw his skin through the mask." There are no concrete identifiers on the Internet.


Safe Havens

As indicated previously [2-6], the entire world is a safe haven for a "cyber" attacker. Because there are so many insecure networks, attackers have a wide range of points to attack from. Those compromised machines are as much a victim as the victim of the actual attack. Financially, it would be impractical, costly and time consuming to chase ghosts on the wire, but this does not mean that an analyst should overlook them. An analyst must determine what data is relevant and what is not, which is a costly and time consuming process. It is not a static process and must be revised constantly. It must be noted, if not already obvious, that in computing we are talking about millions of pieces of data versus the hundreds or thousands that a non-computing analyst may be used to. While there are plenty of programs capable of parsing data, none are capable of common sense or intuition.

Because it would be difficult, time consuming and costly to sit around parsing much of the information generated by computers (log files, checksums and so on), this data can be minimized with proper defenses in place. Going back to the Generic Organization example, we can state the following: "Generic Organization does business with the following regions: Europe [9] and Latin America [10]." With this bit of information we can create a modified defense plan: allow connections from those regions and block all others. Using Linux as an example, I will fetch the address blocks allocated to those regions' registries and block all others:


/ BEGIN

site=http://bgp.potaroo.net/ipv4-stats/allocated-

# Turn one registry's allocation page into ACCEPT rules for the web ports.
# The page is untrusted input: only lines that reduce to a well-formed
# a.0.0.0/n prefix are handed to sh, so headers, markup or a tampered
# response produce nothing rather than getting executed. The sed step only
# turns "a/8"-style entries into a.0.0.0/8, which is the granularity this
# script works at.
allow_rir () {
    wget -qO - "$site$1.html" |
    awk -F ">" '{print $2}' |
    grep -v "<\|IPv4" |
    sed 's:/:.0.0.0/:g' |
    grep -oE '^[0-9]{1,3}\.0\.0\.0/[0-9]{1,2}' |
    awk '{print "iptables -A INPUT -s " $1 " -p tcp -m multiport --dports 80,443 -j ACCEPT"}' |
    sh
}

allow_rir ripe
allow_rir lacnic

# Everything else to the web ports is dropped. -A appends, so keep this last.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

/ END

These rules only allow addresses allocated by RIPE [9] and LACNIC [10] to reach the web ports while blocking all other connections. Two caveats: the script works at /8 granularity, so this is a coarse filter, and registry regions are not countries (RIPE, for instance, covers Europe, the Middle East and parts of Central Asia). Using the above defense as a starting point, I can begin to filter the noise. I can now isolate specifics, and any data coming in thereafter will likely hold more weight. In my company example, I stated that Rogue Corporation was based in China, and I now know that any direct connections from its network will be blocked. However, this does not defend against someone using a proxy server or compromised host inside an allowed region, nor will these generic rules block a client side attack [11] from any trusted country. Still, beginning with some form of defensive framework, I may have the capability of getting a better glimpse of a potential attacker. After all, if I see a connection coming from, say, Germany where the browser locale is Chinese, that to me would indicate that the information I am now seeing is worth investigating a little more. So safe havens do not really apply in this realm (cyber), and while I can seek ways to use captured data to my advantage, that data too has too many flaws to be taken seriously on its own.
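As an added example that is not part of the original article, the following Python script performs the log review described in the Leadership section and again here: it parses Apache combined-format lines, keeps only fetches of the decoy file (which only a redirected visitor should ever request), pulls the locale tag out of the user agent string, and flags fetches whose locale does not fit the network the request came from. The prefix-to-locale table and the log lines are constructed for illustration; the two Rogue Corporation entries mirror the ones shown above. In a real deployment, log the Accept-Language header as well, since the user agent tag only reflects the browser build.

```python
# Added example (not code from the original article): parse Apache combined
# log lines, keep fetches of the decoy file, and flag source/locale mismatches.
# The network-to-locale table and the sample log lines are constructed.
import ipaddress
import re
from typing import Optional

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Gecko user agents of this vintage carry the build locale between semicolons:
#   "... Windows NT 5.1; en-US; rv:1.9.1.18) ..."
UA_LOCALE = re.compile(r';\s*([a-z]{2}-[A-Z]{2})\s*;')

DECOY_PATH = "/bogusfiles.txt"

# Constructed assumption: the source networks we know and the locale tags that
# are unremarkable for each. Anything outside the table is "unknown".
EXPECTED_LOCALES = {
    ipaddress.ip_network("10.100.200.0/24"): {"en-US"},           # Rogue Corporation (article)
    ipaddress.ip_network("10.200.0.0/16"):   {"de-DE", "en-US"},  # hypothetical German customer
}


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    rec["status"] = int(rec["status"])
    loc = UA_LOCALE.search(rec["ua"])
    rec["locale"] = loc.group(1) if loc else None
    return rec


def expected_locales(ip_str: str) -> Optional[set]:
    """Locale tags considered normal for the network the address falls in."""
    ip = ipaddress.ip_address(ip_str)
    for net, locales in EXPECTED_LOCALES.items():
        if ip in net:
            return locales
    return None


def decoy_hits(lines) -> list:
    """Every fetch of the decoy is worth a look; return (ip, locale, verdict)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != DECOY_PATH:
            continue
        ip, locale = rec["ip"], rec["locale"]
        expected = expected_locales(ip)
        if expected is None:
            verdict = "unknown source network"
        elif locale is None:
            verdict = "no locale tag in user agent"
        elif locale not in expected:
            verdict = f"locale {locale} unexpected for network (expected {sorted(expected)})"
        else:
            verdict = "locale as expected"
        findings.append((ip, locale, verdict))
    return findings


# Constructed sample: the two entries from the article, a normal visitor, and
# two further decoy fetches from other networks.
SAMPLE_LOG = [
    '10.100.200.10 - - [02/May/2011:13:12:34 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.18) Gecko/20110319 Firefox/3.5.18 (.NET CLR 3.5.30729)"',
    '10.100.200.10 - - [02/May/2011:13:12:34 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.18) Gecko/20110319 Firefox/3.5.18 (.NET CLR 3.5.30729)"',
    '10.200.1.5 - - [02/May/2011:13:15:02 -0500] "GET /secret.txt HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"',
    '10.200.1.5 - - [02/May/2011:13:16:40 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"',
    '192.0.2.7 - - [02/May/2011:13:20:11 -0500] "GET /bogusfiles.txt HTTP/1.1" 200 200 "-" "curl/7.21.0"',
]

if __name__ == "__main__":
    for ip, locale, verdict in decoy_hits(SAMPLE_LOG):
        print(f"{ip:15} {locale or '-':6} {verdict}")
```

Feed it the real access log with `decoy_hits(open("/var/log/apache2/access.log"))` and replace the table with the prefixes you actually expect traffic from; every row it prints is a visitor who reached the decoy, and the mismatched rows are the ones to pull full packet captures for.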

Finance

Unlike conventional wars, there is little to no cost to starting a "cyber" war, at least with regard to denial of service attacks. The cost of "television based" cyberwarfare, on the other hand, would be phenomenal. By "television based" cyberwarfare, I mean the attacks often seen in movies [12]. Assume for a moment that I wanted to launch a television based attack on Christmas Island [13]. What would I need to accomplish movie-like goals? I would want to control their water, financial and emergency systems. I would need to understand what systems they have in each facility and what software runs on those systems, and I would then need specific exploits for them. Let's assume that there is Software A running on a Windows 2003 server. I would need to 1) get into the Windows machine and 2) exploit something on it: two simple steps, yet at what cost? The same goes for the financial and emergency systems: access to the machine and an exploit FOR the machine. In the real world, this would not pan out. It would likely be too costly and too big a project to manage.

Financially, I could spend huge sums of money and time figuring out how to exploit, say, System Z running Software B, but there is no guarantee that installations will be symmetrical across Christmas Island. Even if they were, symmetry across the differing realms I need to attack (water, finance and emergency services) would likely be non-existent. As an attacker, I would need multiple types of exploits, multiple mechanisms to covertly control these systems and something to bind it all together when I needed to attack, unless of course I have hundreds of bodies clicking a mouse simultaneously. After I have all of those systems compromised and under my control, I need to make sure any backup, secondary and tertiary systems are also compromised. This ensures that if they pull the plug on one machine, I will control the next ones without having to go back and re-compromise. Under a government sponsored "cyberwarfare team" this can probably be accomplished, but the likelihood of it remaining secret is sketchy. The cost to maintain it: phenomenal.

The programming, networking and social engineering involved with this type of "cyber theme" would have to be top-notch and well-funded, not to mention that the utmost loyalty and secrecy would be needed from anyone involved with the program. Any hiccup and all of the planning and financing would go down the drain. One can assume that all forms of finance are being poured into "cyberwarfare" from the offensive perspective, but I believe that real world deterrents dictate the only outcome: a losing one. Across the entire globe, it will be a lose-lose situation. We need to think about facts: in a well designed system, I can pull the network cable on a machine in an instant, and since it is properly designed, its backup will take over. Little nuances like this must be remembered as well, otherwise, as the Internet meme goes, "You're Doing It Wrong." If someone attacked an entire infrastructure, in order to make it a home run, perfect compromise, they had better make sure any backup or secondary machines are also infected. Otherwise, again, if the plug is pulled, the attacker's connection is gone. Money down the tubes.

Non-state actors are more difficult to gauge when it comes to finance. While state actors can be audited through the banking system (irregular transfers between countries and or individuals), this does not apply to activist groups, terrorist groups and so on. Here is another example: at any point in time we can estimate, quite conservatively, that there are, say, fifty thousand attackers targeting the Pentagon. If at least five percent of those attackers are "advanced," we have 2,500 attackers. If each of those 2,500 spent one work week (40 hours) sharpening their attack skills, at the US federal minimum wage of $7.25 an hour their combined budget would be $725,000.00. The reality is that many attackers spend much more time honing their skills, and there are many more attackers to contend with. This money, however, is non-existent; there is no paper trail. All there is, is time spent by attackers, which collectively would overwhelm any defense industry. This is coupled with the fact that, depending on the attack, I could launch thousands of hours' worth of attacks in minutes.

Thousands of hours' worth of attacks in minutes?!? Suppose I have a machine with an application capable of placing a telephone call every second. Now suppose I launch ten instances of this application. You would receive ten calls per second, six hundred calls per minute, if I attacked your number. The same rules apply to attacks such as a denial of service (DoS) attack. Calculating the finances behind a cyber attacker is likely to be riddled with huge gaps and errors; namely, we still have no idea who an attacker is, why they are attacking and where they are attacking from. What we are left with is fuzzy math.

Communications, movement

Communications, as shown throughout some of my writings, are a hard topic to cover. It has been established and proven that an attacker can be anyone they want to be. While we should monitor the communications to and from our machines, unless you have access to ECHELON, what can you really do? Even if you did have access to ECHELON, there are hurdles like encryption, steganography and other covert channels to overcome. Movement does not apply in cyberspace. One could make an allusion to an attacker changing an IP address as movement, but a skillful attacker will be adept at being covert. They will likely never connect to a target from an infrastructure, computer or network they own. After all, this is placing a target on themselves.

Intelligence

Intelligence was explained in "Advanced Analysis - Fail" [14] and "Cyberwarfare Analysis - You're Doing it Wrong" [15]. No need to re-invent the wheel.

Weapons

Weapons can be anything and everything online. Protocols are protocols, and they rarely change. What this means is that one needs to start understanding attack vectors at the protocol level as opposed to the "medium used to deliver the attack" perspective. From 1998 through 2000, I started a theoretical document I called "Theories in DoS" (Denial of Service), in which I theorized about protocol level attacks against networking as a whole. At the time I had begun CCIE studies at the book level, and I was fascinated at how the technology interconnected yet puzzled at how engineers came to overlook so many risks. I created a "proof of concept" tool I called TIDCMP.c whose purpose was to disconnect two machines from each other.

Within IP, the protocol, there is the Internet Control Message Protocol (ICMP). ICMP's main purpose is maintenance and error messaging. One particular type of message caught my eye: an ICMP Type 4 message, otherwise known as a source quench [16]. A source quench basically tells another machine: "slow down, I'm taking too much information..." At the time, I wondered what would happen if, as an attacker, I sent each of two machines a message claiming to be from the other: "hey slow down, I can't take any more data..." I am sure that at the time source quench messages made sense for slow networks, but in today's networks there technically is no need for this type of message. That was well over 10 years ago, yet only about three years ago I saw an operating system developer decide that it was about time to remove source quench handling. The purpose of these last two paragraphs was to make a point: if you understand the protocol levels, attacks are easier to create and easier to defend against. Anything can be a weapon online.
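To make the protocol point concrete, here is an added example in C; it is not the TIDCMP.c tool described above and not code from the original article. It assembles the ICMP part of a spoofed source quench aimed at a TCP connection between two hosts (the quoted IP header plus the first eight bytes of a segment, which is where the ports live) and implements the lookup a receiving host that still honours type 4 would perform. Two things follow from the layout: the attacker needs the full address and port 4-tuple of the pair it wants to throttle, and nothing in the message authenticates the sender. The addresses and ports are constructed; nothing is sent on the wire. RFC 6633 (2012) deprecated source quench and directs hosts to ignore it, which is the actual defence.

```c
/* Added example, not the article's TIDCMP.c: build the ICMP part of a spoofed
 * source quench (type 4) aimed at one side of a TCP connection, and the lookup
 * a receiving host that still honours type 4 performs. Addresses and ports
 * are constructed; nothing is transmitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ICMP_SOURCE_QUENCH 4
#define PROTO_TCP 6

/* Wire layouts; all fields naturally aligned, so no padding is inserted. */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};
struct icmp_hdr { uint8_t type, code; uint16_t check; uint32_t unused; };
#define SQ_LEN (sizeof(struct icmp_hdr) + sizeof(struct ipv4_hdr) + 8)

/* RFC 1071 checksum. Summing 16-bit words in host order and storing the
 * result unconverted is endian-independent; a buffer that already carries
 * its checksum sums to 0, which is how the receiver verifies it. */
uint16_t inet_checksum(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t sum = 0;
    uint16_t w;
    for (; len > 1; len -= 2, p += 2) { memcpy(&w, p, 2); sum += w; }
    if (len) { w = 0; memcpy(&w, p, 1); sum += w; }
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* out <- ICMP header (8) + quoted IP header of a segment the victim "sent"
 * (20) + that segment's first 8 bytes (TCP ports, sequence number). Addresses
 * in network order, ports/seq in host order. Returns bytes written, 0 if out
 * is too small. The outer IP header is left to the raw socket and not built. */
size_t build_source_quench(uint8_t *out, size_t out_len,
                           uint32_t victim_saddr, uint32_t victim_daddr,
                           uint16_t victim_sport, uint16_t victim_dport,
                           uint32_t victim_seq)
{
    struct icmp_hdr icmp = { ICMP_SOURCE_QUENCH, 0, 0, 0 };
    struct ipv4_hdr inner = { 0x45, 0, htons(40), 0, 0, 64, PROTO_TCP, 0,
                              victim_saddr, victim_daddr };
    uint16_t sp = htons(victim_sport), dp = htons(victim_dport), csum;
    uint32_t seq = htonl(victim_seq);

    if (out_len < SQ_LEN)
        return 0;
    inner.check = inet_checksum(&inner, sizeof inner);
    memcpy(out, &icmp, sizeof icmp);
    memcpy(out + 8, &inner, sizeof inner);
    memcpy(out + 28, &sp, 2);
    memcpy(out + 30, &dp, 2);
    memcpy(out + 32, &seq, 4);
    csum = inet_checksum(out, SQ_LEN);     /* covers header and quoted data */
    memcpy(out + 2, &csum, 2);
    return SQ_LEN;
}

/* Receiving side: map the quoted header and ports back to a local connection.
 * The attacker therefore needs the full 4-tuple; the quoted sequence number
 * was never checked for source quench, and nothing authenticates the sender. */
int source_quench_matches(const uint8_t *pkt, size_t len,
                          uint32_t local_addr, uint32_t peer_addr,
                          uint16_t local_port, uint16_t peer_port)
{
    struct ipv4_hdr q;
    uint16_t sp, dp;
    if (len < SQ_LEN || pkt[0] != ICMP_SOURCE_QUENCH || pkt[1] != 0 ||
        inet_checksum(pkt, len) != 0)
        return 0;
    memcpy(&q, pkt + 8, sizeof q);
    if ((q.ver_ihl >> 4) != 4 || q.protocol != PROTO_TCP)
        return 0;
    memcpy(&sp, pkt + 28, 2);
    memcpy(&dp, pkt + 30, 2);
    return q.saddr == local_addr && q.daddr == peer_addr &&
           ntohs(sp) == local_port && ntohs(dp) == peer_port;
}

/* Constructed demo pair 10.0.0.1:443 <-> 10.0.0.2:51000, kept in a global so
 * the bytes can be inspected after building. */
uint8_t demo_pkt[64];
size_t demo_build(void)
{
    return build_source_quench(demo_pkt, sizeof demo_pkt,
                               htonl(0x0a000001), htonl(0x0a000002),
                               443, 51000, 1000);
}

int main(void)
{
    size_t n = demo_build(), i;
    for (i = 0; i < n; i++)
        printf("%02x%c", demo_pkt[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    return 0;
}
```

Run stand-alone it prints the 36 bytes; read them against the layout above and note that everything the receiver checks (type, checksum, quoted addresses and ports) is attacker-supplied, which is why the only sound fix was to stop honouring the message at all.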

Personnel

Personnel should be viewed much like leadership and safe havens: what do we "really" know? If you made it this far, ask yourself: are you receiving six hundred calls a minute from six hundred people, or from one machine? It is equally hard to gauge.

Ideology

The same rules as leadership and personnel apply to ideology. You really will not know who you are up against, therefore you cannot truly measure this.


In summary, the media and vendor portrayal of "cyberwarfare," and government's interpretation based on those portrayals, need to be seriously examined and revised. Also of note, reliance on a specific vendor's interpretation of cyberwarfare should ALWAYS be viewed with a degree of skepticism. Remember that a vendor's main goal is primarily to make money; its bottom line will always differ from the government's. Most individuals who speak on behalf of a vendor will not take the time to process anything outside of the usual herd they follow. While my comment may be highly opinionated, I find it to be accurate: I have met "security pros" at some pretty big companies who knew little more than nothing outside of the cheat sheets they were given to make sales. There are far more factors involved than the typical "they came from China" stance we are abusing. This is not to state that China or any other country is not looking for a foot in the door; it is simply to state that we need to start applying a bit more intelligence and analysis to defense in order to understand the offense. What we think we know about attacks is 50/50, and depending on how you began your analysis, you could be doing it wrong from the beginning.

Anyhow, I wrote this document after reading "Assessing Irregular Warfare - A Framework for Intelligence Analysis" [17], and I hope that it assists in perhaps opening up discourse on the "cyberwarfare" arena. Much of what I read on this topic is filled with error from the technological perspective. My only goal was to present an alternative point of view. I may or may not revise this document at some point, but chances are I will mesh/combine it into another online chapter of sorts.

[1] http://www.dtic.mil/ndia/2006solic/renuart.pdf
[2] http://www.zone-h.org/mirror/id/13221244
[3] http://www.zone-h.org/mirror/id/9987112
[4] http://www.zone-h.org/mirror/id/9867055
[5] http://www.zone-h.org/mirror/id/7772295
[6] http://www.zone-h.org/mirror/id/7717604
[7] http://www.wired.com/techbiz/it/news/2006/06/71182
[8] http://techland.time.com/2011/05/03/north-korea-accused-of-cyber-terror/
[9] http://www.ripe.net/
[10] http://lacnic.net/en/index.html
[11] http://www.honeynet.org/node/157
[12] http://www.imdb.com/title/tt0337978/plotsummary
[13] http://en.wikipedia.org/wiki/Christmas_Island
[14] http://www.infiltrated.net/index.php?option=com_content&view=article&id=25&Itemid=31
[15] http://www.infiltrated.net/index.php?option=com_content&view=article&id=22&Itemid=28
[16] http://en.wikipedia.org/wiki/ICMP_Source_Quench
[17] http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=978-0-8330-4322-1&x=0&y=0