5 - 1 Information Assurance Foundations - SANS ©2001 1
Information Warfare
Security Essentials
The SANS Institute

"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this module we will consider what warfare means in the context of today's information systems and networks. We will see that the fundamental principles of warfare known for thousands of years are still relevant on today's new battleground.

5 - 2 Agenda (Information Warfare - SANS ©2001)
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics

After introducing the concept of information warfare, we will concentrate on warfare principles and strategies. We will discuss both offensive and defensive tactics, in theory and in practice. As a concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.

5 - 3 What is Information Warfare?
"Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries." - Dr. Ivan Goldberg

We start our discussion with a definition of information warfare. The definition above simply maps our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of computers and networks. This definition was provided by Dr. Ivan Goldberg, who leads the "Institute for the Advanced Study of Information Warfare". The institute's website has a number of white papers and reports on information warfare topics.
http://www.psycom.net/iwar.1.html

Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information Warfare: The Unconventional Art in a Digital World", published by SANS: http://rr.sans.org/infowar/infowar.php

5 - 4 Examples of Information Warfare
• A company breaking into a competitor's computer system to find out their list of customers
• An R&D company putting false information about research on their web site to mislead the competition
• A foreign government stealing tapes containing classified information

There are many possible forms of information warfare; the slide above provides three examples. Any time someone uses information as a weapon against an adversary, that is information warfare. The distinguishing factors are only how the information is obtained, how it is used, and to what effect. We consider theft of information a form of information warfare, but the most critical issue is how the stolen information is used against its rightful owner.

In terms of the examples, a company that discovers a list of its competitor's customers might send false or misleading information to those customers, might market to them specifically, or might simply see to it that they are harassed by telemarketers and spam (so the recipients think that the company they trusted released their information without permission). A foreign government stealing classified backup tapes might be able to discover detailed technical information concerning the capabilities of its adversary's weapons, or might obtain documents detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are endless. A startup tech company that has a next-generation product to release might post information stating that its product will not be ready for several months.
Such a posting might lull the company's competitors into a false sense of not needing to hurry their own development cycles. When the startup releases its product months earlier than advertised, the competition is caught flat-footed.

5 - 5 Key Points From the Examples
• Information Warfare can be:
– Theft
– Deception
– Sabotage
• Does not have to be technical or sophisticated
• Attackers will always go after the weakest link

Abstracting the previous examples one level, we can list a few fundamental concepts. Theft, espionage, blackmail, deception, sabotage, destruction -- these are all common goals of information warfare attacks. As in other forms of warfare, a skilled attacker will seek out his opponent's weaknesses and attack those first and most vigorously. For example, social engineering or packet flooding attacks sometimes accomplish an attacker's goals most effectively, yet neither requires any sophisticated technical skill.

5 - 6 Why is it Important?
• Affects all governments and companies, and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities

In today's world, information warfare impacts everyone, whether they own a computer or not. Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit histories, undeserved criminal records, misassigned debt and liability, false healthcare documents, and more. Most people and organizations are not fully aware of the risks that surround them, although the results of an attack can be devastating. Because each organization is different, there is no "one size fits all" defense system. The only way to design a good defense is to understand the offensive tactics used by attackers, and to understand the defensive tactics and tools available to us.
We will explore both offensive and defensive tactics in this module, and see how (fortunately) a few basic principles can be applied across a large number of situations. Interestingly, our most useful principles come not from information theory, but from a compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War". These strategies are as relevant today as when they were first written.

5 - 7 How Dangerous is it Really?
A few facts from the Honeynet project concerning break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked within 3 days of connecting to the net
• Fastest time for any server to be compromised was 15 minutes from first connection to the net
• Default Win98 box compromised in less than 24 hours from first connection, and compromised another four times in the next three days

But let's back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet today? Are there really that many "evil-doers" out to do me ill when I connect to the internet? Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of honeypots running many different operating systems) recently reported some statistics concerning the rate of break-ins to their small network over a period of 9 months. The full information behind the stats above is quoted from the paper below.

http://project.honeynet.org/papers/stats/
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes.
This means the system was scanned, probed, and exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot we ever set up, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty-four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.
----------------

These facts (and other information in the paper) demonstrate the hostility of today's networks even to a simple home user. Even "grandma" needs to be aware of the dangers of the online environment today. As an example, consider that many of us use home computers to fill out year-end income tax forms. An attacker able to access that information would know enough to cause significant problems. Today's networks are infested with worms and automated attack programs that relentlessly seek out and compromise vulnerable computers, reporting back to a human only after accomplishing a successful compromise. Companies and governments must be secured against these threats, as well as against more sophisticated attackers specifically targeting their organization.

5 - 8 How Would you be Impacted?
• Consider the following scenario:
– You go into work tomorrow and all of your computers are gone and there is no internet connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated backups? Is there a restore process?
• Could your organization survive the loss?

Is your organization prepared for an attack, whether from the internet, from a natural disaster, or from a terrorist act? Part of information warfare is planning for the worst and having a recovery plan in place.
Many of us would be in a lot of trouble if a particular building burned down, for example -- that building being the one holding the primary information and all of its backup copies. The September 11th tragedy demonstrated how critical backups can be to a company's survival.

When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that spreads rapidly but remains undetected because it does not do anything observable. The virus infects several computers, but because it is not detected, the virus program is copied onto the backup tapes along with legitimate information. Time passes. Ten months later the virus' payload goes into action and starts destroying files and laying waste to operating systems. You think, no problem, I've got backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?

Do you have insurance against information loss? A recent Information Week article (January 2, 2002) explains how many insurance providers have decided to exclude online assets and terrorism-related damages from their IT policy offerings.
http://www.informationweek.com/story/IWK20020102S0004

5 - 9 Threats
• Internal threats
– Employees
– Contractors
– Visitors
• External threats
– Anyone connected to the internet

The threat to a company could really be anything. Threats are typically broken down into internal and external threats. Internal threats are attacks launched by internal attackers: employees, contractors, or even visitors to your facility. External threats could come from anyone connected to the internet. Threats can also range from intentional to unintentional events. Unintentional events, like floods or fires, could also be threats that impact a company. Even though these threats are not meant to hurt the company, the net result is the same. Therefore it is important to understand and react to all possible threats posed to your company.
5 - 10 Offensive Tactics
• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or livelihood
• Providing false information in order to deceive, mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)

Let us begin our consideration of information warfare concepts by looking at the offensive side of the game. Defensive strategies will be covered later. The slide above lists several common ways information can be involved in an attack against an organization or individual. At first glance it may seem that these attack methods are specific to the information age. In the next few slides we will take a closer look at several of the specific tactics and show that the concepts behind them have been well-known to warriors for centuries.

5 - 11 Public but Sensitive Information
"It is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door keepers and sentries of the general in command." -Sun Tzu
• There are many sources of information
– Press releases
– Employment ads
– Company descriptions
– Public databases (whois, legal, edgar, healthcare, whitepages)

Over [...] contain information about the individual's interests, habits, friends, employer, etc. Information-rich messages posted to security mailing lists, such as "I work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is backdoored", can be very useful. In addition, companies love giving out information to help fuel growth, but often fail to realize the negative impact that information [...]

[...] easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a company that posts a list of employee names provides an attacker with information useful in username/password guessing attacks. Public databases can also provide a wealth of information. For example, publicly traded companies are required to disclose certain information to the SEC. The SEC information is [...]

[...] proprietary information theft.

5 - 12 Stealing Confidential Information
"Though the enemy be stronger in numbers, we may prevent him from fighting. Scheme so as to discover his plans and the likelihood of their success." -Sun Tzu
• Espionage is a real problem
• Many foreign governments have admitted to launching corporate espionage attacks against US companies to give their local companies a competitive advantage

[...]

5 - 13 False Information
"All warfare is based on deception. The one who is skillful maintains deceitful appearances, according to which the enemy will act." -Sun Tzu
• If you know someone is watching you, why not give them misleading information?
– False press releases
– False company information
– False server banners

This warfare tactic [...]

5 - 14 [slide title not recovered]
• [...] sacrificial computers, purposely left vulnerable
• The computers are carefully instrumented to record attackers' actions and gather copies of the tools they use

Another example of deception in information warfare is the use of honeypots. The idea of a honeypot is twofold. First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's [...] defensive information warfare comes in identifying our own weaknesses and strengthening our defenses accordingly.

5 - 15 Understand the Risks
"He who exercises no forethought but makes light of his opponent is sure to be captured by them." -Sun Tzu
• Attackers have a complete arsenal of weapons to use against a network's defenses
• An understanding of an attacker's offensive warfare tactics is essential

[...]

5 - 33 [slide title not recovered]
• Protect your information
• Be able to detect attacks when they happen
• Study information warfare strategies and tactics
• Understand your vulnerabilities and liabilities
• Be able to actively defend against an attack
• Plan for the worst
• Be able to act decisively and keep your head

Now that we have taken a look at offensive information warfare tactics, let us turn [...]

5 - 34 [slide title not recovered]
• [...] encrypted communications channels
• Implement a strong password policy
• Think about strategic server positioning and network partitioning

The most fundamental step in defensive information warfare is to secure your networks. Take the information you have learned about offensive tactics and think about how to defend against the attacks. The objective should be to turn [...]

5 - 36 [slide title not recovered]
• [...] encryption and packet filtering
• Master the tools you use to defend

What you are doing right now, here today, is a big step towards meeting the goal of this slide. Study, learn, experiment, research: these things are critically important and should never be stopped. In life, in warfare, and especially in information security, we are all always "newbies" in some way or [...]
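The honeypot slide above describes sacrificial machines "carefully instrumented to record attackers' actions". The following is an added example, written for this page and not code from SANS or the Honeynet Project, of the simplest form of that instrumentation: a TCP listener that accepts any connection on a chosen port, records who connected, when, and the first bytes they sent, and writes one JSON line per connection so that the kind of statistics quoted from the Honeynet paper (time to first probe, probes per day, distinct sources) can be computed from the log. The port, the log file name, the probe labels and the sample addresses are all assumptions made for the example.

```python
"""Minimal instrumented honeypot listener (added example, not project code).

It accepts every connection on one TCP port, captures the first bytes the
peer sends, assigns a rough triage label, and appends a JSON record to a
log file.  Run it on an isolated host: the whole point is that anything
connecting to it has no legitimate reason to.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass, asdict

MAX_CAPTURE = 512   # keep at most this many bytes of each peer's first send
READ_TIMEOUT = 3.0  # seconds to wait for the peer to send something


def classify_probe(first_bytes: bytes) -> str:
    """Coarse defender-side label for what a connection looked like.

    The labels are assumptions chosen for this example; they only help
    triage the log and are not a signature engine.
    """
    if not first_bytes:
        return "connect-only"          # a scanner opened the port and left
    if first_bytes.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http-request"
    if first_bytes.startswith(b"SSH-"):
        return "ssh-banner"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in first_bytes):
        return "printable-text"
    return "binary-data"


@dataclass
class ProbeRecord:
    timestamp: float        # seconds since the epoch when data was read
    peer_ip: str
    peer_port: int
    local_port: int         # the honeypot port that was hit
    bytes_received: int
    first_bytes_hex: str    # captured payload, hex-encoded for safe logging
    label: str


def make_record(peer, local_port, data, now=None) -> ProbeRecord:
    """Build the log record for one connection; `now` is injectable for tests."""
    ip, port = peer
    return ProbeRecord(
        timestamp=time.time() if now is None else now,
        peer_ip=ip, peer_port=port, local_port=local_port,
        bytes_received=len(data),
        first_bytes_hex=data[:MAX_CAPTURE].hex(),
        label=classify_probe(data),
    )


def summarize_records(records) -> dict:
    """Counts per label and per source address, Honeynet-statistics style."""
    by_label, by_peer = {}, {}
    for r in records:
        by_label[r.label] = by_label.get(r.label, 0) + 1
        by_peer[r.peer_ip] = by_peer.get(r.peer_ip, 0) + 1
    return {"total": len(records), "by_label": by_label, "by_peer": by_peer}


def load_records(log_path) -> list:
    """Read the JSON-lines log back into ProbeRecord objects."""
    with open(log_path) as f:
        return [ProbeRecord(**json.loads(line)) for line in f if line.strip()]


def handle_connection(conn, peer, local_port, log_path, lock) -> ProbeRecord:
    """Capture the peer's first send, log it, and drop the connection."""
    conn.settimeout(READ_TIMEOUT)
    data = b""
    try:
        data = conn.recv(MAX_CAPTURE)
    except (socket.timeout, OSError):
        pass                            # connect-only probes end up here
    finally:
        conn.close()
    rec = make_record(peer, local_port, data)
    with lock, open(log_path, "a") as f:
        f.write(json.dumps(asdict(rec)) + "\n")
    return rec


def serve(bind_addr="0.0.0.0", port=2222, log_path="honeypot.jsonl", max_conns=None):
    """Accept connections until max_conns have been handled (None = run forever)."""
    lock = threading.Lock()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    local_port = srv.getsockname()[1]
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, peer = srv.accept()
        threading.Thread(target=handle_connection, daemon=True,
                         args=(conn, peer, local_port, log_path, lock)).start()
        handled += 1
    srv.close()


if __name__ == "__main__":
    # Listen on an assumed port; every line in honeypot.jsonl is a probe.
    serve(port=2222, log_path="honeypot.jsonl")
```

Everything the listener records is attacker-controlled input, so the payload is hex-encoded rather than written raw into the log, and nothing is ever sent back to the peer; a production honeypot would add timestamps in UTC, rotate the log, and forward it off the sacrificial host so a successful compromise cannot erase its own evidence.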