CERT Centers, Software Engineering Institute Carnegie Mellon University Pittsburgh, PA SEI is sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon University Intelligence - page 1 Cyber Intelligence Analysis

© 2000 by Carnegie Mellon University Intelligence - page 2 A Different Internet Armies may cease to march Stock may lose a hundred points Businesses may be bankrupted Individuals may lose their social identity Threats not from novice teenagers, but purposeful military, political, and criminal organizations

© 2000 by Carnegie Mellon University Intelligence - page 3 Purpose of Intelligence 1. Identify the need for action 2. Provide the insight and context for deciding among courses of action 3. Provide information on the effectiveness of pursuing the selected course of action

© 2000 by Carnegie Mellon University Intelligence - page 4 Change of View

© 2000 by Carnegie Mellon University Intelligence - page 5 Content / Context of Intelligence

© 2000 by Carnegie Mellon University Intelligence - page 6 What is Cyber Intelligence? Internet Behavior Intrusions/Responses Threats/Counters Vulnerabilities/Fixes Operators/GroupsVictims Stimuli/Motives Opportunities

© 2000 by Carnegie Mellon University Intelligence - page 7 Strategic Intelligence Analysis Provides “Big Picture” assessment Trend Analysis Sector Threat assessments Potential Damage assessments Categorization of Attacks and Attackers Identification of Anomalies

© 2000 by Carnegie Mellon University Intelligence - page 8 Tactical Intelligence Analysis Linking element between macro- and micro-level analysis Cluster and pattern analysis Temporal patterns Profiling Analysis of intrusion methods Commonality of targets Reinforces and compliments Strategic Analytic efforts

© 2000 by Carnegie Mellon University Intelligence - page 9 Using CERT/CC Data Year ,756 Incidents 16,129 Probes/Scans 2,912 Information Requests 261 Hoaxes, false alarms, vul reports, unknown 2454 Incidents with substantive impact on target Profiled 639 incidents, all active during July-Sept 2000 (profiling work is ongoing) Many different dimensions for analysis and trend generation (analysis work is ongoing)

© 2000 by Carnegie Mellon University Intelligence - page 10 Immediate Data Observations Increasing trend of incidents per month (some incidents carry over between months) Increasing diversity of ports used in incidents Shifts in services used in incidents Shifts in operating systems involved in incidents Generic attack tools adapted to specific targets

© 2000 by Carnegie Mellon University Intelligence - page 11 Service Shifts

© 2000 by Carnegie Mellon University Intelligence - page /2 4 /00 7/1/00 7/8/00 7/15/007/22/00 7/29/00 8/5/00 8/12/00 8/19/00 8/26/00 9/2/00 9/9/00 9/16/00 Weekly Incidents

© 2000 by Carnegie Mellon University Intelligence - page 13 Weekly Incidents by Target

© 2000 by Carnegie Mellon University Intelligence - page 14 Monthly Incidents by Target

© 2000 by Carnegie Mellon University Intelligence - page 15 Weekly Incidents by OS

© 2000 by Carnegie Mellon University Intelligence - page 16 Monthly Incidents by Operating System

© 2000 by Carnegie Mellon University Intelligence - page 17 Weekly Incidents by Impact

© 2000 by Carnegie Mellon University Intelligence - page 18 Monthly Incidents by Impact

© 2000 by Carnegie Mellon University Intelligence - page 19 Drivers for Weekly Incidents /2 4 /00 7/1/00 7/8/00 7/15/007/22/00 7/29/00 8/5/00 8/12/00 8/19/00 8/26/00 9/2/00 9/9/00 9/16/00 Independence Day Labor Day Advisory/ Alert New Toolkits DefCon

© 2000 by Carnegie Mellon University Intelligence - page 20 Operational Intelligence Analysis Overlaps with Tactical Analysis Technical assessments of intrusion methods Specific investigation of intruders Identification of vulnerabilities to support mitigation Attribution

© 2000 by Carnegie Mellon University Intelligence - page 21 Example: Signed Defacement Defaced Health-care web site in India "This site has been hacked by ISI ( Kashmir is ours), we want a hospital in Kashmir" and signed by Mujahideen-ul-dawat. Post-dates activity by Pakistani Hackers Club Level of activity is not significant Claim of identity may be significant

© 2000 by Carnegie Mellon University Intelligence - page 22 Example: Coordinated Automated Attack Probe Victim 2 Identity Victim Compromise & Coopt Probe Remote, fast-acting Adapts existing tools Limited deployment Sophisticated reporters

© 2000 by Carnegie Mellon University Intelligence - page 23 A Problem Too Big Cannot remain technical specialty Cannot remain localized activity Cannot remain responsive to incidents Cannot remain centrally controlled or performed Distributed, ongoing, multifaceted problem demands distributed, ongoing, multifaceted strategy

© 2000 by Carnegie Mellon University Intelligence - page 24 Cyber Intelligence Products Fused analysis reports Demographics and situational awareness In-depth studies Technology of intelligence

© 2000 by Carnegie Mellon University Intelligence - page 25 For Further Contact 24-hour hotline: FAX: Tim Shimeall - CERT - Direct voice: US mail:CERT Analysis Center Software Engineering Institute Carnegie Melon University 4500 Fifth Avenue Pittsburgh, PA USA