Team 1 Sec3.2

From CyberSecurity

Here it is... complete draft of section 3.2. --Yi-Kai

In general, a cyberattack requires substantial technical skills, but only modest financial resources. Technical skills are especially precious because computer security is a rapidly changing field--attacks and defenses are becoming more sophisticated, and a software vulnerability can be discovered, exploited and patched all within a span of one year [1,2]. As a result, attackers must work to “stay current” with new vulnerabilities and defenses. Financial resources, on the other hand, can be quite modest--desktop PCs are becoming commodity products, and high-speed internet access is fairly common. Human labor (i.e., programming the attack) is probably the most “expensive” component.

The technical skills required to mount a cyberattack vary considerably for different types of attacks. We analyze two main possibilities: large-scale attacks on unprotected home PCs, and specialized attacks on well-defended corporate and government systems.

First, we consider attacks on low-end targets, such as home PCs with well-known vulnerabilities and no defenses. These targets are very common, and will likely remain so for the next several years, because so many users lack the technical skills to secure their machines. Each individual PC is not very valuable, so the emphasis of this attack is on massive scalability using automated attack tools. The usual approach is to spread a worm or Trojan horse, or to assemble a botnet and use it to mount a distributed denial-of-service (DDoS) attack. An example of this is the Code Red worm, which infected more than 250,000 hosts within 9 hours on July 19, 2001 [3]. There are also anecdotal reports of botnets with as many as 50,000 machines [4]. We note that botnets may be especially attractive to a terrorist organization, since they are multipurpose tools that can do anything from DDoS attacks to sending spam [4,5].

The technical requirements of this attack are fairly low, since it makes use of already-known vulnerabilities. Documentation, exploit code and network scanners are all freely available (note that tools such as Nmap are dual-use, having legitimate uses in “red team” penetration testing). More overtly malicious tools, like worms and DoS agents, can be obtained with moderate effort; this may be inferred from the fact that “script kiddies” with limited technical ability have been implicated in releasing worms into the wild, as well as in a significant fraction of DoS attacks [6,7]. We estimate that an attack of this kind could be carried out by 5 moderately skilled programmers in a few weeks. Alternatively, the whole operation might be outsourced to one of the criminal organizations that already build botnets for DDoS attacks and “cyber-extortion” [4]. Judging from the “protection fees” that these organizations demand, we estimate that such a job might cost a few hundred thousand dollars.

Note that, because worm and DDoS attacks have become so routine, a terrorist group would have to mount an exceptionally large attack in order to distinguish itself from criminals and hackers. This certainly poses an additional challenge, but its magnitude is hard to estimate. As an extreme case, experts believe it is possible to design a worm that would spread throughout the Internet within minutes; another possibility is that a worm could spread surreptitiously, eventually infecting 10,000,000 hosts [8]. However, such an attack would require much greater technical skill, and a much deeper understanding of the functioning of the Internet as a whole.

Next, we consider a second major class of attacks, targeting PCs and other systems that have been patched to fix known vulnerabilities, and are protected by network defenses. These can be found in corporate and government settings. The emphasis of this attack is on penetrating security in order to disrupt operations or gather information. While the details will vary greatly from one target to another, we can make some general observations.

The technical requirements of this attack are substantial. The attacker may need to identify new vulnerabilities and develop new exploits; moreover, because of countermeasures such as intrusion detection systems, the attack itself will be more complicated. Some information may be available from hackers, but each attack must be tailored to a specific target--thus, insider information is helpful. We estimate that such an attack could be carried out by a team of 5 people, with experience in systems and network programming, over a period of 6 months to one year.

A special case of this attack occurs when the target is an uncommon or one-of-a-kind system, such as a router, a mainframe or an embedded control system (e.g., SCADA). These may be found in critical infrastructure. Often, information about these systems is not publicly available, so the attacker will have to actively investigate, or obtain cooperation from an insider. Developing an attack will likely require technical expertise, creativity and sustained effort. On the other hand, many of these systems were not designed with security in mind, and may have serious (but little-known) vulnerabilities [9]. Moreover, in the case of critical infrastructure, a successful attack can have catastrophic consequences.

References

[1] CERT Coordination Center, “Overview of Attack Trends,” manuscript, 2002. Available at http://www.cert.org/archive/pdf/attack_trends.pdf (accessed 10/21/05).

[2] W.A. Arbaugh, W.L. Fithen and J. McHugh, “Windows of Vulnerability: A Case-Study Analysis,” IEEE Computer Magazine, Dec. 2000.

[3] CERT Advisory CA-2001-23, “Continued Threat of the ‘Code Red’ Worm,” July 26, 2001. Available at http://www.cert.org/advisories/CA-2001-23.html (accessed 10/23/05).

[4] E. Ratliff, “The Zombie Hunters,” The New Yorker, Oct. 10, 2005.

[5] SwatIt, “GT Bot,” web page. Available at http://swatit.org/bots/gtbot.html (accessed 10/22/05).

[6] C. Thompson, “The Virus Underground,” New York Times Magazine, Feb. 8, 2004.

[7] D. Moore, G.M. Voelker and S. Savage, “Inferring Internet Denial-of-Service Activity,” USENIX Security Symposium, 2001.

[8] S. Staniford, V. Paxson and N. Weaver, “How to 0wn the Internet in Your Spare Time,” USENIX Security Symposium, 2002.

[9] D. Matthews, “Hardware Bus Security in Embedded Systems,” The Fifth HOPE (Hackers on Planet Earth), New York City, July 9-11, 2004.



3.2. Feasibility of acquiring the required technical and financial resources

I'm still working on the details, but here is an outline. I know, it includes topics from the other sections, but when I write this up, I'm just going to focus on the technical requirements. Question: Any suggestions about the amount of effort needed for these attacks? I gave some estimates, but they're just random guesses. I'm going to look for case studies of past attacks. --Yi-Kai


In general, there are significant technical requirements, but financial requirements are minimal. Note that computer security is a rapidly developing field, so attackers must work to "stay current." Software vulnerabilities last 2-3 years.


  • Low-end targets: PCs w/ well-known vulnerabilities, no defenses. These are very common, and will likely remain so (see Section 4). Usual approach is to spread a worm, or assemble a botnet and use it to do a distributed denial-of-service attack.

Technical requirements are minimal: vulnerabilities are well-documented, and network scanners, exploit code and automated attack tools are freely available (some of these tools are dual-use). Estimate: takes 5 moderately skilled programmers, a few weeks? Alternatively, a botnet can be bought for ? price.

Note that emphasis is on massively scalable attacks. A terrorist group may need to mount an exceptionally large attack, to distinguish itself from common criminal activity. This is much more technically challenging.

Examples: Code Red worm, DDoS attacks.


  • High-end targets: PCs that have been patched to fix known vulnerabilities, w/ network defenses. These are typical in high-value business/government applications. Attacker may seek to destroy data, disrupt operations, or gather intelligence.

Technical requirements are substantial: need to find new vulnerabilities and develop new exploits; attacks are more complicated, and one has to worry about detection. Some information is available from hackers, but each attack must be tailored to a specific target. Insider information is helpful. Could be done by a software engineer, w/ experience in systems and network programming; substantial investment of effort (5 people, a few months?).

Examples: return-to-libc attack, getting around intrusion detection systems.


  • Specialized targets: Uncommon, one-of-a-kind systems, like routers, mainframes, embedded control systems, SCADA. These may be found in critical infrastructure.

These can be very different from conventional PCs. Few sources of information about these systems--insider information is very helpful. May require special compilers, SDKs, hardware for testing--availability of special tools can help a lot. Developing an attack requires technical expertise, creativity, sustained effort (hard to predict?). However, many of these systems were not designed for security, and a successful attack can have catastrophic consequences.

Examples: Cisco routers, sewage control system, electric grid.



Note that states such as the US and China are developing technologies for information warfare; state sponsorship is a possibility.