Chapter 12
Keep Your Enemies Closer
Keep your friends close, and your enemies closer.
Sun Tzu
Introduction
This chapter focuses on two personnel-related tactics: hiring a hacker and countering insider threat. The "hire a hacker" tactic is based on the idea that hiring someone good at finding security flaws in systems provides a defensive advantage. The assumption is that these individuals are more likely to find flaws in a system before it is released or goes into production and, hopefully, before one of the bad guys does. The reviews on this strategy are mixed. Most security professionals say no, while some security service companies would say yes. One example that stands out is @Stake, which hired a number of hackers from L0pht Heavy Industries (a band of well-known Boston-based hackers). Whether or not this is a good tactic really depends on the objectives you are trying to achieve. Some in the industry say hiring a hacker is too risky and increases the threat of insider attacks.
Insider threat (the threat of malicious activities by internal staff) has become a major topic of concern in the industry since the terrorist attacks against the United States in September 2001. Much of it is focused around the protection of critical infrastructure, but the problem is systemic. Incidents of insider malfeasance costing millions of dollars are present in every business sector. Insiders that go bad typically cause three times the damage that external attackers cause, including damages resulting in permanent data loss. Despite the dangers, most organizations do not actively manage their insider risks. Hopefully, the information contained in this chapter can help reverse that trend.
Before we delve into those objectives, it is probably worthwhile to review the various definitions applied to "hacker." The term hacker is typically broken down into three categories: white-hats, black-hats, and gray-hats. These terms do not have hard and fast definitions; instead they characterize the types of activities these individuals are involved in. Before Hollywood and the media turned hackers into people who illegally broke into computer systems (e.g., War Games), the term hacker referred to someone who was a clever programmer. The New Hacker's Dictionary (Raymond,
Security Strategy: From Requirements to Reality
1996) puts it this way: "A person who enjoys learning details of a programming language or system; A person who enjoys actually doing the programming rather than just theorizing about it; A person capable of appreciating someone else's hacking; A person who picks up programming quickly; A person who is an expert at a particular programming language or system, as in Unix hacker." Today, such persons fall into the white-hat category: security researchers, ethical hackers, and others who use their skills to benefit information security and to protect the public.
The opposite are black-hat hackers. These are people who use their skills to commit malicious or illegal acts, usually for personal gain or notoriety. Crackers (people who illegally break into computer systems), as well as spyware and virus authors, fall into this category.
In the middle are the gray-hats, people whose activities may result in an illegal compromise of a system but not for malicious purposes. Instead, the goal is to better protect the public by identifying flaws and helping system owners to close them. It is not unusual for gray-hats to have an active presence in the black-hat community, having gained some notoriety from their exploits. We use the term hacker to refer to someone in any of these groups, security researcher or white-hat to reference well-intended professionals, and black-hat to designate persons with nefarious intent. The use of the term gray-hats is contextual.
Another aspect of hacking worth understanding is motivation. While white-hats and gray-hats may have different reasons for pursuing their craft, both are ultimately interested in protecting the public through improved information security. This is clearly NOT the motivation of black-hats. In the black-hat community there are three primary motivations: reputation, profit, and intelligence. Many hackers start out motivated by reputation; they desire to demonstrate their technical prowess and gain acceptance within the hacking community. The story of Phantomd (recounted in @Large: The Strange Case of the World's Biggest Internet Invasion) is a great example. Phantomd's primary motivation was curiosity; he wanted to see what he could gain access to. Aided by a few "friends" in the hacking community and tremendous persistence, Phantomd managed to break into computer systems at hundreds of university, military, research, and business sites. Although his intentions were not particularly malicious, his "experiments" did cause some of the systems he broke into to malfunction or crash, and when he broke into the system controlling the central California dams, he put thousands of lives at tremendous risk. Phantomd gained notoriety and contributed to the exploits of other hackers by sharing his techniques and code, but he wasn't criminally motivated. This brings us to our second class of black-hats: profit-motivated hackers or cybercriminals. Their activities are primarily computer- or electronic-based versions of scams, forgeries, extortions, and thievery that have been prevalent in other forms for years. Prominent examples include the following:
Russian hacker Vladimir Levin, who managed to steal some $10 million from Citibank in 1995
Barry Schlossberg's extortion of $1.4 million from CD Universe in 2000
Brian Salcedo's installation of a program at Lowe's headquarters in North Carolina to capture credit card numbers in 2004
The millions of dollars of false credit card charges that resulted from CardSystems' loss of 14 million credit card numbers in 2005
The shutdown of E-Gold online payment services for money laundering in 2006
John Schiefer's use of illegally installed botnets to steal the online banking identities of 250,000 Windows users in 2008
The Hannaford Supermarket hack, which stole 4.2 million debit card and credit card numbers from its computer systems, resulting in a minimum of 1,800 incidents of credit or debit card fraud in 2008
Though spectacular, none of these examples comes close to the $500 million lost in phishing attacks in 2008 in the United States alone.
A second class of "for-profit" hackers comes under the title of "exploits for sale." These are people who find exploitable flaws in products, and rather than notify the vendor of the flaw so it can be fixed, they sell the flaw to someone who will use it for illicit purposes. One example of this type of activity is WabiSabiLabi (WSLabi) in Switzerland. WSLabi is a website that conducts eBay-style auctions for exploits. Some contend that this is not necessarily black-hat activity; for legitimate security researchers (white-hats), this can be a potential revenue stream for the flaws they discover (especially if the vendor refuses to provide remuneration). Most security experts would disagree; the more probable result of this activity is the fast tracking of dangerous code (i.e., zero-day exploits) into the hands of criminal or espionage groups. This leads us to our third class of black-hats: spies.
Hackers who compromise systems for intelligence gathering or cyberwarfare fall into this class of black-hats. This activity is usually limited to government agencies but can be used for corporate espionage as well. One of the best examples of government-sponsored activity is Titan Rain, a ring of Chinese hackers accused of breaking into computer systems at U.S. military bases, defense contractors, and aerospace companies between 2003 and 2005. Examples of cyber-based corporate espionage are numerous; one recent example is Starwood Hotels' lawsuit against Hilton Worldwide alleging the theft of some 100,000 electronic files containing proprietary and confidential company information by two employees just prior to their defection to the Hilton group.
These hacker types (white-hats, gray-hats, and black-hats) and motivations (public good, reputation, profit, and espionage) provide the basis for understanding the majority of the material in the remainder of this chapter.
Hire a Hacker Objectives
Not all hackers are spies per se, but they all have something in common with spies: They all gather intelligence. Spying is a long-standing military tactic for meeting both offensive and defensive objectives. On the offensive side, the intelligence gained from spying on an enemy can be used to identify enemy positions, armament, and defensive weaknesses. This information is used to execute attacks and other offensive movements more effectively and successfully. On the defensive side, the intelligence gathered can be used to plan and deploy countermeasures that will reduce the effectiveness of enemy attacks against your position. This is equally true in the IT arena.
Offensive Objectives
Hiring clever people (i.e., hackers) to fight cyberwars against other cyberoperatives may indeed be a good tactic, especially from a military perspective. Military forces are increasingly dependent on computers and network infrastructure for command, control, and communications (C3). The ability to disrupt or destroy this capability gives an enemy significant advantage. Furthermore, if one can cripple the civilian critical infrastructure (power, telecom, transportation, etc.), one can shut down entire cities or regions and cause massive civil unrest. A government dealing with internal strife has less time to focus on external (international) activities such as military actions and diplomacy. Today, the vast majority of this infrastructure is computer controlled and network connected, including power grids, traffic signals, radio towers, subway systems, and so on.
The ability to distract a commander or divert forces by causing catastrophic events like flooding (opening dam flood gates), explosions, and fires (power grid overloads) is equally effective. In the past these attacks required physical access; today, they can be carried out from anywhere due to the wonders of the Internet and computerized control systems. These types of offensive activities are usually confined to military and government intelligence agencies where time, effort, and costs are not significant factors. Information warfare has three primary attributes: reconnaissance, acquisition, and disruption. Reconnaissance in offensive terms is learning about your enemy's strengths, weaknesses, plans, and schedules. Information can be gathered by compromising e-mail accounts, eavesdropping on Web conferences, intercepting message transmissions, and the like. Acquisition is gaining access to an enemy asset for sabotage, theft, tampering, or monitoring purposes. Attacks include password cracking, buffer overflow exploits, SQL injection, and others. Disruption is using an acquired asset or other means to disrupt or deny your enemy access to critical information or functions. Destruction of data, logic bombs, equipment shutdowns, and falsification of critical data are some of the options. When these activities are controlled by the military or government agencies (e.g., the CIA), a fair number of checks and balances can be in place to prevent abuses. Outside of the military and government purview, these skills can be used for corporate espionage.
Corporate espionage is the gathering of intelligence that can be used to maintain or gain competitive or financial advantage. According to the Society of Competitive Intelligence Professionals (SCIP), corporations spend more than $2 billion annually to keep tabs on one another. While SCIP promotes ethical techniques for information gathering, there are many less ethical techniques that can produce more desirable results. Hacking into computer systems to acquire client lists, personnel records, financial data, trade secrets, pricing information, production plans, and research and development data is one such technique that is well suited to a hacker skill set. Other "softer" techniques such as social engineering can be used to gain entrance into online corporate conferences (i.e., NetMeeting, WebEx, etc.), social networks, and collaboration shares. While the world tends to view hacking as illustrating technical skills, Kevin Mitnick is more famous for his social engineering skills. In his book The Art of Deception, Mitnick points out how worthless firewalls, encryption, and other technical controls are against a gifted social engineer. Ira Winkler, in his book Corporate Espionage, details a number of different techniques he has used to exploit human targets.
Although we certainly do not advocate unethical techniques for intelligence gathering, if this is one of your strategic objectives, hiring a hacker may be a good tactic. There is one caveat, however: Make sure you keep a good eye on their activities lest their efforts be turned inward and you become the target.
How to Use This Tactic for Offense
Maintaining an offensive hacking capability is an expensive proposition and the primary reason why these activities are usually confined to military and government agencies. Part of the expense is related to hiding the activity from the ones being targeted, and the other is providing the means necessary to properly monitor agent activities to identify and thwart potential abuses. Most non-government entities outsource offensive intelligence gathering to a competitive intelligence (CI) professional (i.e., an ethical corporate spy); the exception might be large enterprises involved in highly competitive endeavors. These organizations may choose to keep some intelligence gathering activities in-house. It really depends on the level of intelligence needed, the effort required to gather it, and the costs involved.
SIDEBAR: AUTOMATED ATTACK SCENARIO
Observing offensive intelligence gathering isn't difficult. On any given day, an Internet-connected firewall will log hundreds, if not thousands, of packets attempting to exploit the latest discovered vulnerability or any number of older ones. These types of attacks are easy to automate across a range of IP addresses, and once they are set in motion all the attacker needs to do is wait for notification of a vulnerable system and follow up on the exploit. One wouldn't think that this technique would be terribly effective, but it is.
Far too often the procedures for deploying and maintaining Internet-facing systems fail to adequately address security. This was the case with a defense contractor Bill helped a few years back. Someone built a new Windows 2000 Server system for database management in the DMZ. They did a good job of securing the SQL database application but failed to properly configure security on the host operating system, including leaving the default Web service unpatched and fully operational. Needless to say, one of these offensive sweeps found the vulnerability, and the attackers followed it up by exploiting a buffer overflow in the Web service, gaining system (root) access to the box and proceeding to compromise every system in the DMZ, as well as a number of systems on the internal LAN that connected to the DMZ. It's difficult to say how much damage was done, but the price tag for investigating and repairing the breach exceeded half a million dollars.
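The sidebar describes the raw material a defender already has: a perimeter firewall that logs hundreds of automated probes a day, spread across a range of addresses. The following script is an added example written for this edition, not code from the book or its authors. It shows the defensive side of that observation: given deny-log lines, it groups events by source address and flags any source that reaches many distinct destination hosts (a host sweep) or many distinct ports on one host (a port scan) inside a short time window, which is what an automated sweep looks like and what a single misdirected connection does not. The log format, the IP addresses (documentation ranges) and every sample line are constructed for the example; a real firewall's format will differ and only the regular expression needs to change.

```python
"""Flag automated exploit sweeps in firewall deny logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simple iptables-like layout (not real traffic).
# 198.51.100.7 walks seven hosts on port 80 in a few seconds (host sweep).
# 192.0.2.44 walks six ports on one host (port scan).
# 192.0.2.99 is a single denied connection (noise, not a sweep).
# 192.0.2.200 touches five hosts but fifteen minutes apart (slow sweep).
SAMPLE_LOG = """\
2010-08-18 03:11:01 DENY TCP 198.51.100.7:40211 -> 203.0.113.10:80
2010-08-18 03:11:01 DENY TCP 198.51.100.7:40212 -> 203.0.113.11:80
2010-08-18 03:11:02 DENY TCP 198.51.100.7:40213 -> 203.0.113.12:80
2010-08-18 03:11:02 DENY TCP 198.51.100.7:40214 -> 203.0.113.13:80
2010-08-18 03:11:03 DENY TCP 198.51.100.7:40215 -> 203.0.113.14:80
2010-08-18 03:11:03 DENY TCP 198.51.100.7:40216 -> 203.0.113.15:80
2010-08-18 03:11:04 DENY TCP 198.51.100.7:40217 -> 203.0.113.16:80
2010-08-18 03:12:10 DENY TCP 192.0.2.44:51000 -> 203.0.113.10:21
2010-08-18 03:12:10 DENY TCP 192.0.2.44:51001 -> 203.0.113.10:22
2010-08-18 03:12:11 DENY TCP 192.0.2.44:51002 -> 203.0.113.10:23
2010-08-18 03:12:11 DENY TCP 192.0.2.44:51003 -> 203.0.113.10:25
2010-08-18 03:12:12 DENY TCP 192.0.2.44:51004 -> 203.0.113.10:110
2010-08-18 03:12:12 DENY TCP 192.0.2.44:51005 -> 203.0.113.10:143
2010-08-18 03:15:00 ALLOW TCP 192.0.2.99:33000 -> 203.0.113.10:443
2010-08-18 03:15:30 DENY TCP 192.0.2.99:33001 -> 203.0.113.10:8443
2010-08-18 03:20:00 DENY TCP 192.0.2.200:60000 -> 203.0.113.10:445
2010-08-18 03:35:00 DENY TCP 192.0.2.200:60001 -> 203.0.113.11:445
2010-08-18 03:50:00 DENY TCP 192.0.2.200:60002 -> 203.0.113.12:445
2010-08-18 04:05:00 DENY TCP 192.0.2.200:60003 -> 203.0.113.13:445
2010-08-18 04:20:00 DENY TCP 192.0.2.200:60004 -> 203.0.113.14:445
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def find_sweeps(log_text, window_seconds=300, min_targets=5):
    """Return {src: summary} for sources that hit >= min_targets distinct
    destination hosts or ports within any window_seconds-long span.
    Only denied connections count; allowed traffic is the system's own business."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["action"] == "DENY":
            by_src[ev["src"]].append(ev)

    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            span = events[start:end + 1]
            hosts = {e["dst"] for e in span}
            ports = {e["dport"] for e in span}
            score = max(len(hosts), len(ports))
            if best is None or score > best["score"]:
                best = {"score": score, "hosts": len(hosts), "ports": len(ports),
                        "first": span[0]["ts"], "last": span[-1]["ts"]}
        if best is not None and best["score"] >= min_targets:
            kind = "host sweep" if best["hosts"] >= min_targets else "port scan"
            sweeps[src] = {"kind": kind, "hosts": best["hosts"], "ports": best["ports"],
                           "first": best["first"].isoformat(sep=" "),
                           "last": best["last"].isoformat(sep=" ")}
    return sweeps


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['kind']} ({info['hosts']} hosts, {info['ports']} ports) "
              f"between {info['first']} and {info['last']}")
```

The slow source is the point of the window parameter: with the default five-minute window it never accumulates five targets and is not reported, while widening the window to an hour catches it. That is the trade-off any such rule carries, and the reason to run the same logic at more than one window length rather than pick a single threshold.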
Defensive Objectives
Most security groups use intelligence gathering for defensive purposes. Defensive objectives have three principal attributes: reconnaissance, preparedness, and assessment. Reconnaissance for defensive purposes focuses on learning what is being targeted, attack tools and techniques, and emerging threats. Preparedness focuses on countering planned attacks, and assessment focuses on reducing potential attack avenues (vectors).
In preparing for Information Warfare, one must fortify his castle with proactive layers of security, thereby creating his defensive paths and direct the defense instead of following the dictates of the attacker.
Richard Forno and Ronald Baklarz
Reconnaissance is a critical component of a good defense. The more you know about your opponent's capabilities and attack plans, the better you will be able to plan and deploy the resources needed to minimize their effectiveness. During the early years of the Internet, reconnaissance was a lost art. Security and networking professionals were aware of dangers like Distributed Denial of Service (DDoS) attacks, but no one was actively working on defenses against those attacks, nor was anyone tracking what malicious code the hacking community was developing. Then one day in 2000 hackers hit eBay, Yahoo, Amazon, and E*Trade with a massive DDoS attack, and suddenly understanding DDoS attacks and defenses became a critical part of defensive security planning. The pattern was similar for other attacks as well: little reconnaissance, ineffective responses, and massive damage.
Today, that pattern has changed substantially; there is more emphasis on preparedness. Large software vendors and Internet Service Providers (ISPs) work together to quickly identify and thwart attacks, and several employ spies to recon hacker activities. One company even used a widely publicized hack of their website to "up" the notoriety of their staff spy in the hacker community. His (phony) achievement gave him celebrity status and access to a much broader array of hacking activities. Some might classify this tactic as offensive rather than defensive, and that might be true if the purpose was infiltration. Infiltration tactics involve getting past the enemy's frontline defenses and attacking lightly defended rear areas. Paratroopers were used for this purpose in World War II. But that isn't what we are talking about here; we are only gathering intelligence. We are not trying to put them out of business; that's the work of law enforcement. Communications companies such as AT&T do extensive traffic analysis to identify attack patterns. Microsoft and other vendors of