Keep Your Enemies Closer 245
static information such as education and veteran status, which do not need to be reaffirmed. Regular rescreening is a standard process for personnel holding government security clearances, but outside of government it is very uncommon. The use of rescreening is really a judgment call; in organizations with competent supervision, the need to rescreen is diminished by supervisor interaction, monitoring, and care.
The following actions are recommended for the employee screening control objective:
1. Improve supervisory skills so that managers are cognizant of the issues leading up to insider malfeasance and are equipped to take appropriate action before those issues escalate into malicious acts.
2. Incorporate insider malfeasance into employee awareness training.
3. Update employee screening practices to include additional measures for sensitive or high-privilege positions, including a means to positively identify the applicant and obtain a complete criminal history. Improve hiring practices, including the addition of interview questions or questionnaires to evaluate ethical or moral attitudes. Create specific disqualification criteria when hiring for sensitive and high-privilege positions.
4. Improve the process and scope of account deactivation procedures to ensure quick, comprehensive account deactivation upon termination.
5. Improve HR management policies and procedures to reflect the changes in the hiring and termination processes described above.
6. Update incident response plans to include procedures for malicious insider activities, including procedures for the preservation of evidence on live systems (i.e., “step away from your computer” procedures).
7. Improve or initiate supervisory processes to mitigate insider threats, including supervisor monitoring, consistent policy enforcement, separation of duties, mandatory approvals, mandatory change control, job rotation, and forced leave.
8. Add insider threat to all audit and assessment criteria.
9. Improve or enable strong accountability controls, including stringent identity management and evidence-based audit trails for systems and applications.
10. Use technologies that preserve the content and integrity of log and audit data. Consider outsourcing log management and analysis to ensure isolation and to improve detection of and response to malicious activity.
11. Improve physical security controls and tracking (audit) mechanisms, and collate physical and logical access records to detect suspicious or anomalous activity.
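Item 11 is the one recommendation above that is directly a detection technique. As an added example that is not from the book, the following Python detector collates a badge (physical) log with a workstation logon (logical) log and flags interactive console logons by users who have no active badge-in at the site where the workstation sits. The record formats, user and site names, the Windows-style logon-type numbers and the 14-hour presence window are all constructed for this example.

```python
"""Correlate badge (physical) and logon (logical) access records.

Added example, not from the book. Flags an interactive console logon when
the user has no active badge-in at the site of the workstation. Record
formats, users, sites and the presence window are constructed.
"""
from datetime import datetime, timedelta

# Constructed badge records: time user site direction
BADGE_LOG = """\
2010-08-18T07:55:00 alice HQ IN
2010-08-18T08:02:00 bob HQ IN
2010-08-18T12:10:00 bob HQ OUT
2010-08-18T08:30:00 carol LAB IN
"""

# Constructed logon records: time user host site logon_type
# logon_type follows Windows numbering: 2 = interactive console, 10 = remote.
LOGON_LOG = """\
2010-08-18T08:01:00 alice ws-hq-17 HQ 2
2010-08-18T13:05:00 bob ws-hq-22 HQ 2
2010-08-18T09:00:00 carol ws-lab-03 LAB 2
2010-08-18T09:15:00 dave ws-hq-40 HQ 2
2010-08-18T22:40:00 alice ws-hq-17 HQ 10
"""

CONSOLE_LOGON = "2"
PRESENCE_WINDOW = timedelta(hours=14)  # a badge-in older than this is stale (assumption)

BADGE_FIELDS = ("time", "user", "site", "direction")
LOGON_FIELDS = ("time", "user", "host", "site", "type")


def parse(text, fields):
    """Parse whitespace-separated records into dicts. Malformed lines raise
    rather than being skipped: a silently dropped record hides activity."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(fields, parts))
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def badged_in(badges, user, site, at):
    """True if the user's latest badge event at `site` on or before `at`
    is an IN that is no older than PRESENCE_WINDOW."""
    events = [b for b in badges
              if b["user"] == user and b["site"] == site and b["time"] <= at]
    if not events:
        return False
    last = max(events, key=lambda b: b["time"])
    return last["direction"] == "IN" and at - last["time"] <= PRESENCE_WINDOW


def is_present(user, site, iso_time, badge_text=BADGE_LOG):
    """String-argument convenience wrapper around badged_in()."""
    return badged_in(parse(badge_text, BADGE_FIELDS), user, site,
                     datetime.fromisoformat(iso_time))


def find_anomalies(badge_text=BADGE_LOG, logon_text=LOGON_LOG):
    """Return (time, user, host, reason) for each console logon that is not
    backed by an active badge presence. Remote logons are skipped on purpose:
    a remote session without a badge-in is normal and needs a different rule."""
    badges = parse(badge_text, BADGE_FIELDS)
    findings = []
    for ev in parse(logon_text, LOGON_FIELDS):
        if ev["type"] != CONSOLE_LOGON:
            continue
        if not badged_in(badges, ev["user"], ev["site"], ev["time"]):
            findings.append((ev["time"].isoformat(), ev["user"], ev["host"],
                             "console logon without active badge presence"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies():
        print(*finding)
```

On the constructed data this reports bob (badged out before the logon) and dave (never badged in). Two caveats apply to any real deployment: a missing badge-in is a signal, not proof, because tailgating produces the same pattern, and the two feeds must share a synchronized clock and a common user identifier (badge IDs usually have to be mapped to account names first). Item 10 above applies to both feeds; a detector is only as trustworthy as the logs it reads.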
Target Retaliation
When you are conducting offensive maneuvers, there is always the chance that the entity you are targeting will discover your activities and retaliate. Hacker defacements of entertainment industry websites in response to actions against Napster, The Pirate Bay, and other music-sharing sites are noted examples. In cyberwarfare the stakes are much higher because the retaliating force may be able to affect critical resources and functionality. Defensive reconnaissance efforts (i.e., cyberspying), if discovered, may also invoke a retaliatory response. Massive denial-of-service attacks are not unusual; they are generally short-lived, but they get the point across. The best tactic against retaliation is anonymity: it is difficult to be the direct recipient of a retaliation attempt if the target cannot identify you. This, incidentally, is the biggest issue associated with proactive defenses that launch counterattacks. Often they are targeting an innocent party and an unwitting participant.
246 Security Strategy: From Requirements to Reality
Their system has been compromised and is being used to disguise the attackers’ actual location. Depending on your jurisdiction, a retaliatory response may subject you or your organization to criminal charges and/or civil liabilities.
There are a number of ways to achieve anonymity, including hidden Internet Assigned Numbers Authority (IANA) registrations for specific IP ranges, but the more popular method is exploitation. Exploitation is the compromise of third-party systems or communications channels that are subsequently used to target other systems. Botnets are a good example: hackers and cybercriminals use various exploits to implant a zombie on a victim’s computer system and then send it remote commands to carry out their illicit activities. For example, the Cimbot zombie uses the victim’s e-mail accounts to send spam. Cimbot accounts for some 15% of the world’s spam, which works out to about 13% of all e-mail. Botnets are also used for distributed denial-of-service (DDoS) attacks. But exploitation doesn’t necessarily have to involve remotely controlled zombies; any access that allows attackers to disguise their actual source address is sufficient, and it is not unusual for attackers to use multiple hops to make it more difficult to trace their actions back to the source.
As recounted in the popular book The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage, Markus Hess, a West German hacker, used up to 10 intermediate sites to disguise his hacking efforts against U.S. military sites, national laboratories, and NASA. It took more than two years to backtrack this maze of connections to Hess’s telephone line. Another means of achieving anonymity is account compromise or hijacking. Various means are used to capture a user’s credentials (user ID, password, session ID), which are then employed to conduct illicit activities. Because such usage is readily traceable to the source, hackers may use this technique in combination with a compromised system or a publicly accessible system (e.g., a library computer or an Internet café) for greater anonymity.
Defensive anonymity can use the same techniques to disguise the actual location of the agent, but the interactive nature of digital reconnaissance (i.e., chat rooms, blogs, etc.) makes it harder to maintain. Like any clandestine operation, there is always a possibility that the agent’s cover will get blown. Black-hats tend to be smart, intuitive people; they are not easily fooled or taken in, and they are not at all nice when they discover they’ve been had. Anonymity is the only real control objective associated with the target retaliation risk, and getting caught is the only real metric. Even with good anonymity controls, it is smart to prepare for massive retaliation attacks just in case your true identity is uncovered.
The following actions are recommended for the target retaliation risks:
1. Train your people. Spying, intelligence gathering, reconnaissance, whatever you choose to call it, is a craft. In fact, the CIA calls it “the craft.” Training people in the craft, including how to maintain anonymity, build and promote a persona (cover), and avoid detection or tracing, is important to their effectiveness. Natural ability, attitude, intelligence, and experience are the other ingredients.
2. Maintain separation. To the greatest extent possible, keep your reconnaissance activities completely separate from the agency or organization sponsoring them. There should be nothing on the systems used for reconnaissance associating them or the operator with the sponsor. If someone is going to retaliate, you want him to retaliate against the agent, not the organization.
3. Prepare for retaliation. Whether you are doing offensive or defensive intelligence gathering, when people discover what you are doing they are likely to retaliate. Be prepared for it by creating a good incident response process capable of managing the attack. You should be able to “pull the plug,” rebuild the system, and be back in business as a different entity in half an hour or so.
4. Prepare an isolated environment. This is the technical side of maintaining separation. Systems used for reconnaissance should be completely isolated (physically and logically) from internal resources. This includes a separate, dedicated Internet connection, preferably one that does not have a permanent IP address associated with it.
5. Identify, gather, and deploy tools that make it possible to quickly rebuild reconnaissance systems and to change identifiers, including system and account SIDs and MAC addresses.
Target Deception
The old proverb, “There is no honor among thieves,” is certainly applicable to the black-hat world. Notoriety is one of the major motivators for hacking; money and espionage are the other two.
It is important that you recognize your progress and take pride in your accomplishments. Share your achievements with others. Brag a little. The recognition and support of those around you is nurturing.
Rosemarie Rossetti
Consequently, there is a propensity for bragging and exaggeration within the hacking community. Organizations may end up on expensive wild-goose chases if the information they gather is not properly vetted. In some instances, this misinformation may be intentional or retaliatory, designed to divert resources unnecessarily or lure you into a trap. Verification is the only real control objective associated with this risk. Before taking action on any piece of information from a black-hat source, confirm its contents first. Cross-checking with reliable, knowledgeable sources such as the Carnegie Mellon CERT and other white-hat reconnaissance efforts is the first step. Investigating the claim itself is the second step. Is it plausible? We get one of our favorite laughs when we see movie depictions of hackers sitting at computer consoles watching graphic displays of their hacking agent breaking through firewalls and other protections. Possible? Yes. Plausible? It’s a stretch, to say the least. Of course, vetting isn’t all that it’s cracked up to be either. The other parties could be deceived as well, so it is wise to be prepared, but only proceed when the evidence is compelling. If this approach had been taken for the DDoS threat, the attacks on eBay, Amazon, and E-Trade in 2000 would have had less impact. The weaknesses in the protocols were well known, brags in the hacker community abounded, and even some examples of attack zombies had been captured, but for some unexplained reason, the industry made no concerted effort to prepare for the attack.
SIDEBAR: LEVERAGING THE BRAG
Bragging has an interesting reconnaissance benefit. As Ralph Waldo Emerson points out, “There is also this benefit in brag, that the speaker is unconsciously expressing his own ideal. Humor him by all means, draw it all out, and hold him to it.” In other words, it is possible to use a person’s bragging to draw out additional details that will help you determine the legitimacy of his or her claim. Such efforts can also help you determine the type of hacker you are interacting with. Accomplished black-hats are not inclined to brag or readily advertise their tools of the trade. If you bait someone and get a cold response, you may want to pursue the conversation on a different tack.
The following actions are recommended for the target deception risks:
1. Identify resources that supply reliable, timely information, including organizations such as the Carnegie Mellon CERT and the SANS Internet Storm Center.
2. Collaborate with others doing the same type of reconnaissance and with security researchers who can perform proof-of-concept testing of new exploit claims.
3. Maintain separation. Never disclose your cover identity to anyone. Just because someone says he is a good guy doesn’t make it so; black-hats do reconnaissance too!
4. Create a triage process for quickly vetting the information you gather so that you can prioritize what further actions will be taken.
5. Create a multistage set of procedures for evaluating the threat information you gather to help you make appropriate decisions concerning defensive preparations. Triage should establish whether the information has merit or is simply a hoax (nonsense). Other stages should evaluate the potential impact, how imminent the act is, and how existing controls can be used to mitigate an attack. A staged procedure allows you to review results at the end of each stage to determine whether or not to proceed to the next stage.
Malicious Code Implantation
If you tease the bull, you’re going to get horned.
Spanish proverb
The black-hat community is not a friendly one; exploiting newbies, script kiddies, and curious spectators is not unusual. Many hacking sites have drive-by and other Web-based attacks installed on them, and downloadable tools and utilities on these sites frequently contain malicious code. The primary control objective for this risk is containment. Reconnaissance efforts will undoubtedly subject our systems to these types of attack attempts. If our goal is to understand these attacks and how they are executed, it’s not necessarily wrong to allow this code onto our systems as long as we are able to contain it and prevent any significant damage. Table 12.4 lists a number of different attributes of the containment control objective.
Isolated
The last thing we want is to have our reconnaissance efforts cause a security incident in our internal business network. The best way to mitigate this possibility is to completely isolate the systems used for reconnaissance from internal resources. This includes physical and logical separation. A separate, dedicated Internet connection is strongly recommended, one that does not have a permanent IP address associated with it. One of the tricks we used to conceal our identity when doing penetration testing was to periodically force the Dynamic Host Configuration Protocol (DHCP) server to assign us a new IP address by altering the Media Access Control (MAC) address of the machine and then renewing the DHCP lease. This is a useful technique if you come under a retaliation attack as well. Strong isolation is one of the best ways to contain the potential damage from implanted or downloaded malware.
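The MAC-then-DHCP trick just described, and item 5 of the target retaliation list (tools to change identifiers such as MAC addresses), can be scripted for the reconnaissance host. The following Python tool is an added example and not code from the book: it generates a random locally administered unicast MAC, applies it with iproute2, and asks dhclient for a fresh lease. Linux with iproute2 and ISC dhclient, the interface name eth0, and root privilege are assumptions; the Windows SID side of item 5 is not covered here.

```python
"""Rotate the link-layer identity of a reconnaissance host.

Added example, not from the book. Generates a random locally administered
unicast MAC, applies it with `ip link`, and renews the DHCP lease so the
host returns with a different address. Assumes Linux with iproute2 and
ISC dhclient, run as root; the interface name is a parameter.
"""
import os
import secrets
import subprocess


def random_local_mac():
    """Random MAC with the locally administered bit set and the multicast
    bit clear, so it never collides with a vendor-assigned (OUI) address."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_local_unicast(mac):
    """Validate a MAC string: six two-digit hex octets, locally administered, unicast."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        return False
    try:
        values = [int(p, 16) for p in parts]
    except ValueError:
        return False
    first = values[0]
    return bool(first & 0x02) and not (first & 0x01)


def rotation_commands(iface, mac):
    """Command sequence: release the lease, take the link down (most drivers
    only accept a new address while down), set it, bring the link up, and
    request a new lease."""
    return [
        ["dhclient", "-r", iface],
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
        ["dhclient", iface],
    ]


def rotate(iface, mac=None, dry_run=False):
    """Apply a new MAC and renew DHCP. With dry_run=True nothing is executed;
    the chosen MAC and the planned commands are returned for inspection."""
    mac = mac or random_local_mac()
    if not is_local_unicast(mac):
        raise ValueError(f"refusing {mac!r}: not a locally administered unicast MAC")
    cmds = rotation_commands(iface, mac)
    if dry_run:
        return mac, cmds
    if os.geteuid() != 0:
        raise PermissionError("changing the MAC and renewing DHCP requires root")
    for cmd in cmds:
        subprocess.run(cmd, check=True)
    return mac, cmds


if __name__ == "__main__":
    # Set dry_run=False on the reconnaissance box itself.
    new_mac, plan = rotate("eth0", dry_run=True)
    print("new MAC:", new_mac)
    for cmd in plan:
        print(" ".join(cmd))
```

Three things limit what this buys you. A DHCP server that keys leases on a client identifier rather than on the MAC, or one with a small pool, may hand the same address back; many distributions configure dhclient to send the machine's hostname in the request, which links the old and new leases unless that option is removed from dhclient.conf; and a switch port with port security may shut down when a new MAC appears. Changing the MAC also hides nothing from the upstream provider, which is why the text pairs it with a separate, dedicated connection.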
Hardened
General-purpose operating systems, especially those intended for end-user systems, are designed
for usability, which usually equates to a relaxed security confi guration. is confi guration
isn’t, however, acceptable for reconnaissance. Every reasonable precaution needs to be taken
to ensure that systems used for reconnaissance cannot be compromised. Standard harden-
ing practices apply. We recommend the NSA/CIA and NIST guides. Select the high-security
option. Microsoft also has excellent security confi guration guides on TechNet for their operat-
ing systems.
Table 12.4 Containment Control Objective
Attribute (Control Type): Risk and Requirements

Systems
Completeness (Soft): All systems used for reconnaissance shall be hardened to prevent and/or contain the effects of malicious code implantation.
Isolated (Soft): Systems used for reconnaissance shall be physically and logically isolated from the business network and systems.
Hardened (Hard): Systems used for reconnaissance shall be hardened to minimize potential attack vectors, to include (but not limited to):
- Removal of nonessential services and applications
- Removal of nonessential network protocols
- Disablement of nonessential accounts
- Configuration of OS strong security features
- Installation of all applicable security patches
- Installation of protective mechanisms to ensure system integrity and detect malicious code and/or activity
Malware protected: Systems used for reconnaissance shall have protective mechanisms installed to detect, contain, or restrict the execution of malware; for example:
- Antivirus protection
- Anti-spyware or adware protection
- Rootkit and zombie detectors
- File integrity checkers
- Intrusion prevention agents
Privilege restricted: The operators of systems used for reconnaissance shall log on using standard (nonprivileged) user accounts and use OS utilities to escalate privileges when necessary.

Software
Source code formatted (Soft): The preferred format for all externally acquired applications is source code. Binaries, including executables and linked libraries, are to be avoided whenever possible.
Scanned (Hard): All software acquired from external sources shall be scanned for malicious content using multiple scanning engines.
Execution restricted (Hard): All software acquired from external sources shall be restricted in its execution (e.g., in a sandbox), including its ability to access or modify critical system components or configurations.
Execution reviewed (Both): Software acquired from external sources may be monitored during its execution to identify the presence of potentially malicious or dangerous functionality.
Code reviewed (Soft): All software acquired from external sources shall be code reviewed for malicious content. Software in binary formats shall be decompiled and the resulting source code reviewed for malicious content.
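The “file integrity checkers” entry under Malware protected is the one Table 12.4 control that is simple enough to show in full. The following Python checker is an added example and not code from the book: it baselines a directory tree (SHA-256, size and permission bits), seals the baseline with an HMAC under a key that stays off the reconnaissance host, and reports files that were added, removed or modified. The point of the seal is that a downloaded “utility” which has already compromised the box cannot quietly rewrite the baseline to match its changes. The directory layout, file contents and key used in demo() are constructed for the example.

```python
"""Minimal file integrity checker with an authenticated baseline.

Added example, not from the book. Baseline = {relative path: [sha256, size,
mode]}, sealed with HMAC-SHA256 so that malware on the host cannot edit the
baseline to hide its changes. Paths, contents and the key in demo() are
constructed; in practice the key and the sealed baseline are kept off-host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Hash every regular file under root (symlinks are skipped, not followed)."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = [_sha256_file(full), st.st_size, st.st_mode & 0o7777]
    return entries


def seal(entries, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "tag": tag})


def unseal(blob, key):
    """Verify the tag before trusting anything in the baseline."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline failed authentication; do not trust it")
    return json.loads(doc["baseline"])


def compare(baseline, current):
    """Report paths that appeared, disappeared, or changed hash, size or mode."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, disturb it, and return (report, forged_rejected):
    the change report plus whether a baseline edited without the key is refused."""
    key = b"constructed-key-kept-off-the-recon-host"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/tool.sh", b"#!/bin/sh\necho ok\n")
        _write(root, "etc/config", b"mode=strict\n")
        _write(root, "lib/helper.py", b"x = 1\n")
        sealed = seal(snapshot(root), key)

        # Simulate what a downloaded "utility" might do to the box.
        _write(root, "bin/tool.sh", b"#!/bin/sh\necho ok\nsh /tmp/.payload\n")
        _write(root, "bin/dropper.exe", b"MZ\x90\x00")
        os.remove(os.path.join(root, "lib/helper.py"))
        report = compare(unseal(sealed, key), snapshot(root))

        # Attacker edits the stored baseline to match the new tool.sh, but has no key.
        doc = json.loads(sealed)
        forged = json.loads(doc["baseline"])
        forged["bin/tool.sh"] = snapshot(root)["bin/tool.sh"]
        doc["baseline"] = json.dumps(forged, sort_keys=True)
        try:
            unseal(json.dumps(doc), key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return report, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Run demo() and the report names bin/dropper.exe as added, lib/helper.py as removed and bin/tool.sh as modified, while the forged baseline is rejected. The checker tells you what changed, not whether the change was benign; it is the cheap first stage before the table's “execution reviewed” and “code reviewed” controls, and it only holds if the baseline is taken from a known-clean rebuild and the key never touches the reconnaissance host.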