SlideShare a Scribd company logo

Stu t18 b

S
SelectedPresentations
1 of 26
Download to read offline
Session ID: Session Classification: ▶ Slide▶ of 26 xxx-xxxx xxxxxxxxxxxx Stuxnet Lessons for Defenders William Cheswick cheswick.com http://www.cheswick.com/ches 1 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 762 ▶ I have never mounted a sophisticated cyber attack, nor have I been cleared for official training.   The observations here come from twenty years of evil thoughts and pondering offensive cyber activities. Note: Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 763 ▶ “Security people are paid to think bad thoughts” ▶ - Bob Morris Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Goals Espionage Damage Loss of confidence False flag operations 4 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Damage Soft damage Can be very subtle, and disrupt operations for years. Hard damage best if replacement equipment is scarce massive attack can overwhelm supply chains It is also much harder to do 5 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Soft Damage Erasing or changing data Subverting or destroying backups. Make operators take the wrong action Perhaps convince management that the project is not worthwhile 6 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Hard Damage Destroying hardware disk crashes? Flash has a limited number of writes Damage or destroy equipment Take out a dam, blow transformers, etc. 7 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 “Gremlin attack” Reduce confidence in the venture Make them reject certain approaches “Cursing” a technique, certain equipment, or people 8 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 False flag operations Attribution is the major problem in information warfare these days Make it look like someone else is doing something bad 9 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Exploits Day 0 exploits are rare, expensive, and have a shelf life Standard attacks still work Crypto BBB “social engineering” i.e. spy techniques 10 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 2611 software hacks day 0 exploits expensive, single use, has a shelf life well-known exploits on old software (which is common) email/web injection USB sticks Gain access Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 people network devices software 12 Mapping Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 People network administrators key engineers/scientists 13 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 the Official Map ping/traceroute SNMP dumps reverse DNS passive packet monitoring activity of people (see above) 14 Network Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 industrial controllers network gear client hosts misc. devices often not updated 15 Devices Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Feedback Operational progress, i.e. debugging Espionage 16 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Exfiltrating Data To the Internet VPNs stego: TCP headers, web requests, email, etc. Depends on the volume, which can be huge Over the cell network USB sticks/laptops/cell phones? strip search on your way out? 17 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Attacker’s concerns Getting noticed Getting caught Expending exploits Misleading information the double agent problem Wasting time and money 18 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Attacker’s concerns Controlling exponential growth Morris worm Stuxnet got away, after a while 19 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 7620 ▶We know these attacks are real, and we know that you don’t have to be separating uranium isotopes to be worth all this effort. Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 2621 You may well be a target Attacks, even APT attacks, are relatively cheap There is virtually no downside for the attackers Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 There are weak points in these attacks Discovery phase can create brief signatures on the network and in hosts. Secret honeypots and sentinels can force attackers to show their hand Deception toolkits 22 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Some thoughts Require deep monitoring of your own people Data exfiltration could be detectable Boot from clean operating system sources 23 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Network monitoring Detect all SNMP activity Low TTL packets are highly suspect (traceroute of any kind) Any usual net activity High-entropy packets and flows Day 0 backups for comparisons 24 Monday, February 18, 13
▶ Presenter Logo ▶ Slide▶ of 26 Network topography Internet gateway? Really? Bulkheads and enclaves. 25 Monday, February 18, 13
Session ID: Session Classification: ▶ Slide▶ of 26 xxx-xxxx xxxxxxxxxxxx Stuxnet Lessons for Defenders William Cheswick cheswick.com http://www.cheswick.com/ches 26 Monday, February 18, 13

Recommended

EVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor Volovich
EC-Council
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
EC-Council
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Vladyslav Radetsky
 
The Current State of Cybersecurity
The Current State of CybersecurityThe Current State of Cybersecurity
The Current State of Cybersecurity
TruShield Security Solutions
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?
Community Protection Forum
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises
Nigel Hanson
 

Recommended

EVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor VolovichEVOLVE to demand. demand to evolve by Igor Volovich
EVOLVE to demand. demand to evolve by Igor Volovich
EC-Council
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...
EC-Council
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Vladyslav Radetsky
 
The Current State of Cybersecurity
The Current State of CybersecurityThe Current State of Cybersecurity
The Current State of Cybersecurity
TruShield Security Solutions
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?
Community Protection Forum
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises
Nigel Hanson
 
Iam r35 a
Iam r35 aIam r35 a
Iam r35 a
SelectedPresentations
 
Stu r35 a
Stu r35 aStu r35 a
Stu r35 a
SelectedPresentations
 
Ht r33
Ht r33Ht r33
Ht r33
SelectedPresentations
 
Iam f42 a
Iam f42 aIam f42 a
Iam f42 a
SelectedPresentations
 
Stu r37 b
Stu r37 bStu r37 b
Stu r37 b
SelectedPresentations
 
Iam r31 a (2)
Iam r31 a (2)Iam r31 a (2)
Iam r31 a (2)
SelectedPresentations
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
SelectedPresentations
 
Exp t19 exp-t19
Exp t19 exp-t19Exp t19 exp-t19
Exp t19 exp-t19
SelectedPresentations
 
Hum w25 hum-w25
Hum w25 hum-w25Hum w25 hum-w25
Hum w25 hum-w25
SelectedPresentations
 
Grc w25 a
Grc w25 aGrc w25 a
Grc w25 a
SelectedPresentations
 
Stu w23 b
Stu w23 bStu w23 b
Stu w23 b
SelectedPresentations
 
Grc r35 b
Grc r35 bGrc r35 b
Grc r35 b
SelectedPresentations
 
Stu w22 a
Stu w22 aStu w22 a
Stu w22 a
SelectedPresentations
 
Hta t17
Hta t17Hta t17
Hta t17
SelectedPresentations
 
Stu r31 a
Stu r31 aStu r31 a
Stu r31 a
SelectedPresentations
 
Hta f42
Hta f42Hta f42
Hta f42
SelectedPresentations
 
Особенности использования современных СЗИ НСД для обеспечения информационной ...
Особенности использования современных СЗИ НСД для обеспечения информационной ...Особенности использования современных СЗИ НСД для обеспечения информационной ...
Особенности использования современных СЗИ НСД для обеспечения информационной ...
SelectedPresentations
 
Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1
SalmenHAJJI1
 
Threats to a computer
Threats to a computer Threats to a computer
Threats to a computer
FCA - Future Chartered Accountants
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTs
APNIC
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
NSC42 Ltd
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
George Boobyer
 

More Related Content

Viewers also liked

Viewers also liked (17)

Iam r35 a
Iam r35 aIam r35 a
Iam r35 a
 
Stu r35 a
Stu r35 aStu r35 a
Stu r35 a
 
Ht r33
Ht r33Ht r33
Ht r33
 
Iam f42 a
Iam f42 aIam f42 a
Iam f42 a
 
Stu r37 b
Stu r37 bStu r37 b
Stu r37 b
 
Iam r31 a (2)
Iam r31 a (2)Iam r31 a (2)
Iam r31 a (2)
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Exp t19 exp-t19
Exp t19 exp-t19Exp t19 exp-t19
Exp t19 exp-t19
 
Hum w25 hum-w25
Hum w25 hum-w25Hum w25 hum-w25
Hum w25 hum-w25
 
Grc w25 a
Grc w25 aGrc w25 a
Grc w25 a
 
Stu w23 b
Stu w23 bStu w23 b
Stu w23 b
 
Grc r35 b
Grc r35 bGrc r35 b
Grc r35 b
 
Stu w22 a
Stu w22 aStu w22 a
Stu w22 a
 
Hta t17
Hta t17Hta t17
Hta t17
 
Stu r31 a
Stu r31 aStu r31 a
Stu r31 a
 
Hta f42
Hta f42Hta f42
Hta f42
 
Особенности использования современных СЗИ НСД для обеспечения информационной ...
Особенности использования современных СЗИ НСД для обеспечения информационной ...Особенности использования современных СЗИ НСД для обеспечения информационной ...
Особенности использования современных СЗИ НСД для обеспечения информационной ...
 

Similar to Stu t18 b

Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
George Boobyer
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
OSMC 2013 | Flapjack - monitoring notification system by Birger SchmidtOSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
NETWAYS
 

Similar to Stu t18 b (20)

Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1Ccna sv2 instructor_ppt_ch1
Ccna sv2 instructor_ppt_ch1
 
Threats to a computer
Threats to a computer Threats to a computer
Threats to a computer
 
Philippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTsPhilippines Cybersecurity Conference 2021: The role of CERTs
Philippines Cybersecurity Conference 2021: The role of CERTs
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
IT-Security-20210426203847.ppt
IT-Security-20210426203847.pptIT-Security-20210426203847.ppt
IT-Security-20210426203847.ppt
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
Brief Introduction of Hackers
Brief Introduction of HackersBrief Introduction of Hackers
Brief Introduction of Hackers
 
Security information for internet and security
Security information for internet and securitySecurity information for internet and security
Security information for internet and security
 
Technology Challenges of Virtual Worlds in Education & Training - Research di...
Technology Challenges of Virtual Worlds in Education & Training - Research di...Technology Challenges of Virtual Worlds in Education & Training - Research di...
Technology Challenges of Virtual Worlds in Education & Training - Research di...
 
Cybersecurity During the COVID Era
Cybersecurity During the COVID EraCybersecurity During the COVID Era
Cybersecurity During the COVID Era
 
CC 2-1 Incident response.pdf
CC 2-1 Incident response.pdfCC 2-1 Incident response.pdf
CC 2-1 Incident response.pdf
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)
 
Ccna security v2 instructor_ppt_ch11
Ccna security v2 instructor_ppt_ch11Ccna security v2 instructor_ppt_ch11
Ccna security v2 instructor_ppt_ch11
 
OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
OSMC 2013 | Flapjack - monitoring notification system by Birger SchmidtOSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt
 
ENSA_Module_3.pptx
ENSA_Module_3.pptxENSA_Module_3.pptx
ENSA_Module_3.pptx
 

More from SelectedPresentations

More from SelectedPresentations (20)

Длительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решенияДлительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решения
 
Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.
 
Варианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройстваВарианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройства
 
Новые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решенийНовые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решений
 
Управление безопасностью мобильных устройств
Управление безопасностью мобильных устройствУправление безопасностью мобильных устройств
Управление безопасностью мобильных устройств
 
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
 
Кадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасностиКадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасности
 
Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...
 
Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...
 
Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...
 
Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
 
Запись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхЗапись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данных
 
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
 
Обеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИСОбеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИС
 
Документ, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБДокумент, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБ
 
Чего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложенийЧего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложений
 
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
 
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
 
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИОб угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
 

Stu t18 b

  • 1. Session ID: Session Classification: ▶ Slide▶ of 26 xxx-xxxx xxxxxxxxxxxx Stuxnet Lessons for Defenders William Cheswick cheswick.com http://www.cheswick.com/ches 1 Monday, February 18, 13
  • 2. ▶ Presenter Logo ▶ Slide▶ of 762 ▶ I have never mounted a sophisticated cyber attack, nor have I been cleared for official training.   The observations here come from twenty years of evil thoughts and pondering offensive cyber activities. Note: Monday, February 18, 13
  • 3. ▶ Presenter Logo ▶ Slide▶ of 763 ▶ “Security people are paid to think bad thoughts” ▶ - Bob Morris Monday, February 18, 13
  • 4. ▶ Presenter Logo ▶ Slide▶ of 26 Goals Espionage Damage Loss of confidence False flag operations 4 Monday, February 18, 13
  • 5. ▶ Presenter Logo ▶ Slide▶ of 26 Damage Soft damage Can be very subtle, and disrupt operations for years. Hard damage best if replacement equipment is scarce massive attack can overwhelm supply chains It is also much harder to do 5 Monday, February 18, 13
  • 6. ▶ Presenter Logo ▶ Slide▶ of 26 Soft Damage Erasing or changing data Subverting or destroying backups. Make operators take the wrong action Perhaps convince management that the project is not worthwhile 6 Monday, February 18, 13
  • 7. ▶ Presenter Logo ▶ Slide▶ of 26 Hard Damage Destroying hardware disk crashes? Flash has a limited number of writes Damage or destroy equipment Take out a dam, blow transformers, etc. 7 Monday, February 18, 13
  • 8. ▶ Presenter Logo ▶ Slide▶ of 26 “Gremlin attack” Reduce confidence in the venture Make them reject certain approaches “Cursing” a technique, certain equipment, or people 8 Monday, February 18, 13
  • 9. ▶ Presenter Logo ▶ Slide▶ of 26 False flag operations Attribution is the major problem in information warfare these days Make it look like someone else is doing something bad 9 Monday, February 18, 13
  • 10. ▶ Presenter Logo ▶ Slide▶ of 26 Exploits Day 0 exploits are rare, expensive, and have a shelf life Standard attacks still work Crypto BBB “social engineering” i.e. spy techniques 10 Monday, February 18, 13
  • 11. ▶ Presenter Logo ▶ Slide▶ of 2611 software hacks day 0 exploits expensive, single use, has a shelf life well-known exploits on old software (which is common) email/web injection USB sticks Gain access Monday, February 18, 13
  • 12. ▶ Presenter Logo ▶ Slide▶ of 26 people network devices software 12 Mapping Monday, February 18, 13
  • 13. ▶ Presenter Logo ▶ Slide▶ of 26 People network administrators key engineers/scientists 13 Monday, February 18, 13
  • 14. ▶ Presenter Logo ▶ Slide▶ of 26 the Official Map ping/traceroute SNMP dumps reverse DNS passive packet monitoring activity of people (see above) 14 Network Monday, February 18, 13
  • 15. ▶ Presenter Logo ▶ Slide▶ of 26 industrial controllers network gear client hosts misc. devices often not updated 15 Devices Monday, February 18, 13
  • 16. ▶ Presenter Logo ▶ Slide▶ of 26 Feedback Operational progress, i.e. debugging Espionage 16 Monday, February 18, 13
  • 17. ▶ Presenter Logo ▶ Slide▶ of 26 Exfiltrating Data To the Internet VPNs stego: TCP headers, web requests, email, etc. Depends on the volume, which can be huge Over the cell network USB sticks/laptops/cell phones? strip search on your way out? 17 Monday, February 18, 13
  • 18. ▶ Presenter Logo ▶ Slide▶ of 26 Attacker’s concerns Getting noticed Getting caught Expending exploits Misleading information the double agent problem Wasting time and money 18 Monday, February 18, 13
  • 19. ▶ Presenter Logo ▶ Slide▶ of 26 Attacker’s concerns Controlling exponential growth Morris worm Stuxnet got away, after a while 19 Monday, February 18, 13
  • 20. ▶ Presenter Logo ▶ Slide▶ of 7620 ▶We know these attacks are real, and we know that you don’t have to be separating uranium isotopes to be worth all this effort. Monday, February 18, 13
  • 21. ▶ Presenter Logo ▶ Slide▶ of 2621 You may well be a target Attacks, even APT attacks, are relatively cheap There is virtually no downside for the attackers Monday, February 18, 13
  • 22. ▶ Presenter Logo ▶ Slide▶ of 26 There are weak points in these attacks Discovery phase can create brief signatures on the network and in hosts. Secret honeypots and sentinels can force attackers to show their hand Deception toolkits 22 Monday, February 18, 13
  • 23. ▶ Presenter Logo ▶ Slide▶ of 26 Some thoughts Require deep monitoring of your own people Data exfiltration could be detectable Boot from clean operating system sources 23 Monday, February 18, 13
  • 24. ▶ Presenter Logo ▶ Slide▶ of 26 Network monitoring Detect all SNMP activity Low TTL packets are highly suspect (traceroute of any kind) Any usual net activity High-entropy packets and flows Day 0 backups for comparisons 24 Monday, February 18, 13
  • 25. ▶ Presenter Logo ▶ Slide▶ of 26 Network topography Internet gateway? Really? Bulkheads and enclaves. 25 Monday, February 18, 13
  • 26. Session ID: Session Classification: ▶ Slide▶ of 26 xxx-xxxx xxxxxxxxxxxx Stuxnet Lessons for Defenders William Cheswick cheswick.com http://www.cheswick.com/ches 26 Monday, February 18, 13