Computer Attack Stratagems


Published on

1. China leverages computer network attack and exploitation techniques, harvesting information critical to building a modern nation-state and "informationalized", technical military forces.
2. China adapted ancient stratagems for CNA & CNE operations.
3. China can claim plausible denial for nation-sponsored hacking activities, hiding within the sea of everyday hackers.
4. On the other hand, north Korea must take CNA & CNE operations outside its country's boundaries.

Published in: Technology, Education
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Computer Attack Stratagems

    1. 1. Computer Network Attack / Exploitation: Regional Threats China & North Korea Karl Wolfgang, CISSP
    2. 2. CNO in NE Asia <ul><li>People’s Republic of China: medium threat, growing </li></ul><ul><li>North Korea: low threat, restrained </li></ul><ul><li>Methodology </li></ul><ul><ul><li>National vision, objectives: military doctrine </li></ul></ul><ul><ul><li>Stratagems </li></ul></ul><ul><ul><li>Reality check: </li></ul></ul><ul><ul><ul><li>Capabilities </li></ul></ul></ul><ul><ul><ul><li>supporting infrastructure </li></ul></ul></ul><ul><ul><ul><li>Software / programming </li></ul></ul></ul><ul><ul><li>Open source analysis, “in the wild” hacker processes </li></ul></ul><ul><ul><ul><li>Assumptions: </li></ul></ul></ul><ul><ul><ul><ul><li>Individual hackers and nations share similar processes / techniques </li></ul></ul></ul></ul><ul><ul><ul><ul><li>China and north Korea share similar processes / techniques </li></ul></ul></ul></ul><ul><ul><ul><ul><li>China: 1. more active 2. better able to operate under cloak of plausible denial </li></ul></ul></ul></ul>
    3. 3. Jiang Zemin: 90s – Early 21 st Century Warfare at the Speed of Electrons <ul><li>Economic, political, historical objectives </li></ul><ul><ul><li>Taiwan </li></ul></ul><ul><ul><li>Infrastructure > military techno-revolution </li></ul></ul><ul><li>Regional power projection </li></ul><ul><li>Lessons learned – Kosovo, Iraq </li></ul><ul><ul><li>C4I fusion </li></ul></ul><ul><ul><li>preemption </li></ul></ul><ul><li>&quot;Informationized arms . . . together with information systems, sound, light, electronics, magnetism, heat and so on, turn into a carrier of strategies.&quot; </li></ul><ul><li>MG Dai Qingmin </li></ul>
    4. 4. NETOPS vs. The Science of Campaigns cognitive errors Multi-dimentional Threat Phased Operations
    5. 5. Civilian Assets & IW Reserves <ul><li>Dissolving boundaries </li></ul><ul><ul><li>Civil-military cooperation </li></ul></ul><ul><ul><li>Civil vs. military targets </li></ul></ul><ul><li>Militia – fist of network warfare & hacker units </li></ul><ul><li>Potential missions </li></ul><ul><ul><li>Network offense </li></ul></ul><ul><ul><li>Network defense </li></ul></ul><ul><ul><li>Network propaganda </li></ul></ul><ul><ul><li>Electronic countermeasures </li></ul></ul><ul><ul><li>Technical recon </li></ul></ul><ul><ul><li>Maintenance </li></ul></ul>
    6. 6. <ul><li>Skill Sets </li></ul><ul><li>Computer science graduates </li></ul><ul><li>Professions: </li></ul><ul><ul><li>Satellite </li></ul></ul><ul><ul><li>Telecommunications / networking </li></ul></ul><ul><ul><li>Data communications / SW &HW </li></ul></ul><ul><ul><li>Microwave </li></ul></ul><ul><ul><li>Programming </li></ul></ul><ul><li>Develop doctrine / training </li></ul>Civilian Assets & IW Reserves <ul><li>Cyber Forces </li></ul><ul><li>People’s Armed Forces Department of Echeng, Ezhou, Hebi </li></ul><ul><li>Chongquin Garrison </li></ul><ul><li>Shanxi Reserve “Network’ Fendui, Datong MSD </li></ul><ul><li>Shanghai </li></ul><ul><li>Guangzhou, Donghshan District </li></ul>
    7. 7. China: Plausible Denial <ul><li>Ancient stratagems </li></ul><ul><li>Maoist tactics </li></ul><ul><li>Aggressive program of national development </li></ul>
    8. 8. Stratagems of Information Warfare <ul><li>All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him. </li></ul><ul><li>Let your rapidity be that of the wind, your compactness that of the forest. </li></ul><ul><li>The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim. </li></ul><ul><li>Attack him where he is unprepared, appear where you are not expected. </li></ul>47 China’s Electronic Strategies
    9. 9. Sun Tzu – Wang Mind Meld <ul><li>IW: Complex, limited goals, short duration, less damage, larger battle space and less troop density, intense struggle for information superiority, C4I integration, new aspects of massing forces and the fact that effective strength may not be the main target. </li></ul><ul><li>Principles of IW: Decapitation, blinding, transparency, quick response and survival. Wang Baocun, &quot;A Preliminary Analysis of IW,&quot; Beijing Zhongguo Junshi Kexue , 20 November 1997 </li></ul><ul><li>The quality of decision is like the well-timed swoop of a falcon which enables it to strike and destroy its victim. </li></ul><ul><li>Attack him where he is unprepared, appear where you are not expected. </li></ul><ul><li>Sun Tzu </li></ul>
    10. 10. Thirty-Six Stratagems: The Secret Art of War
    11. 11. Thirty-Six Stratagems: The Secret Art of War <ul><li>Fool the emperor to cross the sea </li></ul>
    12. 12. Technical / Social Engineering <ul><li>e-mail from Stephen J. Moree, who reports to the office of Air Force Secretary Michael W. Wynne </li></ul><ul><li>evaluates the security of selling U.S. military aircraft to other countries </li></ul><ul><li>Indian government had just released request on Aug. 28, </li></ul><ul><li>to a Booz Allen Hamilton executive —from “Pentagon”, list weaponry India wanted to buy </li></ul><ul><li> </li></ul>
    13. 13. The innocent e-mail <ul><li>Poison Ivy </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><ul><li>designed to extract data from government contractor </li></ul></ul><ul><ul><li>Remote access Trojan </li></ul></ul><ul><ul><li>Keystrokes to </li></ul></ul><ul><ul><li>Small backdoor </li></ul></ul><ul><ul><li>Encrypted, compressed communications </li></ul></ul><ul><ul><li>Registry </li></ul></ul><ul><ul><ul><li>HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{2B81DA45-7941-1AAB-0607-050404050708} &quot;StubPath“ </li></ul></ul></ul><ul><ul><ul><li>HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun </li></ul></ul></ul>
    14. 14. Harvest then Exploit
    15. 15. Expired Accounts, Spear Phishing: Compromise <ul><li>Cat & mouse game continues </li></ul><ul><ul><li>1,500 expired accounts in Korea </li></ul></ul><ul><ul><li>Security patch woes </li></ul></ul><ul><ul><li>Improvements with CAC & limiting OWA </li></ul></ul><ul><ul><li>Email phishing </li></ul></ul>
    16. 16. Thirty-Six Stratagems: The Secret Art of War <ul><li>Besiege Wei to rescue Zhao </li></ul>Supreme excellence consists in breaking the enemy's resistance without fighting. Sun Tzu
    17. 17. Supply Chain Fakes Threaten Miltary Readiness <ul><li>Fake CISCO routers </li></ul><ul><li>&quot;Counterfeit products have been linked to the crash of mission-critical networks, and may also contain hidden 'back doors' enabling network security to be bypassed and sensitive data accessed [by hackers, thieves, and spies].” Melissa E. Hathaway, DNI </li></ul><ul><li>Counterfeit Xicor chips in F-15s </li></ul><ul><li>BAE, Boeing Satellite Systems, Raytheon Missile Systems, Northrop Grumman Navigation Systems, and Lockheed Martin Missiles & Fire Control. </li></ul>
    18. 18. Thirty-Six Stratagems: The Secret Art of War <ul><li>Kill with a borrowed sword </li></ul>
    19. 19. Thirty-Six Stratagems: The Secret Art of War <ul><li>Kill with a borrowed sword </li></ul>Slammer's most novel feature: propagation speed. In 3 minutes; scanning rate > 55 million / second; after which the growth rate slowed because significant portions of the network had insufficient bandwidth to accommodate more growth.
    20. 20. AutoRun Worms: Leverage Strengths, Dynamics <ul><li>The Internet </li></ul><ul><ul><li>Browser & plug-in vulnerabilities. ActiveX – 85% </li></ul></ul><ul><ul><li>Cross-scripting </li></ul></ul><ul><li>Workstation: operating system “entry points” </li></ul><ul><ul><li>Startup folder </li></ul></ul><ul><ul><li>Registry </li></ul></ul><ul><ul><ul><li>Active Setup </li></ul></ul></ul><ul><ul><ul><li>HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersion </li></ul></ul></ul><ul><ul><ul><li>HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion </li></ul></ul></ul><ul><ul><ul><ul><li>Run, RunOnce, RunServices, and RunServicesOnce </li></ul></ul></ul></ul><ul><li>CDs / USB Flash Drives </li></ul><ul><ul><li>AutoRun / AutoPlay </li></ul></ul><ul><ul><li>Leverage user </li></ul></ul>
    21. 21. AutoRun: Fish in the sea Mal/Generic-A [Sophos] 42 W32.SillyFDC [Symantec] 41 Packed.Generic.181 [Symantec] 5 W32.Dotex.CA [Symantec] 5 Mal/TinyDL-T [Sophos] 4 Mal/Basine-A,, Mal/Basine-C Mal/Behav-160, Mal/Emogen-E, Mal/Behav-009, Mal/Basine-C Worm.Hamweg.Gen Worm.Win32.AutoRun.eic <ul><li>Autorun #1 for first 6 months of 2008 </li></ul><ul><li>8% malicious code market </li></ul><ul><li>Japan: 143 in August, 347 in September, 471 in Oct. </li></ul>The varieties: The statistics: Worm.Win32.AutoRun.eae [Kaspersky Lab] VirTool:Win32/Vtub.WL [Microsoft] Trojan Horse [Symantec] HackTool.Win32.IISCrack.d [Ikarus] Worm.Win32.AutoRun.lkx Worm.Hamweg.Gen [PC Tools] 3 Worm.Win32.AutoRun.eic [Kaspersky Lab] 3 Worm.Win32.AutoRun.ejf [Kaspersky Lab] 3 Backdoor.Graybird!sd6 [PC Tools] 2 Mal/Dropper-MAP [Sophos] 2 TROJ_AGENT.ANFQ [Trend Micro] 4 Trojan.Win32.Agent.vkw [Kaspersky Lab] 4 VirTool.Win32.DelfInject [Ikarus] 4 W32.SillyP2P [Symantec] 4 Worm.Win32.Agent [Ikarus] 4 Worm.Win32.Agent.lz [Kaspersky Lab] 4 Worm.Win32.AutoRun.rol [Kaspersky Lab] Worm:Win32/Autorun.GR [Microsoft] 4 Worm:Win32/Hamweq.gen!C [Microsoft] 4 WORM_AUTORUN.AJX [Trend Micro
    22. 22. Thirty-Six Stratagems: The Secret Art of War <ul><li>Await the exhausted enemy at your ease </li></ul><ul><ul><li>Code Red and the White House </li></ul></ul>
    23. 23. Thirty-Six Stratagems: The Secret Art of War <ul><li>The insider </li></ul><ul><li>Hacker exploitation of OS vulnerability </li></ul>Loot a burning house
    24. 24. Growing Web-based Threat <ul><li>Infected web pages: 1 every 14 seconds in ’07 / 1 every 5 seconds in ’08 </li></ul><ul><li>60% vulnerabilities in 2007 – web applications </li></ul><ul><ul><li>85% of these ActiveX </li></ul></ul><ul><li>Cross-site scripting </li></ul><ul><ul><li>7,000 first half 2007 </li></ul></ul><ul><ul><li>11,300 second half 2007 </li></ul></ul>
    25. 25. Unpatched IE Malicious page exploits browser vulnerability, Downloads code without user approval Installs back door beacon User clicks on HTML link in Email, User expects & receives download of article on tax benefits for Americans living overseas…
    26. 26. Legitimate Sites Can Point to “Drive-by Download” Source: Korea Information Security Agency
    27. 27. Computer Network Exploitation <ul><li>Titan Rain: espionage </li></ul><ul><ul><li>SANS: attacks were most likely the result of Chinese military hackers attempting to gather information on U.S. systems. </li></ul></ul><ul><ul><li>Targets: Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA </li></ul></ul><ul><li>Cyber rules of engagement differ </li></ul><ul><ul><li>US: Sandia National Laboratories IA professional tracks bad guys, loses job </li></ul></ul><ul><ul><li>China: Industry IA professionals double dip at hackers </li></ul></ul>
    28. 28. North Korean CNA Capabilities: Low <ul><li>Differing views of capabilities </li></ul><ul><ul><li>Korean officials – NK aggressively cultivating </li></ul></ul><ul><ul><li>US – Modest skill sets centered within elite </li></ul></ul><ul><ul><li>Emphasis more on Computer Network Exploitation (gathering information)during peactime </li></ul></ul><ul><li>Computer Network Attack capabilities is restricted </li></ul><ul><li>Assessment methodology: </li></ul><ul><ul><li>Objective </li></ul></ul><ul><ul><li>Doctrine </li></ul></ul><ul><ul><li>Supporting infrastructure: electricity, education, industry </li></ul></ul>
    29. 29. nK CNA Threat is Low <ul><li>Cyber attacks fit into DPRK’s scheme of asymmetric means to counter ROK/US advantages </li></ul><ul><li>“ I believe that the North Koreans, whatever their limitations, have a capacity to think deeply and innovatively about military affairs…And what I have observed over the years convinces me that they are devoting considerable attention to cyber war.” </li></ul><ul><li>John Arquilla, RAND, 2 June 2003 </li></ul>“ In the next war we will crush the American boors/Philistines first”
    30. 30. Great Leader’s IW Vision <ul><li>Kim Jong-il’s “three pillars for building a powerful state” </li></ul><ul><ul><li>Ideology </li></ul></ul><ul><ul><li>Arms </li></ul></ul><ul><ul><li>Information technology </li></ul></ul><ul><li>“ The future warfare will depend not on who is showered with a lot of bullets, but who grasps diverse information faster.” </li></ul>
    31. 31. Plato’s Cave: NK IW / CNA Constraints
    32. 32. Minimal Internet: No Sea for Fish to Swim <ul><li>Internet </li></ul><ul><ul><li>Two class C blocks with virtually no activity </li></ul></ul><ul><ul><li>Official sites in Japan, China, Australia </li></ul></ul><ul><ul><li>2002 – Pyongyang cyber café; one hour – average worker’s weeks wage </li></ul></ul><ul><li>Cannot hide state activities / Intranet </li></ul><ul><ul><li>Kwang Myoung network </li></ul></ul><ul><li>Minimal gateways with outside world </li></ul><ul><ul><ul><li>Korea Computer Center / satellite links </li></ul></ul></ul><ul><ul><ul><li>Preparation for gateway? </li></ul></ul></ul><ul><ul><ul><ul><li>China Telecom / fiber </li></ul></ul></ul></ul><ul><ul><ul><ul><li>2001 Pyongyang Information Center tests FW </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Increasing encryption </li></ul></ul></ul></ul>
    33. 33. Infrastructure Does Not Support Formidable Threat <ul><li>electricity supply problems: antiquated, unreliable; poor frequency control, outages </li></ul><ul><li>Nascent, struggling tech industries </li></ul><ul><li>Basic software, biometric technology, voice recognition, automated translation programs, game programs </li></ul><ul><li>Seek information on basic applications, programming </li></ul>
    34. 34. Possess Skills for Cyber Hacks <ul><li>Armed Forces – moderate capabilities </li></ul><ul><ul><li>Mirim College, 100 graduates per year </li></ul></ul><ul><ul><li>Up to 1,000 elite hackers </li></ul></ul><ul><ul><li>Unit 121 </li></ul></ul><ul><li>Growing software / programming expertise </li></ul><ul><ul><li>applying process-oriented quality control models </li></ul></ul><ul><ul><ul><li>ISO9001, Capability Maturity Model Integration and Six Sigma. </li></ul></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><ul><li>expertise with development platforms, coding </li></ul></ul><ul><ul><ul><li>Assembler, Cobol, C, Visual Studio .Net, Visual C/C++, Visual Basic, Java, JBuilder, Powerbuilder, Delphi, Flash, XML, Ajax, PHP, Perl, Oracle, SQL Server and MySQL, etc. </li></ul></ul></ul>
    35. 35. CNA / CNE within nK Government Kim Jong-il National Defense Commission MPAF General Staff Department Reconnissance Bureau Unit 121 Chairman of the National Defence Commission Korean Workers Party General Secretary ? + Federation of American Scientists 39 38 Office 35
    36. 36. CNA & CNE Services <ul><li>Components of modern warfare: </li></ul><ul><ul><li>IW – Recon, electronic, cyber & psychological warfare </li></ul></ul><ul><ul><li>Three-dimensional warfare </li></ul></ul><ul><ul><li>Asymmetric warfare </li></ul></ul><ul><ul><li>Non-contact </li></ul></ul><ul><ul><li>Precision strikes </li></ul></ul><ul><ul><li>Short-term </li></ul></ul><ul><li>Unit 121, Reconnaissance Bureau </li></ul><ul><ul><li>Gifted students recruited, trained, Kim il Sung Military Academy </li></ul></ul><ul><ul><li>Computing specialties Eg. networking, OS </li></ul></ul><ul><li>Room / Office 35 </li></ul><ul><li>Nefarious cohorts in crime within the Workers’ Party </li></ul><ul><li>Likely works outside nK – CNE & CNA </li></ul>
    37. 37. References <ul><li>47 China’s Electronic Strategies </li></ul><ul><li>TIME, Titan Rain </li></ul><ul><li>,9171,1098961,00.html </li></ul><ul><li>New E-spionage Threat </li></ul><ul><li>U.S. Is Losing Global Cyberwar </li></ul><ul><li>Dangerous Fakes </li></ul>