The document discusses various strategies for testing cyber-terrorism defenses, highlighting the dangers of ignorance and lack of basic computer skills among individuals. It outlines the distinctions between visible and invisible threats, countermeasures against cyber crimes, and emphasizes the importance of performance testing with unique traffic flows. Additionally, it introduces 'DiversifEye,' a tool for emulating real-world client interactions and analyzing network performance in various environments.

1. Mark Lambe Product Marketing Manager Shenick Network Systems Emulation Strategies to test Cyber terrorism defense Effective Internet Data and Attack

2. The real Crime is Ignorance IGNORANCE – this is the real crime, the lack of knowledge and basic computer skills! FREE TOOLS - Using free tools what did I discover from a simple pcap capture using a free download tool – wireshark. POTENTIAL OUTCOME – The destruction of Mr. X’s life as he knows it! Sadly more and more people are exposing themselves and their valuable data without ever thinking whose watching! To a cyber criminal this is a no brainer! NAME & EMAIL ADDRESS! 10.1.0.82 Extortion of money Interest in Russian Brides 10.1.0.82 Potential Crime Data Collected IP Address

3. Network Vulnerabilities Sabotage – April 2009: Saboteurs hacked through underground fiber-optic cables leaving tens of thousands of Silicon Valley residents with no phone, cell phone or Internet service Attack - May 2009: No internet access for several million users in China due to a DDoS attack on the DNS system from one of the countries registrars. Virus – May 2009: The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies. Pranksters – May 2009: YouTube was busy deleting porn videos after users of forums at a rival site and an imageboard site declared a "Porn Day" campaign against the popular video service.

4. Visible vs Invisible Threats A method of organising threats can be ranked into two: Visible Invisible Visible Threats– Crimes committed on networks, where the result or outcome of the action is network related. In essence, the virtualization of the common day crimes such as sabotage, vandalism, extortion, fraud, etc. Invisible Threats– The use of networks for crimes outside of the network but in the real world. The main purpose is to exploit network resources for research and communication.

5. Visible Threats Visible threats exploit the “Openness” of IP networks and systems DDoS Virus Worms Spam Mails Counter Measures – deploy security devices Deploy Packet Inspection devices Firewalls Intrusion Detection / Protection Data loss Prevention Load Balancers A visible network threat is one in which a network or device on the network is targeted for some unlawful gain or reason of exploitation.

6. Invisible Threats Perceived threats include the use of networking resources by terrorists Knowledge gain or education Communication “ Steganography” has been suggested as the preferred means of communication or message transmission Only the end points know something is embedded or exists in the video, audio or picture files The message may be encrypted. Counter Measure – Steganalysis tools A map image may easily be embedded under an ordinary, everyday image and added to image sharing websites such as flickr, Youtube, etc.

7. Security - The Price of Protection Firewalls, DDoS mitigation, IPS/IDS, AntiVirus, AntiSpam, Cache/Proxy, all introduce performance overheads Key Questions : Under both regular and regular plus attack conditions - how is the application end-end performance effected? TCP throughput Connection rates Concurrent connection rates How is aggregate QoS performance compared to a sample of individual users QoE (e.g. effect on connection rate and web page download time?) The three-way relationship between application performance, QoS settings and network load is highly complex, non-linear and very fluid, as a small increase in application traffic can have a disastrous affect on application performance.

8. Performance Issues Lawful interception or analysis of traffic flows will add some delay, in monitored networks excessive delay will be perceived as message infiltration. In much a similar manner to public services, Service Providers test & measure performance of deployed network devices to determine the impact on individual flows especially when varying individual device and network settings. Its necessary to test and measure performance with a mix of both legal and illegal traffic flows, especially when security monitoring technology is deployed on a network with delay sensitive services such as voice or video.

9. Emulate the crime Counter measures for most cyber based crimes and activities include the deployment of hardware and/or software solutions. How do you evaluate the usefulness of next generation cyber crime mitigation technology and solutions? Stateful traffic Emulation – the representation of real traffic flows and user activities!

10. Per flow Challenge DPI / DLP/ IDP security devices are sophisticated and can quickly learn traffic flows and patterns therefore the traffic used in testing must have unique properties on each of the layers in the OSI model. Essential to test with large volumes of unique flows and attachments. A key response is the ability to correctly identify the illegal attachment or content. In the example of email and/or content sharing websites - Emails usually contain unique address identifiers and the majority of attachments are legal. Majority of uploads to web sharing sites are unique and legal. Test false positive/negatives by identifying when the system has incorrectly identified a flow. Out of the thousands of emails, upload, download requests can the one illegal file be spotted? Out of the 1,000,000s of daily emails / uploads, can the security system identify the one possible illegal flow with an illegal attachment correctly?

11. Attack the stack The majority of visible threats such as DDoS utilize or exploit known vulnerabilities with the IP packet, TCP stack or applications. When examining for vulnerabilities, its essential to include attack options: SYN Flood - floods a specific IP Address with SYN packets. RESET Flood -floods a specific IP Address with RESET packets. UDP Flood - floods a specific IP Address with UDP datagrams. Ping Flood - floods a specific IP Address with ICMP echo request (ping) packets. ARP Flood - floods the subnet with requests for a specific IP Address. Ping of Death - sends ICMP echo requests to the specified IP Address. Teardrop Attack - sends a UDP datagram in 2 IP fragments to the specified IP Address. Reflective SYN Flood - sends a flood of SYN packets (i.e. TCP connection requests). UDP Fragmentation Attack - sends a single IP fragment that contains part of a UDP datagram to the specified IP Address. When considering a solution for testing security mitigation devices, it’s essential to consider if the solution offers a fully compliant TCP stack. It’s essential to quickly develop new test strategies in the face of new threats.

12. Test for the Invisible Steganography is real and tools are freely available from the web. Generate stega-files with hidden data. In testing performance emulate thousands of flows of email and web requests with attachments include a single stega-file, determine if attachment is identified correctly by steganalysis tools. Use of capture tools (e.g. wireshark) to capture suspicious flows / sessions. Replay capture files and conversations for more detailed analysis. This includes testing for correct identification of illegal conversations.

13. diversifEye diversifEye emulates stateful clients with real world functionality and features (layer 2-7). diversifEye may support a mix of client and/or server applications using IPv4 and/or IPv6 on a single test interface port. diversifEye is used in ‘Per flow’ application emulation and performance analysis of multiple environments including : xDSL, xPON, IMS, CABLE, WiMAX & LTE Capture and replay TCP, UDP (files >1Gb) Fully compliant TCP stack - Multicast IPTV (IGMPv1,2,3 & MLDv1,2) - Video On Demand (RTSP, trick play, SIP or HTTP enabled RTSP) - Voice over IP (SIP/RTP, Multimedia, Dual hosted, Nat Traversal) - Voice and Video Media Analysis (both no reference TVQM/R factor and full reference PEVQ/PESQ) - HTTP (Client and/or Server, POST supports file attachments) - SMTP & POP3 (Client and/or Server, per client unique messaging) - P2P ( with or without signatures) - DHCPv4,6 (client and/or server, configurable Options) Service Layer PPPoE and VLAN (incl. double tagged) TWAMP (Client/Sender and/or Server/Responder) - Secure Media (TLS/SSL, X509 cert., CA) - PPPoE (client and/or server, PAP/CHAP) - Security Attacks with DDoS(SYN/RST/UDP/ARP floods) and Virus/Worm Attacks - FTP (passive and active, full command set) - RTP (media only) - SIP with multiple RTP streams - Per Application QoS (DSCP/ToS) Sample features Overview

14. Thank You! Award Winning Test & Monitoring Solutions Industry Associations