Active Defense Scenario
The Players
Warbucks Financial Services is an aggressively growing company which that provides stock brokerage and asset management services to very high net worth individuals around the world, through a network of fifteen offices. It is rapidly building a name for itself as a highly sophisticated financial services provider for the discriminating investor.
Warbucks’ services include a proprietary “real time” electronic stock trading system, which automatically tracks various market indicators and executes transactions on behalf of Warbucks’ client, according to the clients’ pre-determined guidelines. Warbucks also maintains a sophisticated customer relations management (“CRM”) system which that stores, analyzes and can provide detailed personal and financial information about clients and prospects.
Warbucks offers “24/7” communications to its clients using a web portal, email and a state-of-the-art voice-over-IP phone system. Warbucks brokers and client managers are provided with and expected to use laptops to access and upload information, and pick up and send messages routinely while in the field. All systems are tightly integrated to support fast, flexible, customized service.
Hard Knocks University is a large state university with four campuses, including a combined academic medical center/life sciences research institute (“Target Medical Center”). Hard Knocks maintains its own a complex network which is accessible to and used by virtually all faculty, students and administrative staff and is, of course, connected to the Internet.
Target Medical Center has implemented an innovative computerized physician order entry (“CPOE”) system tied in to its electronic medical record (“EMR”) system. Target has had great success using this combined system to reduce errors made by physicians prescribing drugs, since the CPOE is constantly updated with information about the various drugs patients may already be on, previously reacted badly to, and so on. Prescription information is automatically entered into the EMR whenever a drug is ordered, and the CPOE system will alert the physician if a drug she is prescribing may interact badly with other drugs or there are other counter-indications for the prescription.
There are a number of relationships between Warbucks and Target, not all of them obvious and not all of them positive. Warbucks former CIO, fired in a bitter dispute over system upgrade problems during Warbucks’ difficult startup phase, is now a program manager for IT services at Target. There is a small research team whose members still resent Warbucks’ founder and CEO “Daddy” Warbucks, for reneging on a promised grant for their research on computer modeling of care protocols. There is also a small group of activist students who dislike Daddy Warbucks intensely for his financing of a particularly irritating public policy think-tank.
Both Target and Warbucks have contracted with HereToday Consulting for various IT projects. Warbucks is currently in a dispute with HereToday over a balance due of several hundred thousand dollars.
Warbucks’ current Chief Information Security Officer, Francis X. Hackerman, is a recent graduate of the Hard Knocks School of Information Management. He was also a somewhat notorious hacker while he was in high school. This is part of his appeal to Daddy Warbucks, who believes this gives Hackerman depth and valuable experience. In person Hackerman is rather meek; but on a network, his preferred environment, he sees himself as, and to some extent is, a highly skilled “hired gun.”
Targets of attack from a strategic perspective
For the sake of constructing this scenario, let us being with the assumption that there are five main strategic methods of “attack” against TMC and Warbucks:
- Attacks on the confidentiality of data,
- Attacks on the integrity of data,
- Attacks on the availability of data or services,
- Theft of intellectual property (i.e., copyright infringement and piracy), and
5.Attacks involving unauthorized use of computer and network resources.
These categories are derived from the concept of “Information Assurance” as defined by the National Security Agency:
“Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” (National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999)
In the scenario described above, a subset of these attack methods are involved, namely 5 (the use of stepping stones at TMC to attack Warbucks), and 3 (the disruption of communication channels of TMC.) TMC is brought into this scenario because of the use of its systems as a stepping stone and an attack launch platform, and Warbucks is directly attacked by a traceable denial of service. (A more skilled attacker would likely use multiple stepping stones, increasing the number of third parties involved through unauthorized use), and could also use greater obfuscation of these stepping stones to make traceback more difficult and time consuming. This increases the time necessary to get adequate reconnaissance for a potential counter-attack by Warbucks against the attacker.
Aspects of Information Assurance pertaining to Security Operations
Recall that the definition of IA included restoration of information systems. These actions fall under the broad term of “Information Operations”, which in the military sense includes both defensive and offensive activities. These involve protection or prevention (e.g., firewalls, anti-virus software, configuration mangement, patch management, etc.), detection (IDS systems, audit functions, system integrity checking utilities, etc.), and reaction (e.g., inciden t response actions, network and host level forensic analysis, involvement of law enforcement, and Active Defense actions.)
We are now ready to look at each of these potential attacks on Warbucks individually, and see how they can be waged .
Attacks on confidentiality of data
Warbucks has many customers, some of whom are quite wealthy and private. They have financial and personal data within Warbucks’ computer systems. Exposure of this information publicly would damage Warbucks’ reputation significantly, perhaps even destroying the company. Should the information be stolen, and used for identity theft or other financial crimes, the losses could be significant as well, and those suffering the losses could chose to sue Warbucks for a lack of due diligence in securing this data. Warbucks no doubt has lawyers who have made sure to put disclaimers with limitations on liability in the use policies of the company and make clients acknowledge and accept these limitations.
This kind of an attack would typically be done “low and slow”, so as to not tip off the company that it is under attack. The attacker must spend sufficient time within the network to identify multiple weaknesses, perhaps leveraging vulnerable desktops to sniff passwords, plant Trojan horse remote control programs, hoping to escalate privileges where ever and when ever possible until the “crown jewels” have been identified and downloaded out of the corporate network.
The loss in this type of attack would be minimal up until the attacker has succeeded in violating the confidentiality of Warbucks’ data, at which point the attacker is gone and the damage sky-rockets.
Attacks on integrity of data
In a variation on the attack above, the intruder identifies the key databases with critical financial data and then slowly corrupts them. A rapid deletion of data would likely tip off the victim that they have been attacked, and they would shut down connectivity (closing off the attacker’s access) and begin restoration of their databases from backups. If the backups are good enough, only a small amount of data accumulated over a short period of time between backups would be lost for good.
The loss could be small to medium in cost (downtime and lost transactions), and for some individuals whose trades were lost or delayed, they may suffer significant financial losses. It is highly unlikely that the entire customer base would suffer large financial losses in a rapid attack.
On the other hand, if the attacker were to make small changes, over a longer period of time, and do so in a manner that goes below detection of IDS systems and financial audit mechanisms, the corruption could be far more pervasive and significant. If it spans several backup cycles, the changes become more difficult to back out of the system. It may be necessary to take the entire system down for an extended period of time to allow a careful bit-by-bit restoration of the database by rolling back or replaying transactions. It may be necessary to get the cooperation of customers to verify transactions recorded in their paper records.
The losses from this kind of attack could be very significant, and quite widespread. Again, however, the attacker would be long gone at the point the system must be cleaned up.
Either way, the best defenses to this type of attack are to focus on prevention and detection.
Attacks on availability of data/services
This attack is much more broad in its effects, as all network oriented applications of the company are disrupted for a period of time. Because of their heavy reliance on networked services, pretty much the entire business will grind to a halt during the attack: real-time trades cannot be initiated or completed; visibility of market indicators will be lost, and traders will have to turn to more traditional means of business intelligence gathering (e.g., MSNBC or CNNfn by television, or Plain Old Telephone Service (POTS) calls); communications that customers are used to using (i.e., the web portal, email, and voice-over-IP communications) will cease to function; information uploads and message transfer to field traders will cease to work, and they will lose access to the Customer Relations Management system. In short, the losses will pile up at an increasing rate as long as services are disrupted.
The attacker must keep up the attack in order to sustain these losses. A massive distributed denial of service (DDoS) attack would need to be waged, with sufficient numbers and diffusion of attacking hosts so as to make identifying them and contacting their network providers to get them shut down. The attacker must also chose an attack that is sufficiently difficult for Warbucks’ own ISP and upstream providers to block, such as a distributed reflection attack that involves “normal” looking traffic, or a massive bandwidth consumption attack.
Active defenses that involve countering this attack by flooding the victims themselves would be practically useless, and (if done using Warbucks on network provider) would simply make matters worse. Directed attacks on the DDoS agents is feasible, but only if sufficient knowledge about the attacking agents and their vulnerabilities are known to the AD team. (Many DDoS agents have exploitable weaknesses that could allow someone to detect and or disable them, but the analyses of these programs have often been done in closed circles, by private researchers, or within corporate environments were only paying customers have access to the results. Highly skilled AD responders are necessary to make such a counterattack technically feasible and viable.
Theft of intellectual property
In this attack, the software and systems that Warbucks uses (at least the proprietary portions of them) are the targets of the attack, and like the first two attacks, they will likely go “low and slow” and try to conceal their presense as much as possible. The goal in this attack is to steal sufficient information and tools to set up a competitor to Warbucks, who will continue the attack in the markerplace.
This attack would be difficult to pull off effectively, as Warbucks has likely patented or obtained trademark protection for their software, and a competitor who springs up with a nearly identical service strategy and offerings would be noticed. A significant investment would also need to be made to pull this off, which means that Warbucks could use the courts to attempt to recover losses suffered from this theft.
Any type of AD actions that involved penetration of the competitors system would only put Warbucks in a less defensible position in regards to legal action. (This scenario becomes far different when Warbucks is replaced with a multi-national media conglomerate who owns a significant amount of copyright entertainment material.)
Attacks involving unauthorized use of computer and network resources
In this attack, the goal is to anonymize connections, conceal files and back doors to systems, surreptitiously enter and exit computers and networks, to further attacks on more distant third parties. These are referred to as “caches” for files and stepping stones for connections.
The attacker does not necessarily want to lose these resources (unless they have sufficient reserves, already set up in duplicate manner, and available for use as a fall-back if they lose their primary systems; to do this takes significant resources, so in some cases only a single, or small handful of caches are used, while a practically infinite list of stepping stones can be used and discarded regularly.) In order to prevent detection and tracking, the attacker should use a stepping stone once and never use it again, thereby causing the trail to become cold. In practice, however, this is difficult and some attackers will simply go down a list until a system is found that is still active, at which point it is used for the time being.
If Warbucks is being used as the site for stepping stones, this gives them an opportunity to identify the stepping stones, watch for the attacker to use them, log and track their activity, and preserve evidence that could be handed over to law enforcement when the time comes. Warbucks could even invest in reverse engineering of the programs used to install back doors, to the point of perhaps being able to “follow” the attacker backwards and forwards through the attacker’s other stepping stones and caches. This could potentially lead to recovering evidence that confirms suspicions about compromised hosts within Warbucks’ network that have not yet been identified, or to determine the extent of loss via theft of intellectual property or customer data. This opens up a whole slew of legal and ethical issues that could present problems to Warbucks’ staff.
If Warbucks is the final victim of attacks using stepping stones, they can only attempt to trace backwards to identify the attacker. They cannot know how many stepping stones or caches the attacker has, or whether the attacker has monitoring in place to watch Warbucks’ staff attempting to find them.
Depending on how good or bad a job the attacker does at covering tracks, deleting logs, and alternating stepping stones, it may be impossible for Warbucks to do enough to stop the attacker from coming back (or even at blocking the attacker’s access to Warbucks’ network, if the attacker has gained enough of a foothold and multitude of holes and back-doors into the network.)
Any effort to overtly attack back by Warbucks could simply alert the attacker that Warbucks is now aware of the attacker’s presense. This could enbolden them, enrage them, or possibly scare them off. There is no way to tell which will be the case. When attacked back, there is a change the attacker will simply escalate the damage by destroying as much of Warbucks’ network infrastructure as the attacker controls (obtaining the exact opposite result that Warbucks sought.)
Comparing attacks, losses, and defenses
In the following table, you can see a comparison of the attacks listed above. “Attack timeframe” refers to the typical timeframe for the attack. “Loss timeframe” refers to how long a bad loss could continue to be felt. The “Loss amount” refers to how large a bad loss could become. “Damage inflicted” indicates when the victim is likely to suffer the majority of the loss. “Defensive mode(s)” are the most effective means of defense against the attack.
Comparison of attacks, losses, primary defensives
Attack on / Attack timeframe / Loss timeframe / Loss amount / Damage inflicted / Defnsv. mode(s)Confidentiality of client information / Long / Med-Long / Med-High / After / Prevent, Detect
Integrity of financial data, systems / Med-Long / Med-Long / Med-High / After / Prevent, Detect
Availability of services, data / Short / Short / Med-High / During / Detect, React
Intellectual Property / Long / Med-Long / Low-Med / After / Prevent, Detect
Unauthorized use of resources (stepping stones, cache) / Short-Med / Short-Med / Low / During / Prevent, Detect, React
A couple main points can be made with this table.
Many of the attacks are best dealt with, not by some form of reactive AD action, but by pro-active measures taken before an attack occurs. Once data has been altered or copied out of the victim’s network, there is very little the victim can do to affect the losses if they haven’t prepared for these risks. This is especially important when it comes to detection, where the measures necessary to log and monitor activity must be in place and active prior to the attack if they are to work at all. Any kind of reaction that involves AD options will depend on these logs and monitoring capabilities, and cannot be done effectively without the data they provide.