Session Recording: https://vimeo.com/250803673 (Available 1/12-1/19)
Next Sessions Registration: https://networkdefense.clickmeeting.com/cuckoos-egg-7
This week, we reviewed chapters 31-37.
Sventek comes back again, this time through another link traced back to Germany. He tries to copy the telnet and rlogin programs back to his computer. This is probably to introduce password stealing functionality, so Cliff halts this by physically introducing noise on the line and messing up the transfers. The attacker also continues to search for specific terms on milnet.
Cliff makes his calls to let his stakeholders know what is going on. He reaches Greg Fennel at the CIA who tells him “Just tell me what happened. Don’t embellish, don’t interpret.”
Cognitive Bias and Estimative Probability
The statement from the CIA’s Greg Fennel is interesting and valuable because it elicits a neutral evidence-based response. This is something we should strive for in information security. After all, a conclusion without supporting evidence is an opinion. We have to inject opinions sometimes to fill in where evidence doesn’t exist, but it should be done sparingly and only when necessary.
In relation to this, I spent time discussing cognitive bias and how it can affect the interpretation and acquisition of facts. I listed and described a few of the more common biases that persist in security. I also discussed the importance of using measuring language of estimative probability and the class went through an exercise to practice.
More Reading:
- CIA Words of Estimative Probability: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html
- Wikipedia list of cognitive biases: https://en.wikipedia.org/wiki/List_of_cognitive_biases
Dig Deeper Exercises:
- Level 1
- Review the words of estimative probability. Look through the last few things you’ve written. Should you make any adjustments?
- Level 2
- Review the list of cognitive biases and research one of them. Can you think of a time you’ve been subject to that bias?
- Level 3
- Pair up with a friend and review the list of biases. Can you identify biases in each other?
Cliff spends time searching Usenet for news about hackers that might be related. He comes into contact with Bob at the University of Toronto. Bob tells Cliff that attackers from the German Chaos Computer Club broke into his network through CERN, and they had also been in the Fermilab computers as well. They went by the aliases Hagbard and Pengo. It turns out these same usernames were observed during a Stanford breach.
Open Source Intelligence and the Diamond Model
Cliff’s examination of Usenet threads related to the breach he was investigating is an example of open source intelligence (OSINT) investigation. The power of collective intelligence is vast and is something many security practitioners rely on when conducting investigations. I discussed sources of OSINT and demonstrated pivoting based on indicators from a real investigation. I also discussed the Diamond Model as a method of assimilating and characterizing collected information to form a clear picture of events that have transpired.
More Reading:
- The Original Diamond Model of Intrusion Analysis Paper: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
- Diamond Model meets Star Wars from ThreatConnect: https://www.threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/
- Alienvault OTX: http://otx.alienvault.com
- Any.run: http://any.run
- VirusTotal: http://virustotal.com
Dig Deeper Exercises:
- Level 1
- Sign up for an Alienvault OTX account and familiarize yourself with the interface. Read a few of the blog posts and explore the available information.
- Level 2
- Find one of the file hashes from malware-traffic-analysis.net and search for it on VirusTotal. Review the output.
- Level 3
- Go to malware-traffic-analysis.net and pick a blog post. Search for an IP and Domain on Alienvault OTX and see if you can find related malicious infrastructure.
Cliff discovers additional victims of the attackers. This includes the Ballistic Research Laboratory and TRW, a company developing US keyhole spy satellites.
Meanwhile, the Bundespost gets back in touch and shares that the source of the call is a VAX computer at the University of Bremen. They discovered an account that appears to be compromised and are going to start monitoring it for the next time the attacker comes back.
Cliff’s boss comes in and tells him that it is time to end the investigation. Cliff fails to convince him otherwise and begins a plan to change the password for all 1200 users in the network. Fortunately, the FBI got involved and convinced his boss to keep the investigation open for a little while longer.
PICERL
When Cliff believes the investigation is over he starts to think about the incident response process. While the PICERL model didn’t exist in Cliff’s time, he was actually thinking about the transition from identification to containment. The standard incident response model is called PICERL: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. I briefly provided an overview of this process as an introduction to incident response.
- Incident Handlers Handbook white paper: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
- Incident Response Process white paper: https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791
- NERC Incident Response Planning presentation: https://www.nerc.com/pa/CI/CIPOutreach/CIP%20Training/Vancouver_Santora_Incident_Response.pdf
Not long after this, Cliff hears that the DOE is filing a complaint about LBL for not reporting this incident when it happened. Of course, Cliff did do that! He has it recorded in his log book. Good thing he saved that.
Meanwhile, the attacker comes back and pivots through LBL to access the Optimis Army Database to search for specific keywords related to military data. Cliff informs the network operator who plugs the hole.
After this, Cliff observes the attacker breaking into Space Command. Using a default password, they are actually able to get SYSTEM privileges. However, he screwed up. He lost his connection because he tried to list too much data at once. Then, he didn’t realize that the password on the account had expired and he hadn’t set a new one. This means he couldn’t get back into the account. He was locked out. Sadly, some system operator resets the account to the same password and the attacker gets back in and creates his own account. Cliff informs them of the issue so they can remediate.
While all this is going on the attacker is traced to a few different locations in Germany while the University of Bremen is closed for the holidays. Eventually, they call is traced to a local exchange in Hannover where they finally believe the attacker to be. Two barriers now exist. First, to trace this any further Cliff needs a German warrant and that can only be requested from a high-level government official. Second, the antiquated phone exchange requires someone physically present to trace the call while it is active.
Questions to Consider
Zeke at the NSA asks Cliff, “If [the attacker] is so methodological, how can you prove you’re not just following some computer program?”
What characteristics of an attacker can indicate a human at the other end instead of an automated process?
Next Session
January 25th 7:30PM ET
Read Chapters 38-46
Register/Attend Here: https://networkdefense.clickmeeting.com/cuckoos-egg-7