Internet Security Intelligence Analysis (continued, part 2)
(2010-08-16 22:20:11)
Table 1: Traditional and new intelligence domains

| Focus or Dimension | Cold War Intelligence | Counter-terrorism Intelligence | Cyber-Intelligence |
|---|---|---|---|
| Targets of intelligence efforts | Soviet Union and its allies | Individuals, small cells, and networks and state sponsors | Individuals, cells, networks and states with information warfare capabilities |
| Perpetrators | Soviet government seen as source of inimical activity | Increasingly anonymous | Anonymous – only have technical signatures |
| Weapons | Strategic and conventional forces | Light arms to large-scale weaponry and potentially some kind of weapons of mass destruction capabilities | Cyber-weapons or conventional weapons against critical information and communication nodes |
| Potential Targets of Attack | Counter-force and counter-value targets in the United States and the territory of its allies | Vast number of highly symbolic, relatively soft targets | Range from individual web-sites to national critical infrastructure |
| Focus | Large scale military action | Individual incidents and trends | Individual incidents, trends and patterns in attacks, and vulnerabilities that can be exploited |
It is clear, even in this simple table (which is not all inclusive), that terrorism and cyber-threats resemble one another in both diversity and complexity and differ significantly from the monolithic threat model that dominated during the Cold War. In both domains, therefore, the intelligence effort has to be implemented through a series of environmental scans rather than a simple and easy focus on one dominant threat.
Whether the emphasis is on a single threat or multiple threats, however, crucial aspects of the intelligence task remain the same. Although the focus of the collection and analysis effort might shift, the intelligence process itself involves the same cycle of activities: focus on the mission, collection of sources and information, collation and management of the collected intelligence, analysis and assessment resulting in an intelligence product, and the dissemination of this product to the customer. The intelligence cycle remains constant whatever the target of the efforts. Similarly, good intelligence not only moves from data streams to data fusion but also from fused data to knowledge, and from knowledge to forecasting or prediction. And whatever the domain of activity, whether business intelligence, military intelligence, or cyber-intelligence, there is always a requirement to overcome pathologies and obstacles that can undermine the analytical process and dilute or distort finished intelligence products.
In terms of collection methods, however, a critical addition needs
to be made. As well as traditional reliance on Comint, Humint, and
Sigint, it might be necessary to develop a separate category of
Cyberint. In effect, Cyberint would require a blending of Sigint,
Humint, and Comint methodologies to be effective. Each of those
traditional intelligence disciplines brings components that are
critical for analysis of on-line threats. The Humint aspect would
provide for the monitoring and profiling of potential threat
groups. It could take the form of simple monitoring of intruder
chat rooms and web sites or in-depth profiling of identified
individuals or groups. It will require that analysts are able to
identify which players, whether individuals or groups, have the
technical expertise to carry out their intended operations.
Consequently, much effort will need to be focused on existing use
of the Net and identified intrusions to establish a baseline of
data from which to proceed. The Sigint perspective is useful from
the point of analyzing intruder tools and specific system
vulnerabilities. This is not to say that an analytic organization
would necessarily intercept and collect data being transmitted
across targeted systems. There are too many questions of legality
and ethics to anticipate that sort of effort. However, studying
identified tools and how they have been implemented does call for
the utilization of existing Sigint methodologies to provide value
added assessments. Similarly, one of the basic tenets of Comint
analysis is to establish a communications activity baseline – this
readily applies to various information and communication systems.
Establishing baseline information on the normal data flow for a
given system would make it easier and quicker to identify anomalies
that could be indicative of probes or attempts at intrusion. As
with the overall intelligence process, each of these recognized
intelligence disciplines provides individual parts of a greater
whole. They are the tools through which fusion intelligence of both
current and future cyber-threats can be obtained. It goes without
saying that collecting this sort of data will require a major
cooperative effort between the analytic organization and past, as
well as potential future, victims. In sum, Cyberint would not
supersede other collection methods but is likely to prove a crucial
addition that would help to focus the intelligence effort and
contribute significantly to the successful analysis of
cyber-threats and intrusions.
III Intelligence for cyber-space
Although many of the intelligence methodologies and principles remain the same, new ways of thinking appropriate to the cyber-domain are essential. The lack of borders in cyber-space is a critical difference from the more familiar domains of intelligence. Indeed, geography and political borders often aided traditional military intelligence analysis: it is a simple thing to develop threat scenarios if the potential enemy can only use certain terrain or sea lines of communication, and then only at certain times of the year, while simple factors of physics such as time and distance also provided opportunities for warning. Within the Internet, however, these limiting factors are absent (although other limiting factors, such as the geometry of network connectivity, might exist in a form that could usefully be incorporated into intelligence analysis), contributing to what can appear to be "instantaneous threats" [Berkowitz and Goodman].
Assessment of cyber-space threats requires not only a merger of old
methodologies and new modes of thinking but also analysts willing
and able to approach the art of threat assessment and warning from
new perspectives. Only with a distinctive blend of the traditional
and the new will it be possible to obtain real understanding of
threats and vulnerabilities, to differentiate among types of
intrusions and to forecast or anticipate specific incidents or
clusters of incidents in ways that lengthen warning time. Enhancing
the ability to identify perpetrators is also highly desirable:
removing the cloak of anonymity would make perpetrators more
concerned about the potential costs and risks of their actions and
could have an important deterrent effect. In short, there are
several fundamental questions at the heart of the intelligence
process. They consist of variations on the who, what, when, where,
why and how questions that are familiar parts of most research and
analysis.
1. Who is challenging security?
Efforts to identify intruders are critical both to the assessment of the challenge and the nature of the response. Potential intruders run the gamut from young hobbyists engaged in the equivalent of joy riding to terrorist organizations and nations that are intent on maximizing damage to the target. The problem of identification is particularly difficult in a domain where maintaining anonymity is easy and there are sometimes time lapses between the intruder action, the intrusion itself, and the actual disruptive effects. [CERT99] Moreover, the consequences are not always commensurate with the objectives, in some cases falling short of what the intruders hoped to achieve, and in others going well beyond what they had envisaged. [Gordon93]
There is a broad spectrum of potential intruders on the Internet
and an almost equal number of motives for intrusions against
organizations. Not surprisingly, this includes perpetrators
conducting operations against other perpetrators. As enticing as
this prospect is, it does not mitigate the effects of such
internecine rivalry. New and more sophisticated tools are often the
result of such interplay. This sort of jousting can also provide
valuable insights to analysts once it is recognized, but does not
simplify the analytic task and puts an incredible strain on limited
analytic/warning resources. With the continuing proliferation of
sophisticated computer technologies into the mainstream population,
attribution for an intrusion becomes more difficult by the day. The
dynamism of the intruder population is itself a problem. On the one
hand, success breeds imitation and the sophistication of readily
available tools means that even those with limited skills can
become intruders. On the other hand, there is a certain degree of
attrition in the intruder community. Indeed, there are many reasons
why intruders might cease their activity, including increased
maturity, a need to find gainful employment, and a perception of
the rewards of working to increase network security rather than
attack it. The implication, of course, is that the mix of agents
threatening network security is changing as the nature of the
Internet changes. [Paller00]
The vast majority of the intrusions are probably being conducted by
nuisance hackers or "ankle-biters" who have limited objectives and
are usually satisfied with the actual penetration of the system or
conduct relatively harmless cyber-vandalism such as the defacement
or alteration of web-sites. While aggravating to the target, no
significant or lasting damage occurs. The more serious problem
occurs when an intrusion is carried out by a more sophisticated
intruder (either an individual or a group) whose objective is
better defined and involves malicious intent. Motives for these
sorts of intrusions are also as varied as the persons carrying them
out. They range from greed to defined military strategy and
doctrine, and all that falls in between.
Four of the more dangerous, and less well defined categories of
intruder are governments conducting operations against other
sovereign states, the organized terrorist group, insurgency or
revolutionary groups, and organized crime. All these entities are
beginning to appreciate the potential power, anonymity, and
effectiveness of the Internet. There are myriad examples of
governments instituting programs for Computer Network Warfare. In
the case of Russia, policy-makers consider the security of their
information infrastructure so critical that – rhetorically at least
- they equate an attack against it with a strategic nuclear strike
(and have promised an appropriate response). [Thomas] As a result
of the realization of the criticality of information
infrastructures, computer warfare is now a part of the formal
Russian Military Strategy and Doctrine.[Thomas] The same is true of
organized terrorist groups. In fact, "most of the 30 top terrorist
organizations identified by the US government have web pages and
use e-mail, and are 'fairly well developed' at using the
Internet." [Casciano] In many cases, dependence on technology is
viewed as an Achilles' heel to be exploited by terrorist
organizations.
Within the US, many of the more militant indigenous groups have
discovered the power of the Internet and have well designed and
effective Web sites. Indeed, militia and supremacist groups have
had significant increases in membership since developing their Web
pages. It is a natural progression from using the Internet for
propaganda and recruiting to exploiting its potential as a weapon.
There is also growing evidence that some of the active insurgency
groups around the world are discovering the potential of the
computer. It is just a matter of time until they discover the
effect of a computer-generated attack against the infrastructure of
the government they are fighting. Once that realization is made,
cyber-attacks will likely become a weapon of choice for
organizations intent on overthrowing an existing government.
Disturbingly, Aum Shinrikyo, the group responsible for the Sarin
gas attack on the Japanese subway, has increasingly been involved
in the Japanese software industry!
Organized crime probably was the first of the sophisticated
intruder threats to realize the power and value of the computer. In
1995, it was discovered that the Cali cartel had sophisticated
state-of-the-art equipment for electronic eavesdropping, while
smaller drug trafficking organizations in Colombia are using the
Internet to pressure the Colombian government to change the policy
of extraditing traffickers to the United States. Furthermore, the
use of computers by organized crime organizations to garner illicit
profits is well documented. However, some criminal efforts have
gone beyond simple siphoning of funds and money laundering.
Extortion of money from financial institutions by threatening to
destroy or modify their computer databases is also evident. It is
probable that at least some of these extortion operations are
conducted by transnational criminal groups. Some of the extortion
efforts go wrong – as did the effort to extort Bloomberg. In other
cases, however, large payoffs are almost certainly made to the
extortionist. It seems likely, therefore, that larger and
potentially more dangerous operations should be anticipated.
The obvious challenge is to develop a capacity to identify and
track the activities of these potential intruders with the goal of
being able to provide predictive analysis and warning of
intrusions. Some of the traditional intelligence techniques should
apply to these threats, but new methodologies and the ability to
contemplate new and complex concepts have to be developed
concurrently. This will become even more important (and difficult)
as perpetrators of increasing sophistication operate on the
Internet. As motivations vary, so will the efforts of the
individuals behind malicious operations to either conceal or reveal
their responsibility. All of this complicates efforts to track
responsible parties and determine attribution. Nations and
transnational criminal organizations, by their nature, will be
diligent in their efforts to maintain anonymity. In some of these
cases, identifying the intended victim may give valuable insight
into tracking the intruder. Sometimes the target of an intrusion
allows the analyst to rule out certain possible perpetrators. A
multi-million dollar extortion plot against a major financial
institution is probably not the work of a 13-year-old hacker
working out of his bedroom. At the same time, however, many
victims, especially within government or sensitive industries such
as banking or insurance, often complicate the effort to track
intruders because of their reluctance to report the incident. In
other cases, such as politically motivated attacks, the
perpetrators may want their identity known, but not their location.
As such operations become more sophisticated, tracking the attack
back to its point of origin will be a major challenge to the
intelligence analysts involved. What is clear from all of this is
that tracking intruders and gaining attribution is much more than
just a technical challenge.
One difficulty, of course, is that there are legal constraints on
intelligence collection, especially by the military and the
national security establishment. Traditionally the focus of
intelligence has been on foreign threats, and there are
restrictions on intelligence activities directed against
individuals or groups that are domestic in nature. Insofar as these
groups are the focus of government attention, it is from the law
enforcement community. This points to yet another problem: that of
coordination and information sharing between the traditional
national security agencies and the law enforcement community.
Generally law enforcement focuses on individual cases and wants
evidence that stands up in court; intelligence agencies in contrast
are concerned with protecting the sources of their information so
that they can continue to use them. The problem with cyber-threats
is that they fall in the gray area where crime and national
security merge into one another.
2. What forms of intrusion are occurring?
It is tempting to see intrusions in terms of a pyramid that goes from transient vulnerability probing and defacing web-sites at the base to large scale efforts to undermine the critical missions of an organization or the critical functions of a nation at the top, and to suggest that there is an inverse relationship between frequency and significance, with many trivial incidents and comparatively few of the more serious incidents. There are several difficulties with this, however. The first is that probes that appear relatively insignificant could be a harbinger of more serious intrusions. The second is that there is sometimes a gap between intent and consequences – the effects and impact of an incident can either fall far short of what was intended, or far exceed what the perpetrator initially envisaged. This lack of congruence between limited intent and far-reaching consequences stems from the capacity of worms and viruses for infinite replication and multiplication combined with the seamless inter-connectivity of systems. Incidents such as the Love Bug cross the public-private divide and have an indiscriminate impact on corporations, governments, and private individuals irrespective of the initial target. In cases such as this, the consequences have less to do with targeting than with the ubiquity of a particular program such as Microsoft Outlook that is used as the vector of transmission. In effect, the incident takes on its own momentum.
When the consequences are widespread, of course, the incident
becomes very public and is the subject of much media and official
commentary. In many other cases, however, there is far greater
reticence about the scale, type and targets of attack. The analytic
effort must successfully build a trust relationship for the
collection of data across a broad variety of organizations. This
trust relationship allows for observation of incidents from early
probing and experimentation through widespread deployment of
automated forms of intrusion. For example, in recent months (June
and July 2000) CERT®/CC has received reports of intrusions
involving a wide variety of automated tools, ranging from simple
viruses and system corruption toolkits through complex viruses
designed to attack relatively hardened sites with low probability
of detection and distributed tools designed to crash network
infrastructure. Roughly 10%-25% of the CERT/CC reports involve
viruses. Roughly 20%-40% are intrusions where the victim site
cannot discern the type of the intrusion from available data. The
remaining intrusions are a large number of other forms of
intrusion, including compromise of system administration accounts,
web defacements, reconnaissance attempts and misuse of computing
resources.
3. Who is being intruded upon?
Determining who are the victims of intrusions is, in some respects, an enormously significant part of the intelligence process. It is important - at least in those cases where attacks are not indiscriminate - to differentiate between public and private targets, to distinguish infrastructure targets from individual targets, to distinguish between intrusions that focus on targets of convenience and those that are much more precise and calculated. For example, existing analysis has shown a link between port scanning and certain types of later intrusions [Moitra&Konda], but this needs to be more fully explored to provide for effective warnings. Profiling victims can sometimes play a critical role in determining the nature of the intrusion and the nature of the intruders. For this to be done, understanding is needed of the level of "background noise", probes and intrusion attempts occurring across the Internet. Once understood, it may be possible to isolate this activity from the more significant activity directed at a particular victim.
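The communications-activity baseline described in the Cyberint section above, and the separation of probing "background noise" from activity aimed at a particular victim described in this paragraph, can both be shown with a small detection routine. The following Python is an added example written for this page, not code from the paper or from CERT/CC: the log format, the hosts and addresses (10.0.0.5, 192.0.2.10 and so on), the traffic volumes and the thresholds are all constructed assumptions.

```python
"""Added example (not from the paper): learn a per-source connection-rate
baseline from routine traffic, then flag hours that exceed it and sources
that touch many distinct ports on one host (scan-like probing). The log
format, addresses and thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
import statistics


def parse_line(line):
    """Parse a constructed record '<date> <time> <src> <dst> <dst_port>'."""
    date, time, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"),
            "src": src, "dst": dst, "port": int(port)}


def hourly_counts(records):
    """Connections per (source, calendar hour)."""
    counts = Counter()
    for r in records:
        counts[(r["src"], r["ts"].strftime("%Y-%m-%d %H"))] += 1
    return counts


def build_baseline(records):
    """Per-source (mean, population std dev) of connections per active hour."""
    samples = defaultdict(list)
    for (src, _hour), n in hourly_counts(records).items():
        samples[src].append(n)
    return {src: (statistics.fmean(s), statistics.pstdev(s) if len(s) > 1 else 0.0)
            for src, s in samples.items()}


def find_rate_anomalies(records, baseline, k=3.0, min_excess=5):
    """Hours where a source exceeds mean + k*std (never less than min_excess above
    the mean, so a flat baseline does not alert on every extra connection), plus
    any source that has no baseline at all."""
    flagged = []
    for (src, hour), n in sorted(hourly_counts(records).items()):
        if src not in baseline:
            flagged.append((src, hour, n, "no baseline for this source"))
            continue
        mean, std = baseline[src]
        if n > mean + max(k * std, min_excess):
            flagged.append((src, hour, n, f"{n} connections vs baseline {mean:.1f}+/-{std:.1f}"))
    return flagged


def find_probes(records, min_ports=10):
    """(src, dst, distinct ports) for pairs where one source touched many ports."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["port"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def constructed_baseline_lines():
    """Five business days of routine traffic, generated rather than captured."""
    lines = []
    for day in range(1, 6):
        for hour in range(9, 18):
            for i in range(3):   # workstation 10.0.0.5: three web connections an hour
                lines.append(f"2000-06-0{day} {hour:02d}:{i * 15:02d}:00 10.0.0.5 192.0.2.10 80")
            for i in range(2):   # workstation 10.0.0.7: two mail connections an hour
                lines.append(f"2000-06-0{day} {hour:02d}:{i * 20 + 5:02d}:00 10.0.0.7 192.0.2.20 25")
    return lines


# Observation window (constructed): a burst from 10.0.0.5, normal 10.0.0.7 traffic,
# and an outside address walking 15 ports on the web server.
OBSERVED_LINES = (
    [f"2000-06-08 10:{i:02d}:00 10.0.0.5 192.0.2.10 80" for i in range(40)]
    + [f"2000-06-08 10:{i * 20 + 5:02d}:30 10.0.0.7 192.0.2.20 25" for i in range(2)]
    + [f"2000-06-08 11:00:{i:02d} 198.51.100.23 192.0.2.10 {port}"
       for i, port in enumerate(range(20, 35))]
)


def analyze(baseline_lines, observed_lines):
    """Full pipeline: baseline from routine traffic, then rate and probe findings."""
    baseline = build_baseline([parse_line(line) for line in baseline_lines])
    observed = [parse_line(line) for line in observed_lines]
    return {"anomalies": find_rate_anomalies(observed, baseline),
            "probes": find_probes(observed)}


if __name__ == "__main__":
    for kind, findings in analyze(constructed_baseline_lines(), OBSERVED_LINES).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

A production baseline would also be keyed by destination, port and weekday, and the thresholds would be tuned against the false-positive rate the analysts can absorb. The point the example makes is the one the paper makes: the baseline is learned from the victim's own normal traffic, so the cooperative relationship with victim sites described in this section is what makes anomaly and probe detection possible at all.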
Victim profiles will be just as important, in terms of strategic
intelligence analysis of the Internet, as profiling potential
intruders. The more serious the intrusion, the more critical this
sort of profiling will be. One of the potential hurdles to this
effort, however, will be the natural tendency of the victim,
whether private or public, to withhold sensitive or proprietary
information. A few examples of this kind of reticence would be
financial institutions withholding information about losses due to
intrusions; companies failing to divulge the nature of an intrusion
due to proprietary corporate data; or a government agency
protecting information that is sensitive or even classified. Beyond
simply protecting proprietary or sensitive data, there are also
serious legal questions that have not yet been resolved in the
courts or in the legislature. These include constitutional
guarantees of privacy; contradictory national laws (or lack of
laws) as perpetrators use the global network; laws limiting various
governmental agencies' efforts to track down the source of an
intrusion, and the need to determine what is domestic and what is
foreign.
If these barriers can be overcome, critical information will become
available. Details of the victim's infrastructure, the nature of
the intrusion, identity clues left by the intruder, network traffic
flow as observed by the victim site, and intrusion tools left as
artifacts on the victim hosts can all provide indispensable clues.
Without such information, motivation becomes more difficult to
define and profiling efforts will be seriously flawed. Some work
has already been accomplished in this area by organizations
involved in incident monitoring, including the members of the Forum
of Incident Response and Security Teams (FIRST) community. Much
more remains to be accomplished, however, as new cooperative
agreements are forged and additional analytic efforts and
methodologies are developed. Furthermore, while it is true that
some of the legal restrictions are avoided by the voluntary nature
of the cooperative relationships, they are by no means completely
overcome. The keys to success seem to be two-fold. First, the
analytic organization has to prove itself to be a highly secure
confidant, never disclosing victim identities while working to
assist victims in recovering from intrusions. Second, it must
return information that is of value to the victims, including
information that might place the intrusion in a larger context as
well as providing assistance in dealing with vendors or other
sites. More simply put, the exchange of information must be in both
directions. Experience with other organizations has shown that
neither trustworthiness nor returned value alone is sufficient, but
both appear to be required for effective information gathering with
victims.
Beyond their reticence, victim organizations are often unaware of
critical parts of their security stance. Available data suggests
that victims are often not aware that their networks have been
intruded upon. The effectiveness of installed security measures is
often overestimated. Levels of trust given to users by computing
practices are often unwarranted. All of this hampers both analysis
and defense.
One of the reasons that profiling the victims is so critical is
that it provides insights into motivations that can greatly assist
analysts in predicting future intrusions under similar
circumstances. This insight will need to incorporate identification
of circumstances that facilitate or hamper intrusion. For example,
K-12 educational institutions might offer a significant opportunity
for intruders to stage their attacks, since many such institutions
lack knowledgeable system administrators. However, such hosts may
be removed from the network during summer break and other times
when school is not in session. During the Year 2000 rollover,
conditions for system intrusion were relatively poor not only
because of the active presence of a large number of system
administrators, carefully monitoring their systems, but also the
significant number of alternative activities available to potential
intruders. These examples serve to identify that there exist
time-varying circumstances; further analysis is required to
delineate these factors more fully.
4. How are the intrusions being implemented?
This is both the most technical aspect of the problem and, for specialists in the area, the easiest question to answer. Methods of intrusion are the on-line equivalent of military tactics. And just as in the military world there has historically been a dialectic between defense and offense, so on the Internet there is a similar dialectic between protection and intrusion. One difference lies in the ability of intruders to obfuscate their methods of intrusion by manipulation of the sources of intrusion and of the on-line records of activity. The sources of intrusion are manipulated either by staging intrusions through a series of already-intruded and corrupted hosts, or by falsification of source information found in network traffic. Both of these methods are common in intrusions. The on-line records of activity are commonly falsified either by direct modification of the records themselves or by replacement of the monitoring software that produces these records. While there are analogies to these activities in the physical world, the ease, rate, and invisibility of these activities on the Internet especially complicate the analysis task.
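The first of the two record-falsification methods named above, direct modification of the stored records, can be made detectable by chaining the records together so that each digest covers the previous one. The following Python tamper-evident log is an added example written for this page, not code from the paper or from any CERT/CC tool; the log records and the key are constructed, and the scheme assumes that the key is held by a separate collector rather than on the host whose activity is being recorded.

```python
"""Added example (not from the paper): a tamper-evident audit log built as an
HMAC hash chain. Each record's digest covers the previous digest, so modifying
or deleting an earlier record breaks every later link. Records and key are
constructed for the demonstration."""
import hashlib
import hmac

GENESIS = "0" * 64  # digest assumed for the link before the first record


def link_digest(prev_digest, record, key):
    """HMAC-SHA256 over the previous digest and this record (assumption: the
    key is held by a collector, not on the host whose activity is logged)."""
    return hmac.new(key, f"{prev_digest}\n{record}".encode(), hashlib.sha256).hexdigest()


def build_chain(records, key):
    """Return [(record, digest), ...] with each digest linked to its predecessor."""
    chain, prev = [], GENESIS
    for rec in records:
        digest = link_digest(prev, rec, key)
        chain.append((rec, digest))
        prev = digest
    return chain


def verify_chain(chain, key):
    """Return None if every link checks out, else the index of the first broken link."""
    prev = GENESIS
    for i, (rec, digest) in enumerate(chain):
        if not hmac.compare_digest(link_digest(prev, rec, key), digest):
            return i
        prev = digest
    return None


def edit_record(chain, index, new_record):
    """What a direct edit of the stored file looks like: text changed, digest left as is."""
    edited = list(chain)
    edited[index] = (new_record, chain[index][1])
    return edited


def delete_record(chain, index):
    """Removing a stored record outright."""
    return chain[:index] + chain[index + 1:]


# Constructed syslog-style records for the demonstration (not real data)
SAMPLE_RECORDS = [
    "2000-06-08T10:02:11 host1 sshd: Accepted password for admin from 203.0.113.9",
    "2000-06-08T10:02:40 host1 sudo: admin : COMMAND=/bin/sh",
    "2000-06-08T10:05:03 host1 sshd: session closed for user admin",
    "2000-06-08T10:30:00 host1 cron: nightly backup started",
]
DEMO_KEY = b"constructed-demo-key"  # placeholder key for the example only


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS, DEMO_KEY)
    print("intact chain:", verify_chain(chain, DEMO_KEY))  # None
    scrubbed = edit_record(chain, 1, "2000-06-08T10:02:40 host1 sudo: admin : COMMAND=/usr/bin/ls")
    print("edited record detected at:", verify_chain(scrubbed, DEMO_KEY))  # 1
    print("deleted record detected at:", verify_chain(delete_record(chain, 1), DEMO_KEY))  # 1
    # Limitation: whoever holds the key can rebuild a consistent chain over
    # false records, so the key must not live on the monitored host.
    rebuilt = build_chain(SAMPLE_RECORDS[:1] + SAMPLE_RECORDS[2:], DEMO_KEY)
    print("rebuilt with the key:", verify_chain(rebuilt, DEMO_KEY))  # None
```

The chain catches modification or deletion of records after they were written. It does nothing against the second method the paper names, replacement of the monitoring software that produces the records, unless the key is unavailable to that host: as the last step of the example shows, `build_chain` run with the correct key over falsified records yields a chain that `verify_chain` accepts. Forwarding each record to a separate collector as it is written, with the collector holding the key, closes most of that gap.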
5. When are they taking place?
The timing of intrusions might or might not be significant. It is possible, for example, that an intrusion on a particular company could have been precipitated by a particular action of the company, whether in the marketplace or in relation to one or more of its employees. Similarly, an intrusion on a country's infrastructure could come about in an international crisis, as part of an adversary's effort to prevent or disrupt military intervention in a specific region or country. A particular sequence of intrusions might also be important in determining whether probing activities are taking place as a preliminary to a more serious assault. Another important component is whether or not the intrusions are accompanied by any other actions – such as the demand for payment that would be an essential ingredient in any extortion contingency.
The timing of an intrusion, especially one that is more serious in
nature, will often have significance with regard to the motive for
the intrusion, hence the importance of victim profiling. Given the
global nature of business today and the amount of political
upheaval throughout the world, myriad events must be examined on a
daily basis for clues to possible impending intrusions. Awareness
of upcoming political events, corporate announcements or openings
of new industrial facilities will be essential to the analytic
process. This sort of situational awareness, combined with the
historical perspective provided by profiling, will have a major
impact on the ability to provide predictive analysis and warning.
There is a need for care here in distinguishing significant from
background activity. Experience at the CERT/CC with informal
measures of significance, as are used in generation of advisories,
may be useful in facilitating this distinction.
6. Where are they taking place?
Although the virtual world is borderless, the points at which it connects to the real world are geographic locations. Indeed, the simple question of "where?" has to be broken down into point(s) of origin, digital routing, and point(s) of attack. It is physical actions at a particular location that start the attack process, even if there is sometimes a time lag prior to the implementation of the attack itself. This becomes particularly significant when the actions initiated at this location go beyond web defacement and involve more serious criminal, terrorist, and war-like actions. Tracing the attack back to its source, therefore, becomes particularly important in determining both the responsibility for the action and the appropriate target for counter-measures or reprisals. Where the attacker is determined to be another nation, this has particularly important implications. Even in less extreme situations, however, location is critical, because of law as well as geography. In some jurisdictions, for example, there are no laws against computer intrusions. This was why the Filipino perpetrator of the Love Bug was not placed on trial in the Philippines itself. In other jurisdictions, of course, the laws are quite severe. For criminals and terrorists, these divergences offer opportunities to launch attacks at minimal risk, even if the source of the attack is somehow discovered. This suggests that there might be a form of jurisdictional arbitrage, with potential attackers seeking out low-risk jurisdictions from which to launch their attacks. Over the longer term, of course, the opportunities for arbitrage of this kind can be diminished through more inclusive laws criminalizing this kind of activity, through the harmonization of laws among states, and through the extension of extradition treaties and mutual legal assistance treaties.
As well as using jurisdictional arbitrage, computer intruders also seek to cover their tracks by going through multiple jurisdictions. In some cases, this makes it impossible to track the activity back to its source by complicating the digital trail. In others, it adds significant legal obstacles, as some states are simply unwilling to cooperate in investigations. There is also the potential for mischief, with the possibility that skilful intruders might lay a false trail that leads to unwarranted but damaging accusations against innocent parties (whether individuals, groups or nations).
To be continued.