
Internet Security Intelligence Analysis, Continued (1)

(2010-08-16 22:35:09)
Tags: media, science, technology, it, miscellany, Internet, security intelligence, terror, military, culture, education, cyber threats

Category: it


3. Who is being intruded upon?

Determining who the victims of intrusions are is, in some respects, an enormously significant part of the intelligence process. It is important - at least in those cases where attacks are not indiscriminate - to differentiate between public and private targets, to distinguish infrastructure targets from individual targets, and to distinguish between intrusions that focus on targets of convenience and those that are much more precise and calculated. For example, existing analysis has shown a link between port scanning and certain types of later intrusions [Moitra&Konda], but this needs to be more fully explored to provide for effective warnings. Profiling victims can sometimes play a critical role in determining the nature of the intrusion and the nature of the intruders. For this to be done, an understanding is needed of the level of "background noise", the probes and intrusion attempts occurring across the Internet. Once understood, it may be possible to isolate this activity from the more significant activity directed at a particular victim.
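As an added illustration of separating Internet-wide "background noise" from activity aimed at one victim (example code written for this page, not part of the original paper), the script below profiles each source address in a small set of constructed connection records. It assumes the records are aggregated from sensors covering several networks, so that a source spraying connections across many networks can be told apart from one concentrating on hosts in the victim's range; the address ranges and thresholds are assumptions, not values from the paper.

```python
from collections import defaultdict

# Constructed connection records: "timestamp src dst dport" (not from the paper).
# 192.0.2.0/24 is the monitored victim's range; the other ranges are other networks.
SAMPLE_LOG = """\
2000-01-10T02:00:01 203.0.113.5 192.0.2.10 80
2000-01-10T02:00:02 203.0.113.5 192.0.2.11 80
2000-01-10T02:00:03 203.0.113.5 198.51.100.7 80
2000-01-10T02:00:04 203.0.113.5 198.51.100.8 80
2000-01-10T02:00:05 203.0.113.5 198.51.100.9 80
2000-01-10T03:10:00 198.51.100.200 192.0.2.10 21
2000-01-10T03:10:03 198.51.100.200 192.0.2.10 22
2000-01-10T03:10:07 198.51.100.200 192.0.2.10 23
2000-01-10T03:10:11 198.51.100.200 192.0.2.10 25
2000-01-10T03:10:15 198.51.100.200 192.0.2.10 110
2000-01-10T03:10:20 198.51.100.200 192.0.2.10 143
2000-01-10T04:00:00 192.0.2.50 192.0.2.10 80
"""

VICTIM_NET = "192.0.2."  # assumed victim address range (RFC 5737 documentation space)


def parse_log(text):
    """Turn the whitespace-separated records into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            records.append((ts, src, dst, int(port)))
    return records


def profile_sources(records):
    """Per source: distinct destinations, destinations in the victim net, ports, event count."""
    prof = defaultdict(lambda: {"dsts": set(), "victim_dsts": set(), "ports": set(), "events": 0})
    for _, src, dst, port in records:
        p = prof[src]
        p["dsts"].add(dst)
        p["ports"].add(port)
        p["events"] += 1
        if dst.startswith(VICTIM_NET):
            p["victim_dsts"].add(dst)
    return prof


def classify(prof, min_events=3):
    """Label each source: background (spread across networks) or targeted at the victim."""
    labels = {}
    for src, p in prof.items():
        if p["events"] < min_events:
            labels[src] = "insufficient"       # too little data to judge
            continue
        victim_share = len(p["victim_dsts"]) / len(p["dsts"])
        if victim_share < 0.5:
            labels[src] = "background"         # most destinations lie outside the victim net
        elif len(p["ports"]) > 1 and len(p["victim_dsts"]) == 1:
            labels[src] = "targeted-probe"     # many services on a single victim host
        else:
            labels[src] = "targeted"
    return labels
```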


Victim profiles will be just as important, in terms of strategic intelligence analysis of the Internet, as profiling potential intruders. The more serious the intrusion, the more critical this sort of profiling will be. One of the potential hurdles to this effort, however, will be the natural tendency of the victim, whether private or public, to withhold sensitive or proprietary information. A few examples of this kind of reticence would be financial institutions withholding information about losses due to intrusions; companies failing to divulge the nature of an intrusion in order to protect proprietary corporate data; or a government agency protecting information that is sensitive or even classified. Beyond simply protecting proprietary or sensitive data, there are also serious legal questions that have not yet been resolved in the courts or in the legislature. These include constitutional guarantees of privacy; contradictory national laws (or lack of laws) as perpetrators use the global network; laws limiting various governmental agencies' efforts to track down the source of an intrusion; and the need to determine what is domestic and what is foreign.


If these barriers can be overcome, critical information will become available. Details of the victim's infrastructure, the nature of the intrusion, identity clues left by the intruder, network traffic flow as observed by the victim site, and intrusion tools left as artifacts on the victim hosts can all provide indispensable clues. Without such information, motivation becomes more difficult to define and profiling efforts will be seriously flawed. Some work has already been accomplished in this area by organizations involved in incident monitoring, including the members of the Forum of Incident Response and Security Teams (FIRST) community. Much more remains to be accomplished, however, as new cooperative agreements are forged and additional analytic efforts and methodologies are developed. Furthermore, while it is true that some of the legal restrictions are avoided by the voluntary nature of the cooperative relationships, they are by no means completely overcome. The keys to success seem to be two-fold. First, the analytic organization has to prove itself to be a highly secure confidant, never disclosing victim identities while working to assist victims in recovering from intrusions. Second, it must return information that is of value to the victims, including information that might place the intrusion in a larger context as well as providing assistance in dealing with vendors or other sites. More simply put, the exchange of information must be in both directions. Experience with other organizations has shown that neither trustworthiness nor returned value alone is sufficient, but both appear to be required for effective information gathering with victims.


Beyond their reticence, victim organizations are often unaware of critical parts of their security stance. Available data suggests that victims are often not aware that their networks have been intruded upon. The effectiveness of installed security measures is often overestimated. Levels of trust given to users by computing practices are often unwarranted. All of this hampers both analysis and defense.


One of the reasons that profiling the victims is so critical is that it provides insights into motivations that can greatly assist analysts in predicting future intrusions under similar circumstances. This insight will need to incorporate identification of circumstances that facilitate or hamper intrusion. For example, K-12 educational institutions might offer a significant opportunity for intruders to stage their attacks, since many such institutions lack knowledgeable system administrators. However, such hosts may be removed from the network during summer break and other times when school is not in session. During the Year 2000 rollover, conditions for system intrusion were relatively poor, not only because of the active presence of a large number of system administrators carefully monitoring their systems, but also because of the significant number of alternative activities available to potential intruders. These examples serve to show that time-varying circumstances exist; further analysis is required to delineate these factors more fully.


4. How are the intrusions being implemented?

This is both the most technical aspect of the problem and, for specialists in the area, the easiest question to answer. Methods of intrusion are the on-line equivalent of military tactics. And just as in the military world there has historically been a dialectic between defense and offense, so on the Internet there is a similar dialectic between protection and intrusion. One difference lies in the ability of intruders to obfuscate their methods of intrusion by manipulation of the sources of intrusion and of the on-line records of activity. The sources of intrusion are manipulated either by staging intrusions through a series of already-intruded and corrupted hosts, or by falsification of source information found in network traffic. Both of these methods are common in intrusions. The on-line records of activity are commonly falsified either by direct modification of the records themselves or by replacement of the monitoring software that produces these records. While there are analogies to these activities in the physical world, the ease, rate, and invisibility of these activities on the Internet especially complicate the analysis task.


5. When are they taking place?

The timing of intrusions might or might not be significant. It is possible, for example, that an intrusion on a particular company could have been precipitated by a particular action of the company, whether in the marketplace or in relation to one or more of its employees. Similarly, an intrusion on a country's infrastructure could come about in an international crisis, as part of an adversary's effort to prevent or disrupt military intervention in a specific region or country. A particular sequence of intrusions might also be important in determining whether probing activities are taking place as a preliminary to a more serious assault. Another important component is whether or not the intrusions are accompanied by any other actions – such as the demand for payment that would be an essential ingredient in any extortion contingency.


The timing of an intrusion, especially one that is more serious in nature, will often have significance with regard to the motive for the intrusion, hence the importance of victim profiling. Given the global nature of business today and the amount of political upheaval throughout the world, myriad events must be examined on a daily basis for clues to possible impending intrusions. Awareness of upcoming political events, corporate announcements or openings of new industrial facilities will be essential to the analytic process. This sort of situational awareness, combined with the historical perspective provided by profiling, will have a major impact on the ability to provide predictive analysis and warning. There is a need for care here in distinguishing significant from background activity. Experience at the CERT/CC with informal measures of significance, as are used in the generation of advisories, may be useful in facilitating this distinction.

6. Where are they taking place?

Although the virtual world is borderless, the points at which it connects to the real world are geographic locations. Indeed, the simple question of "where?" has to be broken down into point(s) of origin, digital routing, and point(s) of attack. Indeed, it is physical actions at a particular location that start the attack process – even if there is sometimes a time lag prior to the implementation of the attack itself. This becomes particularly significant when the actions initiated at this location go beyond web defacement and involve more serious criminal, terrorist, and war-like actions. Tracing the attack back to source, therefore, becomes particularly important in determining both the responsibility for the action and the appropriate target for counter-measures or reprisals. Where the attacker is determined to be another nation then this has particularly important implications. Even in less extreme situations, however, location is critical – and because of law as well as geography. In some jurisdictions, for example, there are no laws against computer intrusions. This was why the Filipino perpetrator of the love bug was not placed on trial in the Philippines itself. In other jurisdictions, of course, the laws are quite severe. For criminals and terrorists, these divergences offer opportunities to launch attacks at minimal risk – even if the source of the attack is somehow discovered. This suggests that there might be a form of jurisdictional arbitrage with potential attackers seeking out low risk jurisdictions from which to launch their attacks. Over the longer term, of course, the opportunities for arbitrage of this kind can be diminished through more inclusive laws criminalizing this kind of activity, through the harmonization of laws among states, and through the extension of extradition treaties and mutual legal assistance treaties.

As well as using jurisdictional arbitrage, computer intruders also seek to cover their tracks by going through multiple jurisdictions. In some cases, this makes it impossible to track the activity back to its source by complicating the digital trail. In others, it adds significant legal obstacles, as some states are simply unwilling to cooperate in investigations. There is also the potential for mischief, with the possibility that skilful intruders might lay a false trail that leads to unwarranted but damaging accusations against innocent parties (whether individuals, groups or nations).


With respect to victim location, physical location can also provide key insights. Local threats might arise through local activism (such as the Sierra Club opposition to military exercises in California; this did not involve cyber threats, but analogous activities in the future might well do so). Beyond physical location, there is logical location. A site might come under attack because either its Internet service provider or a subsidiary site is vulnerable. This logical location could be entirely unrelated to physical location: a site in New York might be on a network logically associated with one in Florida. This could occur due to mergers and acquisitions, but more typically takes place due to the difficulties in securing Internet addresses. Whatever the cause, however, it adds yet another complication to the location issue.

Using either physical or logical locations, there are several sorts of victims that might be of interest. One is the intended target of the incident. Another is an intermediate site used as a means of access or interference to the intended target, which might be termed the vector for the incident. In some circumstances this can involve substantial collateral damage to the vector site (or sites) even though it is not the intended victim. Intruders on a vector might extract information, reconfigure computers and hamper desirable operation, all for the purpose of striking the intended target.


7. Why are the actions taking place?

From a predictive intelligence analysis perspective, threat is most simply defined as capability plus intent. Capabilities, in terms of more powerful computers and more malicious covert software, are expanding rapidly. Attacks that required deep technical expertise in the recent past are within the reach of casual users today. Malicious intent is less easy to pin down, but can be assumed to be widespread and varied. History alone teaches us that much. Determining those two factors is the foundation of strategic intelligence analysis. Categorization of the nature of attacks and of the victims is critical to the success of any analytic effort. Historically, the more serious attacks will often have a specific catalyst: a corporation builds a production facility in a third world country that is viewed as an exploitive action by one or more activist groups; a government sponsors a peace conference that is viewed as an attempt to subvert the political viability of a disaffected part of the population; a repressive regime massacres a band of rebels near the capital; an organized crime syndicate reacts to crackdowns by law enforcement. These are just a handful of examples of motivations for more serious incidents. Just as importantly, a more serious incident, while probably more sophisticated, also has a greater potential for an unintended cascading effect.


Objectives can range from revenge (a disgruntled employee) to political statements (terrorism) to a full-scale attack on infrastructure as an act of warfare or, at the very least, as part of "coercive diplomacy" [Schelling]. Although the inference of intent is sometimes problematic (particularly where the damage or disruption is either less or more than the intruder intended), the effort is an essential component of the intelligence process. In many cases, intrusions that are politically motivated will be relatively easy to interpret. The effect of the intrusion will be muted if the underlying political intent is not publicized. Depending on the nature of the goal, this publication of intent may be quite localized and covert – e.g., to gain power within the intruder organization. Nonetheless, such publication might be identifiable and could provide a historical perspective that will greatly assist in predicting possible future intrusions. On the other hand, activities by governments and criminal elements are, almost by definition, covert in nature. Intrusions of those types will provide a much greater challenge to the goal of providing predictive assessments and warnings. It also has to be recognized that in some incidents there are no clear objectives. The lack of motive can be truly confounding.


In this connection, it is essential to acknowledge the limits of intelligence. No one has articulated these more effectively than Sherman Kent, formerly the Director of the Office of National Intelligence Estimates, who noted that intelligence consists of three kinds of information: "The first is easily disposed of; it is the statement of indisputable fact… The second and third kinds do not carry any such certainty; each rests upon a varying degree of uncertainty. They relate respectively (a) to things which are knowable but happen to be unknown to us, and (b) to things which are not known to anyone at all." [Kent] In effect, much of the analysis process involves what Kent also called the "speculative-evaluative" component of intelligence – especially when it involves efforts to anticipate future behavior and future threats, and when the targets of intelligence collection and analysis are engaging in systematic concealment or deception designed to thwart these efforts.


Such limits notwithstanding, the ultimate goal of intelligence analysis is predictive, strategic intelligence, disseminated to a consumer, based on the fusion of technical assessments, global analysis of incident data, and analysis of intruders and victims. It fuses three kinds of knowledge: that rooted in monitoring technology to obtain assessments about tools and weapons of disruption; that obtained from analysis of incident data; and that obtained from monitoring of possible intruders – individuals, terrorist and criminal groups and nations. Accordingly, Table 2 summarizes the three kinds of activity to be monitored and identifies the components of the collection and analysis processes in each activity area.

Table 2: An Intelligence Model for Cyber-Threats
