Raoul Chiesa President, Security Brokers SCpA

© 2015/2019 Raoul Chiesa, Security Brokers Società Cooperativa per Azioni. Conferenza GARR 2019 – Turin, 4 June 2019

From Hacking to Cyber Warfare: the “fil rouge” among different Worlds, Ecosystems and Actors

Transcript of Raoul Chiesa President, Security Brokers SCpA

Page 1: Raoul Chiesa President, Security Brokers SCpA

From Hacking to Cyber Warfare: the “fil rouge” among different Worlds, Ecosystems and Actors

Raoul Chiesa, President, Security Brokers SCpA

Page 2: Raoul Chiesa President, Security Brokers SCpA

Disclaimer

● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.

● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.

● Quoted trademarks belong to their registered owners.

● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group), nor those of Security Brokers, its Associates and Associated Companies.

● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.

Page 3: Raoul Chiesa President, Security Brokers SCpA

Agenda

● Introductions
● Cybercrime
● Scenarios and Actors
● Profiling «Hackers»
● Information Warfare
● New Actors & Ecosystems
● Conclusions
● References

Page 4: Raoul Chiesa President, Security Brokers SCpA

The Speaker

● President, Founder, The Security Brokers
● Founder, Swascan.com
● Independent Special Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
● Roster of Experts @ ITU (UN International Telecommunication Union)
● Former PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
● Founder, @ CLUSIT (Italian Information Security Association)
● Steering Committee, AIP/OPSI (Privacy & Security Observatory)
● Board of Directors, ISECOM (Institute for Security & Open Methodologies)
● OSSTMM Key Contributor (Open Source Security Testing Methodology Manual)
● Board of Directors, OWASP Italian Chapter
● Cultural Attaché. Scientific Committee, APWG European Chapter
● Former Board Member, AIIC (Italian Association of Critical Infrastructures)
● Supporter at some security community

Page 5: Raoul Chiesa President, Security Brokers SCpA

First of all

No common spelling…

“Cybersecurity, Cyber-security, Cyber Security?”

No common definitions…

Cybercrime is…?

No clear actors…

Cyber – Crime/war/terrorism?

No common components?…

● In non-English-speaking countries, problems arise with correctly understanding words and terms.

Page 6: Raoul Chiesa President, Security Brokers SCpA

The scenario(s) and the Actors

Page 7: Raoul Chiesa President, Security Brokers SCpA

Crime -> Today

You got the information, you got the power..

Simply put, this happens because the “information” can be transformed at once into “something else”:

1. Competitive advantage (geo/political, business, personal relationships)
2. Sensitive/critical information (blackmailing, extortion)
3. Money (Cash-out techniques, Black Market & Underground Economy)

…that’s why all of us want to “be secure”.

It’s not by chance that it’s named “IS”: Information Security ☺

The trend of the «cyber-prefix» is from very recent years, though.

Page 8: Raoul Chiesa President, Security Brokers SCpA

Cybercrime

● Cybercrime: “The use of IT tools and telecommunication networks in order to commit crimes in different manners”.

● The axiom of the whole model: “acquiring different types of data (information), which can be transformed into an advantage.”

● Key points:
● Virtual (pyramidal approach, anonymity, C&C, flexible and scalable, moving quickly and rebuilding fast, use of “cross” products and services in different scenarios and different business models)
● Transnational
● Multi-market (buyers)
● Differentiating products and services
● Low “entry-fee”
● ROI / Return on Investment (on each single operation, which means that, exponentially, it can be industrialized)
● Tax & (cyber) Law haven

Page 9: Raoul Chiesa President, Security Brokers SCpA

Why?

“2013 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking turnovers”

Various sources (UN, USDOJ, INTERPOL, 2013)

2018 Financial Turnover, estimation: 60B USD$/year

«Cybercrime ranks as one of the top four economic crimes»

PriceWaterhouseCoopers LLC Global Economic Crime Survey 2011

Page 10: Raoul Chiesa President, Security Brokers SCpA

From Cybercrime to…

● We are speaking about an ecosystem which is very often undervalued: most of the time, Cybercrime is the starting or transit point towards different ecosystems:

● Information Warfare
● Black Ops
● Cyber Espionage
● Hacktivism
● (private) Cyber Armies
● Underground Economy and Black Markets
● Organized Crime
● Carders
● Botnet owners
● 0days
● Malware factories (APTs, code writing outsourcing)
● Lonely wolves
● “cyber”-Mercenaries

Page 11: Raoul Chiesa President, Security Brokers SCpA

Cybercrime MO

Page 12: Raoul Chiesa President, Security Brokers SCpA

Profiling Actors

Page 13: Raoul Chiesa President, Security Brokers SCpA


Welcome to HPP!

Page 14: Raoul Chiesa President, Security Brokers SCpA

HPP V1.0

Back in 2004 we launched the Hacker’s Profiling Project - HPP: http://www.unicri.it/special_topics/cyber_threats/

Since that year:

● +1.200 questionnaires collected & analyzed
● 9 Hackers profiles emerged
● Two books (one in English):
● Profilo Hacker, Apogeo, 2007
● Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor & Francis Group, CRC Press (2009)

Page 15: Raoul Chiesa President, Security Brokers SCpA

Evaluation & Correlation standards

Modus Operandi (MO)

Lone hacker or as a member of a group

Motivations

Selected targets

Relationship between motivations and targets

Hacking career

Principles of the hacker's ethics

Crashed or damaged systems

Perception of the illegality of their own activity

Effect of laws, convictions and technical difficulties as a deterrent

Page 16: Raoul Chiesa President, Security Brokers SCpA

|  | OFFENDER ID | LONE / GROUP HACKER | TARGET | MOTIVATIONS / PURPOSES |
|---|---|---|---|---|
| Wanna Be Lamer | 9-16 years. “I would like to be a hacker, but I can’t” | GROUP | End-User | For fashion, It’s “cool” => to boast and brag |
| Script Kiddie | 10-18 years. The script boy | GROUP: but they act alone | SME / Specific security flaws | To give vent of their anger / attract mass-media attention |
| Cracker | 17-30 years. The destructor, burned ground | LONE | Business company | To demonstrate their power / attract mass-media attention |
| Ethical Hacker | 15-50 years. The “ethical” hacker’s world | LONE / GROUP (only for fun) | Vendor / Technology | For curiosity (to learn) and altruistic purposes |
| Quiet, Paranoid, Skilled Hacker | 16-40 years. The very specialized and paranoid attacker | LONE | On necessity | For curiosity (to learn) => egoistic purposes |
| Cyber-Warrior | 18-50 years. The soldier, hacking for money | LONE | “Symbol” business company / End-User | For profit |
| Industrial Spy | 22-45 years. Industrial espionage | LONE | Business company / Corporation | For profit |
| Government Agent | 25-45 years. CIA, Mossad, FBI, etc. | LONE / GROUP | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage; Vulnerability test; Activity-monitoring |
| Military Hacker | 25-45 years | LONE / GROUP | Government / Strategic company | Monitoring / controlling / crashing systems |

Page 17: Raoul Chiesa President, Security Brokers SCpA

Then, new Actors joined in

Cybercrime and Information Warfare have a very wide spectrum of action and use intrusion techniques which are nowadays, somehow, available to a growing number of Actors, which use them in order to accomplish different goals, with approaches and intensity which may deeply vary.

All of the above is launched against any kind of target: Critical Infrastructures, Government Systems, Military Systems, Private Companies of any kind, Banks, Media, Interest Groups, Private Citizens.…

● National States
● IC / LEAs
● Organized Cybercrime
● Hacktivists
● Industrial Spies
● Terrorists
● Corporations
● Cyber Mercenaries

Everyone against everybody

Page 18: Raoul Chiesa President, Security Brokers SCpA

Information Warfare (Cyberwar?)

(this section includes material from Prof. Dr. Alexander Klimburg)

Page 19: Raoul Chiesa President, Security Brokers SCpA

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."

Former Duma speaker Nikolai Kuryanovich, 2007

The DUMA knew it, long time ago….

Page 20: Raoul Chiesa President, Security Brokers SCpA

…but, Saalbach knew this already in 2004!

Page 21: Raoul Chiesa President, Security Brokers SCpA

Cyber* Military Trends

| OUT! | IN ☺ |
|---|---|
| Single operational pic | Situational awareness |
| Autonomous ops | Self-synchronizing ops |
| Broadcast information push | Information pull |
| Individual | Collaboration |
| Stovepipes | Communities of Interest |
| Task, process, exploit, disseminate | Task, post, process, use |
| Multiple data calls, duplication | Only handle information once |
| Private data | Shared data |
| Perimeter, one-time security | Persistent, continuous IA |
| Bandwidth limitations | Bandwidth on demand |
| Circuit-based transport | IP-based transport |
| Single points of failure | Diverse routing |
| Separate infrastructures | Enterprise services |
| Customized, platform-centric IT | COTS based, net-centric capabilities |
|  | Scouting elite hacker parties? |

Page 22: Raoul Chiesa President, Security Brokers SCpA

Making “Cyber War”…

• “dummy list” of “ID-10T” for phishing
• background info on organisation (org chart etc.)
• Primer for sector-specific social-engineering
• proxy servers
• banking arrangements
• purchase attack-kits
• rent botnets
• find (trade!) good C&C server
• purchase 0-days / certificates
• purchase skill-set
• bespoke payload / search terms
• Purchase L2/L3 system data
• equipment to mimic target network
• dummy run on similar network
• sandbox zero days

Alexander Klimburg 2012

Page 23: Raoul Chiesa President, Security Brokers SCpA


Page 24: Raoul Chiesa President, Security Brokers SCpA

Mix of Actors generate new Ecosystems

Page 25: Raoul Chiesa President, Security Brokers SCpA

The pricing debate

http://www.theregister.co.uk/2014/11/11/german_spooks_want_millions_to_buy_0day_vulns/

Page 26: Raoul Chiesa President, Security Brokers SCpA

The pricing debate

http://www.theregister.co.uk/2014/11/11/german_spooks_want_millions_to_buy_0day_vulns/

Page 27: Raoul Chiesa President, Security Brokers SCpA

Possible CWUs Structure

● Strategic Governance Unit
● Structure Governance
● Process Engineering
● Information Management
● Operations Management Unit
● Cyber operations Unit
● Cyber intelligence Unit
● R&D Unit
● Attack & Defense Methodology Research
● Toolkit Research

Page 28: Raoul Chiesa President, Security Brokers SCpA

«Attack attribution»

“Attribution is not really an issue”.
Senior DoD official, 2012 Aspen Strategy Group

“The greatest challenge is finding out who is actually launching the attack”.
Major General Keith B. Alexander, Commander US CYBERCOM / NSA, testimony May 8th 2009, “Cyberspace as a Warfighting Domain” – US Congress

Attribution:

● tactical level = irrelevant
● operational level = helpful
● strategic level = important
● political (board) level = critical

Source: Alexander Klimburg, 2012

Page 29: Raoul Chiesa President, Security Brokers SCpA

Non-state proxies and “inadvertent Cyberwar”: “During a time of international crisis, a [presumed non-state CNE] proxy network of country A is used to wage a ‘serious (malicious destruction) cyber-attack’ against country B.”

How does country B know if:

a) The attack is conducted with consent of Country A (Cyberwar)

b) The attack is conducted by the proxy network itself without consent of Country A (Cyberterrorism)

c) The attack is conducted by a Country C who has hijacked the proxy network? (False Flag Cyberwar)

© Alexander Klimburg 2012

Mistyping may lead to (very) different scenarios…

Page 30: Raoul Chiesa President, Security Brokers SCpA

Evolving scenarios: 2014-2020

Kiev, Caracas

Page 31: Raoul Chiesa President, Security Brokers SCpA


Conclusions

Page 32: Raoul Chiesa President, Security Brokers SCpA

Conclusions

● Everything has changed.

● You just cannot fight this war on your own anymore. You may win a single battle, but it won’t be enough.

● If you are insecure, I will be insecure too….

● Information Sharing, Security Awareness, Attacker’s Profiling, balanced InfoSec approach & processes: this is what you need.

● Ask for technical solutions from the Security Industry, be compliant with security standards and regulations, but don’t forget both taking from and giving back to the security communities.

Page 33: Raoul Chiesa President, Security Brokers SCpA


Page 34: Raoul Chiesa President, Security Brokers SCpA

Reading Room /1

● The commercialization of Digital Spying, Morgan Marquis-Boire, Claudio Guarnieri, Bill Marczak, John Scott-Railton, Citizen Lab, Canada Center for Global Security Studies, Munk School of Global Affairs (University of Toronto), 2013
● No Place to Hide: Edward Snowden, the NSA and Surveillance State, Glenn Greenwald, Penguin Books, 2014
● Grazie Mr. Snowden, Fabio Chiusi, edizioni Valigia Blu / Messaggero Veneto, 2014
● Kingpin, Kevin Poulsen, 2012
● Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, Raoul Chiesa, Stefania Ducci, Silvio Ciappi, CRC Press / Taylor & Francis Group, 2009
● H.P.P. Questionnaires 2005-2010
● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010
● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003
● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, DoubleDay (1989), Pocket (2000)
● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, Harpercollins, 1995
● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer, (Hyperion Books), 1996
● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998

Page 35: Raoul Chiesa President, Security Brokers SCpA

Reading Room /2

● The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)
● Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)
● Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008
● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
● Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004
● Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004
● Hacker Cracker, Ejovi Nuwere with David Chanoff, Harper Collins, 2002
● Compendio di criminologia, Ponti G., Raffaello Cortina, 1991
● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol. X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988
● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44
● Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January, 1998
● Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro

Page 36: Raoul Chiesa President, Security Brokers SCpA

Contacts, Q&A

Need anything, got doubts, wanna ask me smth? rc[at]security-brokers[dot]com

Thanks for your attention!

QUESTIONS?