National Infrastructure National Infrastructure Protection CenterProtection Center

National Infrastructure National Infrastructure Protection CenterProtection Center

PARTNERSHIP FOR PROTECTION

STATUS and INITIATIVES

National Infrastructure Protection National Infrastructure Protection CenterCenter

National Infrastructure Protection National Infrastructure Protection CenterCenter

“An adversary wishing to destroy the United States only has to mess up the computer systems of its banks by hi-tech means. This would disrupt and destroy the US economy.” February, 1996

“An adversary wishing to destroy the United States only has to mess up the computer systems of its banks by hi-tech means. This would disrupt and destroy the US economy.” February, 1996

People’s Liberation DailyPeople’s Liberation Daily

Critical InfrastructureCritical Infrastructure

““Services so vital that Services so vital that their incapacity or their incapacity or destruction would have a destruction would have a debilitating impact on the debilitating impact on the defense or economic defense or economic security of the United security of the United States”States”

CRITICAL INFRASTRUCTURESCRITICAL INFRASTRUCTURES

Telecommunications / Computer SystemsTelecommunications / Computer SystemsElectrical PowerElectrical PowerOil & GasOil & GasTransportationTransportationBanking & FinanceBanking & FinanceWater Water Emergency ServicesEmergency ServicesGovernment OperationsGovernment Operations

Why were we concerned about the Y2K Why were we concerned about the Y2K rollover ?rollover ?

Why were we concerned about the Y2K Why were we concerned about the Y2K rollover ?rollover ?

Uncertainty as to the stability of Uncertainty as to the stability of infrastructures which are dependent upon infrastructures which are dependent upon computerscomputers

The threat of malicious attacks upon The threat of malicious attacks upon systems that control our nation’s systems that control our nation’s economy and securityeconomy and security

The possibility that computer systems The possibility that computer systems might not recognize the date changemight not recognize the date change

There were no significant There were no significant Infrastructure attacksInfrastructure attacks

Industry reported Industry reported several anomalies: several anomalies:

Brief delay in some British Brief delay in some British credit card transactions.credit card transactions.

Numerous retail receipts read Numerous retail receipts read “1900”.“1900”.

Occasional loss of 911 Occasional loss of 911 systemssystems

““The wonderful thing about the The wonderful thing about the Internet is that you’re connected to Internet is that you’re connected to everyone else. The terrible thing everyone else. The terrible thing about the Internet is that you’re about the Internet is that you’re connected to everyone else.” connected to everyone else.”

““Freedom Isn’t Free…”Freedom Isn’t Free…”““Freedom Isn’t Free…”Freedom Isn’t Free…”

Historical BackgroundHistorical BackgroundHistorical BackgroundHistorical Background

End of the Cold WarEnd of the Cold WarChanging Expectations of WarfareChanging Expectations of WarfareHomeland Defense a New Worry Homeland Defense a New Worry Vulnerabilities & InterdependenciesVulnerabilities & InterdependenciesEver-growing role of E-commerceEver-growing role of E-commerceLoyalties are ChangingLoyalties are ChangingSOLAR SUNRISE SOLAR SUNRISE New Terrorism Possibilities & ActorsNew Terrorism Possibilities & Actors

MUST REDEFINE SECURITYMUST REDEFINE SECURITY

OLD DEFINITIONS DON’T WORKOLD DEFINITIONS DON’T WORK

Foreign vs. DomesticForeign vs. Domestic

Intelligence vs. Law EnforcementIntelligence vs. Law Enforcement

Military vs. Law EnforcementMilitary vs. Law Enforcement

““TRADITIONAL” ADVERSARIES TRADITIONAL” ADVERSARIES NO LONGER FIT THE MOLD NO LONGER FIT THE MOLD

Unstructured Threats Insiders Hackers / Virus Propagators

Unstructured Threats Insiders Hackers / Virus Propagators

Structured Threats Hacktivists Economic Espionage Organized Crime

Structured Threats Hacktivists Economic Espionage Organized Crime

National Security Threats Terrorists Intelligence Agencies Information Warriors

National Security Threats Terrorists Intelligence Agencies Information Warriors

THREATS - HARD TO DEFINETHREATS - HARD TO DEFINE

CAPABILITY + INTENT x VULNERABILITY = CAPABILITY + INTENT x VULNERABILITY = THREATTHREAT

Traditional AdversariesTraditional Adversaries Economic AdversariesEconomic Adversaries Political AdversariesPolitical Adversaries Others / Potential Others / Potential

Terrorists / Organized Crime / Non-State / OpportunistsTerrorists / Organized Crime / Non-State / Opportunists

RANGE OF CAPABILITY - - BUT RANGE OF CAPABILITY - - BUT

SIGNIFICANT CAPABILITY IS EASY TO GETSIGNIFICANT CAPABILITY IS EASY TO GET

Unique Challenges FacingUnique Challenges FacingLaw EnforcementLaw Enforcement

Unique Challenges FacingUnique Challenges FacingLaw EnforcementLaw Enforcement

Intelligence (statistics)Intelligence (statistics)Identifying perpetratorsIdentifying perpetratorsLocating victimsLocating victimsDetermining venueDetermining venueTechnical trainingTechnical trainingDeveloping partnershipsDeveloping partnerships

with private sectorwith private sector

Intelligence (statistics)Intelligence (statistics)Identifying perpetratorsIdentifying perpetratorsLocating victimsLocating victimsDetermining venueDetermining venueTechnical trainingTechnical trainingDeveloping partnershipsDeveloping partnerships

with private sectorwith private sector

WHOSE PROBLEM IS IT ?WHOSE PROBLEM IS IT ?WHOSE PROBLEM IS IT ?WHOSE PROBLEM IS IT ?

NOT JUST A FEDERAL GOVERNMENT NOT JUST A FEDERAL GOVERNMENT ISSUEISSUE

AND NOT JUST A GOVERNMENT ISSUEAND NOT JUST A GOVERNMENT ISSUE

ANYONE - AT ANY LEVEL - CAN BE AANYONE - AT ANY LEVEL - CAN BE A

TARGET OR A VICTIM OF TERRORISM TARGET OR A VICTIM OF TERRORISM

Why Should Government and Why Should Government and Industry be Concerned?Industry be Concerned?

Why Should Government and Why Should Government and Industry be Concerned?Industry be Concerned?

Exponential increase in number and severity of Exponential increase in number and severity of domestic Cyber incidentsdomestic Cyber incidents Increase in 2 years, from 3700 to 22,000 incidents Increase in 2 years, from 3700 to 22,000 incidents

reported to CERT/CC ®reported to CERT/CC ® Increasing FBI caseloadIncreasing FBI caseload

““Solar Sunrise” (FEB 1998) - DOD “wake-up call”Solar Sunrise” (FEB 1998) - DOD “wake-up call” Recent “Leaves” & “Code Red” Worm eventsRecent “Leaves” & “Code Red” Worm events Enterprise security practices continue to lag product Enterprise security practices continue to lag product

innovationsinnovations

NATIONAL INFRASTRUCTURE NATIONAL INFRASTRUCTURE PROTECTION CENTERPROTECTION CENTER

Composition - Interagency, multi-levelComposition - Interagency, multi-level Multiple government agenciesMultiple government agencies Federal, state, and local law enforcementFederal, state, and local law enforcement Private sector representativesPrivate sector representatives

ManningManning FBI - 75 of 93 on boardFBI - 75 of 93 on board Other government agencies - 22 of 40 on boardOther government agencies - 22 of 40 on board

DoD, DCIS, NSA, Services, GSA, DoE,DoD, DCIS, NSA, Services, GSA, DoE,CIA, USPS, FAACIA, USPS, FAA

Inbound includes FDIC, State, othersInbound includes FDIC, State, others

NIPC Director

Deputy Director

Computer Investigations andOperations Section (CIOS)

Analysis and Warning Section (AWS)

Computer Investigations Unit

Special Technologies Applications Unit

Cyber Emergency Support Team

Analysis and Information Sharing Unit

Watch and Warning Unit

Training, Outreach and Strategy Section (TOSS)

Training and Continuing Education Unit

Strategic Planning Unit

Outreach and Field Support Unit

NIPC OrganizationNIPC Organization

NIPC INITIATIVESNIPC INITIATIVESINFRAGARD

Government - private sector alliance. Representatives Government - private sector alliance. Representatives from industry, government, academia, law enforcementfrom industry, government, academia, law enforcement

Mechanism for systems owners and operators to Mechanism for systems owners and operators to communicate with colleaguescommunicate with colleagues

Improves dissemination of security informationImproves dissemination of security information Intrusion alert network & Secure web siteIntrusion alert network & Secure web site Chapter committees dedicated to concerns of membershipChapter committees dedicated to concerns of membership Seminars and training & Meetings with colleaguesSeminars and training & Meetings with colleagues

Membership requirementsMembership requirements Membership agreementMembership agreement Confidentiality pledgeConfidentiality pledge Commitment to actively participateCommitment to actively participate

InfraGard ServicesInfraGard ServicesInfraGard ServicesInfraGard Services

• Secure Web SiteSecure Web Site• Secure Web SiteSecure Web Site

• Alert NetworkAlert Network• Alert NetworkAlert Network

• Chapter ActivitiesChapter Activities• Chapter ActivitiesChapter Activities

• Help DeskHelp Desk• Help DeskHelp Desk

Why InfraGard?Why InfraGard?Why InfraGard?Why InfraGard?

• Presidential Decision Directive 63Presidential Decision Directive 63

• Vulnerability information not always Vulnerability information not always being shared by owners and operatorsbeing shared by owners and operators

• Computer expertise is identified and Computer expertise is identified and enhanced enhanced

• Relationships are established between Relationships are established between private industry and government agenciesprivate industry and government agencies

• Presidential Decision Directive 63Presidential Decision Directive 63

• Vulnerability information not always Vulnerability information not always being shared by owners and operatorsbeing shared by owners and operators

• Computer expertise is identified and Computer expertise is identified and enhanced enhanced

• Relationships are established between Relationships are established between private industry and government agenciesprivate industry and government agencies

NIPC INITIATIVESNIPC INITIATIVES

KEY ASSET INITIATIVE

FBI PROGRAM REVITALIZEDFBI PROGRAM REVITALIZED

KEY ASSETS NEED TO BE REDEFINEDKEY ASSETS NEED TO BE REDEFINED

DATA BASE MAINTAINED AT NIPCDATA BASE MAINTAINED AT NIPC

FIELD OFFICES GATHERING INFOFIELD OFFICES GATHERING INFO

MUST BE COMPATIBLE WITH DOD PROGRAMMUST BE COMPATIBLE WITH DOD PROGRAM

What is a Key Asset?What is a Key Asset? An organization, group of organizations, An organization, group of organizations,

system, or group of systems is considered system, or group of systems is considered to be a critical or “ key” asset if it is to be a critical or “ key” asset if it is determined that the loss of its associated determined that the loss of its associated goods, services or information would goods, services or information would have widespread and dire economic or have widespread and dire economic or social impact.social impact.

Tier1 = national impactTier1 = national impact Tier 2 = regional impactTier 2 = regional impact Tier 3 = local impactTier 3 = local impact

The Role of the Key Asset Coordinator The Role of the Key Asset Coordinator in the field:in the field:

Conduct a thorough search Conduct a thorough search for key assets in your for key assets in your divisiondivision

Examine one infrastructure Examine one infrastructure at a time until you have at a time until you have completed all eightcompleted all eight

Once identified, categorize Once identified, categorize assets by tierassets by tier

Once list is complete, Once list is complete, contact owners/operatorscontact owners/operators

Maintain contact with assetsMaintain contact with assets

Critical Networks/SystemsCritical Networks/Systems

ThreatsThreats VulnerabilitiesVulnerabilities

RiskRisk

Credit Card TheftCredit Card TheftCredit Card TheftCredit Card Theft

Organized Crime Groups

U.S. Companies

intrusion

data

Hacker ProfileHacker Profile

Predominantly teenage malesPredominantly teenage malesPoor interpersonal skillsPoor interpersonal skillsFocused on technologyFocused on technologySubstitutes the computer for interpersonal Substitutes the computer for interpersonal

relationshipsrelationshipsInsatiable curiosityInsatiable curiosityAnti-establishment (nerd with an attitude)Anti-establishment (nerd with an attitude)Desire to possess “forbidden knowledge”Desire to possess “forbidden knowledge”

Typical Network AttackTypical Network AttackTypical Network AttackTypical Network Attack

Locate system

to attack

Gain useraccess

Covertracks

Installbackdoors

Attackother hosts

Take or alter

information

Engage inother un-

authorizedactivity

Gainprivileged

access

What We Can Do for YouWhat We Can Do for YouWhat We Can Do for YouWhat We Can Do for You

Combine technical skills and investigative experienceCombine technical skills and investigative experience National and global coverageNational and global coverage Apply more traditional investigative techniquesApply more traditional investigative techniques Long-term commitment of resourcesLong-term commitment of resources Integration of law enforcement and national security Integration of law enforcement and national security

concernsconcerns Pattern analysisPattern analysis Can provide deterrent effect . . . even if hacker not Can provide deterrent effect . . . even if hacker not

prosecutedprosecuted

What We Cannot DoWhat We Cannot DoWhat We Cannot DoWhat We Cannot Do Take over your systemTake over your system Provide information beyond your need to knowProvide information beyond your need to know Share proprietary information with competitorsShare proprietary information with competitors Become involved in civil actionBecome involved in civil action May not keep you advised of status of investigationMay not keep you advised of status of investigation Provide investigation-related information to the Provide investigation-related information to the

mediamedia Provide access to national security Provide access to national security

information/intelligence gathering techniquesinformation/intelligence gathering techniques May not react with the speed you want or expect May not react with the speed you want or expect

INVESTIGATIVE PROCESSINVESTIGATIVE PROCESSINVESTIGATIVE PROCESSINVESTIGATIVE PROCESS

Victim ComplaintVictim ComplaintCollection of EvidenceCollection of EvidenceIdentify Subject / LocationIdentify Subject / LocationSearch WarrantSearch WarrantAnalysis of Evidence SeizedAnalysis of Evidence SeizedArrest / Formal ChargingArrest / Formal ChargingTrial / Plea AgreementTrial / Plea AgreementSentencingSentencing

Bottom Line . . . . . .Bottom Line . . . . . .Bottom Line . . . . . .Bottom Line . . . . . .

The Hacker has access The Hacker has access and wants to and wants to keepkeep it it!!

Response ChecklistResponse ChecklistResponse ChecklistResponse Checklist

Respond quickly and without failRespond quickly and without fail Check date and time stamps of log filesCheck date and time stamps of log files Designate one employee to secure evidenceDesignate one employee to secure evidence

Physically secure & copy to CD, Initial and date it!Physically secure & copy to CD, Initial and date it! Retain Evidence for Law EnforcementRetain Evidence for Law Enforcement

Request trap and trace with upstream providerRequest trap and trace with upstream provider Make backups of damaged/altered filesMake backups of damaged/altered files Secure old backups to show original status of systemSecure old backups to show original status of system Trace through System Administrator ContactsTrace through System Administrator Contacts

SysAdmin - Extension of FBI ?SysAdmin - Extension of FBI ?SysAdmin - Extension of FBI ?SysAdmin - Extension of FBI ?

Once Government is involved:Once Government is involved: FBI cannot direct Victim - FBI cannot direct Victim -

Privacy Violation Privacy ViolationVictim can make inquiries prior to Victim can make inquiries prior to

reporting to FBIreporting to FBI Permits Evidence to be retainedPermits Evidence to be retained Can advise FBI at initial interview of all of Can advise FBI at initial interview of all of

the connections through other sitesthe connections through other sites

Success is spelled L.O.G.S.Success is spelled L.O.G.S.Success is spelled L.O.G.S.Success is spelled L.O.G.S.

System Logs (lastlog and history files)System Logs (lastlog and history files)Dial-in and Network AuthenticationDial-in and Network AuthenticationIntercepted TrafficIntercepted TrafficE-mailE-mail

Logfile collectionLogfile collection Keep all logs, no matter how trivial seemingKeep all logs, no matter how trivial seeming

may be important for trend analysismay be important for trend analysis cross-event correlation may enable reconstruction cross-event correlation may enable reconstruction

of missing/deleted eventof missing/deleted event

Tracing the ConnectionsTracing the Connections

Signs of an Inexperienced HackerSigns of an Inexperienced HackerSigns of an Inexperienced HackerSigns of an Inexperienced Hacker

Deletes or corrupts dataDeletes or corrupts dataShuts down the machineShuts down the machineGives out the compromised passwordsGives out the compromised passwordsCan be identified with scriptingCan be identified with scriptingShares account with othersShares account with others

AN INTERNATIONAL PROBLEMAN INTERNATIONAL PROBLEM

INFRASTRUCTURES ARE INFRASTRUCTURES ARE INTERNATIONAL INTERNATIONAL

ATTACKS KNOW NO BORDERSATTACKS KNOW NO BORDERS

SECURITY AND RESPONSE REQUIRE SECURITY AND RESPONSE REQUIRE NATIONWIDE AND INTERNATIONAL NATIONWIDE AND INTERNATIONAL COOPERATION COOPERATION

Signs of an Experienced HackerSigns of an Experienced HackerSigns of an Experienced HackerSigns of an Experienced Hacker Alters logs rather than deletes themAlters logs rather than deletes them Alters ALL relevant logsAlters ALL relevant logs Victim cannot easily determine how the Victim cannot easily determine how the

original access was attainedoriginal access was attained New techniques were usedNew techniques were used Hacker installed trojanized code to avoid Hacker installed trojanized code to avoid

detection (who, netstat, ps)detection (who, netstat, ps) On and Off the system quicklyOn and Off the system quickly No bragging or sharing of accountNo bragging or sharing of account

Challenges for Law EnforcementChallenges for Law EnforcementChallenges for Law EnforcementChallenges for Law EnforcementTraceabilityTraceability

Through numerous Internet SitesThrough numerous Internet Sites Identification of Subject and other VictimsIdentification of Subject and other Victims

International ElementsInternational Elements Sovereignty Sovereignty

Inconsistent LawsInconsistent Laws Legality of Obtaining EvidenceLegality of Obtaining Evidence

Preservation and Evidence CollectionPreservation and Evidence Collection Chain of Custody of EvidenceChain of Custody of Evidence Overseas Witnesses at TrialOverseas Witnesses at Trial

Investigative TechniquesInvestigative TechniquesInvestigative TechniquesInvestigative Techniques Internet is only a portion of the case.Internet is only a portion of the case. Traditional Law Enforcement Traditional Law Enforcement

Physical SurveillancePhysical Surveillance Consensual MonitoringConsensual Monitoring Electronic SurveillanceElectronic Surveillance Search WarrantsSearch Warrants InterviewsInterviews Evidence Collection and AnalysisEvidence Collection and Analysis Informants and Cooperating WitnessesInformants and Cooperating Witnesses

Investigating the CrimeInvestigating the Crime

(Victim Site)(Victim Site)

(Looping Sites(Looping Sites.edu, .com, .gov).edu, .com, .gov)

(Source ISP:(Source ISP:Keep Safe!)Keep Safe!)

Logs

Trap/Trace

Monitoring

Subpoena

Search Warrant

Another Country’s Solution…Another Country’s Solution…

THE CHALLENGETHE CHALLENGETHE CHALLENGETHE CHALLENGE

The ChallengeThe Challenge

The SolutionThe Solution

The Private Sector ContributionThe Private Sector Contribution

The Government ContributionThe Government Contribution

WILL IT WORK ?WILL IT WORK ?WILL IT WORK ?WILL IT WORK ?

New Information Sharing New Information Sharing

Paradigm Paradigm

Foundation of Trust Foundation of Trust

No One Has All the AnswersNo One Has All the AnswersNo One Has All the AnswersNo One Has All the Answers

But all can contribute to the answersBut all can contribute to the answers

Intelligence, Law Enforcement, Intelligence, Law Enforcement, CERTs, Systems Administrators, CERTs, Systems Administrators, Infrastructure Owners and OperatorsInfrastructure Owners and Operators

When you think of law enforcement, don’t focus on When you think of law enforcement, don’t focus on arrests. Instead focus on their authorities to get arrests. Instead focus on their authorities to get answers to the critical questions.answers to the critical questions.

Questions?

Walter L. Wright

Supervisory Special Agent

Walter L. Wright

Supervisory Special Agent

wwright@fbi.govwwright@fbi.gov(202) 324-0361(202) 324-0361

wwright@fbi.govwwright@fbi.gov(202) 324-0361(202) 324-0361

National Infrastructure Protection CenterNational Infrastructure Protection CenterFederal Bureau of InvestigationFederal Bureau of Investigation

Room 11719Room 11719935 Pennsylvania Avenue, NW935 Pennsylvania Avenue, NW

Washington, DC 20535Washington, DC 20535

National Infrastructure Protection CenterNational Infrastructure Protection CenterFederal Bureau of InvestigationFederal Bureau of Investigation

Room 11719Room 11719935 Pennsylvania Avenue, NW935 Pennsylvania Avenue, NW

Washington, DC 20535Washington, DC 20535