Historically, the motivation behind most cyber attacks was similar to graffiti: the main purpose was to make a mark on somebody else’s territory and to demonstrate technical skill by compromising a web server and defacing its main page, with the primary goal being simply to make a statement of existence. In recent years, this has evolved into a greater concern with making a profit or creating a political impact. Once the domain of the lone-wolf “hacker”, cyber attacks today are more often planned and executed by teams that have connections to criminal organizations and have profit as their primary objective. From mobilizing vast botnets that forward spam or launch denial of service attacks, to penetrating corporate networks for embezzlement or extortion, to raiding data banks for identity information to sell, the face of cyber attacks has changed.
Other similar scenarios have been written about, but in most cases they involved an individual attacker. This paper will attempt to describe such an event as it is orchestrated on an organizational scale. An attack by a professional organization can be expected to be quite different from the single attacker scenarios most often considered by defenders.
In October of 2001, Pat McGregor, Chief Information Security Architect of Intel, delivered a presentation entitled “Cyberterrorism: The Bloodless War?” This presentation included a slide that asserted “InfoWarriors are not Script Kiddies” and showed the following bullets:
• “Funded by foreign military organizations and terrorist groups
• Likely to have more people and deeper pockets
• Can devote more resources – people and time
• They can crack systems that might withstand casual assault
• Likely to be more experienced
• Will use more sophisticated tactics
• Serious IW attackers would not reveal their activities until it is absolutely necessary”
A national security cyber attack team will have very deep resources behind it, a professional training level in the attackers’ skill sets, and well thought out planning and tactics.
This paper describes a theoretical cyber attack and defense scenario between fictional organizations, using real techniques and tools for both attack and defense. The defenders will be framed as a typical network administration team responsible for the security of a large enterprise network, and using modern security standards. The fictional defending organization is a public hospital network presented as a federal government agency, known as the “Public Hospital Administration” or PHA for short. The PHA oversees the operation of public hospitals in most major cities in the U.S. They use modern information technology practices, including a nationwide network that ties all the hospitals together. Their systems are predominantly Microsoft Windows based. They have national gateways with massive firewalls, proxy servers, enterprise anti-virus software and some level of network intrusion detection capability. The PHA uses NIST SP 800-53 as the backbone of their computer security policy.
The fictional attacking organization is actually a composite of several groups that decided to co-operate with each other for the short-term purposes of this attack scenario. The driving group was an international organization of fundamentalist religious terrorists who wanted to strike the U.S. in any way that would create terror, make headlines and disrupt the U.S. and its economy. They planned an attack against several major cities using biological weapons. In order to maximize the effect of this attack, they decided to also launch a parallel attack against the computer infrastructure of the hospitals in the same cities. They recruited help from a secret Chinese academy that teaches cyber attack methodology and produces over a hundred new graduates each year who are, in essence, well-trained professional hackers. They also recruited help from an organized crime group in Russia. The operation was financed by selling identity information harvested from the hospital network before the final attack. The Russian crime group handled this part of the operation and also any needed extortion or “muscle” operations. The Chinese group provided the cyber attackers and oversaw the entire attack operation against the computer network. In exchange, they were grandly rewarded with practical experience in the field for a select team of their graduates, as well as information they valued highly on how to attack a U.S. Federal Government agency. The terrorist group handled the biological weapons attack and coordinated the timing of the overall operation.
The scenarios and organizations presented here are purely fictional and hypothetical, although based on real news stories and extensive documentation. The technical aspects of the tools and techniques used by both attack and defense are accurate and realistic and will be supported by evidence and references. They have either been used in a laboratory environment by the author or referenced to other sources and documentation.