Cyber Attribution

Loading...

Del curso dictado por New York University Tandon School of Engineering

Enterprise and Infrastructure Security

120 calificaciones

Explore Related Videos

At Coursera, you will find the best lectures in the world. Here are some of our personalized recommendations for you

New York University Tandon School of Engineering

Enterprise and Infrastructure Security

120 calificaciones

Curso 4 de 4 en SpecializationIntroduction to Cyber Security

This course introduces a series of advanced and current topics in cyber security, many of which are especially relevant in modern enterprise and infrastructure settings. The basics of enterprise compliance frameworks are provided with introduction to NIST and PCI. Hybrid cloud architectures are shown to provide an opportunity to fix many of the security weaknesses in modern perimeter local area networks. Emerging security issues in blockchain, blinding algorithms, Internet of Things (IoT), and critical infrastructure protection are also described for learners in the context of cyber risk. Mobile security and cloud security hyper-resilience approaches are also introduced. The course completes with some practical advice for learners on how to plan careers in cyber security.

De la lección

Blockchain, Anonymity, and Critical Infrastructure Protection

This module introduces several advanced topics in cyber security ranging from blockchain usage, user anonymity, and critical infrastructure protection.

Assignments and Reading2:29

Hashing Algorithms7:42

Blockchain - Part 16:26

Blockchain - Part 29:50

Cyber Attribution7:51

Onion Routing and Tor8:14

Chaum Binding Algorithm9:50

Critical Infrastructure - Part 1 - Requirements7:11

Critical Infrastructure - Part 2 - Protection Methods8:32

Welcome Roger Thornton (Part 2): CTO, AlienVault9:01

Conoce a los instructores

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC
Computer Science

Hi everybody. Ed Amoroso here and I want to talk to you

about a topic that is very much in the news,

the last couple of a few years.

It's a concept called cyber attribution. And here's what it means.

When a cyber attack is carried out successfully or unsuccessfully,

there's usually a great demand certainly by the victim and

also by law enforcement and maybe by all of us the society to figure out who did it.

Who did this cyber attack.

Now, if you've studied the TCP/IP protocol,

you know that because of spoofing and the ability

to essentially set your source IP address to whatever you want,

you can't just do cyber attribution by looking

at a packet and figuring out the source IP,

and then mapping that somewhere and going,

they did the attack.

You certainly can stop traffic from a region or place by doing that.

For example, in China you could decide you don't want to

allow traffic from America. How would you do that?

Wouldn't be easy which you'd have to go in and do a look at

the numeric mappings from

the authorities that do IP mappings and maybe put some filters in.

I don't know why you would want to do that.

But if he did, you could certainly do that.

Does that mean you are stopping cyber attacks?

No. Does that mean you're able to effectively attribute attacks somewhere?

No. It's just a way of blocking based on geography.

So, that's not the way to do attribution.

But it turns out that law enforcement groups,

intelligence agencies all around the world,

doesn't matter what country you're talking about for the most part,

but in most developed countries,

there is pretty good techniques for doing attribution.

So, as you, as a citizen,

are just thinking through how would an intelligence

agency or a law enforcement group figure out who did a cyber attack,

turns out they have some techniques that are pretty useful.

I want to go through them. There's seven ways that cyber attribution can be carried out.

The first is, in fact,

by doing some cyber forensics.

So, no question that you do want to look at the attack.

You want to look at the malware,

you want to look at how worked,

decode and somehow do some forensic analysis,

deep analysis on whatever you can get your hands on.

If you get your hands on the malware, you should look at it.

Now, there might be a language embedded in the comments and you know,

this is written in Russian.

It must have come from Russia.

It seems like a very weak attribution to me,

and I think to most people,

but it may provide hints. You never know.

I might tie the code, the malware,

to some similar types of things that analysts may have seen.

There might be hints. Who knows what.

But certainly cyber forensics is one technique,

one factor that's used in determining where some sort of an attack may have originated.

Second it's called network monitoring.

So, this is where in addition to looking at the malware, the entire globe,

for the most part,

involves lots of metadata collection from public networks and from private networks.

Those things generally are done under a legal authority.

It's usually perfectly good legal and policy and business acceptability for doing that.

Sometimes it's under contract,

sometimes it's just legal.

Yes, I guess some of it may be illegal.

That's up to you to decide when and

where that sort of thing may occur and that needs to stop.

But where it is legal, there's a lot of data that's out there and

certainly law enforcement will have access to a lot of that,

and they can use that to go rewind the tape and see what may have traveled where.

An enterprise may have,

for example, lost a bunch of data.

Maybe it was all encrypted but you can see a big monster file flew out.

It's some time from their gateway, from here to there.

You can go back and you could look at that,

say if there is anything greater than a gig left

our gateway in the last week and you see and you get some hints.

So, network monitoring is two.

Third is kind of controversial.

This is called offensive attacks.

Certainly not acceptable if it's illegal.

But we do know that nation states break into each other stuff.

That's sort of attributed.

Most people know that.

So for example, if you break into

somebody's apple cart and you see one of your apples there,

pretty good idea, that maybe they aren't stealing your apples.

Now, again, that's kind of controversial because you could

argue for most part that that may not be acceptable.

But it is a technique that's used,

it is something that a lot of militaries will use,

and it's kind of a third technique for cyber attribution.

The fourth involves spies, insiders.

People who are there just watching what's going on.

You can't deny the fact that in the business of

law enforcement and cyber intelligence and so on and so forth, certainly nation state,

there are going to be cases where an insider may be planted

there specifically to hack in back to,

you know, the home office exactly what's going on and

provide some attribution that an attack may be going on.

Could be extremely illegal kinds of things,

but again, I'm just going through the functional techniques that can be used.

Each society, each group,

has to decide what's considered acceptable.

Another one is leaks,

and sort of a fifth, and we see that all the time.

It may be documents describing some sort of aspect

of the attack or someone bragging on social media and it gets leaked out.

You can read the transcripts of this.

Again, very, very, very common in catching hackers,

young people who are hacking many cases will

brag and their bragging is done online and then it leaks out.

This is a time when I think maybe 9 out of 10 cyber attributions were

done with respect to hackers based on

them having bragged and that information leaking out.

You can see how that clearly would be

something that would be a useful means for determining who does what.

A six is basic law enforcement investigation,

going and tracking leads and determining

motives and trying to understand who might be doing what,

for what reason, to whom, why, how.

Very traditional techniques.

Extremely mature.

Law enforcements has been doing that forever. That's a sixth.

And then the seventh is that if you have partners or allies, other countries,

other groups who are doing this sort of thing,

you share and they may be doing the same thing.

So, you put all of these things together.

If you're asking a group of authorized nation state, military,

government or law enforcement group,

are you able to determine who did a particular cyber attack,

it's not one of these, well,

because you can spoof a source IP,

we can't possibly figure it out.

The answer is they have a lot of techniques.

Now, if you are a business and you want to do cyber attribution,

a lot of these things are not available to you.

Better not be doing offensive attacks.

I hope you're not planning spies out there somewhere.

I hope you're not intentionally grabbing leaks.

But the other ones are probably okay,

forensics and monitoring in some sense,

working with law enforcement and having partners sharing threat information with others.

Those are all still pretty powerful.

So, the bottom line here is that cyber attribution is a pretty well-developed field,

certainly in law enforcement,

a little lesser for business and certainly the

least well-developed as individuals trying to determine attribution.

But we've this into your understanding as a cybersecurity fledgling or developing expert,

because it's something that will make him a more informed citizen.

Hope this has been helpful.

I'll see you in a subsequent video.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play