
5 - 1
Information Assurance Foundations - SANS
©2001
1
Information Warfare
Security Essentials
The SANS Institute
"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this
module we will consider what warfare means in the context of today's information systems and
networks. We will see that the fundamental principles of warfare known for thousands of years are
still relevant on today's new battleground.
Agenda
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics
After introducing the concept of information warfare, we will be concentrating on warfare principles
and strategies. We will discuss both offensive and defensive tactics, both theory and practice. As a
concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.
What is Information Warfare?
Information warfare is the offensive and defensive
use of information and information systems to

time someone uses information as a weapon against an adversary, that is information warfare. The
distinguishing factors are only how the information is obtained, how it is used, and to what impact.
We consider theft of information a form of information warfare, but the most critical issue is how the
stolen information is used against its rightful owner. In terms of the examples, a company that
discovers a list of their competitor's customers might send false or misleading information to the
customers, might market to these people specifically, or might simply see to it that the customers are
harassed by telemarketers and spam (so the recipients think that the company they trusted released
their information without permission).
A foreign government stealing classified backup tapes might be able to discover detailed technical
information concerning the capabilities of their adversary's weapons, or might obtain documents
detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are
endless.
A startup tech company that has a next generation product to release might post information stating
that their product will not be ready for several months. Such a posting might lull the company's
competitors into a false sense of not needing to hurry their own development cycles. When the
startup releases its product months earlier than advertised, the competition is caught flat-footed.
Key Points From the Examples
• Information Warfare can be:
– Theft
– Deception
– Sabotage
• Does not have to be technical or
sophisticated
• Attackers will always go after the
weakest link
Abstracting the previous examples a level, we can list out a few fundamental concepts. Theft,

How Dangerous is it Really?
A few facts from the Honeynet project concerning
break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked
within 3 days of connecting to net
• Fastest time for any server to be compromised was
15 minutes from first connection to net
• Default Win98 box compromised in less than 24
hours from first connection, and compromised
another four times in the next three days
But let's back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet
today? Are there really that many "evil-doers" out to do me ill when I connect to the internet?
Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of
honeypots of all different operating systems) recently reported some statistics concerning the rate of
break-ins to their small network over a period of 9 months. The full information concerning the stats
above is quoted from the paper below.
http://project.honeynet.org/papers/stats/
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were
attacked within three days of connecting to the internet. Based on this, we estimate the life
expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we
attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever
for a system to be compromised was 15 minutes. This means the system was scanned, probed, and
exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot
we ever setup, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same
configuration found in many homes and organizations. The honeypot was compromised in less than

spreads rapidly but remains undetected because it does not do anything observable. The virus infects
several computers, but because it is not detected the virus program is copied onto the backup tapes
along with legitimate information. Time passes. Ten months later the virus' payload goes into action
and starts destroying files and laying waste to operating systems. You think, no problem, I've got
backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?
Do you have insurance against information loss? A recent Information Week article (January 2,
2002) explains how many insurance providers have decided to exclude online assets and
terrorism-related damages from their IT policy offerings.
http://www.informationweek.com/story/IWK20020102S0004
Threats
• Internal threats
– Employees
– Contractors
– Visitors
• External threats
– Anyone connected to the internet
The threat to a company could really be anything. Threats are typically broken down into internal
and external threats. Internal threats are attacks launched by employees, contractors, or even
visitors to your facility. External threats could really be anyone that is connected to the internet.
Threats can also range from intentional to unintentional events. Unintentional events, like floods or
fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt
the company, the net result is the same. Therefore it is important to understand and react to all
possible threats that are posed to your company.

– Company descriptions
– Public databases (whois, legal, edgar, healthcare,
whitepages)
Over two thousand years ago Sun Tzu noted that deploying spies to gather information such as the
names of people in the enemy organization, and the types of sentries (read defense mechanisms here)
is an important first step in warfare. Things haven't changed very much.
Given today's internet, it is possible for an attacker to find out a great deal about an adversary
without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual
or a company, internet white page directories can provide names, addresses, phone numbers, street
maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit
history databases without too much trouble. A google.com search for an individual's email address
can provide links to newsgroup postings which contain information about the individual's interests,
habits, friends, employer, etc. Information-rich messages posted to security mailing lists such as "I
work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is
backdoored..." can be very useful.
In addition, companies love giving out information to help fuel growth, but often fail to realize the
negative impact that information could have on the company. For example, an ISP that has just built a
new network wants to advertise it to help get additional business. So they issue a press release that
describes their new computers -- what brand, what operating systems, what versions, etc. An attacker
can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a
company that posts a list of employee names provides an attacker with information useful in
username/password guessing attacks.
Public databases can also provide a wealth of information. For example, publicly traded companies
are required to disclose certain information to the SEC. The SEC information is posted online in the
EDGAR database. These documents could be used to obtain the names of key executives, which
could be used in social engineering attacks.
Another common practice is for attackers to notice that a merger or acquisition has taken place, and
capitalize on the ensuing organizational confusion. For example, let's say our attacker's desired target
XYZ has recently acquired Acme Widgets Inc., and the two companies' technologies are being
integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company

articles linked below describe an incident where attackers stole source code from Microsoft in
October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial
espionage".
http://news.zdnet.co.uk/story/0,,s2082221,00.html
http://news.cnet.com/news/0-1005-200-3308084.html
Interestingly, two of the main concerns in the Microsoft incident were that the attackers would
implant backdoors in the Windows source code (they had access to the data for three months), and
that the attackers would analyze the source code and discover vulnerabilities that no one else knows
about. Other concerns included the notion that a rival company might try to market the stolen
software as their own, or use the proprietary algorithmic and programming techniques to advance
their own products. These concerns illustrate a few of the dangers of proprietary information theft.
False Information
"All warfare is based on deception...The one who is skillful
maintains deceitful appearances, according to which the
enemy will act." -Sun Tzu
• If you know someone is watching you, why
not give them misleading information?
– False press releases
– False company information
– False server banners
This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the
false information to influence their actions to our advantage. For example, a company might "leak"
the fact that they are going to submit a proposal for a particular job at the price of $5 million. The
competition, upon hearing this information, decides to bid $4.5 million. When the original company
actually bids $4 million (instead of the "leaked" $5 million figure) the spying competitor finds
themselves underbid.

is twofold.
First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's
methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow
attackers to break in and then watch what they do. By observing what files they look for we may be
able to guess what they are after, and by watching the tools they use we gain an idea of their
capabilities and methods of operation. For example, if the attacker exploits an MS SQL Server
vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant
systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH
server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners.
Second, honeypots can provide a way of diverting an attacker’s attention away from critical systems
for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit",
that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By
letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's
capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy
too: "Sacrifice something, that the enemy may snatch at it."
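The port-50000 sweep described above, as an added example that is not part of the SANS module: a Python routine that reads connection records in a constructed, hypothetical firewall-style format and reports the internal hosts that actually completed sessions on 50000/tcp, ignoring refused or blocked attempts and skipping listeners already approved in a baseline. The 10.1.0.0/16 internal range, the record format and every address are assumptions.

```python
"""Added example (not SANS module code): sweep connection logs for internal
hosts that accept sessions on 50000/tcp.  Format and addresses are assumed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")   # assumed internal address range
WATCH_PORT = 50000                      # Trojan SSH port named in the module text

# Constructed sample records in a hypothetical firewall style, not real traffic.
SAMPLE_LOG = """\
2001-11-04T02:14:07 TCP 10.1.4.22:33100 -> 10.1.7.15:50000 ESTABLISHED
2001-11-04T02:14:09 TCP 10.1.4.22:33101 -> 10.1.7.15:50000 ESTABLISHED
2001-11-04T02:15:30 TCP 10.1.4.22:33102 -> 10.1.9.40:50000 REFUSED
2001-11-04T02:16:01 TCP 10.1.5.3:40211 -> 10.1.7.15:22 ESTABLISHED
2001-11-04T02:16:44 TCP 192.0.2.77:51234 -> 10.1.7.15:50000 ESTABLISHED
2001-11-04T02:17:00 TCP 10.1.4.22:33103 -> 10.1.8.9:50000 BLOCKED
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>[A-Z]+)$"
)

def parse_line(line):
    """Return the fields of one record, or None when the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_listeners(log_text, port=WATCH_PORT, baseline=frozenset()):
    """Map each internal host with a completed session on `port` to the sources
    that reached it.  REFUSED/BLOCKED prove nothing listens; baseline is skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port or rec["state"] != "ESTABLISHED":
            continue
        if ip_address(rec["dst"]) in INTERNAL and rec["dst"] not in baseline:
            hits[rec["dst"]].add(rec["src"])
    # an outside address reaching the backdoor port is the most urgent finding
    return {host: {"sources": sorted(srcs),
                   "external_sources": sorted(s for s in srcs
                                              if ip_address(s) not in INTERNAL)}
            for host, srcs in hits.items()}
```

Running `find_listeners(SAMPLE_LOG)` flags only 10.1.7.15, since the refused and blocked attempts against the other two hosts are not evidence of a listener.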
Denial of Service Attacks
"So in war, the way is to avoid what is strong and
strike at what is weak." -Sun Tzu
• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image
Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a
Canadian teenager in February of 2000 resulting in an estimated total loss of $1.7 billion to several
US companies. The attacker, known as "mafiaboy," flooded the webservers of Ebay, Dell, Amazon,
and Yahoo (among others) with meaningless traffic in order to overload the target networks and

A recent CERT report provides the following figures concerning numbers of reported vulnerabilities
for the past three years:
1999: 417 vulnerabilities
2000: 1090 vulnerabilities
2001: 2437 vulnerabilities
CERT further reports that the number of incidents has doubled between 2000 and 2001. 21,756
incidents were reported in 2000, while 52,658 incidents were reported in 2001. Less than 10,000
incidents were reported in 1999.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html
http://www.cert.org/stats/cert_stats.html
Clearly it is important to keep up with information on new vulnerabilities, patches, and exploits. It is
also important to understand the fundamental techniques employed by attackers (e.g. buffer
overflows, improperly formatted packets, weak password exploitation, etc.) so that we can spot
vulnerabilities ourselves before an attacker finds them. The administrator who believes that "it
couldn't happen to them" is sure to be in for a rough ride.

