2 Technical and Operational Considerations in Cyberattack and Cyberexploitation
Pages 79-158

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 79...
... Cyberattack and cyberdefense are sometimes intimately related through the practice of active defense (Section 2.5), which may call for the defender to launch a cyberattack itself in response to an incoming cyberattack on it.
From page 80...
... Several characteristics of weapons for cyberattack are worthy of note: • The indirect effects of such weapons are almost always more consequential than the direct effects of the attack. (Direct or immediate effects are effects on the computer system or network attacked.
From page 81...
... One consequence can be that collateral damage and damage assessment of a cyberattack may be very difficult to estimate. • Cyberattacks are often very complex to plan and execute.
From page 82...
... 2.2 The Basic Technology of Cyberattack
Perhaps the most important point about cyberattack from the standpoint of a major nation-state, backed by large resources, national intelligence capabilities, and political influence is that its cyberattack capabilities dwarf the kinds of cyberattacks that most citizens have experienced in everyday life or read about in the newspapers. To use a sports metaphor, the cyberattacks of the misguided teenager -- even sophisticated ones -- could be compared to the game that a good high school football team can play, whereas the cyberattacks that could be conducted by a major nation-state would be more comparable to the game of a professional football team with a 14-2 win-loss record in the regular season.
From page 83...
...  In the lexicon of cybersecurity, "using" or "taking advantage" of a vulnerability is often called "exploiting a vulnerability." Recall that Chapter 1 uses the term "cyberexploitation" in an espionage context -- a cyber offensive action conducted for the purpose of obtaining information. The context of usage will usually make clear which of these meanings of "exploit" is intended.
From page 84...
... 19.  Defense Science Board, "Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software," U.S.
From page 85...
... • Communications channels. The communications channels between a system or network and the "outside" world can be used by an attacker in many ways.
From page 86...
... In general, it would be expected that an adversary's important and sensitive computer systems or networks would fall into the category of difficult targets. Access paths to a target may be transient. For example, antiradiation missiles often home in on the emissions of adversary radar systems; once  An important caveat is the fact that adversary computer systems and networks are subject to the same cost pressures as U.S.
From page 87...
... Access paths to a target can suggest a way of differentiating between two categories of cyberattack: • Remote-access cyberattacks, in which an attack is launched at some distance from the adversary computer or network of interest. The canonical example of a remote access attack is that of an adversary computer attacked through the access path provided by the Internet, but other examples might include accessing an adversary computer through a dialup modem attached to it or through penetration of the wireless network to which it is connected and then proceeding to destroy data on it.
From page 88...
... can also be targeted through remote access (e.g., penetrating or jamming a wireless network) or through close access (e.g., tapping into a physical cable feeding a network)
From page 89...
... Of greatest significance are the scenarios in which focused but small-scale attacks are directed against a specific computer or user whose individual compromise would have enormous value ("going after the crown jewels") -- an adversary's nuclear command and control system, for example.
From page 90...
... When hosts inside a network begin to attack the internal network infrastructure or servers, they are often hard to identify rapidly because the very tools that are used by network operations staff to diagnose network problems may not be available. An attack spread widely enough can overwhelm the network operations and system 11 These concepts can also be found in epidemiologic models for the spread of malware.
From page 91...
... Alternatively, and perhaps more prosaically, multiple cyberattacks might be needed to ensure the continuing disruption of an adversary computer system or network because the vulnerabilities that an attacker needs to target may not remain static. In an operation that calls for multiple cyberattacks over time, the targeted party may well respond to the first signs of the attack by closing or correcting some or all of the vulnerabilities enabling the attack.
From page 92...
... This section is divided into three subsections: malware suitable for remote attacks, approaches for close-access attacks, and social engineering. In many cases, these tools and methods are known because they have been used in criminal enterprises.
From page 93...
... However, because of the resources available to them, high-end attackers may also be able to target a specific computer or user whose individual compromise would have enormous value ("going after the crown jewels")
From page 94...
... A high-capacity attack network can make good use of another layer between the attacker and the handlers, which ideally is highly survivable and hardened so as to remain active in the face of defensive action. This layer is then used to control multiple independent botnets, or lower levels of distributed attack networks, in a manner similar to the regiment/battalion/company hierarchy used by conventional military forces.
From page 95...
... There is no need for malicious software to be installed on the reflector; hence this makes a good indirect attack method that is very hard to trace back to the attacker. 2 Department of Justice, "Criminal Complaint: United States of America v.
From page 96...
... Although they are known to be well suited to DDOS attacks, it is safe to say that their full range of utility for cyberattack and cyberexploitation has not yet been examined.
From page 97...
... Similar problems hold for any authenticator that remains constant. An attacker may try to compromise security software to pave the way for the introduction of another attack agent.
From page 98...
... , which in turn grant someone outside the protected network full control of the host inside the network, or to control hosts in an enterprise in the supply chain of the primary target. Anonymizers  Anonymizers are used to conceal the identity of an attacking party.
From page 99...
... Primarily used by Internet service providers (ISPs) and very large private networks such as those of multinational corporations, BGP is the Internet protocol used to characterize every network to each other, for example between ISPs.
From page 100...
... .20 However, in order to reduce the load on the primary name servers, tables containing the relevant information are stored (cached) on secondary DNS servers operated by Internet service providers.
From page 101...
... 2.2.5.2 Possible Approaches for Close-Access Cyberattacks
To reduce the threat from tools that enable remote attacks, a potential target might choose to disconnect from easily accessible channels of communication. A computer that is "air gapped" from the Internet is not susceptible to an attack that arrives at the computer through Internet connections.
From page 102...
... Standard antivirus software and intrusion detection or protection systems are significantly less effective. Examples of close-access cyberattacks include the following: • Attacks somewhere in the supply chain.
From page 103...
... Security software is intended to protect a computer from outside threats. In many cases, it does so by identifying and blocking specific malicious software or activities based on some kind of "signature" associated with a given malicious action.
From page 104...
... 2.2.5.3 Compromise of Operators, Users, and Service Providers
Human beings who operate and use IT systems of interest constitute an important set of vulnerabilities for cyberattack. They can be compromised through recruitment, bribery, blackmail, deception, or extortion. Spies working for the attacker may be unknowingly hired by the victim, and users can be deceived into actions that compromise security. Misuse of authorized access, whether deliberate or accidental, can help an attacker to take advantage of any of the vulnerabilities previously described -- and in particular can facilitate close-access cyberattacks. For example, the operation of a modern nationwide electric power grid involves many networked information systems and human operators of those systems; these operators work with their information systems to 24 Some possible precedent for such actions can be found in the statement of Eric Chien, then chief researcher at the Symantec antivirus research lab, that Symantec would avoid updating its antivirus tools to detect a keystroke logging tool that was used only by the FBI (see John Leyden, "AV Vendors Split over FBI Trojan Snoops," The Register, November 27, 2001, available at http://www.theregister.co.uk/2001/11/27/av_vendors_split_over_fbi/)
From page 105...
... and the feature is often turned on, the red team was notified as soon as the drive was inserted. The result: 75 percent of the USB drives distributed were inserted into a computer.27 A final category of vulnerabilities and access emanates from the IT-based service providers on which many organizations and individuals rely. Both individuals and organizations obtain Internet connectivity from 26 See Aaron J
From page 106...
... This can be done using direct attacks against exposed services (e.g., scan and attack behavior seen in worms like Slammer and Blaster), or indirectly using social engineering techniques (e.g., e-mail with Trojan horse executables as file attachments, instant messages with hypertext links, web pages containing malicious content, Trojan horse executables in modified "free" software download archives, or removable media devices dropped in parking lots)
From page 107...
... As mentioned above, worms to date have been quite noisy and in some cases spread so fast that they disrupt the network infrastructure devices themselves. In order to make direct attacks viable to recruit hosts for the kind of attack described here, a more slow and subtle attack (especially one involving a zero-day attack method whose existence is kept secret)
From page 108...
... The attacker who wishes to redirect a software download request, or web page request, must simply answer an unauthenticated DNS request that is easily seen by the attacker in an open WiFi network. The client is then silently redirected to a malicious site, where malicious software is downloaded and installed onto the system.32 • Cross-site scripting attacks involve redirection of web browsers through embedded content in HTML or JavaScript.
From page 109...
... Financial assets of an adversary can be used by an attacker. Rather than paying a defense contractor market rates to develop arms and munitions out of its own public coffers, a nation has the ability to steal money from an adversary for use in developing and advancing its cyberattack capabilities.
From page 110...
... This distinction between direct and indirect effects is particularly important in a cyberattack context.
From page 111...
... • The computing systems controlling elements of the nation's critical infrastructure, for example, the electric power grid, the air traffic control system, the transportation infrastructure, the financial system, water purification and delivery, or telephony.
From page 112...
... If so, keeping a 34 For example, the time scales involved may be very different. Restoring the capability of an attacked computer that controls a power distribution system is likely to be less costly or time-consuming compared to rebuilding a power plant damaged by kinetic weapons.
From page 113...
... Effects Although the direct effects of a cyberattack relate to computers, networks, or the information processed or transmitted therein, cyberattacks are often launched in order to obtain some other, indirect effect -- and in no sense should this indirect effect be regarded as secondary or unimportant. The adversary air defense radar controlled by a computer is of greater interest to the U.S.
From page 114...
... The intended indirect effect is that the air defense facility loses power and stops operating. However, if -- unknown to the attacked -- a Zendian hospital is also connected to the same generation facility, the hospital's loss of power and ensuing patient deaths are also indirect effects, and also an unintended consequence, of that cyberattack.
From page 115...
... For example, an attacker might wish to masquerade as the adversary's national command authority or as another senior official (or agency) and issue phony orders or pass faked intelligence information.
From page 116...
... In some instances, the target identification process is a manual, intelligence-based effort. From a high-level description of the targets of interest (e.g., the vice president's laptop, the SCADA systems controlling the electric generation facility that powers the air defense radar complex 10 miles north of the Zendian capital, the transaction processing systems of the Zendian national bank)
From page 117...
... Manual target identification is slow, but is arguably more accurate than automated target identification. Automated target selection is based on various methods of mapping and filtering IP addresses and/or DNS names, for example through programmed pattern matching, network mapping, or querying databases (either public ones, or ones accessible through close-access attacks)
From page 118...
... are required if the attack is intended as a very precise one directed at a particular system and/or if the attack is to be a close-access attack.39 Conversely, a lack of such information will result in large uncertainties about the direct and indirect effects of a cyberattack, and make it difficult for commanders to make good estimates of likely collateral damage. Information collection for cyberattack planning differs from traditional collection for kinetic operations in that it may require greater lead time and may have expanded collection, production, and dissemination requirements, as specific sources and methods may need to be positioned and employed over time to collect the necessary information and conduct necessary analyses.40 As illustrations (not intended to be exhaustive)
From page 119...
... Finally, automated means may be used to obtain necessary intelligence information -- an example is the use of automated probes that seek to determine if a system has ports that are open, accessible, and available for use. Intelligence preparation for a cyberattack is often a staged process.
From page 120...
... Lastly, the fact that considerable intelligence information may be required to conduct a specific targeted attack points to a possible defen 41 Even when the capacity and resources exist to be able to operate at a high response level, there are many reasons why system owners may not respond in a cooperative manner to a widespread computer attack. They may not be capable of immediately responding, may lack adequate resources, may be unable to physically attend to the compromised host, or may even speak a different language than the person reporting the incident.
From page 121...
... For example, the weather may make it impossible to obtain visual imagery of the target site, or the adversary may be able to take advantage of the delay between weapons impact and damage assessment to create a false impression of the damage caused. There are similar needs for understanding the effect of cyberweapons and assessing damage caused by cyberweapons.
From page 122...
... The smallest change in the configuration and interconnections of an IT system can result in completely different system behavior, and the direct effects of a cyberattack on a given system may be driven by the behavior and actions of the human system operator and the specific nature of that system as well as the intrinsic characteristics of the cyberweapon involved. Furthermore, these relatively small and/or obscure and/or hidden characteristics are often important in cyber targeting, and information about these things is difficult to obtain through remote intelligence collection methods such as photo reconnaissance, which means that substantial amounts of relevant information may not be available to the attacker.
From page 123...
... To illustrate, the precise geographical location of a computer is often not available to a software agent running on it, and may indeed be impos 43 These comments presume that the attack software is written correctly as the attacker intended -- mistakes in the worm or virus may indeed lead to unintended effects. A classic example of a worm written with unintended consequences is the Morris worm.
From page 124...
... As for assessing damage caused by a cyberattack, note first that the damage due to a cyberattack is usually invisible to the human eye. To ascertain the effects of a computer network attack over the Internet, an 44 See DOD definitions for "strategic operations" and "strategic air warfare," in Joint Chiefs of Staff, Dictionary of Military and Associated Terms, Joint Publication 1-02, Department of Defense, Washington, D.C., April 12, 2001 (as amended through October 17, 2008)
From page 125...
... Where ping and traceroute as tools for damage assessment depend on the association of a damaged machine with a successful cyberattack, an alternative approach might call for the use of in-place sensors that can report on the effects of a cyberattack. Prior to a cyberattack intended to damage a target machine, the attacker plants sensors of its own on the target machine.
From page 126...
... The bottom line on damage assessment is that the state of the art in damage assessment techniques for cyberattacks is still primitive in comparison to similar techniques for kinetic attacks. Cyberattackers must therefore account for larger amounts of uncertainty in their operational planning than their physical-world counterparts -- and thus may be inhibited from relying solely or primarily on cyberattack for important missions.
From page 127...
... All of these factors increase the complexity of planning a cyberattack. One of the most difficult-to-handle aspects of a cyberattack is that in contrast to a kinetic attack that is almost always intended to destroy a physical target, the desired effects of a cyberattack are almost always indirect, which means that what are normally secondary effects are in fact of central importance.
From page 128...
... The attacker needs to know outcomes of various intermediate steps in the causal chain as well as what responses the victim has made at various stages of the attack, so that he may take appropriate compensating action. The difficulties of collecting such information are at least as hard as those of undertaking damage assessment for the ultimate outcome.
From page 129...
... , decision making that results in an appropriate course of action, communication of the desired course of action to the weapons available (Section 2.3.8.2, below), and damage assessment that indicates to the decision maker the results of the actions taken (Section 2.3.5)
From page 130...
... against an adversary. Many analysts also include matters such as damage assessment, attack assessment, and tactical warning under the rubric of command and control; this report addresses these matters in Section 2.3.5 (damage assessment)
From page 131...
... Lastly, an attack agent will often need ways to transmit information to its controller for purposes such as damage assessment, report-back status checking, and specifying its operating environment so that a more customized attack can be put into place.
From page 132...
... Because so much IT is designed, built, deployed, and operated by the private sector, some degree of coordination with the private sector would not be surprising in the planning and execution of certain kinds of cyberattack. For example, a cyberattack may travel over the Internet to an adversary computer, and spillover effects (such as reductions in available bandwidth)
From page 133...
... Of particular relevance to cyberattack is the problem of technical attack attribution (Section 2.4.2), which has bedeviled the cybersecurity community for many years.50 Many cyberattack capabilities are themselves afforded by various 50 For more discussion of this point, see National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007.
From page 134...
... (Such changes are analogous to randomly changing the schedule of a guard.) Thus, if a specific computer system is to be targeted in a cyberattack, the attacker must hope that the access paths and vulnerabilities on which the cyberattack depends are still present at the time of the attack.
From page 135...
... 2.4.1 Tactical Warning and Attack Assessment
Tactical warning and attack assessment (TW/AA) refer to the processes through which the subject of an attack is alerted to the fact that an attack is in fact in progress and made aware of the scale, scope, and nature of an attack.
From page 136...
... From an organizational perspective, the response of the United States to a cyberattack by a non-state actor is often characterized as depending strongly on whether the attack -- as characterized by factors such as those described above -- is one that requires a law enforcement response or a national security response. This characterization is based on the idea that a national security response relaxes many of the constraints that would otherwise be imposed by a law enforcement response.51 But the "law enforcement versus national security" dichotomy is 51 For example, active defense -- either by active threat neutralization or by cyber retaliation -- may be more viable under a national security response paradigm, whereas a law enforcement paradigm might call for passive defense to mitigate the immediate threat and other activities to identify and prosecute the perpetrators.
From page 137...
... renders a decision about next steps to be taken, and in particular whether a law enforcement or national security response is called for. How might some of the factors described above be taken into account as a greater understanding of the event occurs?
From page 138...
... , the operational arm of the National Cyber Security Division, coordinates defense against cyberattacks. Further reorganization at DHS moved the Office of Operations Coordination to a freestanding component that runs NICC as part of the National Operations Center. The Office of Infrastructure Protection (OIP)
From page 139...
... • The attack against the United States was launched by low-level agents of the Zendian government without the approval or even the knowledge of the Zendian national command authority. • The attack was launched through the efforts of computer-savvy
From page 140...
... Such sources might include: • Intelligence sources. For example, a well-placed informant in the Zendian government might provide information indicating the responsibility of that nation in initiating the attack, or routinely monitored message traffic might indicate a point of responsibility within the Zendian government.
From page 141...
... The difference between attribution and having an access path is significant, because in the absence of an access path, neutralization of a cyberattack is not possible, though retaliation for it might be.
From page 142...
... When inexperienced human beings with little hard information are placed into unfamiliar situations in a general environment of tension, they will often make worst-case assessments. In the words of a former Justice Department official involved with critical infrastructure protection, "I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt."
2.5 Active Defense for Neutralization as a Partially Worked Example
To suggest how the elements above might fit together operationally, consider how a specific active defense scenario might unfold. In this scenario, active defense means offensive actions (a cyber counterattack)
From page 143...
... The IP address of the proximate source of this party can be ascertained with some degree of confidence, and a corresponding geographic location may be available -- in this case, the geographic location of the proximate source is Zendia. But these facts do not reveal whether the attack was:
• Sponsored by Zendia and launched with the approval of the highest levels of the Zendian National Command Authority;
• Launched by low-level elements in the Zendian military without high-level authorization or even the knowledge of the Zendian NCA;
• Launched by computer-savvy Zendian citizens;
• Launched by terrorists from Zendian soil; or
• Launched by Ruritania transiting through Zendia, which may be entirely innocent.
From page 144...
... In order to stop the remaining agents, the United States launches a denial-of-service attack against the Zendian controller, effectively disconnecting it from the Internet while at the same time issuing a demarche to the Zendian government to cease its hostile actions and to provide information on the SCADA/EMS systems penetrated that is sufficient to effect the removal of all hostile agents. Zendia responds to the U.S.
From page 145...
... An important aspect of any neutralization counterattack is the time it takes to determine the identity of the attacking party and to establish an access path and its geographic location. Perhaps the most plausible justification for a neutralization counterattack is that a counterattack is
From page 146...
... (In this regard, the situation is almost exactly parallel to the issue of riding out a strategic attack on the United States or employing a strategy of launching a land-based strategic missile on warning or while under attack -- the latter being regarded as much more likely during times of tension with a putative adversary.) Under some circumstances, the United States might choose to launch a neutralization cyberattack fully expecting that the adversary would respond with an even larger hostile cyberattack.
From page 147...
... Or somewhere in between? • A counterattack requires only that an access path to the attacker be available.
From page 148...
... , and providing upstream support (e.g., Internet service providers)
From page 149...
... Actions 1-4 are generally non-controversial, in the sense that it would not be legally problematic for a private company to take any of these responses. Actions 6-8 are much more aggressive, fall into the general category of active defense (and more)
From page 150...
... This objective is essentially the same as that for all signals intelligence activities -- to obtain intelligence information on an adversary's intentions and capabilities. • Be a passive observer of a network's topology and traffic.
From page 151...
... One reason is that if the targeted party does not know that its secret information has been revealed, it is less likely to take countermeasures to negate the compromise. A second reason is that the exploiter would like to use one penetration of an adversary's computer or network to result in multiple exfiltrations of intelligence information over the course of the entire operation.
From page 152...
... A hypothetical example of cyberexploitation based on remote access might involve "pharming" against an unprotected DNS server, such as the one resident in wireless routers.61 Because wireless routers at home tend to be less well protected than institutional routers, they are easier to compromise. Successful pharming would mean that web traffic originating at the home of the targeted individual (who might be a senior official in an adversary's political leadership)
From page 153...
... These individuals were subscribers to Vodafone Greece, the country's largest cellular service provider. The taps were implemented through a feature built into the company's switching infrastructure originally designed to allow law enforcement agencies to tap telephone calls carried on that infrastructure.
From page 154...
... -- the vice president's laptop, for example. To the extent that specific systems must be targeted, substantial intelligence efforts may be required to identify both access paths and vulnerabilities.
From page 155...
... 67 As for gathering the intelligence needed to penetrate an adversary computer or network for cyberexploitation, this process is essentially identical to that for cyberattack. The reason is that cyberexploitation and cyberattack make use of the same kinds of access paths to their targets, and take advantage of the same vulnerabilities to deliver their payloads.
From page 156...
... For example, because a given instrument for cyberexploitation can be designed with cyberattack capabilities, the transition between exploitation and attack may be operationally simpler. Also, a cyberattack may be designed to corrupt or degrade a system slowly -- and exploitation is possible as long as the adversary does not notice the corruption.
From page 157...
... This is especially true of DDOS attacks, where attackers must first take control of thousands and thousands of computers by installing their malicious software on them, causing them to join into mass command and control (e.g., join a botnet in IRC channels). The same bots that are used for DDOS are also used for recruiting new bots through direct attack, sending copies of the malware to addressees in the victimized computer's address book.
From page 158...
... (This is basic intelligence collection and analysis.) Control of internal hosts can also be used to direct attacks -- behind the firewall and intrusion detection systems or intrusion prevention systems -- against other internal hosts.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.