2
Technical and Operational Considerations in Cyberattack and Cyberexploitation

This chapter focuses on technical and operational dimensions of cyberattack and cyberexploitation. Section 2.1 provides the essential points of the entire chapter, with the remainder of the chapter providing analytical backup. Section 2.2 addresses the basic technology of cyberattack. Section 2.3 addresses various operational considerations associated with “weaponizing” the basic technology of cyberattack. These sections are relevant both to the attacker, who uses cyberattack as a tool of his own choosing, and to the defender, who must cope with and respond to incoming cyberattacks launched by an attacker. Section 2.4 focuses on the centrally important issue of characterizing an incoming cyberattack. Cyberattack and cyberdefense are sometimes intimately related through the practice of active defense (Section 2.5), which may call for the defender to launch a cyberattack itself in response to an incoming cyberattack on it. Section 2.6 addresses cyberexploitation and how its technical and operational dimensions differ from cyberattack. Section 2.7 provides some lessons that can be learned from examining criminal use of cyberattack and cyberexploitation.

For perspective on tools used for cyberattack, Table 2.1 provides a comparison of tools for kinetic attack and tools for cyberattack.

Note: The committee has no specific information on actual U.S. cyberattack or cyberexploitation capabilities, and all references in this chapter to U.S. cyberattack or cyberexploitation capabilities are entirely hypothetical, provided for illustrative purposes only.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
OCR for page 79
TECHNOLOGY, POLICY, LAW, AND ETHICS OF U.S. CYBERATTACK CAPABILITIES

TABLE 2.1 A Comparison of Key Characteristics of Cyberattack Versus Kinetic Attack

| Characteristic | Kinetic Attack | Cyberattack |
|---|---|---|
| Effects of significance | Direct effects usually more important than indirect effects | Indirect effects usually more important than direct effects |
| Reversibility of direct effects | Low, entails reconstruction or rebuilding that may be time-consuming | Often highly reversible on a short time scale |
| Acquisition cost for weapons | Largely in procurement | Largely in research and development |
| Availability of base technologies | Restricted in many cases | Widespread in most cases |
| Intelligence requirements for successful use | Usually smaller than those required for cyberattack | Usually high compared to kinetic weapons |
| Uncertainties in planning | Usually smaller than those involved in cyberattack | Usually high compared to kinetic weapons |

2.1 IMPORTANT CHARACTERISTICS OF CYBERATTACK AND CYBEREXPLOITATION

For purposes of this report, cyberattack refers to the use of deliberate actions—perhaps over an extended period of time—to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks. Several characteristics of weapons for cyberattack are worthy of note:

• The indirect effects of such weapons are almost always more consequential than the direct effects of the attack. (Direct or immediate effects are effects on the computer system or network attacked. Indirect or follow-on effects are effects on the systems and/or devices that the attacked computer system or network controls or interacts with, or on the people that use or rely on the attacked computer system or network.) That is, the computer or network attacked is much less relevant than the systems controlled by the targeted computer or network or the decision making that depends on the information contained in or processed by the targeted computer or network, and indeed the indirect effect is often the primary purpose of the attack. Furthermore, the scale of damage of a cyberattack can span an enormous range.

• The outcomes of a cyberattack are often highly uncertain. Minute details of configuration can affect the outcome of a cyberattack, and cascading effects often cannot be reliably predicted. One consequence can be that collateral damage and damage assessment of a cyberattack may be very difficult to estimate.

• Cyberattacks are often very complex to plan and execute. They can involve a much larger range of options than most traditional military operations, and because they are fundamentally about an attack’s secondary and tertiary effects, there are many more possible outcome paths whose analysis often requires highly specialized knowledge. The time scales on which cyberattacks operate can range from tenths of a second to years, and the spatial scales may be anywhere from “concentrated in a facility next door” to globally dispersed.

• Compared to traditional military operations, cyberattacks are relatively inexpensive. The underlying technology for carrying out cyberattacks is widely available, inexpensive, and easy to obtain. An attacker can compromise computers belonging to otherwise uninvolved parties to take part in an attack activity; use automation to increase the amount of damage that can be done per person attacking, increase the speed at which the damage is done, and decrease the required knowledge and skill level of the operator of the system; and even steal the financial assets of an adversary to use for its own ends. On the other hand, some cyberattack weapons are usable only once or a few times.

• The identity of the originating party behind a significant cyberattack can be concealed with relative ease, compared to that of a significant kinetic attack. Cyberattacks are thus easy to conduct with plausible deniability—indeed, most cyberattacks are inherently deniable. Cyberattacks are thus also well suited for being instruments of catalytic conflict—instigating conflict between two other parties.

Cyberexploitations are different from cyberattacks primarily in their objectives and in the legal constructs surrounding them. Yet, much of the technology underlying cyberexploitation is similar to that of cyberattack, and the same is true for some of the operational considerations as well. A successful cyberattack requires a vulnerability, access to that vulnerability, and a payload to be executed. A cyberexploitation requires the same three things—and the only difference is in the payload to be executed. That is, what technically distinguishes a cyberexploitation from a cyberattack is the nature of the payload. These technical similarities often mean that a targeted party may not be able to distinguish easily between a cyberexploitation and a cyberattack—a fact that may result in that party’s making incorrect or misinformed decisions. On the other hand, the primary technical requirement of a cyberexploitation is that the delivery and execution of its payload must be accomplished quietly and undetectably—secrecy is often far less important when cyberattack is the mission.

2.2 THE BASIC TECHNOLOGY OF CYBERATTACK[1]

Perhaps the most important point about cyberattack from the standpoint of a major nation-state, backed by large resources, national intelligence capabilities, and political influence is that its cyberattack capabilities dwarf the kinds of cyberattacks that most citizens have experienced in everyday life or read about in the newspapers. To use a sports metaphor, the cyberattacks of the misguided teenager—even sophisticated ones—could be compared to the game that a good high school football team can play, whereas the cyberattacks that could be conducted by a major nation-state would be more comparable to the game of a professional football team with a 14-2 win-loss record in the regular season.

2.2.1 Information Technology and Infrastructure

Before considering the basic technology of cyberattack, it is helpful to review a few facts about information technology (IT) and today’s IT infrastructure.

• The technology substrate of today’s computers, networks, operating systems, and applications is not restricted to the U.S. military, or even just to the United States. Indeed, it is widely available around the world, to nations large and small, to subnational groups, and even to individuals.

• The essential operating parameters of this technology substrate are determined largely by commercial needs rather than military needs. Military IT draws heavily on commercial IT rather than the reverse.

• A great deal of the IT infrastructure is shared among nations and between civilian and military sectors, though the extent of such sharing varies by nation. Systems and networks used by many nations are built by the same IT vendors. Government and military users often use commercial Internet service providers. Consequently, these nominally private entities exert considerable influence over the environment in which any possible cyberconflict might take place.

[1] A primer on cyberattack in a military context can be found in Gregory Rattray, Strategic Warfare in Cyberspace, MIT Press, Cambridge, Mass., 2001. Rattray’s treatment covers some of the same ground covered in this chapter.

2.2.2 Vulnerability, Access, and Payload

A successful cyberattack requires a vulnerability, access to that vulnerability, and a payload to be executed.[2] In a non-cyber context, a vulnerability might be an easily pickable lock in the file cabinet. Access would be an available path for reaching the file cabinet—and from an intruder’s perspective, access to a file cabinet located on the International Space Station would pose a very different problem from that posed by the same cabinet being located in an office in Washington, D.C. The payload is the action taken by the intruder after the lock is picked. For example, he can destroy the papers inside, or he can alter some of the information on those papers.

2.2.2.1 Vulnerabilities

For a computer or network, a vulnerability is an aspect of the system that can be used by the attacker to compromise one or more of the attributes described in the previous section. Such weaknesses may be accidentally introduced through a design or implementation flaw. They may also be introduced intentionally. An unintentionally introduced defect (“bug”) may open the door for opportunistic use of the vulnerability by an attacker who learns of its existence. Many vulnerabilities are widely publicized after they are discovered and may be used by anyone with moderate technical skills until a patch can be disseminated and installed.[3] Attackers with the time and resources may also discover unintentional defects that they protect as valuable secrets—also known as zero-day exploits.[4] As long as those defects go unaddressed, the vulnerabilities they create may be used by the attacker.

Two additional factors have increased opportunities for the attacker. First, the use of software in society has grown rapidly in recent years, and the sheer amount of software in use continues to expand across societal functions. For instance, a study by the Center for Strategic and International Studies estimated that the amount of software used in Department of Defense systems has been increasing rapidly with no let-up for the foreseeable future.[5] More software in use inevitably means more vulnerabilities. Second, software has also grown in complexity. Users demand more and more from software, and thus the complexity of software to meet user requirements increases steadily. Complex software, in turn, is difficult to understand, evaluate, and test.[6] In addition, software is generally developed to provide functionality for a wide range of users, and for any particular user only a limited set of functionality may actually be useful. But whether used or not, every available capability presents an opportunity for new vulnerabilities. Simply put, unneeded capability means unnecessary vulnerability.[7] Even custom systems often include non-essential but “nice-to-have” features that from a security perspective represent added potential for risk, and the software acquisition process is often biased in favor of excess functionality (seen as added value) while failing to properly evaluate added risk.

Of course, vulnerabilities are of no use to an attacker unless the attacker knows they are present on the system or network being attacked. But an attacker may have some special way of finding vulnerabilities, and nation-states in particular often have special advantages in doing so. For example, although proprietary software producers jealously protect their source code as intellectual property upon which their business is dependent, some such producers are known to provide source-code access to governments under certain conditions.[8]

[2] In the lexicon of cybersecurity, “using” or “taking advantage” of a vulnerability is often called “exploiting a vulnerability.” Recall that Chapter 1 uses the term “cyberexploitation” in an espionage context—a cyber offensive action conducted for the purpose of obtaining information. The context of usage will usually make clear which of these meanings of “exploit” is intended.

[3] The lag time between dissemination of a security fix to the public and its installation on a specific computer system may be considerable, and it is not always due to unawareness on the part of the system administrator. It sometimes happens that the installation of a fix will cause an application running on the system to cease working, and administrators may have to weigh the potential benefit of installing a security fix against the potential cost of rendering a critical application non-functional. Attackers take advantage of this lag time to exploit vulnerabilities.

[4] A zero-day attack is a previously unseen attack on a previously unknown vulnerability. The term refers to the fact that the vulnerability has been known to the defender for zero days. (The attacker has usually known of the attack for a much longer time.) The most dangerous is a zero-day attack on a remotely accessible service that runs by default on all versions of a widely used operating system distribution. These types of remotely accessible zero-day attacks on services appear to be less frequently found as time goes on. In response, a shift in focus to the client side has occurred, resulting in many recent zero-day attacks on client-side applications. For data and analysis of zero-day attack trends, see pages 278-287 in Daniel Geer, Measuring Security, Cambridge, Mass., 2006, available at http://geer.tinho.net/measuringsecurity.tutorialv2.pdf.

[5] Center for Strategic and International Studies, “An Assessment of the National Security Software Industrial Base,” presented at the National Defense Industrial Association Defense Software Strategy Summit, October 19, 2006, available at http://www.diig-csis.org/pdf/Chao_SoftwareIndustrialBase_NDIASoftware.pdf.

[6] Defense Science Board, “Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software,” U.S. Department of Defense, September 2007, p. 19.

[7] Defense Science Board, “Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software,” U.S. Department of Defense, September 2007, p. 55.

[8] See, for example, http://www.microsoft.com/industry/publicsector/government/programs/GSP.mspx.

Availability of source code for inspection increases the likelihood that the inspecting party (government) will be able to identify vulnerabilities not known to the general public. Furthermore, through covert and non-public channels, nation-states may even be able to persuade vendors or willing employees of those vendors to insert vulnerabilities—secret “back doors”—into commercially available products (or require such insertion as a condition of export approval), by appealing to their patriotism or ideology, bribing or blackmailing or extorting them, or applying political pressure.

In other situations, a nation-state may have the resources to obtain (steal, buy) an example of the system of interest (perhaps already embedded in a weapons platform, for example). By whatever means the system makes its way into the hands of the nation-state, the state has the resources to test it extensively to understand its operational strengths and weaknesses, and/or conduct reverse engineering on it to understand its various functions and at least some of its vulnerabilities.

Some of the vulnerabilities useful to cyberattackers include the following:

• Software. Application or system software may have accidentally or deliberately introduced flaws whose use can subvert the intended purpose for which the software is designed.

• Hardware. Vulnerabilities can also be found in hardware, including microprocessors, microcontrollers, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. Tampering with such components may secretly alter the intended functionality of the component, or provide opportunities to introduce hostile software.

• Seams between hardware and software. An example of such a seam might be the reprogrammable read-only memory of a computer (firmware) that can be improperly and clandestinely reprogrammed.

• Communications channels. The communications channels between a system or network and the “outside” world can be used by an attacker in many ways. An attacker can pretend to be an “authorized” user of the channel, jam it and thus deny its use to the adversary, or eavesdrop on it to obtain information intended by the adversary to be confidential.

• Configuration. Most systems provide a variety of configuration options that users can set, based on their own security versus convenience tradeoffs. Because convenience is often valued more than security, many systems are—in practice—configured insecurely.

• Users and operators. Authorized users and operators of a system or network can be tricked or blackmailed into doing the bidding of an attacker.

• Service providers. Many computer installations rely on outside parties to provide computer-related services, such as maintenance or Internet service. An attacker may be able to persuade a service provider to take some special action on its behalf, such as installing attack software on a target computer.

Appendix E discusses these vulnerabilities in more detail.

2.2.2.2 Access

In order to take advantage of a vulnerability, a cyberattacker must have access to it. Targets that are “easy” to attack are those that involve relatively little preparation on the part of the attacker and where access to the target can be gained without much difficulty—such as a target that is known to be connected to the Internet. Public websites are a canonical example of such targets, as they usually run on generic server software and are connected to the Internet, and indeed website defacement is an example of a popular cyberattack that can be launched by relatively unskilled individuals.

At the other end of the spectrum, difficult targets are those that require a great deal of preparation on the part of the attacker and where access to the target can be gained only at great effort or may even be impossible for all practical purposes. For example, the on-board avionics of an adversary’s fighter plane are not likely to be connected to the Internet for the foreseeable future, which means that launching a cyberattack against it will require some kind of close access to introduce a vulnerability that can be used later (close-access attacks are discussed in Section 2.2.5.2). Nor are these avionics likely to be running on a commercial operating system such as Windows, which means that information on the vulnerabilities of the avionics software will probably have to be found by obtaining a clandestine copy of it. In general, it would be expected that an adversary’s important and sensitive computer systems or networks would fall into the category of difficult targets.[9]

Access paths to a target may be transient. For example, antiradiation missiles often home in on the emissions of adversary radar systems; once the radar shuts down, the missile aims at the last known position of the radar. Counterbattery systems locate adversary artillery by backtracing the trajectory of artillery shells, but moving the artillery piece quickly makes it relatively untargetable. Similar considerations sometimes apply to an adversary computer that makes itself known by transmitting (e.g., conducting an attack). Under such circumstances, a successful cyberattack on the adversary computer may require speed to establish an access path and use a vulnerability before the computer goes dark and makes establishing a path difficult or impossible.

Under some other circumstances, an access path may be intermittent. For example, a submarine’s onboard administrative local area network would necessarily be disconnected from the Internet while underwater at sea, but might be connected to the Internet while in port. If the administrative network is ever connected to the on-board operational network (controlling weapons and propulsion) at sea, an effective access path may be present for an attacker.

Access paths to a target can suggest a way of differentiating between two categories of cyberattack:

• Remote-access cyberattacks, in which an attack is launched at some distance from the adversary computer or network of interest. The canonical example of a remote access attack is that of an adversary computer attacked through the access path provided by the Internet, but other examples might include accessing an adversary computer through a dial-up modem attached to it or through penetration of the wireless network to which it is connected and then proceeding to destroy data on it.[10]

• Close-access cyberattacks, in which an attack on an adversary computer or network takes place through the local installation of hardware or software functionality by friendly parties (e.g., covert agents, vendors) in close proximity to the computer or network of interest. Close access is a possibility anywhere in the supply chain of a system that will be deployed, and it may well be easier to gain access to the system before it is deployed.

These two categories of cyberattack may overlap to a certain extent. For example, a close-access cyberattack might result in the implantation of friendly code in online, Internet-propagated updates to a widely used program. Such an attack would embody elements of the two categories. Also, communications channels (the channels through which IT systems and networks transfer information) can also be targeted through remote access (e.g., penetrating or jamming a wireless network) or through close access (e.g., tapping into a physical cable feeding a network).

[9] An important caveat is the fact that adversary computer systems and networks are subject to the same cost pressures as U.S. systems and networks, and there is no reason to suppose that adversaries are any better at avoiding dumb mistakes than the United States is. Thus, it would not be entirely surprising to see important and/or sensitive systems connected to the Internet because the Internet provides a convenient communications medium, or for such systems to be built on commercial operating systems with known vulnerabilities because doing so would reduce the cost of development. However, the point is that no cyberattacker can count on such dumb mistakes for any particular target of interest.

[10] The Department of Defense (DOD) definition of computer network attack (CNA)—“actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves”—is similar in spirit to this report’s use of “remote-access” cyberattack. See Joint Publication 3-13, Information Operations, February 13, 2006.

2.2.2.3 Payload

Payload is the term used to describe the things that can be done once a vulnerability has been exploited. For example, once a software agent (such as a virus) has entered a given computer, it can be programmed to do many things—reproducing and retransmitting itself, destroying files on the system, or altering files.

Payloads can have multiple capabilities when inserted into an adversary system or network—that is, they can be programmed to do more than one thing. The timing of these actions can also be varied. And if a communications channel to the attacker is available, payloads can be remotely updated. Indeed, in some cases, the initial delivered payload consists of nothing more than a mechanism for scanning the system to determine its technical characteristics and an update mechanism to retrieve from the attacker the best packages to further its attack.

A hostile payload may be a Trojan horse—a program that appears to be innocuous but in fact has a hostile function that is triggered immediately or when some condition is met. It may also be a rootkit—a program that is hidden from the operating system or virus checking software but that nonetheless has access to some or all of the computer’s functions. Rootkits can be installed in the boot-up software of a computer, and even in the BIOS ROM hardware that initially controls the boot-up sequence. (Rootkits installed in this latter manner will remain even when the user erases the entire hard disk and reinstalls the operating system from scratch.)

Once introduced into a targeted system, the payload sits quietly and does nothing harmful most of the time. However, at the right moment, the program activates itself and proceeds to (for example) destroy or corrupt data, disable system defenses, or introduce false message traffic. The “right moment” can be triggered because a certain date and time are reached, because the payload receives an explicit instruction to activate through some covert channel, because the traffic it monitors signals the right moment, or because something specific happens in its immediate environment.

An example is a payload that searches for “packets of death.” This payload examines incoming data packets on a host for a special pattern embedded within it. For almost all packets, the payload does nothing. But when it sees a particular sequence of specially configured packets, it triggers some other hostile action—it crashes the system, deletes files, corrupts subsequent data packets, and so on. (Note that the hostile action may be to do nothing when action should be taken—an air-defense system that ignores the signature of certain aircraft when it receives such a packet has clearly been compromised.)

Note that payloads for cyberattack may be selective or indiscriminate in their targeting. That is, some payloads for cyberattack can be configured to attack any computer to which access may be gained, and others can be configured to attack quite selectively only certain computers.

2.2.3 Scale and Precision

A cyberattack can be conducted over a wide range of scales, depending on the needs of the attacker. An attack intended to degrade confidence in the IT infrastructure of a nation might be directed against every Internet-connected desktop computer that uses a particular operating system. Attacks intended to “zombify” computers for later use in a botnet need not succeed against any particular machine, but instead rely on the fact that a large fraction of the machines connected to the Internet will be vulnerable to being compromised. Alternatively, a cyberattack might be directed to all available targets across one or more critical infrastructure sectors. A probe intended to test the feasibility of a large-scale cyberattack might be directed against just a few such computers selected at random. An attack might also be directed against a few selected key targets in order to have secondary effects (e.g., disruption of emergency call dispatch centers timed to coincide with physical attacks, thus amplifying the psychological effect of those physical attacks).

A cyberattacker may also care about which computers or networks are targeted—an issue of precision.
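The “packets of death” trigger described in Section 2.2.2.3 is, seen from the defender’s side, a stateful signature-matching problem: a host is at risk only if the whole trigger sequence reaches it in order, so a sensor that inspects packets one at a time will miss it. The Python block below is an added example written for this page; it is not code from the report or from any source it cites. The trigger signature, the gap limit, and the packet capture are all constructed for illustration. It tracks partial matches per destination host, discards a partial match after too many unrelated packets, and reports the packet index at which a complete sequence was delivered.

```python
"""Added example: per-host detection of a multi-packet trigger sequence.

All values below (signature, gap limit, packet capture) are constructed for
illustration; none of them comes from the report or describes a real payload.
"""
from collections import defaultdict

# Hypothetical trigger signature: these byte patterns must reach the same
# destination host in this order before a dormant payload would activate.
TRIGGER_SEQUENCE = (b"\x00\x13\x37", b"KNOCK", b"\xde\xad")

# Unrelated packets tolerated between consecutive steps before a partial
# match is discarded. Bounding the gap keeps per-host state from growing.
MAX_GAP = 5

# Constructed capture: (destination host, payload bytes), in arrival order.
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /index.html"),
    ("10.0.0.5", b"\x00\x13\x37 hello"),   # step 1 for 10.0.0.5
    ("10.0.0.9", b"KNOCK"),                 # out of order for 10.0.0.9: ignored
    ("10.0.0.5", b"normal traffic"),        # one unrelated packet, within the gap
    ("10.0.0.5", b"KNOCK KNOCK"),           # step 2
    ("10.0.0.5", b"\xde\xad"),              # step 3: full sequence at index 5
    ("10.0.0.9", b"\x00\x13\x37"),          # step 1 for 10.0.0.9
    ("10.0.0.9", b"a"), ("10.0.0.9", b"b"), ("10.0.0.9", b"c"),
    ("10.0.0.9", b"d"), ("10.0.0.9", b"e"), ("10.0.0.9", b"f"),  # gap of 6 > MAX_GAP: reset
    ("10.0.0.9", b"KNOCK"),
    ("10.0.0.9", b"\xde\xad"),
]


def find_triggered_hosts(packets, signature=TRIGGER_SEQUENCE, max_gap=MAX_GAP):
    """Return {host: [indices at which the full trigger sequence completed]}.

    packets is an iterable of (dst_host, payload). A step matches when the
    next expected pattern occurs anywhere in the payload. Matching is tracked
    separately per destination host, because the trigger only matters to the
    host that receives all of it.
    """
    state = defaultdict(lambda: (0, 0))   # host -> (next step, gap so far)
    hits = defaultdict(list)
    for idx, (dst, payload) in enumerate(packets):
        step, gap = state[dst]
        if signature[step] in payload:
            step, gap = step + 1, 0
            if step == len(signature):        # sequence complete: report it
                hits[dst].append(idx)
                step = 0
        elif step > 0:
            gap += 1
            if gap > max_gap:                 # too much noise: drop partial match
                step, gap = 0, 0
        state[dst] = (step, gap)
    return dict(hits)


if __name__ == "__main__":
    for host, where in find_triggered_hosts(SAMPLE_PACKETS).items():
        print(f"ALERT: full trigger sequence delivered to {host} at packet(s) {where}")
```

On the constructed capture only 10.0.0.5 is flagged; 10.0.0.9 saw every pattern but with six unrelated packets between the first and second step, so its partial match was reset. Raising max_gap to 6 makes the second host match as well, which is the usual tuning trade-off for this kind of rule: a small gap keeps state cheap and false positives low, a large gap catches slow, deliberately spaced-out deliveries.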
Of greatest significance are the scenarios in which focused but small-scale attacks are directed against a specific computer or user whose individual compromise would have enormous value (“going after the crown jewels”)—an adversary’s nuclear command and control system, for example. Or, a cyberattack may be directed against a particular electric power generation plant that powers a specific building in which adversary command and control systems are known to operate, rather than all of the generation facilities in a nation’s entire electric grid.

2.2.4 Critical Periods of Cyberattack

How a cyberattack evolves over time is relevant, and there are several time periods of interest. The first, T_intelligence collection, is the period

4 TECHNOLOGY, POLICY, LAW, AND ETHICS OF U.S. CYbERATTACK CAPAbILITIES BOX 2.4 A Possible Taxonomy of Active Responses There is a broad range of actions possible to respond to a cyberattack. One possible taxonomy of response actions was developed by Sergio Caltagirone.1 This taxonomy identifies eight types of response in increasing order of activity required by the responder, potential impact on the attacker, and potential for col- lateral and unintended consequences. 1. No action—a conscious decision to take no action in response to an identified attack. Not taking any action is active insofar as it involves a thoughtful decision process that considers the benefits and costs of potential options. 2. Internal notification—notifying users, administrators, and management of the system attacked. Some subset of these may be notified depending on the type of attack, but the attack is not reported to anyone outside the organization of the affected system. 3. Internal response—taking specific action to protect the system from the attacker. The response likely depends on the type of attack, but might include blocking a range of IP addresses or specific ports, segmenting or disconnecting parts of the system, and purposely dropping connections. 4. External cooperative response—contacting external groups or agencies with responsibility for classifying, publicizing and analyzing attacks (e.g., CERT, DShield), taking law enforcement action (e.g., FBI, Secret Service), providing protection services (e.g., Symantec, MacAfee), and providing upstream support (e.g., Internet service providers). There is a broad consensus that Actions 1-4 are legitimate actions under almost any set of circumstances. That is, an individual or organization is unambigu- ously allowed to take any of these actions in response to a cyberattack. 
However, the same is not true for Actions 5-8 described below, which are listed in order of increasing controversy and increasing likelihood of running afoul of today’s legal regime should the target of a cyberattack take any of these actions.

Lastly, given the difficulties of knowing if a cyberattack is taking or has taken place; whether a given cyberattack is hostile, criminal, or mischievous in intent; the identity of the responsible party; and the extent to which it poses a significant threat, the neutralization option must not be seen as the only way to respond to an attack. Box 2.4 describes a spectrum of possible responses to a cyberattack—note that the neutralization option corresponds to Action 6 or Action 7, and as such is a more aggressive form of response.

TECHNICAL AND OPERATIONAL CONSIDERATIONS

5. Non-cooperative intelligence gathering—the use of any tools to gather information about the attack and the attacker. Tools might include honeypots, honeynets, traceroutes, loose source and record routes, pings and fingers.

6. Non-cooperative “cease and desist”—the use of tools to disable harmful services on the attacker’s system without affecting other system services.

7. Counterstrike—response taking two potential forms: direct action (active counterstrike) such as hacking the attacker’s systems (hack-back) and transmitting a worm targeted at the attacker’s system; passive counterstrike that redirects the attack back to the attacker, rather than directly opposing the attack. Examples of passive counterstrike are a footprinting strike-back that sends endless data, bad data, or bad SQL requests, and network reconnaissance strike-back using traceroute packets (ICMP “TTL expired”).

8. Preemptive defense—conducting an attack on a system or network in anticipation of that system or network conducting an attack on your system.

Different actions may be taken based on the type of attack and an analysis of the benefits and costs associated with each type of response. Multiple types of responses may be taken for any given attack. Actions 1-4 are generally non-controversial, in the sense that it would not be legally problematic for a private company to take any of these responses. Actions 6-8 are much more aggressive, fall into the general category of active defense (and more), and certainly raise many questions under the statutory prohibitions against conducting cyberattack. In addition, system administrators often express concern about the legality of Action 5 in light of the various statutes governing electronic surveillance.

1 S. Caltagirone and D. Frincke, Information Assurance Workshop, 2005, IAW ’05, Proceedings from the Sixth Annual IEEE SMC, June 15-17, 2005, pp. 258-265.
See also David Dittrich and Kenneth Einar Himma, “Active Response to Computer Intrusions,” The Handbook of Information Security, Hossein Bidgoli, editor-in-chief, John Wiley & Sons, Inc., Hoboken, N.J., 2005.

2.6 TECHNICAL AND OPERATIONAL CONSIDERATIONS FOR CYBEREXPLOITATION

2.6.1 Technical Similarities in and Differences Between Cyberattack and Cyberexploitation

The cyberexploitation mission is different from the cyberattack mission in its objectives (as noted in Chapter 1) and in the legal constructs surrounding it (as discussed in Chapter 7). Nevertheless, much of the technology underlying cyberexploitation is similar to that of cyberattack, and the same is true for some of the operational considerations as well.

As noted in Section 2.2.2, a successful cyberattack requires a vulnerability, access to that vulnerability, and a payload to be executed. A cyberexploitation requires the same three things—and the only technological difference is in the payload to be executed. That is, what distinguishes a cyberexploitation from a cyberattack is the nature of the payload. Whereas the attacker might destroy the papers inside a locked file cabinet once he gains access to it, the exploiter might copy them and take them away with him. In the cyber context, the cyberexploiter will seek to compromise the confidentiality of protected information afforded by a computer system or network.

2.6.2 Possible Objectives of Cyberexploitation

What might cyberexploitations seek to accomplish? Here are some hypothetical examples. The cyberexploiter might seek to:

• Exploit information available on a network. For example, an attacker might monitor passing traffic for keywords such as “nuclear” or “plutonium,” and copy and forward to the attacker’s intelligence services any messages containing such words for further analysis. A cyberexploitation against a military network might seek to exfiltrate confidential data indicating orders of battle, operational plans, and so on. Alternatively, passwords are often sent in the clear through e-mail, and those passwords can be used to penetrate other systems. This objective is essentially the same as that for all signals intelligence activities—to obtain intelligence information on an adversary’s intentions and capabilities.

• Be a passive observer of a network’s topology and traffic. As long as the attacker is a passive observer, the targeted adversary will experience little or no direct degradation in service or functionality offered by the network.
Networks can be passively monitored to identify active hosts as well as to determine the operating system and/or service versions (through signatures in protocol headers, the way sequence numbers are generated, and so on).58 The attacker can map the network and make inferences about important and less important nodes on it simply by performing traffic analysis. (What is the organizational structure? Who holds positions of authority?) Such information can be used subsequently to disrupt the network’s operational functionality. If the attacker is able to read the contents of traffic (which is likely, if the adversary believes the network is secure and thus has not gone to the trouble of encrypting traffic), he can gain much more information about matters of significance to the network’s operators. As importantly, a map of the network provides useful information for a cyberattacker, who can use this information to perform a more precise targeting of later attacks on hosts on the local network, which are typically behind firewalls and intrusion detection/prevention systems that might trigger alarms.

• Obtain technical information from a company’s network in another country in order to benefit a domestic competitor of that company. For example, two former directors of the DGSE (the French intelligence service) have publicly stated that one of the DGSE’s top priorities was to collect economic intelligence. During a September 1991 NBC news program, Pierre Marion, former DGSE director, revealed that he had initiated an espionage program against U.S. businesses for the purpose of keeping France internationally competitive. Marion justified these actions on the grounds that the United States and France, although political and military allies, are economic and technological competitors. During an interview in March 1993, then-DGSE director Charles Silberzahn stated that political espionage was no longer a real priority for France but that France was interested in economic intelligence, “a field which is crucial to the world’s evolution.” Silberzahn advised that the French have had some success in economic intelligence but stated that much work is still needed because of the growing global economy. Silberzahn advised during a subsequent interview that theft of classified information, as well as information about large corporations, was a long-term French government policy.59

The examples above suggest certain technical desiderata for cyberexploitations.

58 Annie De Montigny-Leboeuf and Frederic Massicotte, “Passive Network Discovery for Real Time Situation Awareness,” 2004, available at http://www.snort.org/docs/industry/ADeMontigny NatoISTToulouse2004.pdf.
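The passive-observer objective above can be made concrete. The following is an added example, not code from the chapter or from the paper cited in footnote 58: it takes a capture of TCP SYN packets and, without sending anything, lists the active hosts, guesses each sender’s operating system from header signatures (initial TTL, window size, DF flag, TCP option order), infers listening services from the ports being connected to, and ranks hosts by traffic analysis alone. The capture, the hosts and the signature table are constructed for illustration; the signatures are simplified versions of commonly cited defaults and are assumptions, not an authoritative database.

```python
"""Passive host discovery, OS fingerprinting and traffic analysis from SYNs.

Added example (not from the chapter).  Everything below is constructed: the
packets, the addresses and the signature table.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """The fields of a TCP SYN that passive fingerprinting actually uses."""
    src: str
    dst: str
    dport: int
    ttl: int          # TTL as observed at the sensor
    window: int       # initial TCP window size
    df: bool          # IP don't-fragment flag
    options: tuple    # TCP option kinds, in the order they appear


# TCP option orderings used in the constructed signatures (assumed, simplified).
WIN_OPTS = ("mss", "nop", "wscale", "nop", "nop", "sackOK")
LINUX_OPTS = ("mss", "sackOK", "ts", "nop", "wscale")
MAC_OPTS = ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol")

# (initial TTL, window, DF, option order) -> OS family.  Constructed, not authoritative.
SIGNATURES = {
    (128, 8192, True, WIN_OPTS): "Windows",
    (64, 29200, True, LINUX_OPTS): "Linux",
    (64, 65535, True, MAC_OPTS): "macOS/BSD",
}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value (64, 128, 255)."""
    for start in (64, 128, 255):
        if observed <= start:
            return start
    return 255


def fingerprint(pkt: Syn) -> str:
    """Guess the sender's OS family from its SYN; 'unknown' if nothing matches."""
    return SIGNATURES.get((initial_ttl(pkt.ttl), pkt.window, pkt.df, pkt.options), "unknown")


def observe(packets):
    """Build a host table and a talker->listener edge count from SYNs alone."""
    hosts = {}
    edges = Counter()
    for p in packets:
        src = hosts.setdefault(p.src, {"os": "unknown", "hops": None, "services": set()})
        src["os"] = fingerprint(p)
        src["hops"] = initial_ttl(p.ttl) - p.ttl          # distance from the sensor
        dst = hosts.setdefault(p.dst, {"os": "unknown", "hops": None, "services": set()})
        dst["services"].add(p.dport)                      # a SYN to a port implies a listener
        edges[(p.src, p.dst)] += 1
    return hosts, edges


def rank_hosts(edges):
    """Traffic analysis: order hosts by number of distinct peers (degree centrality)."""
    peers = defaultdict(set)
    for a, b in edges:
        peers[a].add(b)
        peers[b].add(a)
    return sorted(peers, key=lambda h: (-len(peers[h]), h))


# Constructed capture: a small office segment seen from a sensor one hop away.
CAPTURE = [
    Syn("10.0.0.11", "10.0.0.5", 445, 127, 8192, True, WIN_OPTS),
    Syn("10.0.0.11", "10.0.0.7", 25, 127, 8192, True, WIN_OPTS),
    Syn("10.0.0.12", "10.0.0.5", 445, 127, 8192, True, WIN_OPTS),
    Syn("10.0.0.12", "10.0.0.7", 25, 127, 8192, True, WIN_OPTS),
    Syn("10.0.0.20", "10.0.0.5", 22, 63, 29200, True, LINUX_OPTS),
    Syn("10.0.0.20", "10.0.0.7", 25, 63, 29200, True, LINUX_OPTS),
    Syn("10.0.0.5", "10.0.0.7", 25, 64, 29200, True, LINUX_OPTS),
    Syn("10.0.0.31", "10.0.0.7", 25, 62, 65535, True, MAC_OPTS),
]


def report(packets=CAPTURE):
    """Summarise a capture: per-host (os, hops, listening ports) and a centrality ranking."""
    hosts, edges = observe(packets)
    return {
        "hosts": {h: (d["os"], d["hops"], sorted(d["services"])) for h, d in hosts.items()},
        "ranking": rank_hosts(edges),
    }


if __name__ == "__main__":
    r = report()
    for host, (os_, hops, services) in sorted(r["hosts"].items()):
        print(f"{host:10} os={os_:10} hops={hops} listens_on={services}")
    print("most connected:", r["ranking"][:2])
```

On the constructed capture the mail relay (10.0.0.7) and file server (10.0.0.5) rank first because everyone talks to them, which is exactly the inference the text describes: nothing was sent, yet the sensor now knows which hosts to target and what they run.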
For instance, it is highly desirable for a cyberexploitation to have a signature that is difficult for its target to detect, since the cyberexploitation operation may involve many separate actions spread out over a long period of time in which only small things happen with each action. One reason is that if the targeted party does not know that its secret information has been revealed, it is less likely to take countermeasures to negate the compromise. A second reason is that the exploiter would like to use one penetration of an adversary’s computer or network to result in multiple exfiltrations of intelligence information over the course of the entire operation. That is, the intelligence collectors need to be able to maintain a clandestine presence on the adversary computer or network despite the fact that information exfiltrations provide the adversary with opportunities to discover that presence.

Also, an individual payload can have multiple functions simultaneously—one for cyberattack and one for cyberexploitation—and which function is activated at any given time will depend on the necessary command and control arrangements (see Section 2.3.8). For example, a payload delivered to an adversary command and control network may be designed to exfiltrate information during the initial stages of a conflict and then to degrade service on the network when it receives a command to do so.

In addition, the relationship between technologies for cyberexploitation and cyberattack is strong enough that the cost of equipping a tool for the former with the capability for the latter is likely to be low—so low that in many cases acquisition managers could find it sensible as a matter of routine practice to equip a cyberexploitation tool with attack capabilities (or provide it with the ability to be modified on-the-fly in actual use to have such capabilities).60

2.6.3 Approaches for Cyberexploitation

As is true for cyberattack, cyberexploitation can be accomplished through both remote-access and close-access methodologies.

A hypothetical example of cyberexploitation based on remote access might involve “pharming” against an unprotected DNS server, such as the one resident in wireless routers.61 Because wireless routers at home tend to be less well protected than institutional routers, they are easier to compromise. Successful pharming would mean that web traffic originating at the home of the targeted individual (who might be a senior official in an adversary’s political leadership) could be redirected to websites controlled by the exploiter. With access to the target’s home computer thus provided, vulnerabilities in that computer could be used to insert a payload that would exfiltrate the contents of the individual’s hard disk, possibly providing the exploiter with information useful for blackmailing the target.

59 See page 33, footnote 1, in National Research Council, Cryptography’s Role in Securing the Information Society, National Academy Press, Washington, D.C., 1996.
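The mechanism behind the pharming scenario above is a cross-site request: a page or e-mail carries a URL that the victim’s own browser sends to the router, and the router, seeing valid (factory-default) credentials, rewrites its DNS servers. The following is an added example, not code from the chapter or from the Symantec report cited below; the router’s admin interface, its factory credentials, the `apply.cgi` path and `dns1` parameter, and the attacker’s image URL are all constructed. It places the vulnerable request handler beside a hardened one that refuses state changes unless they are POSTs from the router’s own origin carrying a per-session anti-CSRF token.

```python
"""Drive-by pharming against a home router, vulnerable and hardened handlers.

Added example (not from the chapter).  Interface, credentials and URLs are
constructed for illustration.
"""
import base64
import binascii
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"
FACTORY_CREDS = ("admin", "admin")   # constructed factory default the victim never changed


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class Router:
    dns_servers: list = field(default_factory=lambda: ["192.168.1.1"])
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def _authorized(self, req):
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return False
        return (user, pw) == FACTORY_CREDS

    def handle_vulnerable(self, req):
        """Original behaviour: any authorized request to apply.cgi rewrites DNS."""
        if not self._authorized(req):
            return 401
        if req.path == "/apply.cgi" and "dns1" in req.params:
            self.dns_servers = [req.params["dns1"]]
            return 200
        return 404

    def handle_hardened(self, req):
        """State changes need POST, the router's own origin, and the session token."""
        if not self._authorized(req):
            return 401
        if req.path != "/apply.cgi":
            return 404
        if req.method != "POST":
            return 405                        # an <img> or link can only produce a GET
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):
            return 403                        # the request came from some other site
        token = req.params.get("csrf", "").encode()
        if not hmac.compare_digest(token, self.csrf_token.encode()):
            return 403                        # a cross-site page cannot read the token
        if "dns1" not in req.params:
            return 400
        self.dns_servers = [req.params["dns1"]]
        return 200


def request_from_img(url, page_origin):
    """What a client turns <img src=url> into: a GET carrying the user:password
    embedded in the URL, with the attacker's page as Referer.  Constructed model
    of the browser behaviour the attack relies on."""
    u = urlsplit(url)
    headers = {"Referer": page_origin}
    if u.username:
        headers["Authorization"] = basic_auth(u.username, u.password)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return Request("GET", u.path, headers, params)


# Constructed attacker payload; 203.0.113.53 is in the documentation address range.
ATTACK_IMG = "http://admin:admin@192.168.1.1/apply.cgi?dns1=203.0.113.53"


def demo():
    """Return (status, dns) for the vulnerable router, then for the hardened one."""
    req = request_from_img(ATTACK_IMG, "http://mail.example.net/")
    weak, strong = Router(), Router()
    return (weak.handle_vulnerable(req), weak.dns_servers[0],
            strong.handle_hardened(req), strong.dns_servers[0])


def legitimate_change(router, new_dns):
    """The administrator's own form submission: POST, same origin, valid token."""
    req = Request("POST", "/apply.cgi",
                  {"Authorization": basic_auth(*FACTORY_CREDS), "Origin": ROUTER_ORIGIN},
                  {"dns1": new_dns, "csrf": router.csrf_token})
    return router.handle_hardened(req)


if __name__ == "__main__":
    print(demo())   # (200, '203.0.113.53', 405, '192.168.1.1')
```

The strongest single fix is still a non-default password, because the attack needs credentials the browser will present; the method, origin and token checks are the second layer that holds even when the password has leaked.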
As a historical precedent, Symantec in January 2008 reported an incident directed against a Mexican bank in which the DNS settings on a customer’s home router were compromised.62 An e-mail was sent to the target, ostensibly from a legitimate card company. However, the e-mail contained a request to the home router to tamper with its DNS settings. Thus, traffic intended for the bank was redirected to the criminal’s website mimicking the bank site.

A hypothetical example of cyberexploitation based on close access might involve intercepting desktop computers in their original shipping cartons while they are awaiting delivery to the victim, and substituting for the original video card a modified one that performs all of the original functions and also monitors the data being displayed for subsequent transmission to the exploiter. There is historical precedent for such approaches. One episode is the 1984 U.S. discovery of Soviet listening devices in the Moscow embassy’s typewriters—these devices captured all keystrokes and transmitted them to a nearby listening post.63 A second reported episode involves cameras installed inside Xerox copiers in Soviet embassies in the 1960s.64 A third episode, still not fully understood, is the 2004-2005 phone-tapping affair in Greece.65

2.6.4 Some Operational Considerations for Cyberexploitation

2.6.4.1 The Fundamental Similarity Between Cyberattack and Cyberexploitation

Because the cyber offensive actions needed to carry out a cyberexploitation are so similar to those needed for cyberattack, cyberexploitations and cyberattacks may be difficult to distinguish in an operational context. (The problem of distinguishing between them is compounded by the fact that an agent for exploitation can also contain functionality to be used at another time for attack purposes.) This fundamental ambiguity—absent with kinetic, nuclear, biological, and chemical weapons—has several consequences:

• The targeted party may not be able to distinguish between a cyberexploitation and a cyberattack, especially on short time scales, even if such differences are prominent in the minds of the party undertaking cyber offensive actions.

• Because the legal authorities to conduct cyberexploitations and cyberattacks are quite different, clarity in the minds of the operators about their roles in any given instance is essential.

• From a training and personnel standpoint, developing expertise at cyberattack also develops most of the required skill set for conducting cyberexploitation, and vice versa.66

2.6.4.2 Target Identification and Intelligence Preparation

Although some intelligence operations may be characterized by a “vacuum cleaner” approach that seeks to obtain all available traffic for later analysis, a cyberexploiter may be very concerned about which computers or networks are targeted—an issue of precision. Very precise cyberexploitations would be characterized by small-scale operations against a specific computer or user whose individual compromise would have enormous value (“going after the crown jewels”)—the vice president’s laptop, for example.

To the extent that specific systems must be targeted, substantial intelligence efforts may be required to identify both access paths and vulnerabilities. For example, even if the vice president’s laptop is known to be a Macintosh running OS X, there may well be special security software running on her laptop; finding out even what software might be running, to say nothing of how to circumvent it, is likely to be very difficult in the absence of close access to it.

60 If these cyberexploitation tools were to be used against U.S. citizens (more precisely, U.S. persons as defined in EO 12333 (Section 7.3.6)), legal and/or policy implications might arise if these tools were to have attack capabilities as well. Thus, the observation is most likely to be true for tools that are not intended for such use.
61 “Pharming” is the term given to an attack that seeks to redirect the traffic to a particular website to another, bogus website.
62 Ellen Messmer, “First Case of ‘Drive-by Pharming’ Identified in the Wild,” Network World, January 22, 2008, available at http://www.networkworld.com/news/2008/012208-drive-by-pharming.html.
63 Jay Peterzell, “The Moscow Bug Hunt,” Time, July 10, 1989, available at http://www.time.com/time/magazine/article/0,9171,958127-4,00.html.
64 Ron Laytner, “Xerox Helped Win The Cold War,” Edit International, 2006, available at http://www.editinternational.com/read.php?id=47ddf19823b89.
65 In this incident, a number of mobile phones belonging mostly to members of the Greek government and top-ranking civil servants were found to have been tapped for an extended period of time. These individuals were subscribers to Vodafone Greece, the country’s largest cellular service provider. The taps were implemented through a feature built into the company’s switching infrastructure originally designed to allow law enforcement agencies to tap telephone calls carried on that infrastructure. However, those responsible for the taps assumed control of this feature to serve their own purposes and were also able to conceal their activities for a long time. The sophistication of the programming required to undertake this compromise is considerable, and has led to speculation that the affair was the result of an inside job. See Vassilis Prevelakis and Diomidis Spinellis, “The Athens Affair,” IEEE Spectrum, July 2007, available at http://www.spectrum.ieee.org/print/5280.
The same considerations are true of Internet-connected computer systems that provide critical functionality to important companies and organizations—they may well be better protected than is the average system on the Internet. Nevertheless, as press reports in recent years make clear, such measures do not guarantee that their systems are immune to the hostile actions of outsiders.67

As for gathering the intelligence needed to penetrate an adversary computer or network for cyberexploitation, this process is essentially identical to that for cyberattack. The reason is that cyberexploitation and cyberattack make use of the same kinds of access paths to their targets, and take advantage of the same vulnerabilities to deliver their payloads. In the event that an adversary detects these intelligence-gathering attempts, there is no way at all to determine their ultimate intent.

2.6.4.3 Rules of Engagement and Command and Control

Rules of engagement for cyberexploitation specify what adversary systems or networks may be probed or penetrated to obtain information. A particularly interesting question arises when a possible target of opportunity becomes known in the course of an ongoing cyberexploitation. For example, in the course of exploring one adversary network (Network A), the exploiter may come across a gateway to another, previously unknown network (Network B). Depending on the nature of Network B, the rules of engagement specified for Network A may be entirely inadequate (as might be the case if Network A were a military command and control network and Network B were a network of the adversary’s national command authority). Rules of engagement for cyberexploitation must thus provide guidance in such situations.

In at least one way, command and control for cyberexploitation is more complex than for cyberattack because of the mandatory requirement of report-back—a cyberexploitation that does not return information to its controller is useless.

66 For example, Air Force Doctrine Document 2-5 (issued by the Secretary of the Air Force, January 11, 2005) explicitly notes that “military forces under a combatant commander derive authority to conduct NetA [network attack] from the laws contained in Title 10 of the U.S. Code (U.S.C.). However, the skills and target knowledge for effective NetA are best developed and honed during peacetime intelligence or network warfare support (NS) operations. Intelligence forces in the national intelligence community derive authority to conduct network exploitation and many NS [national security] operations from laws contained in U.S.C. Title 50. For this reason, ‘dual-purpose’ military forces are funded and controlled by organizations that derive authority under laws contained in both Title 10 and Title 50. The greatest benefit of these ‘dual-purpose’ forces is their authority to operate under laws contained in Title 50, and so produce actionable intelligence products while exercising the skills needed for NetA. These forces are the preferred means by which the Air Force can organize, train, and equip mission-ready NetA forces.” See http://www.herbb.hanscom.af.mil/tbbs/R1528/AF_Doctrine_Doc_2_5_Jan_11__2005.pdf.
By contrast, it may be desirable for a cyberattack agent or weapon to report to its controller on the outcome of any given attack event, but its primary mission can still be accomplished even if it is unable to do so. Report-back also introduces another opportunity for the adversary to discover the presence of an exploiting payload, and thus the exploiter must be very careful in how report-back is arranged.

67 For example, the Slammer worm attack reportedly resulted in a severe degradation of the Bank of America’s ATM network in January 2003. See Aaron Davis, “Computer Worm Snarls Web: Electronic Attack Also Affects Phone Service, BOFA’s ATM Network,” San Jose Mercury News, January 26, 2003, available at http://www.bayarea.com/mld/mercurynews/5034748.htm+atm+slammer+virus&hl=en.
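The report-back channel just discussed is also where an adversary who has found the implant can inject a message the controller mistakes for a genuine report, or replay an old one; Section 2.6.4.4 below treats this as the central problem of effectiveness assessment. The following is an added example, not code from the chapter, of the minimum the controller side should demand before believing a report: each message carries an HMAC-SHA256 tag under a per-implant key over (implant id, sequence number, payload), and the controller rejects anything whose tag fails or whose sequence number does not advance. The key, the four-byte implant identifier and the message layout are constructed assumptions. The caveat the text makes still applies: a valid tag proves the report came from the implant, not that the implant sits on a real rather than a decoy host.

```python
"""Authenticated, replay-resistant report-back for an exploitation implant.

Added example (not from the chapter).  Key, implant id and wire format are
constructed for illustration.
"""
import hashlib
import hmac
import json
import struct

ID_LEN = 4           # fixed-width implant identifier
SEQ_LEN = 8          # big-endian 64-bit sequence number
TAG_LEN = 32         # HMAC-SHA256 output


def build_report(implant_id: str, key: bytes, seq: int, report: dict) -> bytes:
    """Implant side: id || seq || json, followed by the HMAC tag over all of it."""
    ident = implant_id.encode()
    if len(ident) != ID_LEN:
        raise ValueError("implant id must be exactly 4 bytes")
    body = ident + struct.pack(">Q", seq) + json.dumps(report).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Controller side: one key and one high-water-mark sequence number per implant."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_seq = {implant: -1 for implant in keys}

    def verify(self, packet: bytes):
        """Return the report dict if the packet is authentic and fresh, else None.

        Nothing inside the packet is parsed until the tag has been checked, so a
        compromised channel never gets attacker-chosen bytes into the JSON parser.
        """
        if len(packet) < ID_LEN + SEQ_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        implant_id = body[:ID_LEN].decode("ascii", errors="replace")
        key = self.keys.get(implant_id)
        if key is None:
            return None                                   # unknown implant
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return None                                   # forged or tampered
        seq = struct.unpack(">Q", body[ID_LEN:ID_LEN + SEQ_LEN])[0]
        if seq <= self.last_seq[implant_id]:
            return None                                   # replayed or out of order
        self.last_seq[implant_id] = seq
        return json.loads(body[ID_LEN + SEQ_LEN:])


# Constructed key shared between implant "im01" and its controller (illustration only).
IMPLANT_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def demo():
    """Exercise the cases: genuine, replayed, forged with the wrong key, tampered, later."""
    ctl = Controller({"im01": IMPLANT_KEY})
    genuine = build_report("im01", IMPLANT_KEY, 1, {"host": "srv-a", "files": 12})
    forged = build_report("im01", b"\x00" * 32, 2, {"host": "srv-a", "files": 0})
    later = build_report("im01", IMPLANT_KEY, 2, {"host": "srv-a", "files": 13})
    tampered = bytearray(later)
    tampered[ID_LEN + SEQ_LEN + 2] ^= 0x01                # flip one bit inside the JSON
    return {
        "genuine": ctl.verify(genuine),
        "replay": ctl.verify(genuine),
        "forged": ctl.verify(forged),
        "tampered": ctl.verify(bytes(tampered)),
        "later": ctl.verify(later),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9} -> {'accepted ' + json.dumps(result) if result else 'rejected'}")
```

A sequence number gives replay protection only if the controller’s high-water mark survives restarts; if it does not, the adversary can replay every report captured before the restart.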

2.6.4.4 Effectiveness Assessment

The cyberexploitation analog to damage assessment for cyberattack might be termed effectiveness assessment. If a cyberexploitation does not report back to its controller, it has failed. But even if it does report back, it may not have succeeded. For cyberexploitation, the danger is that it has been discovered and that somehow the adversary has provided false or misleading information that is then reported back. Alternatively, the adversary may have compromised the report-back channel itself and inserted its own message that is mistaken for an authentic report-back message. (In a worst-case scenario, the adversary may use the report-back channel as a vehicle for conducting its own cyberattack or cyberexploitation against the controller.)

These scenarios for misdirection are not unique to cyberexploitation, of course—they are possible in ordinary espionage attempts as well. But because it is likely to be difficult for an automated agent to distinguish between being present on a “real” target versus being present on a “decoy” target, concerns about misdirection in a cyberexploitation context are all too real.

2.6.4.5 Tradeoffs Between Cyberattack and Cyberexploitation

In contemplating what to do about an adversary computer or network, decision makers have essentially two options—render it unavailable for serving adversary purposes or exploit it to gather useful information. In many cases, these two options are mutually exclusive—destroying it makes it impossible to exploit it. In some cases, destroying it may also reveal to the adversary some vulnerability or access path previously unknown to him, and thus compromise friendly sources and methods.

These tradeoffs are no less present in cyberattack and cyberexploitation. But in some ways, the tradeoffs may be easier to manage. For example, because a given instrument for cyberexploitation can be designed with cyberattack capabilities, the transition between exploitation and attack may be operationally simpler. Also, a cyberattack may be designed to corrupt or degrade a system slowly—and exploitation is possible as long as the adversary does not notice the corruption.

2.7 HISTORICAL PRECEDENTS AND LESSONS

To provide a sense of what might be possible through cyberattack and cyberexploitation, it is useful to consider some of the ways in which criminals have used them. A number of such cases are described in Appendix C, and some of the lessons derived from considering these cases are provided below.

• Attacks can have multiple phases, as illustrated in several of the cases in Appendix C, that last over a relatively long period of time (over a year, in many cases). This is especially true of DDOS attacks, where attackers must first take control of thousands and thousands of computers by installing their malicious software on them, causing them to join into mass command and control (e.g., join a botnet in IRC channels). The same bots that are used for DDOS are also used for recruiting new bots through direct attack, sending copies of the malware to addressees in the victimized computer’s address book. The less visible or “noisy” the activity, the longer the multiphase attack can last before being detected and mitigated.

• Attacks can also have multiple foci. In the Invita case (Appendix C), there was a primary focus on trying to locate credit card data to perpetrate fraud, but the attackers also used extortion to obtain financial gain. In some of the botnet cases, the botnets would be used for extortion or click-fraud. The Stakkato case was multitarget, but this was primarily a by-product of following login trust relationships between systems and sites.

• The same tactics used to compromise one host can be extended to compromise 1,000 hosts, given enough resources to repeat the same steps over and over, assuming the attacked systems are part of the same system monoculture all running the same targeted software (such as the same operating system). Automating these steps makes the job even easier, which can readily be done. (Anything that a user can do by typing at a keyboard can be turned into a scripted action. This is how the Invita attackers managed the creation and use of e-mail and online bidding accounts.)
A corollary is the notion that an indirect attack can be as successful as a direct attack, given the resources necessary to work through the entire set of login relationships between systems. For example, one can attempt to get access to another person’s account by attacking that target’s laptop or desktop system. This may fail, because the target may secure its personal computers very well. But the target may depend on someone else for system administration of its mail spool and home directory on a shared server. The attacker can thus go after a colleague’s, a fellow employee’s, or the service provider’s computer and compromise it, and then use that access to go after an administrator’s password on the file server holding the target’s account.

The best case (from an attacker’s standpoint) is when the same vulnerability exists at all levels within large interconnected systems, where “redundant” resources can be compromised, resulting in cascading effects.68 This situation could allow an adversary to very quickly commandeer a large and diverse population of systems, as has been witnessed in various worm outbreaks over the past few years.

• The theft of credentials, either for login authentication or executing financial transactions, is a popular and successful avenue of attack. All that is necessary is either to direct a user to pass his or her keystrokes through a program under control of the attacker (e.g., as in “phishing” attacks), or to get administrative control of either clients or servers and install software that logs keystrokes.

• Highly targeted attacks against specific companies are possible, as was seen in the Israeli industrial espionage case, as well as a variant of the BugBear trojan in 2003 that specifically targeted the domains of more than 1,000 specific banks in several countries.69 Discovery and taking advantage of implicit business trust relationships between sites are also possible, as was seen in the Stakkato case. An attacker need only start with the most basic information that can be obtained about a company through open sources (e.g., press releases, organizational descriptions, phone directories, and other data made public through websites and news stories). She then uses this information to perform social engineering attacks, a pretext designed to trick users into giving out their passwords so that she can gain access to computers inside an organization’s network. Once in control of internal hosts, she effectively has insider access and can leverage that access to do more sensitive intelligence gathering on the target. She can learn business relationships, details about active projects and schedules, and anything necessary to fool anyone in the company into opening e-mail attachments or performing other acts that result in compromise of computer systems. (This is basic intelligence collection and analysis.) Control of internal hosts can also be used to direct attacks—behind the firewall and intrusion detection systems or intrusion prevention systems—against other internal hosts.

68 See, for example, Daniel E. Geer, “Measuring Security,” 2006, pp. 170-178, available at http://geer.tinho.net/measuringsecurity.tutorialv2.pdf.
69 F-Secure, “F-Secure Virus Descriptions: Bugbear.B,” 2003, available at http://www.f-secure.com/v-descs/bugbear_b.shtml.
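The indirect-attack corollary above, and the “same vulnerability at all levels” case that follows it, are both questions about reachability in a graph of trust relationships. The following is an added example, not code from the chapter or from the Appendix C cases it draws on: nodes are hosts and accounts, a directed edge means that compromising the source hands the attacker the destination, and a breadth-first search from the initial foothold reports which targets become reachable and the shortest chain to each. A second function adds the edges that a shared, unpatched vulnerability creates among all hosts of one platform, which is what turns a six-step chain through the file server into a three-step one. All nodes, edges and platform labels are constructed; the edge descriptions are illustrative assumptions, not a record of any real case.

```python
"""Attack paths through login and administrative trust relationships.

Added example (not from the chapter).  The graph, the hosts and the platform
labels are constructed for illustration.
"""
from collections import defaultdict, deque

# (source, destination, how): compromising source yields destination.  The
# target's own laptop is well secured and has no inbound edge, so the direct
# attack on it fails; the shared file server behind the admin password does not.
TRUST = [
    ("phishing-mail",     "colleague-ws",      "colleague opens the attachment"),
    ("colleague-ws",      "colleague-account", "keystroke logger captures the login"),
    ("colleague-account", "fileserver-admin",  "admin logs in at the colleague's session to fix a quota"),
    ("fileserver-admin",  "fileserver",        "administrative login"),
    ("fileserver",        "target-homedir",    "home directories live on the shared server"),
    ("target-homedir",    "target-account",    "planted shell start-up file runs at the target's next login"),
    ("target-laptop",     "target-account",    "local login"),
    ("fileserver",        "backup-server",     "unattended rsync key"),
]


def attack_paths(edges, start):
    """Breadth-first search; returns {node: [(src, dst, how), ...]} shortest chains."""
    adj = defaultdict(list)
    for src, dst, how in edges:
        adj[src].append((dst, how))
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, how in adj[node]:
            if dst not in paths:              # first visit is the shortest in hops
                paths[dst] = paths[node] + [(node, dst, how)]
                queue.append(dst)
    return paths


def monoculture_edges(platforms, vulnerable_platform):
    """Every host on the vulnerable platform can be taken from any other such host:
    the cascading, worm-like case described in the text."""
    hosts = [h for h, p in platforms.items() if p == vulnerable_platform]
    return [(a, b, f"shared {vulnerable_platform} vulnerability")
            for a in hosts for b in hosts if a != b]


def shortest_chain(edges, start, target):
    """(hops, chain) to target, or (None, []) if the target is unreachable."""
    path = attack_paths(edges, start).get(target)
    return (None, []) if path is None else (len(path), path)


# Constructed platform inventory used for the monoculture case.
PLATFORMS = {"colleague-ws": "desktop-os", "target-laptop": "desktop-os",
             "fileserver": "server-os", "backup-server": "server-os"}


def demo():
    """Chains before and after a shared desktop vulnerability is added to the graph."""
    before = shortest_chain(TRUST, "phishing-mail", "target-account")
    laptop_direct = shortest_chain(TRUST, "phishing-mail", "target-laptop")
    with_mono = TRUST + monoculture_edges(PLATFORMS, "desktop-os")
    after = shortest_chain(with_mono, "phishing-mail", "target-account")
    return before, laptop_direct, after


if __name__ == "__main__":
    before, laptop_direct, after = demo()
    print("hops to target via trust chain:", before[0])
    for src, dst, how in before[1]:
        print(f"  {src} -> {dst}: {how}")
    print("laptop reachable on its own?", laptop_direct[0] is not None)
    print("hops to target once desktops share a vulnerability:", after[0])
```

The same search run by a defender answers the inverse question: which single edge (the administrator logging in at a user’s session, the unattended backup key) lies on the most chains and is therefore the one to remove first.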