Nis Microproject

This document discusses several key concepts related to cyber operations and security, including:
- Cyber operations is an interdisciplinary field that encompasses both technical and non-technical aspects of cyberspace. It complements cybersecurity.
- As technology advances, cyber threats also grow more varied and challenging. Companies providing cloud services aim to have strong security, but threats still exist.
- Cybersecurity involves protecting systems and information from threats like cyber terrorism, hacking, and data/identity theft. Maintaining confidentiality, integrity and availability of data is important.

Front page

Trends in Cyber Operations

An Introduction:
Cyber Operations is an interdisciplinary major encompassing the entire scope of
cyberspace and related operations that are both technical and non-technical (i.e.,
ethical, legal, human-centered, etc.) in nature. Cyber Operations is a
complementary discipline to Cybersecurity. Cyber Operations places a particular
emphasis on technologies and techniques applicable to all operational and system
levels. Coursework in Cyber Operations balances theory, practice and hands-on
labs inspired by real-life scenarios. The skills and competencies emphasized are
system attack, infiltration, exploitation, defense, mitigation, and recovery.
The internet has made the world smaller in many ways, but it has also opened us up
to influences that have never before been so varied and so challenging. As fast as
security grew, the hacking world grew faster. There are two ways of looking at
the issue of cyber security. One is that the companies that provide cloud computing
do that and only that, so these companies will be extremely well secured with the
latest in cutting-edge encryption technology.

WHAT IS CYBER SECURITY?

Cyber security is the protection of internet-connected systems, including hardware,
software and data, from cyber attacks. In a computing context, security
comprises both cyber security and physical security; enterprises use both to
guard against unauthorized access to data centres and other computerized systems.
Information security, which is designed to maintain the confidentiality, integrity and
availability of data, is a subset of cyber security.
WHY DO WE NEED CYBER SECURITY?

The range of operations of cyber security involves protecting information
and systems from major cyber threats. These threats take many forms. As a
result, keeping pace with cyber security strategy and operations can be a
challenge, particularly in government and enterprise networks where, in their
most innovative form, cyber threats often take aim at secret, political and
military assets of a nation, or its people. Some of the common threats
are:
• Cyber terrorism: It is the innovative use of information technology by

Vulnerabilities:
For a computer or network, a vulnerability is an aspect of the system that can be
used to compromise that system (for illustrative vulnerabilities, see the Appendix).
"Compromise" is used here as a verb meaning to attack or exploit. Weaknesses
may be introduced accidentally through design or implementation flaws. A defect
or "bug" may open the door for opportunistic use of that vulnerability by an
adversary. Many vulnerabilities are widely publicized after discovery and may be
used by anyone with moderate technical skills until a patch can be disseminated
and installed. Adversaries with the time and resources may also discover
unintentional defects that they protect as valuable secrets, also known as zero-
day exploits. As long as those defects go unaddressed, the vulnerabilities they
create may be used by adversaries. Vulnerabilities may also be introduced
intentionally. Of course, vulnerabilities are of no use to an adversary unless the
adversary knows they are present on the system or on the network being
compromised. But an adversary may have some special way of finding
vulnerabilities, and nation states in particular often have special advantages in
doing so. For example, although proprietary software producers jealously protect
their source code as intellectual property upon which their businesses are
dependent, some such producers are known to provide source code access to
governments under certain conditions. Availability of source code for inspection
increases the likelihood that the inspecting party will be able to identify
vulnerabilities not known to the general public. Furthermore, through covert and
nonpublic channels, nation states may even be able to persuade vendors or willing
employees of those vendors to insert vulnerabilities (secret "back doors") into
commercially available products (or require such insertion as a condition of export
approval), by appealing to their patriotism or ideology, by bribing, blackmailing, or
extorting them, or by applying political pressure.

Access:
In order to take advantage of a vulnerability, an adversary must have access to it.
Targets that are "easy" to compromise are those that involve relatively little
preparation on the part of the adversary and where access to the target can be
gained without much difficulty, such as a target that is known to be connected to
the Internet. "Difficult" targets require a great deal of preparation on the part of
the adversary, and access to the target can be gained only with great effort, or
may even be impossible for all practical purposes. For example, the onboard
avionics of an adversary's fighter plane are not likely to be connected to the
Internet for the foreseeable future, which means that launching a cyber attack
against it will require some kind of close access to introduce a vulnerability that
can be used later. In general, it would be expected that an adversary's important
and sensitive computer systems or networks would fall into the category of
difficult targets. Access paths to a target may be intermittent. For example, a
submarine's on-board administrative local area network would necessarily be
disconnected from the Internet while underwater at sea but might be connected
to the Internet while in port. If the administrative network is ever connected at
sea to the on-board operational network, which controls weapons and
propulsion, a useful though intermittent access path may be present for an
adversary. Access paths to a target can suggest a way of differentiating between
two categories of compromise:

• Remote access: Where a compromise is launched at some distance
from the adversary computer or network of interest. The canonical
example of a remote access compromise is using the access path
provided by the Internet, but other examples might include accessing an
adversary computer through a dial-up modem attached to it or through
penetration of the wireless network to which it is connected.

• Close access: Where a compromise takes place through the local
installation of hardware or software functionality by friendly parties
(e.g., covert agents, vendors) in close proximity to the computer or
network of interest. Close access is a possibility anywhere in the supply
chain of a system that will be deployed. It may well be easier to gain
access to the system before it is deployed.

Payload:
“Payload” is the term used to describe the things that can be done once a
vulnerability has been exploited. For example, once a software agent, such as a
virus, has entered a given computer, it can be programmed to do many things –
reproduce and retransmit itself, and destroy or alter files on the system. Payloads
can have multiple capabilities when inserted into an adversary system or network;
they can be programmed to do more than one thing. The timing of these actions
can also be varied, and if a communications channel to the adversary is available,
payloads may be remotely updated. Indeed, in some cases, the initially delivered
payload consists of nothing more than a mechanism for scanning the system to
determine its technical characteristics and another mechanism through which the
adversary can deliver the best software updates to further the compromise.

Effects:
Cyber exploitations target the confidentiality of information stored on or passing
through a system or a network. Under normal circumstances, such information
should be available only to authorized parties. A successful cyber exploitation
compromises the confidentiality of such information and makes the information
available to the adversary. Cyber attacks (as opposed to cyber exploitations) target
one of several attributes of these components or devices and seek to cause a loss
of integrity, a loss of authenticity, or a loss of availability, which includes theft
of services:
• Integrity: A compromise of integrity refers to the alteration of
information (a computer program, data, or both) so that under some
circumstances of operation, the computer system does not provide the
accurate results or information that one would normally expect even
though the system may continue to operate.
• Authenticity: A compromise of authenticity obscures or forges the
source of a given piece of information. A message whose authenticity
has been compromised will fool a recipient into thinking it was properly
sent by the asserted originator.
• Availability: A compromise in availability means that the functionality
provided by the target system or network is not available to the user:
email sent by the targeted user does not go through, the target user's
computer simply freezes, or the response time for that computer
becomes intolerably long, possibly leading to catastrophe if a physical
process is being controlled by the system.
The compromises above are direct effects of a cyber attack. In addition,
cyber attacks may result in indirect effects on the systems and (or) devices that
the attacked computer system or network controls or interacts with, or on the
people who use or rely on the attacked computer system or network. For
example, an adversary’s electric power grid may be controlled by computer. An
attack on the grid’s computers may have effects on the power grid itself – indeed,
producing those indirect effects on the grid may be the primary purpose of the
attack. Furthermore, because virtually anything can be connected to a computer
system or network, the scope and nature of effects resulting from a cyber attack
can span an enormous range. The indirect effects of a cyber attack are almost
always more important to the attacker than the direct effects, although both
direct and indirect effects must be taken into account when ascertaining the
significance of a cyber attack.

POSSIBLE OBJECTIVES FOR OFFENSIVE CYBER OPERATIONS

• Exploit information available on a network. A
cyber operator might monitor passing network traffic for keywords such
as "nuclear" or "plutonium," and copy and forward to the cyber
operator's intelligence services any messages containing the words for
further analysis. A cyber exploitation against a military network might
seek to exfiltrate confidential data indicating orders of battle,
operational plans, and so on. Alternatively, passwords are often sent in
unencrypted form through email, and those passwords can be used to
penetrate other systems. This objective is essentially the same as that
for all signals intelligence activities: to obtain intelligence information
on an adversary's intentions and capabilities.

• Be a passive observer of a network's topology and traffic.
Networks can be passively monitored to identify active hosts as well as
to determine the operating system and/or service versions through
signatures in protocol headers, the way sequence numbers are
generated, and so on. The cyber operator can map the network and
make inferences about important and less important nodes on it simply
by performing traffic analysis to determine what the organizational
structure is and who holds positions of authority. Such information may
be subsequently used to disrupt its operational functionality. If the
cyber operator is able to read the contents of traffic (which is likely if the
adversary believes the network is secure and thus has not gone to the
trouble of encrypting traffic), he can gain much more information about
matters of significance to the network's operators. A map of the
network is just as important to provide useful information for a cyber
attacker, who can use this information to perform a more precise
targeting of later attacks on hosts on the local network, which are
typically behind firewalls and intrusion detection and prevention
systems that might trigger alarms.

• Conduct industrial espionage.
For example, two former directors of the Direction Générale de la
Sécurité Extérieure (DGSE), the French intelligence service, have publicly
stated that one of the DGSE's top priorities is to collect economic
intelligence. In a September 1991 NBC news program, Pierre Marion,
former DGSE director, revealed that he had initiated an espionage
program against U.S. businesses for the purpose of keeping France
internationally competitive.

• Destroy data on a network or a system connected to the network.
A cyber attacker might seek to delete and permanently erase all data
files or to reformat and wipe clean all hard disks that it can find.
Moreover, destruction of a network also has negative consequences for
anything connected to it. For example, power generation facilities
controlled by a network are likely to be adversely affected by a disabled
network.

• Be an active member of a network and generate bogus traffic.
A cyber attacker might wish to masquerade as the adversary's national
command authority or as another senior official or agency and issue
phony orders or pass faked intelligence information. Such an
impersonation (even under a made-up identity) might well be successful
in a large organization in which people routinely communicate with
others that they do not know personally. An impersonation objective
can be achieved by a cyber attacker taking over the operation of a
trusted machine that belongs to the agency of interest (e.g., the
national command authority) or by obtaining the relevant keys that
underlie their authentication and encryption mechanisms and setting up
a new node on the network that appears to be legitimate because it
exhibits knowledge of those keys.

• Clandestinely alter data in a database stored on the network.
The logistics deployment plan for an adversary's armed forces may be
driven by a set of database entries that describe the appropriate arrival
sequence of various items such as food, fuel, vehicles, and so on. A
planner relying on a corrupted database may well find that deployed
forces have too many of certain items and not enough of others. The
planner's confidence in the integrity of the database may also be
affected.

• Degrade or deny service on a network.
A cyber attacker might try to degrade the quality of service available to
network users by flooding communications channels with large amounts
of bogus traffic. A denial-of-service attack on the wireless network (e.g.,
a jamming attack) used to control a factory's operations might well shut
it down. Taking over a telecommunications exchange might give a cyber
attacker the ability to overwhelm an adversary's defense ministry with
bogus phone calls and make it impossible for its employees to use its
telephones to do any work. A denial-of-service attack might be used to
prevent an adversary from using a communications system and thereby
force him to use a less secure method for communications against which
a cyber exploitation could be successful.

Metasploit:
Metasploit is a popular penetration testing tool that comes preinstalled on Kali
systems. It is composed of separate tools, including msfconsole, the core
interactive text program that allows a user to interact with the different
Metasploit components; and msfvenom, which is used to generate payloads and
stand-alone malware. There are graphical user interfaces available for Metasploit;
one popular tool available on Kali is Armitage. Metasploit is a modular tool and
separates the exploit, which attacks the vulnerable target, from the payload,
which is what is run on the target after a successful exploit. Metasploit also
provides separate auxiliary modules, many of which are used for network
discovery; and post-exploitation modules, which are run on targets after a
successful exploit, often to escalate privileges on the target.

Cyber operations in practice

During the first session, the discussion focused on gaining a better shared
understanding of cyber operations and how to analyse them. It should be noted
that the terms "cyber attacks" and "cyber operations" are used throughout this
report in a technical (or mainstream) sense and not as they may be understood
under IHL, unless otherwise mentioned. In general, cyber attacks refer to any
cyber operation carried out without the consent or knowledge of the owner of
the targeted system, to obtain access, extract data and/or encrypt, degrade,
delete, modify or disable data or services. This understanding is far broader than
the meaning these terms would have under IHL, as IHL applies only during armed
conflicts, and the notion of attack has specific meanings under this body of law.
A. Understanding cyber operations with the cyber kill chain model
The experts agreed that the cyber kill chain model is a useful tool for describing
cyber operations. The cyber kill chain model comprises seven phases, namely:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives
The cyber kill chain needs to be understood as a non-linear model. In practice, kill
chain steps are repeated in order to achieve the final aim. The timespan of a given
operation will vary depending on factors such as the aim, the type of target and
its environment, the circumstances, the urgency of achieving the aim and the risk
that the attacker is prepared to accept for the operation – including the risk that
the attack is subsequently attributed to it. One expert gave the example of the ,
where the entire operation was estimated to have taken around two months.
The command and control phase enables the implanted malware to be controlled
and situational awareness to be maintained. Command and control offers the
controller the ability to decide which actions to take, and when, including with a
view to reducing the risk entailed by the operation. Command and control is also
necessary if the operators want to maintain the ability to perform additional
actions (such as cleaning up after the operation). On the other hand, if the
operators already know the environment, malware can be designed to omit some
of the kill chain phases. For example, when access to the target facility and the
right knowledge already exists (i.e. from past reconnaissance), there may be no
need for the command and control phase: the malware can be set to operate on
its own, in a “fire and forget” manner.
One expert noted that Stuxnet had specific rules in deciding when the destructive
payload had to actually be delivered; this measure was probably meant to reduce
the risk of attracting unwanted attention or damaging the wrong target, and to
ensure functionality in case the command and control channel was disrupted. It
also had the command and control component, although it wasn’t clear whether
that was really needed in the final stage of the operation. In the more recent case
of Olympic Destroyer, the malware did not need command and control either,
since the operators knew exactly how to reach their goals, and the malware was
set in motion through a timer and a self-propagation algorithm.
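The kill chain is most useful to a defender as a frame for asking which phases existing detections actually evidence, and whether the repetition the text calls "non-linear" shows up in the data. The following is an added example written for this page (not code from the original document or from the report it quotes): it maps a constructed sequence of detection events onto the seven phases, reports which phases were observed, and flags the non-linear pattern of a later phase being followed by an earlier one. The event type names, the phase assignments and the sample events are all assumptions chosen for illustration.

```python
"""Map sample detection events onto the seven-phase cyber kill chain.

Added example for this page; the event types, their phase mapping and the
sample events are constructed for illustration, not drawn from any real data.
"""
from collections import OrderedDict

# The seven phases, in the order the page lists them.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Assumed mapping from a detection's event type to the phase it evidences.
# Note that Weaponization has no entry: it happens on the attacker's side and
# is normally invisible to the defender's sensors.
EVENT_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "exploit_signature": "Exploitation",
    "new_service_created": "Installation",
    "beacon_to_rare_domain": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}

# Constructed sample events as (timestamp, host, event type), in time order.
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:11", "ws-17", "phishing_email"),
    ("2024-03-01T08:05:40", "ws-17", "exploit_signature"),
    ("2024-03-01T08:06:02", "ws-17", "new_service_created"),
    ("2024-03-01T08:06:30", "ws-17", "beacon_to_rare_domain"),
    ("2024-03-02T22:14:09", "ws-17", "port_scan"),  # recon again, after C2
    ("2024-03-03T01:40:55", "ws-17", "beacon_to_rare_domain"),
    ("2024-03-03T01:45:12", "ws-17", "bulk_outbound_transfer"),
]


def map_events(events):
    """Return an ordered dict phase -> timestamps of events mapped to it."""
    hits = OrderedDict((phase, []) for phase in KILL_CHAIN)
    for ts, _host, kind in events:
        phase = EVENT_PHASE.get(kind)  # unknown event types are ignored
        if phase is not None:
            hits[phase].append(ts)
    return hits


def phases_observed(events):
    """Phases with at least one event, in kill chain order."""
    return [phase for phase, stamps in map_events(events).items() if stamps]


def first_detected_phase(events):
    """Phase of the chronologically first event that maps to the chain."""
    for _ts, _host, kind in events:
        if kind in EVENT_PHASE:
            return EVENT_PHASE[kind]
    return None


def is_nonlinear(events):
    """True if an earlier phase reappears after a later phase was already seen.

    Events are assumed to be in chronological order.
    """
    order = {phase: i for i, phase in enumerate(KILL_CHAIN)}
    highest = -1
    for _ts, _host, kind in events:
        phase = EVENT_PHASE.get(kind)
        if phase is None:
            continue
        if order[phase] < highest:
            return True
        highest = max(highest, order[phase])
    return False


if __name__ == "__main__":
    for phase, stamps in map_events(SAMPLE_EVENTS).items():
        print(f"{phase:22s} {len(stamps)} event(s)")
    print("first detected at:", first_detected_phase(SAMPLE_EVENTS))
    print("non-linear:", is_nonlinear(SAMPLE_EVENTS))
```

Run against the sample, the mapping shows six of the seven phases with evidence, the first detection at Delivery rather than Reconnaissance, and a non-linear chain: the internal port scan on day two comes after command and control was already established, which is the repetition of steps the text describes.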

B. Operational purpose
The experts emphasized that the characteristics, operational approaches and
impacts of cyber attacks could vary widely depending on the purpose of the
operation and the tools and techniques employed. They noted that the most
common operations were conducted for purposes of reconnaissance, surveillance
and the exfiltration of data and information (for espionage or other purposes,
often referred to as computer network exploitation (CNE)) and would usually
involve gaining access to, and often maintaining a persistent presence on, the
targeted system or device. These operations are generally designed to avoid
detection and are not aimed at harming the targeted system or device, which
could nevertheless be disrupted or destroyed unintentionally.

C. Trusted systems and software supply chain attacks


The discussion turned to trust in the operating systems on devices or computers
and the software running on them, and the notion that trust is often an implied
assumption. In particular, connected devices trust other devices to supply
components such as software (or updates) or to input data. This means that the
device receiving the data from the trusted source will assume that the command,
update or other data received are correct and will implement them accordingly.
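The implied trust described here, and the integrity and authenticity compromises defined in the Effects section above, can both be made concrete with a small update check. The following is an added example written for this page (not code from the original document or from the report it quotes): a device accepts an update only if the manifest carries a valid HMAC tag under a key shared with the vendor (authenticity) and every file matches the SHA-256 digest the manifest lists (integrity). The shared key, the file contents and the manifest format are constructed assumptions; a real deployment would use a vendor signing key rather than a shared secret, but the checks are the same.

```python
"""Verify a software update before trusting it.

Added example for this page. The device key, the update files and the
manifest layout are constructed for illustration.
"""
import hashlib
import hmac
import json

# Assumed secret shared between vendor and device (constructed, not real).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(manifest):
    """Serialise the manifest deterministically so the tag is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key, version="1.2.0"):
    """Vendor side: list each file's SHA-256 and tag the manifest with HMAC."""
    manifest = {
        "version": version,
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }
    body = _canonical(manifest)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_update(body, tag, files, key):
    """Device side: return (accepted, reason).

    Authenticity is checked first; without a valid tag the manifest contents
    must not be trusted at all, so the file digests are never consulted.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest authenticity check failed"
    manifest = json.loads(body)
    for name, digest in manifest["files"].items():
        if name not in files:
            return False, f"missing file {name}"
        if hashlib.sha256(files[name]).hexdigest() != digest:
            return False, f"integrity check failed for {name}"
    extra = set(files) - set(manifest["files"])
    if extra:
        return False, f"unlisted files present: {sorted(extra)}"
    return True, "update accepted"


# Constructed sample update as the vendor would ship it.
GOOD_FILES = {
    "firmware.bin": b"\x7fELF constructed firmware image",
    "config.cfg": b"mode=safe\n",
}
BODY, TAG = build_manifest(GOOD_FILES, DEVICE_KEY)


def demo_genuine():
    """Untouched update: both checks pass."""
    return verify_update(BODY, TAG, GOOD_FILES, DEVICE_KEY)


def demo_tampered_file():
    """Integrity loss: a file altered in transit, manifest left intact."""
    altered = dict(GOOD_FILES, **{"config.cfg": b"mode=unsafe\n"})
    return verify_update(BODY, TAG, altered, DEVICE_KEY)


def demo_forged_manifest():
    """Authenticity loss: manifest rewritten to match the altered file,
    but tagged with a guessed key because the real key is not known."""
    altered = dict(GOOD_FILES, **{"config.cfg": b"mode=unsafe\n"})
    forged = json.loads(BODY)
    forged["files"]["config.cfg"] = hashlib.sha256(altered["config.cfg"]).hexdigest()
    forged_body = _canonical(forged)
    forged_tag = hmac.new(b"wrong-key", forged_body, hashlib.sha256).hexdigest()
    return verify_update(forged_body, forged_tag, altered, DEVICE_KEY)


if __name__ == "__main__":
    print("genuine:        ", demo_genuine())
    print("tampered file:  ", demo_tampered_file())
    print("forged manifest:", demo_forged_manifest())
```

The order of the checks matters: the tag is verified before anything in the manifest is parsed or acted on, because a device that reads digests from an unauthenticated manifest is trusting exactly the input the text says it should not assume to be correct.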

D. Cyber capabilities and exploits


One expert explained the notion of exploit as the combination of two elements:
knowledge of a programming mistake in a target operating system or software,
and a sequence of steps to be performed to exploit that mistake and cause an
undesired and unexpected effect in the targeted program or device. In most
cases, exploits offer options for gaining unauthorized access to a targeted
computer system (including privilege escalation) and, in some cases, for delivering
a follow-on effect. One expert considered that Stuxnet was still one of the most
sophisticated “cyber weapons” ever used.
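The definition of an exploit given here, a programming mistake plus a sequence of steps that turns it into an unexpected effect, and the Vulnerabilities section's remark that a single defect "may open the door" are both illustrated by the following added example (written for this page, not code from the original document or from the report it quotes). It shows a file-serving function with a path handling mistake next to a hardened version of the same function, and a small driver that sets up a constructed directory so the difference can be observed. The function names, the directory layout and the file contents are assumptions chosen for illustration.

```python
"""A programming mistake and its corrected form, side by side.

Added example for this page; the functions, directory layout and file
contents are constructed for illustration.
"""
import os
import tempfile


def read_user_file_vulnerable(base_dir, name):
    """The mistake: the caller-supplied name is joined onto base_dir without
    checking that the result still lies inside base_dir."""
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


def read_user_file_hardened(base_dir, name):
    """Resolve the final path and refuse anything outside the base directory.

    realpath() collapses '..' components and follows symlinks, so the check is
    made on the path that would actually be opened, not on the raw string.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base!r}: {name!r}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Build a constructed tree and exercise both functions on it."""
    root = tempfile.mkdtemp(prefix="exploit-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "hello.txt"), "wb") as f:
        f.write(b"hello")
    # A file that is *not* meant to be reachable through the public directory.
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"constructed secret")

    results = {}
    results["vuln_normal"] = read_user_file_vulnerable(public, "hello.txt")
    # The same mistake with a different input: the defect becomes an effect.
    results["vuln_traversal"] = read_user_file_vulnerable(public, "../secret.txt")
    results["hard_normal"] = read_user_file_hardened(public, "hello.txt")
    try:
        read_user_file_hardened(public, "../secret.txt")
        results["hard_traversal"] = "allowed"
    except PermissionError:
        results["hard_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value!r}")
```

The point of keeping both versions is that the "knowledge of a mistake" and the "sequence of steps" are separable: the vulnerable function works correctly on every expected input, and only the second call in the driver, which supplies the unexpected input, reveals the defect. The hardened version closes it by validating the resolved path rather than the string the caller sent, which is also the check a code reviewer would look for.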

E. Evolving nature of the threat actors and the growing attack surface
The experts noted the wide range of actors carrying out cyber operations:
individual hackers; criminal groups, potentially motivated by financial gain; States;
non-State armed groups; and other non-State actors. Furthermore, various actors
may cooperate, whether it be State alliances, States supporting groups, or
criminal groups selling cyber capabilities to other actors. Some of the active
sophisticated actors are known under the term advanced persistent threats
(APTs), namely threat actors that establish a persistent, long-term access to the
targeted system(s).

F. Cyber vs kinetic attacks


The experts offered some considerations with regard to the strategic and
operational nature of cyber operations, including how they compared with kinetic
weapons. Some experts noted that cyber operations might enable one State to
attack another State in the absence of the kinetic capability to do so. Also, most
advanced weapon systems rely on connected computing systems, which could
present vulnerabilities (even if such systems are probably well-protected). Cyber
capabilities could therefore be used in an asymmetrical manner by less
sophisticated or powerful belligerents.

G. Attack and defence


The experts discussed attack and defence in detail. They agreed that the
defensive side was improving – some of them considered it to be improving fast.
But the problem of the security posture in general is complex. The experts
provided various views. One expert said that while malware was becoming more
advanced, the ability to defend against it was also getting better. The expert
acknowledged that the question of access was one issue where eliminating the
risk was difficult: since the role of networks is to facilitate communication, cutting
network access is often practically impossible. However, looking only at successful
attacks puts too much focus on organizations at the lower end of the security
scale. In the view of this expert, despite the contrary stance often mentioned
publicly, actual defensive capabilities had greatly improved, in particular with
regard to detecting threats within systems and removing them. The expert said
that, as a result, the persistence of APT operations was decreasing, although this
was disputed by another expert. Even if progress has been made in developing
software with fewer vulnerabilities.

Cyber security and its importance
