Cyber Operations Quiz
password hash
A value mathematically generated from a person's password. Reversing a hash means guessing a password, hashing the guess, and seeing whether the resulting numbers match.
Lee's Sliding Scale of Cybersecurity
1. Architecture 2. Passive Defense 3. Active Defense 4. Intelligence 5. Offense
Basic states of Data
1. Data at rest 2. Data in motion 3. Data in use
Buchanan Intrusion Model
1. Target Reconnaissance 2. Development 3. Authorization 4. (Initial) Entry 5. Establishing C2 6. Internal Reconnaissance and Pivoting 7. Action on Objective 8. Confirmation
Monte's Life Cycle of an Operation
1. Targeting 2. Initial Access 3. Persistence 4. Expansion 5. Exfiltration 6. Detection
Backdoor
A backdoor or implant is a piece of software, hardware, or modification to an existing piece of software or hardware that enables the attacker to circumvent security. Ensures future access without the hassle of initial entry.
Vulnerabilities
A flaw in a system or piece of software.
zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence. Once known, you have "zero days" to patch it. Rare but powerful.
Scope
Ability to go broad, potentially hitting targets in the thousands.
Scale
Ability to go deep: steal valuable secrets and gain economic/political advantage, or cause deep damage.
Computer Network Defense (CND)
Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within information systems and computer networks.
Computer Network Attack (CNA)
Actions taken using computer networks to disrupt, deny, degrade or destroy information resident in computers and computer networks, or the computers and networks themselves. EX: DDoS, wiper, ransomware
5 Categories of CND/Lee's Sliding Scale of Cybersecurity
Architecture, Passive Defense, Active Defense, Intelligence, Offense
Shaping
Change the state of play, e.g. stealing the deck or an opponent's card.
Intelligence (CND)
Collecting data, exploiting it into information, and producing intelligence
CIA Triad
Confidentiality, Integrity, Availability. Describes what harms can occur.
Example of CNA
DDOS, wiper, ransomware
Data in motion (or in transit)
Data crossing or temporarily resident in a network. Sitting in a computer to be read, updated, or processed.
Data at rest
Data stored on a device or backup medium. This data is not currently being transmitted across a network or actively being read or processed.
Data in use
Data undergoing analysis, change, or other manipulation. Being processed by one or more applications rather than stored passively on a hard drive or external storage media.
Wiper
Definition/Description: Wiper was a 2012 cyber operation, named after the wiper malware, that targeted Iran's oil and natural gas sector. It was attributed by some (given similarities to Stuxnet) to the US and potentially even Israel, despite private cybersecurity firms being unable to recover robust examples of its code from targeted systems. What is this an example of: The operation is a classic example of a wiper attack, which typically attacks a target network by erasing or overwriting the master boot record, files and folders, and backups. In so doing, Wiper also destroyed most traces of its own code in the targeted systems. Significance: Wiper was significant in that it (likely unintentionally) revealed the existence of another operation, Flame, which had previously gone undiscovered in these same systems and was later attributed to the same actor(s).
Availability
Denying access to data or systems (attack). Example: the 2007 Russian DDoS attacks against Estonia.
DCS
Distributed Control System. Provides human operators with the ability to remotely monitor and control an industrial process. A computerized control system consisting of computers, software applications and controllers.
Stuxnet
EX: CNA. Someone (US and Israel) used this program to directly target and degrade the Iranian nuclear facility at Natanz by making centrifuges self-destruct. Definition: A piece of malware directly targeted at the Iranian nuclear facility at Natanz; the malware sped up, then slowed down, the centrifuges so that they self-destructed, while playing back a "business as usual" message. Significance:
Microsoft Exchange
EX: CNE. Definition: Attack perpetrated by China through a zero-day vulnerability in Microsoft's system; when it was clear that Microsoft might be patching, it became a smash and grab, with use of ransomware. Significance: Smash and grab once it was clear Microsoft was patching; debate over the timing of announcing a patch.
Equation Group
EX: CNE. Definition: One of the most sophisticated cyber espionage organizations; infected 500 systems in 42 countries; may be the NSA's Tailored Access Operations organization. Significance: The malware they install can self-destruct; affiliated with Stuxnet, and may be its predecessor.
Slingshot
EX: CNE program. Definition: Cyber espionage with operations across Africa and the Middle East; 6 years of access. Significance: Attacked through routers, which is very unusual.
APT 10
EX: CNE, as data was stolen from clients once MSPs were infiltrated. Definition: Entered through managed service providers, chose victims from the customer list, and extracted data; targeted the US, Europe, and Japan. Significance: Displayed the risk posed by third-party partnerships, and the use of the "supply chain" as an avenue to hack as governments get better at security.
Flame
EX: CNE; connecting groups through TTPs, as early Stuxnet had a Flame module in it, so it likely came from the same source. Definition: Cyber espionage software deployed against Iran. Significance: With the ability to forge a Microsoft signing certificate and turn an infected computer into a Microsoft update server, it was able to infect a network without ever compromising a password. Flame was outed by Wiper, so whoever did so had choices to make.
APT 1
EX: CNE, shaping; use of spearphishing to gain initial access. Definition: Multi-year, enterprise-scale computer espionage by China. Stole from 141 companies in 20 industries. Significance: First time a private company exposed a state hacking operation; the speed and momentum denote the significance of APT 1.
SolarWinds
EX: CNE; within the bounds of acceptability as it was highly targeted and disabled other backdoors. Definition: Russian group first discovered in 2020; accessed many systems but chose to pursue access to a narrow number of SolarWinds systems; targeted DoE. Put a backdoor into critical infrastructure across the US. Significance: Scale of the hack, number of systems targeted, sophistication of what was used, length of time undetected.
Operation Ababil
EX: DDoS attack. Definition: Targeted NYSE, Bank of America, and Chase with a flood of internet traffic. Significance: Not quiet; a loud protest against the "Innocence of Muslims" video.
Estonia 2007
EX: DDoS attack, signaling. Definition: Four waves of DDoS attacks against Estonia to prevent the movement of a statue from Tallinn to the outskirts. 1. DDoS on government websites and DNS systems 2. DDoS on government websites 3. DDoS on government websites and the financial industry 4. Government websites and banks. Significance: Attempt by Russia to signal capability and to compel Estonia to keep the statue/force the resignation of the government. The signaling didn't work and didn't impose severe economic cost, but did get Estonia increased NATO support and a center of excellence in cybersecurity. The existence of a strong Estonian cybersecurity community made the consequences of the attacks mild; had Russia been successful, it would have created the illusion that it can limit Estonian foreign policy.
Sands Casino
EX: Signaling; signals full of sound and fury. Wiper attack; got into a small casino in PA to get into the wider Adelson system. Definition: Wiper attack by Iran against Sheldon Adelson's casino network. Significance: $40 million in damage, one of the most significant cyber attacks; hacking as a means to attack Sheldon Adelson without escalating to the level of armed conflict; failed signaling, as Iran denied responsibility; spent the capability as soon as it was gained.
Sony
EX: Use of spearphishing for initial access. Definition: Hacking attempt by the DPRK to compel Sony to change its mind on "The Interview". Attacked the master boot record (wiper), overwrote files of value. Significance: Perfect op for signaling in a cyber op: 1. motivation to compel Sony to cancel 2. clear communication by the DPRK 3. ability to do real harm to Sony 4. credible ability to further raise the harm 5. the film wasn't as important to Sony as it was to the DPRK.
Shamoon
EX: Wiper attack targeting the MBR; initial entry via spear-phishing; persistence by copying itself across all of ARAMCO's servers. Definition: August 2012 Iranian attack on ARAMCO. Significance: Loud and disruptive attack, unlike Stuxnet or Wiper.
Computer Network Exploitation (CNE)
Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.
DDOS attacks
Floods bandwidth or resources of targeted system
Confidentiality
Gaining access to data that was supposed to be private (espionage). Example: APT1
HMI
Human Machine Interface. How you interact with SCADA.
Targeting (Monte)
Identifying the target network and identifying the attack strategies and tactics necessary to exploit that network.
IT/OT Difference
IT manages data; OT manages the physical world. IT security is driven by the CIA triad.
Expansion (Monte)
Increasing access to a target network. Done to establish a more robust level of persistence or to locate and access wanted data.
ICS
Infrastructure control systems. Part of OT. Built specifically for industry; control operated processes, e.g. circuit breakers. SCADA, DCS, and HMI all fall into this.
Establishing Command and Control (C2) (Buchanon)
Intruders (usually) need to be able to control their code once it is on the target network.
(Initial) Entry (Buchanon)
Intruders have to get access to systems belonging to the target
Development (Buchanon)
Intruders must develop programs and infrastructure to enable an intrusion
Target reconnaissance (Buchanon)
Intruders must find out "where" the target is located and "what" the target is, technically.
Payload Delivery (action on objective) (Buchanon)
Intruders need to do what they came to do: destroying something, stealing data, altering something.
Internal Reconnaissance and Pivoting (Buchanon)
Intruders need to figure out what they have gained access to, as well as where they need to go and how to get there. Map the overall network.
Confirmation (Buchanon)
Intruders need to verify attack was successful
Moonlight Maze
Large, wide hacking attempt against DOD and government; made public in 1999, ongoing since 1996. Primary target was military technical information. Highlighted IT as part of the revolution in military affairs, and the weakness of US IT.
Offense (CND)
Legal countermeasures and self-defense action against an adversary
virus
Malicious program that can infect other programs, carry out mission, self-replicate
Integrity
Manipulating data or systems (attack). Example: Stuxnet
PRISM
NSA program for collection; can conduct surveillance (forward looking) and stored communications collection (backward looking). Collaborates with private US companies. Daily contributor to the PDB, about 500 reports in one week.
Dilemma of interpretation
Once a presence is discovered in my network, how do I interpret it? Is the state prepping for an attack, or conducting espionage? OPE or espionage?
Dilemma of Interpretation
Once a presence is discovered in a network, how do I determine how to interpret it: is the state prepping for an attack, or conducting espionage? Is it OPE or espionage?
Detection (Monte)
Operation exposed to target
OT
Operational Technology. Controls the physical world. Priorities: safety, then availability, then integrity, then confidentiality.
Initial Access (Monte)
Penetrating any defensive security and gaining the ability to run commands or other software on one of the target's computers or network devices.
Architecture (CND)
Planning, establishing, and upkeep of systems with security in mind
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access. Originally used to protect data in motion; increasingly used for data at rest and data in use.
Worm
A program in and of itself (unlike a virus); can replicate itself over a network without any user interaction.
Turla
Prolific scope. A vintage web server connects Turla to 1998, as Turla used the LOKI2 backdoor from 1996. Either the same group as Moonlight Maze or a successor group with the same TTPs.
Exfiltration (Monte)
Retrieval of wanted data from the target network.
SIS
Safety instrumented system: an autonomous control system that independently monitors the status of the process under control. If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process.
Titan Rain/Byzantine Hades (early 2000s)
Series of coordinated attacks on computer systems in the US; CNE against NASA and the FBI. Attributed to China. Notable for its time for: 1. level of deception 2. multiple attack vectors. Very sophisticated, much more sophisticated than previously seen; APT 1 most likely.
Authorization (Buchanon)
Sometimes intruders need to get permission to operate, and must operate within certain parameters. Policy environment dependent.
Dumping password hashes
Stealing hashed passwords and brute-forcing ("dumping") them until the login credentials appear real.
SCADA
Supervisory Control and Data Acquisition. Family of industrial control packages. Geographically diverse, leveraged across infrastructure.
Passive Defense (CND)
Systems added to the architecture to provide reliable defense or insight against threats
TTPs
Tactics, Techniques, Procedures. Can signal who a group is; can be reverse engineered once made public.
Persistence (Monte)
The art of turning initial access into recurring access. Foundation that makes sustaining an operation possible.
Active Defense (CND)
The process of analysts monitoring for, responding to, and learning from adversaries internal to the network
Signal
To hint credibly at the cards one holds
Persistence (Monte)
Turning initial access into recurring access. Foundation that makes an operation sustainable.
Home field advantage
US and allies' home field advantage in cyber ops: positioned along key cables, US telecom providers serve many clients, and US tech is essential to the global ecosystem. Companies are compelled to partner on foreign intelligence collection.
Cuckoo's egg
USSR in West Germany accessing military systems. Pre-internet; first case of cyber espionage. Story of institutional limitations.
Cryptography
Used to ensure the confidentiality of data. Encryption and decryption methods.
Detection (Monte)
When an operation is exposed to a target
Exploits
attacks that take advantage of vulnerabilities
DDOS attacks target
availability
The Iranian denial of service attacks against US banks in 2012 impacted their ________ for their customers
availability
The Chinese hack of OPM in 2015 targeted the ________ of millions of private data records
confidentiality
CIA
confidentiality, integrity, availability
3 types of data
data in motion, data at rest, data in use
The DPRK bank hacking operations affected the _______ of numerous financial institutions
integrity
wiper attacks target
integrity
ransomware
malware that compromises or disables a user's system until the user pays a ransom. Encrypts the victim's data, rendering it unusable to the victim who owns it until the victim pays for the encryption key
OPE
operational preparation of the environment (OPE). Tough to tell if a network intrusion is OPE for an attack or intel collection
Trojan horse
program with something malicious hidden inside, like a virus or worm
tactical intelligence
responds to the needs of operators or military field commands
spear phishing
sending socially engineered emails in order to dupe a target into surrendering vital information or opening malicious code; a common Chinese tactic
Cybersecurity is more a tool of _______ rather than ________
shaping; signaling
Malware
software that is intended to damage or disable computers and computer systems.
Packet
the term given for the smallest unit of information transmitted across certain types of digital networks (e.g. the internet or a LAN). Internet data is divided into packets, sent through a variety of different routes across the internet
strategic intelligence
used to formulate new policy and military planning
wiper attacks
wipes/overwrites/removes data from the victim