Dynamics of Cyber Conflict
Firmware and hardware
• Firmware is software, or a set of instructions, programmed or "built into" a hardware device; it runs before and beneath the operating system, which is why compromised firmware is hard to detect or remove. • Hardware is the physical components of a computing device, such as the case, central processing unit, monitor, mouse, keyboard, data storage, graphics card, sound card, speakers and motherboard.
Target hack
In one of the biggest data breaches to hit a U.S. retailer, Target reported that hackers stole data from up to 40 million credit and debit cards of shoppers who visited its stores during the 2013 holiday season. It resulted partly from the retailer's failure to properly segregate the systems handling sensitive payment card data from the rest of its network. Initial access to Target's network was gained with a username and password stolen from Fazio Mechanical Services, an HVAC contractor that serviced Target stores. The attackers were then able to move through Target's network undetected and install malware on the company's point-of-sale (POS) systems that scraped card data from memory. A Latvian computer programmer was sentenced to 14 years.
Firewalls
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A simple (stateless) firewall allows or blocks each packet based on network information such as source and destination IP address, network port and protocol; a stateful firewall also tracks connections so that only replies to traffic it has already allowed get through. Rules are evaluated in order, and the usual practice is to end the list with a default deny.
Submarine cable and landing station
A submarine communications cable is a cable laid on the sea bed between land-based stations to carry telecommunication signals across stretches of ocean and sea. A cable landing station is the shore facility where the cable comes ashore and connects to the terrestrial network; because many cables concentrate at a small number of landing stations, these are chokepoints for both physical disruption and interception.
Buckshot Yankee
A Russian-attributed incident in which an infected thumb drive was inserted into a U.S. military laptop at a base in the Middle East in 2008. The resulting compromise exposed both unclassified and classified networks of U.S. Central Command. The Pentagon spent nearly 14 months cleaning the worm, named agent.btz, from military networks. Agent.btz, a variant of the SillyFDC worm, can scan computers for data, open backdoors, and send data through those backdoors to a remote command-and-control server. It is considered an important cyber wake-up call because of the direct targeting of the U.S. military attributed to Russia. To stop the worm from spreading, the Pentagon banned USB drives and disabled the Windows AutoRun feature. The U.S. military led the response (Operation Buckshot Yankee), and the incident is believed to have contributed to the creation of USCYBERCOM.
Botnet and DDoS
Botnets - networks of compromised machines, up to millions of them, controlled by a single actor through a range of command-and-control mechanisms. Most owners of infected computers do not know their machine is part of one. Distributed denial of service (DDoS) attack - targets the subsystems that handle connections to the Internet, such as web services. It exploits the fact that responding to an incoming request consumes computation and bandwidth, so a botnet of thousands or even millions of machines sending requests at once can overwhelm the victim.
Anti-virus, anti-malware
A computer program that detects viruses and other malware, removes them and repairs infected files. Traditional anti-virus matches files against a database of known signatures; modern anti-malware products add behavioural and heuristic detection to catch samples with no known signature.
Eligible Receiver 1997
Eligible Receiver is the code name of a 1997 DoD internal exercise involving multiple agencies, including the CIA, NSA, FBI, DoD, State, Justice and others. A "red team" of NSA hackers was organized to infiltrate Pentagon systems using only publicly available computer equipment and hacking software. Although many details of Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of U.S. Pacific Command computers and demonstrated that it could have disrupted power grids and 911 systems in nine major U.S. cities. The exercise led to the creation in 1998 of the Joint Task Force-Computer Network Defense (JTF-CND), an organizational ancestor of U.S. Cyber Command.
Flame and Gauss
Flame - a cousin of Stuxnet, discovered by Kaspersky Lab in May 2012. It gathers intelligence, is roughly 20 times larger than Stuxnet and more diverse in capability than Duqu. It steals documents, takes screenshots, records audio, and even uses Bluetooth to reach nearby devices to send and receive information. It operated undiscovered for more than two years before being found. Gauss - another cousin of Stuxnet: nation-state-sponsored malware very similar to Flame and Stuxnet, but it blends nation-state cyber-surveillance with an online banking Trojan. It can steal access credentials for online banking systems and payment methods, along with other data, from infected Windows machines. Its payload is delivered by infected USB sticks and remains dormant on systems until needed, with a built-in time-to-live (TTL) counter like Flame and Duqu.
Black Energy / Havex
Havex malware, also known as "Backdoor.Oldrea", is a RAT employed by the Russian-attributed APT group "Energetic Bear" (also known as "Dragonfly"). Havex was discovered in 2013 and is one of five known pieces of industrial control system (ICS) tailored malware developed in the past decade; the others are Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear used Havex in a widespread espionage campaign targeting the energy, aviation, pharmaceutical, defense and petrochemical sectors, with victims primarily in the United States and Europe. BlackEnergy was first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS, and in 2014 BlackEnergy 3 came equipped with a variety of plug-ins. The Russia-based group known as Sandworm (aka Voodoo Bear) is credited with using BlackEnergy in targeted attacks. It is typically delivered as a Word or PowerPoint attachment to an email that lures the victim into opening a seemingly legitimate file.
IXPs
Internet eXchange Points: an Internet Exchange Point (IXP) is a physical location where different IP networks meet to exchange traffic with each other, with copper or fibre cables interconnecting their equipment, usually via one or more Ethernet switches. Peering at an IXP keeps local traffic local instead of sending it through upstream transit providers.
NotPetya
NotPetya is malware that initially targeted Ukraine (it was seeded through a compromised update of the Ukrainian accounting software M.E.Doc) but spread quickly around the world in June 2017. The main purpose of the malware appeared to be to destroy data and disk structures on compromised systems. It takes its name from the Petya ransomware whose code it reused, but the attackers never intended to make the encrypted data recoverable. It has been attributed to Russia and affected companies such as Merck, FedEx and Maersk, with damages running to hundreds of millions of dollars for each company.
Project Aurora
Project Aurora (the Aurora Generator Test) was a DHS test undertaken in 2007 at the Idaho National Laboratory to demonstrate how easily critical components in power and water systems could be attacked. Engineers at the lab wrote about 21 lines of code and injected it into a closed test SCADA network; by repeatedly opening and closing the generator's circuit breakers out of phase with the grid, it caused a large diesel generator to tear itself apart. The project showed that code alone could be weaponized to produce kinetic effects.
Rootkit and RATs
RAT stands for Remote Access Tool or Remote Access Trojan. An attacker who successfully installs a RAT on your computer gains full remote control of the machine: files, keystrokes, camera and microphone, and the ability to pivot to other systems. A rootkit is a type of malware designed to hide its presence by subverting the operating system itself (a kernel-mode rootkit) or the boot process (a bootkit), loading every time the machine boots and, in the latter case, before the operating system starts. This makes rootkits persistent, hard to detect from inside the compromised system, and able to capture practically all data on the infected computer.
Georgia 2008 & Russian DDOS
Russia's 2008 combined cyber and kinetic attack on Georgia was the first practical test of this doctrine. Although it was not fully successful, we must assume that the Russian military has studied the lessons learned, just as it has for every other facet of its poor performance against Georgia. Given all the doctrinal attention paid to the subject, we must assume that Russia is honing far more sophisticated military cyber capabilities. . . . In 2008, it was Georgia's turn, in the first-ever combined kinetic and cyber attack. Many of the same techniques and computers used against Estonia a year earlier resurfaced against Georgia. Showing remarkable preparation on the part of the perpetrators, DDoS attacks on Georgian government websites, particularly the president's website, began more than two weeks before the Russian ground invasion. On the day the kinetic war started, sites such as stopgeorgia.ru sprang up with a list of sites to attack, instructions on how to do it and even an after-action report page. It is instructive that all of this (surveys, probing, registrations and instructions) was ready to go on day one. An Internet blockade was traced to five autonomous systems, four in Russia and one in Turkey, all controlled by the criminal syndicate RBN (the Russian Business Network).
DNC and Russia election hacking
Russian military intelligence (GRU) officers stole information from the DCCC, the DNC and members of the Clinton campaign during the 2016 presidential election to hurt Clinton's chances against her opponent, Donald Trump. (1) Clinton campaign chair John Podesta fell for a phishing email in March 2016. The hackers harvested email passwords by directing staffers to phishing sites and accessed roughly 50,000 emails from Podesta's account. (2) In March/April 2016, the hackers broke into the DCCC network and used credentials obtained there to access the DNC network, where they installed malware, X-Agent, that logged keystrokes and took screenshots. (3) From June 2016, the Russians released the stolen material through DCLeaks.com and social media accounts. When the DNC announced it had been hacked by Russia, 'Guccifer 2.0' claimed credit for the leaks, posing as a lone Romanian hacker. In July, WikiLeaks released nearly 20,000 DNC emails.
Phishing and social engineering
Social engineering - manipulating people into revealing confidential information or taking an action that helps the attacker. Phishing - phishing emails look like official messages from the victim's bank, employer or another trusted entity. They claim that some action is required and direct the victim to a lookalike site where they are asked to enter their credentials, which the attacker then captures. Spear phishing aims the same lure at a specific individual, using personal details to make it convincing (see the Podesta and Sony entries on this page).
Stuxnet
Stuxnet is a computer worm widely reported to have been created by American and Israeli intelligence agencies. It was aimed at Iran's uranium enrichment facility at Natanz and spread well beyond its target to other industrial facilities. The malware targeted industrial control systems: it infected Windows machines running Siemens Step7/WinCC supervisory control and data acquisition (SCADA) software and used them to rewrite the code on Siemens S7 programmable logic controllers (PLCs), driving centrifuges at damaging speeds while reporting normal readings to operators. It spread and escalated privileges using several previously unknown (zero-day) Windows vulnerabilities, and its kernel drivers were signed with digital certificates stolen from legitimate hardware vendors so that Windows would treat the malware as trusted software.
TCP/IP packet and v4 and v6
TCP/IP, or Transmission Control Protocol/Internet Protocol, is the suite of communication protocols used to interconnect network devices on the Internet; it is also used within private networks (intranets and extranets). A packet is the basic unit of information in network transmission. There is a limit to how much data can reasonably be transmitted at once over a physical link, so TCP/IP splits each message, whether a tiny ping or an entire web page, into packets that carry both a segment of the data and the addresses of the sender and the destination. Just as the postal system routes letters around the world, the Internet Protocol (IP) defines the structure of these packets and routes them between networks; TCP, layered on top of IP, reassembles them in order and retransmits any that are lost.

Internet Protocol version 4 (IPv4) is the fourth version of IP and one of the core protocols of standards-based internetworking on the Internet and other packet-switched networks; it uses 32-bit addresses, which allows roughly 4.3 billion of them. Internet Protocol version 6 (IPv6) was developed by the Internet Engineering Task Force (IETF) to deal with IPv4 address exhaustion. It uses 128-bit addresses and a simpler fixed-length 40-byte header (options are moved into extension headers), so routers can process it more efficiently; IPv6 also drops the per-hop header checksum that IPv4 carries.
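As an added example (not code from the original page), the following Python builds and parses IPv4 and IPv6 headers from raw bytes, using only the standard library. The addresses and payloads are constructed test values (documentation ranges). Besides showing the two header layouts side by side, it verifies the IPv4 header checksum, which is how a receiver detects that a header was corrupted or edited in transit; the same check shows that a router which decrements TTL must recompute the checksum.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options, DF flag set, valid checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)                 # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    return {
        "version": version,
        "ihl": ihl,
        "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "dont_fragment": bool(flags_frag & 0x4000),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,   # an intact header sums to zero
        "payload": packet[ihl:total_len],
    }


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0, no checksum."""
    first_word = 6 << 28
    hdr = struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv6(packet: bytes) -> dict:
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if first_word >> 28 != 6 or len(packet) < 40 + payload_len:
        raise ValueError("malformed IPv6 header")
    return {
        "version": 6,
        "hop_limit": hop_limit,
        "next_header": next_header,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "payload": packet[40:40 + payload_len],
    }
```

The IPv4 checksum covers only the header and is not a security control (anyone who edits the header can recompute it); it catches accidental corruption, which is also why IPv6 dropped it and relies on the link and transport layers instead.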
DNS, DNSSEC and root servers
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com, while web browsers connect using Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources. DNS by itself is not secure: it was designed in the 1980s when the Internet was much smaller and security was not a primary consideration, so a resolver has no way to tell a genuine answer from a forged one (cache poisoning). Engineers in the Internet Engineering Task Force (IETF), the organization responsible for the DNS protocol standards, long recognized that the lack of authentication in DNS was a problem. Work on a solution began in the 1990s and the result was the DNS Security Extensions (DNSSEC). DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography, with each zone's key signed by its parent zone up to the root (a chain of trust). It provides authentication and integrity of DNS data but not confidentiality: DNSSEC-signed queries and answers are still sent in the clear.

Root servers are a network of servers (13 named root server identities, each replicated at many sites around the world via anycast) that serve the DNS root zone. DNS administration is structured as a hierarchy of managed areas, or "zones", with the root zone at the top. The root servers hold the root zone, the global list of top-level domains, which contains:
• generic top-level domains, such as .com, .net and .org
• country-code top-level domains, two-letter codes for each country, such as .se for Sweden or .no for Norway
• internationalized top-level domains, generally equivalents of country-code domains written in the countries' local character sets
WannaCry
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running Microsoft Windows, encrypting data and demanding ransom payments in Bitcoin. It propagated through EternalBlue, an exploit for a flaw in Windows SMBv1 developed by the U.S. National Security Agency (NSA). EternalBlue was stolen and leaked by a group calling itself The Shadow Brokers (whose identity remains unconfirmed) about a month before the attack; the attack itself was later attributed by the U.S. and U.K. governments to North Korea. Microsoft had released a patch (MS17-010) two months earlier, but much of WannaCry's spread was through organizations that had not applied it or that were running Windows versions past their end-of-life. The attack was halted within days by emergency patches Microsoft released for unsupported Windows versions and by Marcus Hutchins (England) discovering and registering a kill-switch domain that stopped infected computers from spreading WannaCry further. It was estimated to have affected more than 200,000 computers across 150 countries, with total damages estimated at $4-8 billion.
Cuckoo's Egg
A computer intrusion at Lawrence Berkeley National Laboratory in 1986. Clifford Stoll, an astronomer working as a system administrator, noticed a 75-cent discrepancy in the lab's computer-time accounting, realized it was caused by an intruder, and monitored him for months. Stoll used or invented techniques still used today to attribute intruders: inferring the hacker's time zone from his hours of activity, creating a honeypot (fake SDINET documents) to keep him connected long enough to trace the call, and keeping detailed logs. Stoll eventually traced the hacker to Germany (Markus Hess), who was selling what he stole to the Soviet KGB.
Dark Web
The dark web is made up of sites that are not indexed by search engines and are reachable only through overlay networks such as Tor, which hide the network location of both the visitor and the server. It is often used by website operators who want to remain anonymous. The deep web is the broader set of pages search engines do not index, such as content behind logins; everything on the dark web is on the deep web, but not everything on the deep web is on the dark web.
Encryption
The process of encoding information. It converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor; protecting a message against modification requires a separate integrity mechanism such as a message authentication code (MAC) or an authenticated encryption mode.
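As an added example (not code from the original page), the following Python shows the difference between "denies the content" and "prevents interference". The cipher is a toy stream cipher built from SHA-256 in counter mode, constructed here for illustration only (not a vetted cipher); the keys, nonce and message are fixed test values. Without the key, an attacker who knows one fragment of the plaintext can flip bits in the ciphertext so that it decrypts to a different amount, and plain encryption never notices. Adding an HMAC over the ciphertext (encrypt-then-MAC) makes the same tampering detectable.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256 in counter mode. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def bit_flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker with NO key: if plaintext[offset:] is known to be `known`, XORing
    (known ^ wanted) into the ciphertext makes it decrypt to `wanted` instead."""
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("message tampered with or wrong key")
    return xor_crypt(enc_key, nonce, ct)


def demo():
    """Returns (what the tampered message decrypts to, whether the MAC caught it)."""
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 16   # fixed test values
    msg = b"PAY 0100 USD TO ALICE"
    ct = xor_crypt(enc_key, nonce, msg)
    forged = bit_flip(ct, 4, b"0100", b"9999")                   # attacker knows the field position
    tampered_plain = xor_crypt(enc_key, nonce, forged)           # encryption alone did not stop this
    blob = seal(enc_key, mac_key, msg, nonce)
    forged_blob = blob[:16] + bit_flip(blob[16:-32], 4, b"0100", b"9999") + blob[-32:]
    try:
        unseal(enc_key, mac_key, forged_blob)
        detected = False
    except ValueError:
        detected = True
    return tampered_plain, detected
```

The same malleability applies to real stream ciphers and to AES in CTR mode, which is why production code uses an authenticated mode such as AES-GCM or ChaCha20-Poly1305 rather than encryption on its own.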
Lockheed Martin and JSF hack
The Lockheed Martin hack, with intrusions dating from 2007 and publicly reported in 2009, was perpetrated by Chinese hackers working on behalf of the Chinese state. The theft targeted the F-35 Joint Strike Fighter (JSF), then in development, and design data for its subsidiary components. The incident is emblematic of the increasing great-power competition in the cyber domain between the United States and China during this period.
Data Center
A data center is a dedicated facility that houses an organization's IT equipment (servers, storage and network gear) and the operations around it. It is where that equipment is kept, powered, cooled and managed, and from which its data is distributed.
Mafiaboy attacks in 2000
One of the largest denial-of-service attacks staged up to that time. In February 2000, several major commercial websites, including CNN.com, Amazon.com, eBay and Yahoo, were rendered inaccessible to their customers by an attack later traced to a 16-year-old Canadian using the handle Mafiaboy. Using a network of compromised computers, many of them on university networks, he staged a classic DDoS attack lasting about a week, flooding the websites with an overwhelming volume of traffic. Unable to cope, their servers collapsed. https://www.wired.com/2012/02/feb-7-2000-mafiaboys-moment/
Shamoon
In 2012, a group calling itself the "Cutting Sword of Justice" (an Iran-related APT) used "wiper" malware, Shamoon, to overwrite the hard drives of some 30,000 computers at Saudi Aramco. Data was destroyed and replaced with an image of a burning American flag. Then-Secretary of Defense Leon Panetta called it probably the most destructive attack the private sector had seen to date.
Internet of Things security
Four attack vectors:
1. Credential theft for remote control
2. Malware installed on an access point
3. Hacking of home and wireless networks
4. Other malware installed on IoT devices
The devices can be medical devices, smart home products, cars and other vehicles. In a 2011 London police case, 300+ new BMWs were stolen. The thieves used radio-frequency jammers to block the signal from a car's electronic key, so the car stayed unlocked when the owner pressed the lock button and walked away. They then plugged into the OBD-II connector (the diagnostic port mechanics use) and used it to read the car's unique key-fob ID and program a blank electronic key to match it. This shows that building a new, complex system creates new vulnerabilities that can be exploited.
Backbone
A backbone or core network is the part of a computer network that interconnects other networks, providing a path for the exchange of information between different LANs or subnetworks. A backbone can tie together diverse networks in the same building, in different buildings across a campus, or over wide areas. It is a high-capacity connectivity infrastructure: individual stations are not connected to the backbone directly but are members of a LAN, and the backbone connects those LANs. Sub-definition: a local area network (LAN) is a computer network that interconnects computers within a limited area such as a university campus.
Ports and port scanning
A port is a virtual point where network connections start and end. Ports are software-based and managed by a computer's operating system; each port in use is associated with a specific process or service. Ports let a computer differentiate between kinds of traffic: email and web pages arrive on different ports even though both reach the computer over the same Internet connection. Port numbers (0-65535) are standardized across network-connected devices, and the well-known range (0-1023) is assigned by IANA to specific protocols; HTTP messages go to port 80 and HTTPS to port 443, for example. Port scanning is a method of determining which ports on a host are open and could be receiving or sending data: the scanner sends packets to specific ports and, from the response, classifies each port as open, closed, or filtered (no response at all, typically because a firewall dropped the probe). Scanning normally starts with host discovery, a network scan that identifies which IP addresses have live hosts behind them, and then probes the ports on each host. The goal of port and network scanning is to map the organization's IP addresses, hosts and ports in order to find open or vulnerable services and assess the security posture. Both kinds of scan can also reveal the presence of security measures such as a firewall between the server and the user's device.
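As an added example (not code from the original page), the following Python implements a TCP connect scan, the simplest form of port scan: it completes a full TCP handshake with each port and classifies the result as open, closed or filtered. So that it runs offline, the demo starts its own listening socket on 127.0.0.1 (an open port) and obtains a second port that is known to be closed; both port numbers are chosen by the operating system at run time. Host discovery with ICMP is not included because it needs raw sockets and root privileges.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect scan of one port: completes the handshake, then closes.

    open     - connect() succeeded (a service accepted the connection)
    closed   - the host answered with RST (ConnectionRefusedError)
    filtered - no answer before the timeout, typically a firewall dropping the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan_ports(host: str, ports: Iterable[int], workers: int = 32) -> Dict[int, str]:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_tcp(host, p), ports)
    return dict(zip(ports, states))


def demo_localhost() -> Tuple[int, int, Dict[int, str]]:
    """Stand up one listening socket on 127.0.0.1 so the scan has something to find.

    A second socket is bound and immediately released to obtain a port known to be
    closed. Returns (open_port, closed_port, scan_results).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]   # released when the 'with' block exits

    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    opened, closed, res = demo_localhost()
    for port in sorted(res):
        print(f"127.0.0.1:{port}\t{res[port]}")
```

A connect scan is noisy: every open port sees a completed connection in its logs. Tools such as nmap default to a SYN ("half-open") scan, which sends only the first packet of the handshake and needs raw-socket privileges. Only scan hosts you are authorized to test.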
Estonia 2007 & Russian DDOS
On April 27, 2007, the Estonian government removed a 6-foot-tall bronze statue from downtown Tallinn, the capital of Estonia. The Soviets had built the monument in 1947 to commemorate their war dead after driving the Nazis out of the region. Having rid the country of German occupation, the Russians decided to stay, and the Soviet secret police deported masses of Estonians to Siberia. To many citizens, the statue was a symbol of an oppressive occupation. After 16 years of independence, the Estonians finally ignored the protests of the Russian government, which had warned ominously that the removal would be "disastrous for Estonians", and uprooted the statue. The cyberattacks on Estonia, like most other ambitious campaigns, unfolded across multiple fronts. Script kiddies used ping floods: a ping is a simple request for a response from a host, and when masses of attackers repeated it hundreds of times per second the target servers were overwhelmed. The script kiddies were whipped into a fervor in Russian-language chat rooms. First they were goaded by overheated rhetoric about the April 27 removal of the statue; a week later, hundreds of posts called for a coordinated attack at the stroke of midnight on May 9. Botnets of hundreds of thousands of hijacked computers around the world were also used by Russian hackers for DDoS attacks. In addition, hackers defaced individual websites, deleting legitimate content and posting their own messages. They used private chat rooms to communicate among themselves, but in public forums they hinted at their intentions. "DDoS is occurring even now but something more potent is on its way. :)," wrote a hacker named S1B. "On the 9th of May a mass attack is planned. The action will be massive — it's planned to take Estonnet the **** down :)."
BGP and BGPSEC
Border Gateway Protocol (BGP) is the routing protocol used to route traffic across the Internet and could be considered the postal service of the Internet. When someone sends data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems (ASes). An autonomous system (AS) is a network under a single administrative control, typically an Internet Service Provider or a very large organization, with independent connections to multiple networks. BGP has no built-in way to verify that an AS is entitled to announce a prefix or that the AS path in an announcement is genuine, which is why mistaken or malicious route announcements (hijacks) can redirect traffic. BGPsec was created to make BGP more secure. It is an extension to BGP that protects the path of autonomous systems through which a BGP update message propagates: each AS that propagates the update adds a digital signature, so the signatures provide confidence that every AS on the path listed in the update message has explicitly authorized the advertisement of the route.
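As an added example (not code from the original page or any BGP implementation), the following Python models a simplified BGP speaker: it installs routes from UPDATE messages, drops any whose AS path already contains its own ASN (standard loop prevention), picks a best path, and forwards by longest-prefix match. The ASNs and prefixes are constructed from the private and documentation ranges. The demo shows a classic hijack, a more-specific prefix announced by an AS that does not own it, winning the forwarding decision purely because /25 is longer than /24. The optional origin check models RPKI route-origin authorizations (ROAs), which is the simplest form of the "is this AS authorized?" question the passage raises; it is a companion to BGPsec rather than BGPsec itself, and BGPsec's per-hop signatures are not implemented here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[Tuple[int, ...], int]   # (AS_PATH, neighbor ASN the update came from)


class BgpSpeaker:
    def __init__(self, local_as: int, roas: Optional[List[Tuple[str, int, int]]] = None):
        self.local_as = local_as
        self.rib: Dict[ipaddress.IPv4Network, List[Route]] = {}
        # Optional (prefix, max_length, authorized_origin_as) records, modelled on RPKI ROAs.
        # None means no origin validation at all, which is plain BGP.
        self.roas = [(ipaddress.ip_network(p), m, o) for p, m, o in roas] if roas else None

    def origin_valid(self, net: ipaddress.IPv4Network, origin_as: int) -> bool:
        if self.roas is None:
            return True
        return any(net.subnet_of(p) and net.prefixlen <= m and origin_as == o
                   for p, m, o in self.roas)

    def receive_update(self, prefix: str, as_path: List[int], neighbor: int) -> bool:
        """Accept or reject one BGP UPDATE; returns True if it was installed in the RIB."""
        if self.local_as in as_path:                 # AS_PATH loop detection
            return False
        net = ipaddress.ip_network(prefix)
        if not self.origin_valid(net, as_path[-1]):  # the origin AS is the last path element
            return False
        self.rib.setdefault(net, []).append((tuple(as_path), neighbor))
        return True

    def best_path(self, net: ipaddress.IPv4Network) -> Route:
        # Simplified decision process: shortest AS_PATH, then lowest neighbor ASN as tie-break.
        return min(self.rib[net], key=lambda r: (len(r[0]), r[1]))

    def lookup(self, address: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
        """Forwarding decision: longest-prefix match first, then the best path for that prefix."""
        addr = ipaddress.ip_address(address)
        matches = [n for n in self.rib if addr in n]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)
        path, _ = self.best_path(net)
        return str(net), path


def hijack_demo(with_origin_validation: bool) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Constructed scenario: AS 64500 legitimately originates 203.0.113.0/24 and is reached
    via neighbor 64501; AS 64666 announces a more-specific /25 it does not own."""
    roas = [("203.0.113.0/24", 24, 64500)] if with_origin_validation else None
    me = BgpSpeaker(local_as=64512, roas=roas)
    me.receive_update("203.0.113.0/24", [64501, 64500], neighbor=64501)
    me.receive_update("203.0.113.0/25", [64666], neighbor=64666)
    me.receive_update("203.0.113.0/24", [64501, 64512, 64500], neighbor=64501)  # contains us: dropped
    return me.lookup("203.0.113.10")
```

Without origin validation the hijacker's /25 wins for every address in it, no matter how short or trustworthy the legitimate path is; with the ROA in place the /25 is rejected at the door (its length exceeds the authorized maximum of 24 and its origin is wrong) and traffic follows the genuine /24.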
Conficker worm
Conficker is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses a flaw in the Windows Server service (MS08-067) and dictionary attacks on administrator passwords to propagate while forming a botnet, and was unusually difficult to counter because of its combined use of many advanced malware techniques, including domain-generation algorithms for its command and control. It infected roughly 15 million government, business and home computers in over 190 countries, propagating rapidly across networks via network shares, removable media and the software vulnerability.
CAN bus
Controller Area Network (CAN bus) is a broadcast bus and a family of standards (ISO 11898) that define how communication happens, how wiring is configured, and how messages (frames) are constructed. It allows electronic control units (ECUs) in a vehicle or industrial machine to communicate with each other without a host computer. Every node sees every frame, and each frame carries an identifier that doubles as its priority (a lower ID wins bus arbitration) but no sender address. Standard CAN has no encryption and no message authentication, so any node that can reach the bus, whether a compromised ECU or a device plugged into the OBD-II port, can read all traffic and inject frames that are indistinguishable from legitimate ones. Without additional security measures, an attacker who can insert messages on the bus can mount a range of attacks, including spoofing sensor readings and commanding actuators.
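As an added example (not code from the original page), the following Python models two properties of CAN that matter for security: bitwise arbitration, in which the frame with the numerically lowest identifier wins the bus, and the absence of any sender field, which means a receiver decodes purely by identifier and cannot tell a genuine ECU from an attacker's node. The frame layout here is a simple in-memory encoding similar in spirit to what a driver hands to a CAN controller, not the bit-stuffed wire format, and the identifier 0x1B0 for "wheel speed" is a hypothetical assignment made up for this example.

```python
import struct
from typing import List, Tuple


def pack_frame(can_id: int, data: bytes) -> bytes:
    """Classic CAN data frame (11-bit ID) in a simple byte layout:
    2-byte ID, 1-byte DLC, then 8 data bytes (zero-padded)."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("standard CAN IDs are 11 bits")
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack(">HB", can_id, len(data)) + data.ljust(8, b"\x00")


def unpack_frame(frame: bytes) -> Tuple[int, bytes]:
    can_id, dlc = struct.unpack(">HB", frame[:3])
    return can_id, frame[3:3 + dlc]


def arbitrate(contenders: List[bytes]) -> bytes:
    """Bitwise arbitration: every node sends its ID MSB-first; a 0 bit is dominant and
    overrides a 1, so the first node to send a 0 where the others send 1 keeps the bus.
    Numerically, the lowest ID wins."""
    winner = contenders[0]
    for frame in contenders[1:]:
        wid, fid = unpack_frame(winner)[0], unpack_frame(frame)[0]
        for bit in range(10, -1, -1):                 # bit 10 is the MSB of an 11-bit ID
            w, f = (wid >> bit) & 1, (fid >> bit) & 1
            if w != f:
                winner = frame if f == 0 else winner  # dominant 0 wins
                break
    return winner


def wheel_speed_kmh(frame: bytes) -> int:
    """A receiver decodes by ID only; it has no way to tell which node sent the frame."""
    can_id, data = unpack_frame(frame)
    if can_id != 0x1B0:                               # hypothetical 'wheel speed' ID
        raise ValueError("not a wheel-speed frame")
    return struct.unpack(">H", data[:2])[0]


def injection_demo() -> Tuple[int, int]:
    """Genuine ECU frame and an attacker's frame with the same ID are decoded identically."""
    genuine = pack_frame(0x1B0, struct.pack(">H", 50))   # ECU reports 50 km/h
    spoofed = pack_frame(0x1B0, struct.pack(">H", 0))    # node plugged into the OBD-II port
    return wheel_speed_kmh(genuine), wheel_speed_kmh(spoofed)
```

Because priority is decided by identifier alone, an attacker who chooses a low ID also wins every arbitration round, which is the basis of bus-flooding denial of service against a vehicle network.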
ICANN, IANA and governance
ICANN = The Internet Corporation for Assigned Names and Numbers, a not-for-profit organization that brings together individuals, industry, non-commercial and government representatives to discuss, debate and develop policies about the technical coordination of the Internet's domain name system. IANA = The Internet Assigned Numbers Authority, the function (operated by ICANN) responsible for maintaining the registries of the Internet's unique identifiers. These fall into three categories: root zone management for domain names, the registries of protocol parameters, and Internet numbers (IP addresses and autonomous system numbers), which IANA allocates in blocks to the five regional Internet registries.
Authentication and identification
Identification: the act of mapping an entity to some information about that entity. This can be as mundane as a fantasy football website accepting the association between a person and the name that person claims, or as critical as matching a medical record to an unconscious patient. Authentication: proof of the claimed identification. Factors are usually classed as "something you know" (a password), "something you have" (a phone or hardware token) or "something you are" (a biometric). Multi-factor authentication combines factors from different categories, so that a stolen password on its own is not enough.
Morris Worm
In 1988, with the Internet in its infancy, the Morris Worm was the first Internet-borne worm. Earlier malware had been confined to individual computers and spread on floppy disks; the Morris Worm showed that the network itself could be the vector of infection. It spread by exploiting a buffer overflow in fingerd, a debug mode in sendmail, and weak passwords, and because it reinfected already-infected hosts it overloaded them. The roughly 6,000 affected computers did not lose files or have passwords stolen, but their Internet connectivity was temporarily disabled, and local university computer experts around the country generally had to repair the damage individually. The incident led to the creation of the CERT Coordination Center at Carnegie Mellon and first raised awareness of the need for coordinated Internet management.
Solar Sunrise
In February 1998, a number of Department of Defense networks were attacked using a well-known vulnerability in the Solaris (UNIX-based) operating system. The attackers probed Defense Department servers to see if the vulnerability was present, exploited it to enter the system, planted a program to gather data, and returned later to collect that data. In the end, over 500 military, government and private-sector computer systems were affected. Because the attacks coincided with tensions with Iraq they were initially feared to be state-sponsored, but investigators learned that two California teenagers, guided by an Israeli hacker, were responsible.
Sony hack
In November 2014, North Korean hackers calling themselves the "Guardians of Peace" sent fake Apple ID verification emails to Sony executives that prompted them to enter their Apple ID credentials. The hackers then used that information, combined with data collected from the individuals' LinkedIn profiles, to work out the executives' Sony credentials. Once those accounts were compromised, the Guardians of Peace released destructive "wiper" malware (known as Destover), which eventually compromised Sony's entire computer network. The hack not only affected Sony's whole network but also caused a significant loss of proprietary data and prevented employees from accessing their computers for days. The Guardians of Peace then leaked several unreleased films and thousands of documents, and threatened to attack movie theaters if Sony did not cancel the release of a particular film, The Interview, which mocked the North Korean government. Sony suffered devastating financial and data losses, and in response the United States placed sanctions on the North Korean government as well as on specific individuals.
Mirai
Mirai (Japanese: 未来, lit. 'future') is malware that turns networked devices running Linux into remotely controlled bots that can be used in a botnet for large-scale network attacks. It primarily targets consumer devices such as IP cameras and home routers, logging in over Telnet with a built-in list of factory-default usernames and passwords. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki. The software was initially used by its creators to DDoS Minecraft servers and companies offering DDoS protection to those servers, with the authors using Mirai to operate a protection racket. The source code for Mirai was subsequently published on Hack Forums as open source, and since then its techniques have been adapted in many other malware projects.
Ukraine power grid hacks
On 23 December 2015, hackers compromised the information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. It is the first known successful cyberattack on a power grid. The attack was complex and consisted of the following steps:
- prior compromise of the corporate networks using spear-phishing emails carrying BlackEnergy malware
- taking control of the SCADA systems and remotely switching substations off
- disabling or destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, switches)
- destruction of files stored on servers and workstations with the KillDisk malware
- a telephone denial-of-service attack on the call center to deny consumers up-to-date information about the blackout
In total, up to 73 MWh of electricity was not supplied (about 0.015% of daily electricity consumption in Ukraine), and some 225,000 customers lost power for one to six hours. The attacks took place during the ongoing conflict in Ukraine and are attributed to the Russian advanced persistent threat group known as "Sandworm".
OPM hack
On April 15, 2015, a network engineer noticed unusual traffic leaving the network of the U.S. Office of Personnel Management. IT staff discovered that personnel files had been stolen, including millions of SF-86 security-clearance forms and fingerprint records. The intrusion had begun in November 2013:
- November 2013: an attacker dubbed X1 breached OPM networks and exfiltrated manuals and IT system architecture information.
- December 2013: X1 attempted to breach two contractors, USIS and KeyPoint, which conduct background checks.
- March 2014: OPM officials realized they had been hacked but did not publicize the breach, judging that the attackers were confined to a part of the network without personnel data. They planned to reset the system in May 2014 to evict the attackers, but earlier that month an attacker dubbed X2 installed malware creating a backdoor, which allowed them to remain undetected and unaffected by the reset.
- July/August 2014: X2 exfiltrated background-investigation data from OPM's systems.
Deemed one of the largest breaches of government data in U.S. history, it affected about 22.1 million records. The wide consensus is that the attack was carried out by state-sponsored attackers for the Chinese government: it originated in China, the backdoor tool used (PlugX) had previously been used by Chinese-language hacking groups, and the operators used superhero names for their infrastructure.
OSI 7-layer model
The Open Systems Interconnection (OSI) model is a conceptual framework that describes the functions of a networking or telecommunication system. The model uses layers to give a visual description of what is going on in a particular networking system. The OSI layers are listed "top down" from the application layer, which directly serves the end user, to the physical layer:
7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer
2. Data Link Layer
1. Physical Layer
A sentence to remember the order: All People Seem To Need Data Processing. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is older than the OSI model and was created by the US Department of Defense (DoD).
Operation Aurora
Operation Aurora was a series of cyberattacks from China (specifically, the Elderwood Group) that targeted U.S. private sector companies in 2010. The threat actors exploited a zero-day flaw in Internet Explorer and conducted a phishing campaign that spread malware and compromised the networks of Yahoo, Adobe, Dow Chemical, Morgan Stanley, Google, and more than two dozen other companies. According to McAfee, the primary goal of the attack was to gain access, conduct espionage, and potentially modify source code repositories at these high tech, security and defense contractor companies.
Glowing Symphony
Operation Glowing Symphony was the last cyber offensive of the Obama administration. Its purpose was to gain access to high-profile administrator accounts on ISIS networks and cause general havoc within them. While there was initial disruption, the offensive was unsuccessful because ISIS leaders ultimately shifted traffic to other servers within American-allied countries. The United States, while intending to combine the best talents of Cyber Command and the NSA, ended up with a jurisdictional problem: it needed to inform allied countries such as Germany that it was using their network infrastructure for cyberattacks against the freshly rerouted ISIS networks.
Moonlight Maze
PG152, Healey. A "wake-up call" attack on the US announced by the FBI in 1999, suspected to be the Russian state but not confirmed. It accessed DOD, DOE, public universities, and others. The persistent intrusion is suspected to have gone on for at least three years. Much information is still classified, so methods and durations are not completely known to the public. The wake-up call led to many lessons learned, highlighted DOD technical deficiencies, and increased awareness of the cyber threat among US policy makers.
Industrial control system security
PPD-63 established a national program called Critical Infrastructure Protection (CIP). The idea is to assure the security of several interconnected infrastructures within the US; it recognizes certain infrastructure as critical to the national security of the US. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is one of the four branches of the National Cybersecurity & Communications Integration Center (NCCIC). Almost all industrial equipment is controlled by a computer-based device called a programmable logic controller (PLC).
PRISM
PRISM is the code name for a program under which the United States National Security Agency (NSA) collects internet communications from various U.S. internet companies. PRISM began in 2007 in the wake of the passage of the Protect America Act under the Bush Administration. The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA). Its existence was leaked six years later by NSA contractor Edward Snowden, who warned that the extent of mass data collection was far greater than the public knew.
Packet versus circuit switching
Packets are small digital envelopes of data. At the beginning of each packet, essentially the 'outside' of the envelope, is the header, which contains details about the network source and destination and some basic information about the packet contents. By breaking flows of data into smaller components, each can be delivered in an independent and decentralized fashion and then reassembled at the endpoint. The network routes each packet as it arrives, a dynamic architecture that creates both flexibility and resiliency. Packet switching was developed to enable more reliable, more efficient connections between computers (the model of the Internet). Circuit switching required direct links, dedicated circuits and preassigned bandwidth between computers, meaning those resources could not be used by anyone else, even when no data was being transmitted (the model of telegraph and telephone networks).
Password Wallet
A Password Wallet is a form of password manager that stores ALL of your passwords and other private information in one location. A password manager is an application that stores, generates, and manages random, secure passwords for all the sites you need and enters them automatically. Modern password manager applications work across platforms and devices, requiring you to remember only one password for the tool itself. The downside is that they act as a single sign-on: if that one password is discovered, everything stored in the wallet is exposed.
SWIFT heist
SWIFT is the international clearinghouse for banking transactions and, as discussed in David Sanger's book The Perfect Weapon, could be used as a means to cut off banking access to the Russian economy as a dramatic reprisal for Russian hostile action against the United States. In 2015 and 2016, a series of cyberattacks using the SWIFT banking network were reported, resulting in the successful theft of millions of dollars. The attacks were perpetrated by a hacker group known as APT 38, whose tactics, techniques and procedures overlap with the infamous Lazarus Group, who are believed to be behind the Sony attacks. Experts agree that APT 38 was formed following the March 2013 sanctions, and the first known operations connected to this group occurred in February 2014. If the attribution to North Korea is accurate, it would be the first known incident of a state actor using cyberattacks to steal funds. The attacks exploited vulnerabilities in the systems of member banks, allowing the attackers to gain control of the banks' legitimate SWIFT credentials. The thieves then used those credentials to send SWIFT funds transfer requests to other banks, which, trusting the messages to be legitimate, sent the funds to accounts controlled by the attackers.
GameOver Zeus takedown
The original Zeus was a program described as the Microsoft Office for cybercriminals, created and released in 2009 by a Russian national known as Slavik, whose real name eventually turned out to be Bogachev. He transformed the program into GameOver Zeus, a more exclusive platform for a small club of 50 cybercriminals, who used its central command-and-control servers to operate malware that infected machines and drained bank accounts while simultaneously hitting banks with denial-of-service attacks, which covered the tracks of the illegal transactions until they cleared. The malware was so effective because, as it spread to new computers globally, its code included a backup mechanism: if the central servers were attacked by authorities, Bogachev could instead reestablish control through a peer-to-peer mechanism that the malware provided between hundreds of thousands of infected machines around the world. Bogachev turned out to be linked with Russian intelligence and also used the malware to search infected Ukrainian computers during Russia's invasion of that country, and this provided the legal justification necessary for law enforcement to take down the group. It took dozens of local ISPs and governments, from Canada to Japan to the United States and others, who in 2014 launched a coordinated operation to disable Bogachev's servers while directing peer-to-peer traffic into a sinkhole in order to prevent Bogachev from regaining peer-to-peer access. This effectively disabled the network. This case is a good example of how a criminal group might have operated with impunity without ever being crippled, whereas its espionage ties provided the jurisdiction for legal authorities to disrupt the criminal network.
VPN
VPNs, or Virtual Private Networks, allow users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects it online. And while a VPN is technically a WAN (Wide Area Network), the front end retains the same functionality, security, and appearance. VPNs are popular with corporations as a means of securing sensitive data when connecting remote data centers. VPNs use a combination of dedicated connections and encryption protocols to generate virtual P2P connections. VPNs also allow individuals to spoof their physical location (the user's actual IP address is replaced by that of the VPN provider), allowing them to bypass content filters.
VPN
Virtual Private Networks allow users to securely access a private network and share data remotely through public networks. VPNs are hugely popular with corporations as a means of securing sensitive data when connecting remote data centers. These networks are also becoming increasingly common among individual users. Because VPNs use a combination of dedicated connections and encryption protocols to generate virtual P2P connections, even if snoopers did manage to siphon off some of the transmitted data, they would be unable to read it on account of the encryption. What's more, VPNs allow individuals to spoof their physical location (the user's actual IP address is replaced by that of the VPN provider), allowing them to bypass content filters.
Operating system and software
• An OS is the software that acts as the foundation layer on a computing device. It manages computer hardware and software resources and provides common services for computer programs. Common OSes are Microsoft Windows, Apple macOS, Linux, Android and Apple's iOS.
• Software is a set of instructions or programs instructing a computer to do specific tasks.
IDS and IPS
• An intrusion detection system (IDS) analyzes and monitors network traffic for signs of intrusion.
• An intrusion prevention system (IPS) proactively inspects network traffic and, based on a security profile, denies any packet that represents a known threat.
• The main difference is that an IDS monitors for intrusions and alerts humans to the danger, whereas an IPS is a control system that can actively reject packets.
Malware, exploit, vulnerability
• Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
• A vulnerability is a state of being exposed in the cyber domain: any weak spot that could be taken advantage of.
• An exploit is a tool that allows a hacker to leverage a vulnerability for their own ends.