Cyber Operations ch 1,5,7
In your own words, describe three similarities between Solar Sunrise attack and Stuxnet.
1) Both were targeted, focused attacks. Solar Sunrise was aimed specifically at DoD (largely Air Force) systems, and Stuxnet at the Siemens S7-300 PLCs controlling centrifuges at the Iranian enrichment facility in Natanz. 2) In both cases attribution was hard: the Solar Sunrise traffic was routed through servers in several countries, and Stuxnet's authors were never officially identified. The domain of a cyber attack is much harder to pin down than that of a kinetic attack because cyberspace does not follow national borders, and both incidents showed that more security measures were needed. 3) Both exploited vulnerabilities the defenders had not closed. Stuxnet combined extensive reconnaissance with several zero-day vulnerabilities in Windows and weaknesses in the Siemens Step7/WinCC software to reach the S7-300 PLCs inside the facility. In Solar Sunrise, the hackers Makaveli and Stimpy (guided by The Analyzer) found and exploited an unpatched Solaris vulnerability in DoD systems before the DoD was even aware it was being attacked.
Describe three differences between semi-targeted attacks and focused attacks
1) Semi-targeted attacks aim generally at a goal (e.g. stealing bank account information from whoever falls for them), while focused attacks aim at one specific goal (e.g. stealing one specific individual's bank information). 2) Semi-targeted attacks use phishing; focused attacks use spear phishing. 3) Semi-targeted attacks are simple to moderately sophisticated; focused attacks are highly sophisticated.
List three different types of malicious actors (aka cyber adversaries).
1. Nation-states 2. Business competitors 3. Ideologically motivated hacktivists
According to the U.S. Department of Justice indictment, what Chinese unit was involved?
Unit 61398 of the People's Liberation Army (PLA)
Offensive information operations
Actions taken to deny, exploit, corrupt, or destroy an adversary's info or info functions
Defensive information operations
Actions taken to protect your own information and information systems from an adversary's attempts to deny, exploit, corrupt, or destroy them
Stakkato
Attacks launched from Sweden (Uppsala University) by a 16-year-old, Philip Gabriel Pettersson; 5 felony charges (victims: NASA, Cisco, Stanford, California Institute of Technology, San Diego Supercomputer Center)
FOXACID
NSA exploit-server system with automated decision making: it selects the exploit ("weapon") for a target based on the value of the target, the likelihood of detection, and the nature of the target's defenses
Strategic Web Compromises
Basically a watering-hole attack. Attackers compromise a website that members of the target organization frequent, plant malware on it, and let it lie dormant until a member of the target visits, at which point the targeted system is infected.
Why are zero day exploits often associated with advanced persistent threat (APT)?
Because an APT is pursuing one or a few specific targets over a long period, it ideally wants an exploit the software vendor does not yet know about: a zero-day. Nothing the target has patched or written signatures for will catch it, so the intrusion can stay secret and the same capability remains usable for future operations. A zero-day also gives the attacker the whole window of vulnerability: they can remain in the system until the vendor produces a patch and the target installs it. Even then some residual risk remains until every needed patch is installed on every affected system.
Which members of C-suite are responsible for planning operations and campaigns to defend against this level of cyber operations?
CIO, CISO
Semi-targeted attack
Category 2 of attacks: seeks to infiltrate a specific organization or type of target, often through email phishing
DID
Defense In Depth
US Cyber Command (USCYBERCOM)
The DoD's organizational response to cyberspace as a new domain, created to manage cyberspace risk
two differences between recon and scanning
1) Reconnaissance looks at more than just the system: the attacker learns the target's structure (who has access to what) and gathers social-engineering material so the attack can be delivered in the most effective way, whereas scanning only probes the target's network and computer systems for technical weaknesses (vulnerabilities). 2) Reconnaissance is largely passive research; scanning is active and touches the target's systems directly.
Solar Sunrise
February 1998 attack on DoD systems (including Air Force). Carried out by two California teenagers (Makaveli and Stimpy) and an Israeli hacker known as The Analyzer. No significant damage, but it showed that cyber attacks respect no national boundaries.
Titan Rain
Discovered in 2005 after running for about two years. Attacks from Chinese web servers (unclear whether sponsored by the Chinese government) into DoD and other agency networks; seen as a continuation of the pattern set by Solar Sunrise (SS) and Moonlight Maze (MM).
Traditional Kill Chain
Find, Fix, Track, Target, Engage, Assess (F2T2EA)
Operation Aurora
Hack against Google. Steps: 1) social engineering tricked a victim at the targeted company into visiting a website; 2) the website contained malicious code that installed malware on the victim's computer; 3) the malware connected to a command-and-control (C2) server; 4) the attackers gained admin access using password-cracking techniques; 5) they accessed the company's Virtual Private Network (VPN); 6) they stole sensitive information.
Insider threats
Have the most power, can avoid detection, and already know their way around the system (~40%)
Entity types
In Semantical Pro, person and vehicle are ________
Mandiant
In reference to the U.S. Department of Justice indictment, what cyber security company identified the adversary who allegedly conducted cyber espionage?
Deliver
In the cyber kill chain, what phase can take weeks, months, or years, after the Weaponize phase?
Information Warfare
Info operations conducted during a time of crisis or conflict to achieve specific objectives
Three reasons why understanding geo-political situations are important in cyber security
1) It can reveal the motivations behind an attack. 2) It can give insight into who the adversary is. 3) It helps in understanding which groups or states have the capability to carry out a specific attack, and how a country is likely to retaliate (with conventional force or with a cyber attack of its own).
What does the Strategic Cyber Intel level do?
It deals with security objectives and guidance and develops the resources to reach those goals
What does the Tactical Cyber Intel level do?
It focuses on the ordered arrangement and maneuver of combat elements in relation to each other and to the enemy in order to achieve combat objectives.
Why is cyber warfare at a turning point?
It is at a turning point because cyber attacks have started to have physical ramifications. Attacks through computers are increasingly dangerous for average citizens, not just for the targeted company.
What does the Operational Cyber Intel level do?
It plans major campaigns and operations that achieve the goals set at the strategic level
Who is Kevin Mitnick? Why did he say that it is harder to play defense than offense?
Kevin Mitnick is a widely known hacker, famous for manipulating the telephone network and for social engineering. He says it is harder to play defense than offense because the defender has to find and plug EVERY possible hole in the network to keep it safe, while the attacker only has to get lucky (find one hole) ONE time to get in.
Four Traditional Domains
Land, Sea, Air, Space
Describe the difference between manufacturing controls and process controls
Manufacturing controls are often shut down at night and can be updated then. Process controls (chemical plants, refineries, etc.) are often not shut off for years; when they are, it is only for a few days, and only the updates that fit into those few days get done. Process controls are critical infrastructure.
Moonlight Maze
Discovered March 1998. Reconnaissance and infiltration of computer systems owned and operated by government agencies, universities, and research labs. Thought to be connected with Russia. Demonstrated the difficulty of attributing attacks to their original source.
Do attackers generally have any contact with the target environment during the weaponize phase?
No
In your own words, describe two differences between Moonlight Maze and Honker Union.
One difference is attribution: Moonlight Maze has never been fully attributed to a specific group, although it is thought to be connected with Russia, whereas Honker Union is a known group of Chinese hackers. Another difference is the objective: Moonlight Maze was aimed at stealing files, while Honker Union (per the course material) aimed to infect machines and disrupt the Internet through the SQL Slammer worm.
Honker Union
Organized group of Chinese hackers that wages attacks on those whose views and actions go against the Chinese government. Attacks: SQL Slammer, the Tibetan writer Tsering Woeser, Japanese territorial disputes
Poison Ivy
RAT released in 2005, often used by script kiddies. Lets the operator retain control of infected systems: keystroke logging, screen capture, file scanning and exfiltration, relaying of traffic destined for other systems. A FireEye report details how to detect it, with an accompanying toolset named Calamine.
Cyber Kill Chain
Reconnaissance, Weaponize, Deliver, Exploit, Install, Command and Control, Act on Objectives
SOC
Security Operation Center
Careto
Spanish for "Mask" (also called "The Mask"); operating since 2007; state-sponsored; one of the most advanced APTs known at the time it was discovered (2014)
TTP
Tactics, Techniques, Procedures
Flame
Targeted Windows systems; reported to be a US-Israeli effort; about 1,000 systems in the Middle East (highly targeted)
Darknet
Onion routing, the basis of Tor (The Onion Router), was developed by the US Naval Research Laboratory for anonymous communication; the same anonymity lets users reach darknet sites without being identified. On the darknet, selling zero-day vulnerabilities is a business.
How is the Hacker Life Cycle, Cyber Kill Chain, and Course of Action Matrix related?
The cyber kill chain is derived from, and builds on, the hacker life cycle. The course of action matrix is in turn built on the cyber kill chain: for each phase it lays out how a potential target should respond to the adversary.
Man in the Middle attack
The attacker inserts themselves between the PLC and the human-machine interface (HMI). They feed the HMI readings that say the PLC is operating normally, while the PLC is actually under attack and its logic or process values have been changed.
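Added example (not from the course material): a small C simulation of the PLC/HMI man-in-the-middle described above, together with two checks an operator could run against it. The attacker records one healthy reading from the PLC and replays it to the HMI while the PLC is driven off-nominal. The 1064 Hz nominal speed, the poll count, the 30% overspeed and the jitter model are illustrative assumptions, not figures from the course.

```c
#include <stdio.h>

/*
 * Added example, not course material: simulation of a man-in-the-middle
 * between a PLC and the operator's HMI.  All numbers are assumptions.
 */

#define POLLS       8
#define NOMINAL_HZ  1064.0
#define TAKEOVER    2      /* poll at which the attacker starts relaying */
#define SABOTAGE    3      /* poll from which the PLC actually overspeeds */

typedef struct { double actual_hz; } plc_t;

/* Honest reading: the true speed plus a little sensor jitter
 * (deterministic here so the run is reproducible). */
static double plc_report(const plc_t *plc, int poll) {
    return plc->actual_hz + 0.1 * (poll % 3) - 0.1;
}

/* Attacker in the middle: captures the first reading it sees, then
 * returns that same value forever, whatever the PLC is really doing. */
typedef struct { int recorded; double replay_hz; } mitm_t;

static double mitm_relay(mitm_t *m, double real_reading) {
    if (!m->recorded) {
        m->replay_hz = real_reading;
        m->recorded = 1;
    }
    return m->replay_hz;
}

/* Runs the scenario.  hmi_seen[] is what the operator's screen shows,
 * truth[] is what the PLC really reports before the attacker rewrites it. */
void run_scenario(double hmi_seen[POLLS], double truth[POLLS]) {
    plc_t plc = { NOMINAL_HZ };
    mitm_t mitm = { 0, 0.0 };
    for (int i = 0; i < POLLS; i++) {
        if (i >= SABOTAGE)
            plc.actual_hz = NOMINAL_HZ * 1.3;        /* the attack's physical effect */
        truth[i] = plc_report(&plc, i);
        hmi_seen[i] = (i >= TAKEOVER) ? mitm_relay(&mitm, truth[i]) : truth[i];
    }
}

static double absd(double x) { return x < 0 ? -x : x; }

/* Check 1, frozen value: real sensors jitter, a replayed value does not.
 * Returns 1 if all n readings are equal to within eps. */
int frozen_value(const double *readings, int n, double eps) {
    for (int i = 1; i < n; i++)
        if (absd(readings[i] - readings[0]) > eps)
            return 0;
    return n >= 2;
}

/* Check 2, out-of-band cross-check: compare the HMI value with an
 * independent sensor the attacker does not sit in front of (e.g. a
 * separate power meter).  Returns 1 if they disagree by more than tol. */
int cross_check(double hmi_hz, double independent_hz, double tol) {
    return absd(hmi_hz - independent_hz) > tol;
}

int main(void) {
    double hmi[POLLS], truth[POLLS];
    run_scenario(hmi, truth);
    for (int i = 0; i < POLLS; i++)
        printf("poll %d  HMI shows %7.1f Hz  PLC actually %7.1f Hz  %s\n",
               i, hmi[i], truth[i],
               cross_check(hmi[i], truth[i], 5.0) ? "MISMATCH" : "ok");
    printf("HMI channel frozen since takeover: %s\n",
           frozen_value(hmi + TAKEOVER, POLLS - TAKEOVER, 1e-9) ? "yes" : "no");
    return 0;
}
```

The point of the two checks: a replay attack fools any check that only looks at the value on the HMI (the replayed number is a perfectly plausible one), so detection has to come from either the statistics of the channel (a sensor that never jitters is suspicious) or from a second measurement path the attacker does not control.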
What is the source of the name: Solar Sunrise?
The name comes from the Sun Solaris operating system that the attacked systems were running
DMZ
The buffer zone between the business (enterprise) network and the control-systems network
Malware
Gives the attack process a standardized, reusable tool. For example, the attacker might install a RAT to gain permanent access to a system so it can be exploited in the future.
Pivot Attack
The attacker first compromises one machine, which by itself may not be worth much, then uses it as a foothold to reach a more important machine elsewhere on the network, and keeps pivoting from machine to machine until reaching the real target
Duqu
Worm (2011), seen as the precursor to the "next Stuxnet". Written by the Stuxnet authors or by someone who had their source code. Targeted information about ICS.
SQL Slammer
Worm attributed to Honker Union; attacked Microsoft SQL Server 2000 (buffer overflow in the SQL Server Resolution Service, UDP port 1434)
Offensive
Would you classify the Stuxnet cyber attack as offensive or defensive information operation?
Botnet
a large collection of bots executing the same commands simultaneously
Bot
a system under control of a C2 server
Military deception
actions designed to mislead adversary forces about operational capabilities, plans, and actions
Computer Network Defense (CND)
activities designed to protect, monitor, analyze, detect, and respond to unauthorized activity in friendly information systems and networks
IT needs of Process controls
availability, integrity, confidentiality (in priority order)
White-Hat Hackers
benevolent security practitioners who use hacking skills for good purposes with permission
Opportunistic Attack
Category 1 of attacks: a brute-force, high-volume approach that hits millions of systems and exploits whichever ones succumb, usually for financial gain; not sophisticated; uses mass phishing
Focused Attack
Category 3 of attacks: seeks to compromise a specific system or individual user; uses spear phishing; the APT model
Ontology
concepts describing a domain (universe of investigation), a logical order for how information and data will fit together, categories for sorting, organizing and content addition of information and data.
IT needs of business network
confidentiality, integrity, availability (in priority order)
Operations Security (OPSEC)
designed to deny an adversary access to information about friendly forces that would reveal capabilities, plans, or actions
Script Kiddies
download exploit scripts written by others and run them against a chosen target system without any real understanding of the technical details behind the attack
Eligible Receiver
1997 no-notice DoD exercise (Eligible Receiver 97), the first major cyberwarfare exercise, in which an NSA red team using publicly available tools penetrated DoD networks; it revealed weaknesses in the US military's ability to detect and defend against cyber attacks
Buffer overflow
occurs when a program writes more data into a fixed-size buffer than the buffer can hold, so the excess overwrites adjacent memory (other variables, return addresses, control data); attackers craft the overflowing input to hijack the program.
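Added example (not from the course material): the buffer overflow shown on a simulated memory region in C, with the vulnerable copy beside a hardened one. The region models a 16-byte input buffer that is immediately followed by a 4-byte value the program trusts (an "is_admin" flag), the adjacency that stack and struct overflows abuse; doing the copy into one flat byte array keeps the demo well-defined C while showing the real effect, namely that bytes written past the buffer's end land in the flag. BUF_SIZE, the flag layout and the function names are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not course material: a buffer overflow on a simulated
 * memory region.  Layout and sizes are assumptions for the demo.
 */

#define BUF_SIZE 16
#define REGION_SIZE (BUF_SIZE + 4)

struct region {
    unsigned char bytes[REGION_SIZE]; /* [0..15] input buffer, [16..19] trusted flag */
};

static void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);           /* flag starts at 0: not admin */
}

static uint32_t region_flag(const struct region *r) {
    uint32_t flag;
    memcpy(&flag, r->bytes + BUF_SIZE, sizeof flag);
    return flag;
}

/* Vulnerable: copies the whole input into the buffer with no check against
 * BUF_SIZE (the classic strcpy/memcpy mistake).  Returns the trusted flag
 * after the copy; anything nonzero means the overflow reached it. */
uint32_t vulnerable_copy(const char *input) {
    struct region r;
    region_init(&r);
    size_t n = strlen(input);
    if (n > REGION_SIZE) n = REGION_SIZE;            /* keeps the demo inside the array */
    memcpy(r.bytes, input, n);                       /* BUG: bound is the region, not the buffer */
    return region_flag(&r);
}

/* Hardened: refuses input that does not fit in the buffer together with
 * its terminating NUL.  Returns -1 on rejection, otherwise the flag
 * (which stays 0 because nothing can be written past the buffer). */
int safe_copy(const char *input) {
    struct region r;
    region_init(&r);
    size_t n = strlen(input);
    if (n >= BUF_SIZE)                               /* need room for the NUL terminator */
        return -1;
    memcpy(r.bytes, input, n + 1);
    return (int)region_flag(&r);
}

int main(void) {
    const char *benign = "user42";
    const char *attack = "AAAAAAAAAAAAAAAAAA";      /* 18 bytes: 2 land in the flag */
    printf("vulnerable  benign -> flag 0x%08x\n", (unsigned)vulnerable_copy(benign));
    printf("vulnerable  attack -> flag 0x%08x\n", (unsigned)vulnerable_copy(attack));
    printf("hardened    benign -> %d\n", safe_copy(benign));
    printf("hardened    attack -> %d (rejected)\n", safe_copy(attack));
    return 0;
}
```

With the 18-byte input the two extra 'A' bytes overwrite the low bytes of the flag, turning "not admin" into a nonzero value without the program ever intending to touch that variable; the hardened version never gets that far because it checks the length against the buffer, not against whatever memory happens to follow it.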
Gray-Hat Hackers
have seemingly noble purposes but do not have permission for the hacking they do
Code Red
infected more than 350,000 computers worldwide in a single day (July 2001), all running Microsoft's Internet Information Server (IIS); used a buffer overflow technique
Remote access trojan (RAT)
install to gain permanent access to a system so that it might be exploited in the future
IT needs of Manufacturing controls
integrity, availability, confidentiality (in priority order)
Advanced persistent Threat (APT)
make use of advanced technologies, select specific targets, and then remain focused on those targets until they achieve victory
Worm
malicious software that quickly spreads between vulnerable computer systems
Senior Suter
Airborne network-attack program managed by an Air Force unit known as Big Safari; three versions were fielded for use
Psychological Operations (PSYOPs)
operations planned to convey selected info and indicators to foreign governments, organizations, groups, etc in order to influence their emotions, motives, objective reasoning, and behavior.
zero-day vulnerability
refers to a hole in software that is unknown to the vendor. Hackers exploit the hole before the vendor becomes aware of it and hurries to fix it; such an exploit is called a zero-day attack
Information operations
term used to describe the many ways that information affects military operations
window of vulnerability
the time between when a new vulnerability is discovered and when a patch is released (and, for a particular system, actually installed)
Computer Network Attack (CNA)
type of offensive information operations action taken through the use of computer networks to disrupt, deny, degrade, or destroy adversary info
Black-Hat Hackers
use skills for malicious intent
Computer Network Exploitation (CNE)
uses the capabilities of CNA to gain access to information systems and then infects them with malicious software designed to steal sensitive information
Characteristics of the APT
• Sophisticated technical tools • Use of social engineering • Clear, defined objectives • Financial and human resources • Organization and discipline