Cyber Operations ch 1,5,7


In your own words, describe three similarities between Solar Sunrise attack and Stuxnet.

1) In both cases, the attack was a targeted, focused attack. The Solar Sunrise attacks were aimed specifically at Air Force systems and the Stuxnet attacks were aimed at the PLC in the Iranian nuclear facility in Natanz. 2) In both cases, the attackers were hard to track because they routed their attack via many different countries. This shows that the domain of the attack is a lot harder to pin down than a traditional kinetic attack because cyberspace isn't as clearly defined as traditional country borders. This showed (in both cases) that more security measures were needed. 3) Both attacks exploited a zero-day vulnerability. In Stuxnet, extensive recon and scanning were done to find the holes in the Siemens F-7300 PLC in order to successfully infiltrate the nuclear facility. In Solar Sunrise, the hackers Mac and Stimpy (and the Analyzer) found the holes in the DoD system and exploited them before the DoD was even aware of the holes.

Describe three differences between semi-targeted attacks and focused attacks

1) Semi-targeted attacks are aimed generally at achieving a goal (i.e. stealing bank account information) but focused attacks are aimed specifically at achieving one goal (i.e. stealing one specific individual's bank info). 2) Semi-targeted attacks use phishing and focused attacks use spear phishing. 3) Semi-targeted attacks are simple/moderately sophisticated and focused attacks are highly sophisticated.

List three different types of malicious actors (aka cyber adversaries).

1. Nation-States 2. business competitor 3. ideologically motivated hacktivists

According to the U.S. Department of Justice indictment, what Chinese unit was involved?

61398

Offensive information operations

Actions taken to deny, exploit, corrupt, or destroy an adversary's info or info functions

Defensive information operations

Actions taken to protect your own information and information systems from an adversary's attempt to deny, exploit, corrupt, or destroy them

Stakkato

Attacks from Sweden's University of Uppsala; 16-year-old named Philip Gabriel Pettersson; 5 felony charges (NASA, Cisco, Stanford, Cali Institute of Tech, San Diego Supercomputer Center)

FOXACID

Automated Decision making to select weapons based upon the value of the target, likelihood of detection, and nature of defenses

Strategic Web Compromises

Basically a watering hole. It occurs when attackers compromise a website that is frequented by members of the target organization. They install malware and stay dormant until the target logs on, and then they infect the targeted system.

Why are zero day exploits often associated with advanced persistent threat (APT)?

Because an adversary is targeting a specific target (or many specific targets), they ideally want to utilize a zero-day attack, because even the software company does not know about the vulnerability in the system. This allows the hacker to keep the APT a secret from the system and be ready for future attacks as well. In addition, a zero-day exploit takes advantage of the window of vulnerability, which allows the hacker to be in the system until a patch is found and installed onto the system. However, some residual risk still remains until every needed patch is installed on the system.

Which members of C-suite are responsible for planning operations and campaigns to defend against this level of cyber operations?

CIO, CISO

Semi-targeted attack

Category 2 of attacks; seeks to infiltrate a specific organization or type of target, often through email phishing

DID

Defense In Depth

US Cyber Command (USCYBERCOM)

DoD's reaction to the new cyber domain, created to manage cyberspace risk

Two differences between recon and scanning

During the recon phase, the hacker is looking at more than just the system. They are understanding the structure of the targets (who has access to what) and they understand the social engineering, so that they can deliver the attack in the most effective way. However, the scanning phase only scans for vulnerabilities in the target's network and computer systems to find the technical weaknesses; this is more active research than the passive research of the recon phase.

Solar Sunrise

February 1998 attack on DoD (Air Force); Stimpy and Mak and The Analyzer; Israeli-based attack; no significant damage, but showed that cyber hacks have no boundary

Titan Rain

Figured out in 2005, had been going on for 2 years; attack from Chinese web servers (unclear if it was sponsored by the Chinese government) into DoD and other agencies; continued work of SS and MM

Traditional Kill Chain

Find, Fix, Track, Target, Engage, Assess (F2T2EA)

Operation Aurora

Hack against Google; used social engineering to trick a victim at the targeted company into visiting a site; website contained malicious code that installed malware on the computer; connected to C2; gained admin access; used password cracking techniques; accessed the company's Virtual Private Network (VPN); stole sensitive info

Insider threats

Have the most power, avoid detection, know their way around a system (~40%)

Entity types

In Semantical Pro, person and vehicle are ________

Mandiant

In reference to the U.S. Department of Justice indictment, what cyber security company identified the adversary who allegedly conducted cyber espionage?

Deliver

In the cyber kill chain, what phase can take weeks, months, or years, after the Weaponize phase?

Information Warfare

Info operations conducted during a time of crisis or conflict to achieve specific objectives

Three reasons why understanding geo-political situations is important in cyber security

It can give motivations behind an attack. It can give insight into who the adversary is. It can help to understand which groups or states have the capabilities to utilize a specific attack, or how a country will retaliate (either with conventional force or use of a cyber attack).

What does the Strategic Cyber Intel level do?

It deals with security objectives and guidance and develops the resources to reach those goals

What does the Tactical Cyber Intel level do?

It focuses on the ordered arrangement and maneuver of combat elements in relation to each other and to the enemy to achieve combat objectives.

Why is cyber warfare at a turning point?

It is at a turning point because it has now started to have physical ramifications. Attacks through computers are increasingly dangerous for average citizens, and not just the targeted company.

What does the Operational Cyber Intel level do?

It plans major campaigns and operations to achieve the strategic level

Who is Kevin Mitnick? Why did he say that it is harder to play defense than offense?

Kevin Mitnick is a widely known hacker, who is known for manipulating the telephone network. He says it is harder to play defense than offense because when playing defense, you have to find and plug EVERY possible hole in your network in order to keep your network safe. To play offense, you only have to get lucky (find a hole in the network) ONE time to hack and get into the network.

Four Traditional Domains

Land, Sea, Air, Space

Describe the difference between manufacturing and process controls

Manufacturing controls are often shut down at night and can be updated at that time. However, process controls (chemical plants etc.) are often not shut off for years, and then only for a few days, and only the updates that can be done in those few days are completed. Process controls are critical infrastructure.

Moonlight Maze

March 1998; recon and infiltration of computer systems owned and operated by government agencies, universities, and research labs; thought to be connected with Russia; demonstrated the difficulty of attributing attacks to their original source

Do attackers generally have any contact with the target environment during the weaponize phase?

No

In your own words, describe two differences between Moonlight Maze and Honker Union.

One difference between Moonlight Maze and Honker Union is that Moonlight Maze is an attack that hasn't been fully attributed to a specific group, although it is thought to be related to Russia, while Honker Union is a known group of Chinese hackers. Another difference is that Moonlight Maze was aimed at stealing files, but Honker Union aimed to infect and break down the Internet through the SQL Slammer.

Honker Union

Organized group of Chinese hackers who wage attacks against those whose views and actions are against the Chinese government. Attacks: SQL Slammer, Tibetan Tsering Woeser, Japanese territorial disputes

Poison Ivy

RAT released in 2005, often used by Script Kiddies; allows the user to retain control of infected systems; keystroke logging, screen capture capability, file scanning and exfiltration, relaying of traffic destined for other systems; report detailing how to notice it: Calamine

Cyber Kill Chain

Reconnaissance, Weaponize, Deliver, Exploit, Install, Command and Control, Act on Objectives

SOC

Security Operation Center

Careto

Spanish meaning "Mask"; operating since 2007; state-sponsored; one of the most advanced APTs at the current time

TTP

Tactics, Techniques, Procedures

Flame

Targeted Windows; US-Israeli effort; 1000 systems in the Middle East (highly targeted)

Darknet

The US Navy designed an onion router (TOR) to be able to explore and gain access into the darknet without being discovered. Selling zero-day vulnerabilities is a business.

How is the Hacker Life Cycle, Cyber Kill Chain, and Course of Action Matrix related?

The cyber kill chain is created by using and understanding the hacker life cycle. It builds off of the hacker life cycle. The course of action matrix is built from the cyber kill chain to determine how possible future targets should react to an adversary.

Man in the Middle attack

The hacker breaks into the link between the PLC and the human interface. They send a signal to the human interface that the PLC is working correctly, but the PLC is actually being attacked and has changed in some way.

What is the source of the name: Solar Sunrise?

The source of the name Solar Sunrise comes from the operating system called Sun Solaris that was targeted in the attack

DMZ

The space between the business network and the systems network

Malware

This helps standardize the attack process. The attacker might install a RAT to gain permanent access to that system so it can be exploited in the future.

Pivot Attack

When somebody attacks, they attack at one level and get into that machine; that specific machine might not be worth much, but then they pivot to a more important machine somewhere else and continue pivoting until they reach their target

Duqu

Worm; precursor to the next Stuxnet; written by the same authors as Stuxnet or someone who had it; targeted ICS

SQL Slammer

Worm by Honker Union against Microsoft SQL Server 2000

Offensive

Would you classify the Stuxnet cyber attack as offensive or defensive information operation?

Botnet

a large collection of bots executing the same commands simultaneously

Bot

a system under control of a C2 server

Military deceptions

actions designed to mislead adversary forces about operational capabilities, plans, and actions

Computer Network Defense (CND)

activities designed to protect, monitor, analyze, detect, and respond to unauthorized activity in friendly information systems and networks

IT needs of Process controls

availability, integrity, confidentiality

White-Hat Hackers

benevolent security practitioners who use hacking skills for good purposes with permission

Opportunistic Attack

Category 1 of attacks; uses a brute-force approach to attack millions and exploit a system for financial gain; not sophisticated; phishing

Focused Attack

Category 3 of attacks; spear phishing; seeks to compromise a specific system or individual user; APT

Ontology

concepts describing a domain (universe of investigation), a logical order for how information and data will fit together, categories for sorting, organizing and content addition of information and data.

IT needs of business network

confidentiality, integrity, availability

Operations Security (OPSEC)

designed to deny an adversary access to information about friendly forces that would reveal capabilities, plans, or actions

Script Kiddies

download exploit scripts written by others and run them against chosen target systems without a real understanding of the technical details behind the attack

Eligible Receiver

first major cyberwarfare attack that took place in the 1990s; revealed weaknesses in the US military's ability to detect and defend against cyber attacks

Buffer overflow

forces applications to write more data to an area of memory than has been set aside for it.

Gray-Hat Hackers

have seemingly noble purposes but don't have permission to be hacking

Code Red

infected more than 350,000 computers in the world in one day running Microsoft's Internet Information Server (IIS); used a buffer overflow technique

Remote access trojan (RAT)

installed to gain permanent access to a system so that it might be exploited in the future

IT needs of Manufacturing controls

integrity, availability, confidentiality

Advanced persistent Threat (APT)

make use of advanced technologies, select specific targets, and then remain focused on those targets until they achieve victory

Worm

malicious software that quickly spreads between vulnerable computer systems

Senior Suter

managed by an Air Force unit known as Big Safari; three versions for use

Psychological Operations (PSYOPs)

operations planned to convey selected info and indicators to foreign governments, organizations, groups, etc in order to influence their emotions, motives, objective reasoning, and behavior.

zero-day vulnerability

refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack

Information operations

term used to describe the many ways that information affects military operations

window of vulnerability

the time between when a new vulnerability is discovered and a patch is released

Computer Network Attack (CNA)

type of offensive information operations action taken through the use of computer networks to disrupt, deny, degrade, or destroy adversary info

Black-Hat Hackers

use skills for malicious intent

Computer Network Exploitation (CNE)

uses the capabilities of CNA to gain access to information systems and then infects them with malicious software designed to steal sensitive information

Characteristics of the APT

• Sophisticated technical tools
• Use of social engineering
• Clear, defined objectives
• Financial and human resources
• Organization and discipline

