
Posts by RichardKaplan:
Offensive cyber operations
December 28th, 2014
By Richard Kaplan.
An Overview of the Intricacies and Multifaceted Dimensions of Offensive Cyber Operations
In the past several weeks there have been numerous stories in the press regarding hacking incidents against major newspapers in the United States that have been attributed to the People’s Republic of China. These incidents follow closely on other reports of hacking incidents against U.S. financial institutions that were attributed to the Islamic Republic of Iran.
The purpose of this paper is to serve as a short primer on the “Intricacies and Multifaceted Dimensions of Offensive Cyber Operations.” In the paragraphs that follow, I will attempt to provide the reader with some basic information on offensive cyber techniques, so that readers have a better understanding of the technology and practices that our adversaries are employing to obtain data from U.S. computer information systems.
Within the global community there are two major “Hacker Groups.” The first are independent hackers, usually young, disenfranchised youths who conduct computer intrusions as sport. The second, and the most dangerous to the national security of the United States, are the “State Sponsored Hackers,” such as those from the People’s Republic of China and the Islamic Republic of Iran. On any given day, State Sponsored Hackers conduct tens of thousands of “probes and scans” of U.S. Federal Government and commercial websites looking for system vulnerabilities.
Their aim in this regard is to gain access to sensitive information on national defense and critical technology subjects. To understand the finer points of these offensive cyber activities: a “scan” is an evaluation of a computer system in which an adversary looks for system vulnerabilities, and a “probe” is an actual attempt by an adversary to gain access to a computer system once a vulnerability has been discovered.
On any given day, U.S. Government computer systems, especially those of the Department of Defense and defense contractors, are subjected to hundreds of thousands of scans and probes by foreign entities, individual hackers, hacker groups, and information brokers. The Department of Defense, like most private sector organizations, affords varying degrees of computer network protection to its categories of information systems.
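As an added illustration of the scan/probe distinction described above (example code written for this page, not the author’s own), the following Python script classifies constructed firewall log lines: a source that touches at least five distinct destination ports within a sixty-second window is marked as scanning, and a scanning source that then repeatedly makes accepted connections to one of the ports it enumerated is marked as probing. The log format, the thresholds, and the addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample firewall log (not from the post). 203.0.113.7 enumerates
# ports, finds 22 open, and later comes back to it; 192.0.2.10 is an ordinary
# HTTPS client. 198.51.100.5 is the monitored host.
SAMPLE_LOG = """\
2014-12-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=21
2014-12-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.5 dport=23
2014-12-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.5 dport=25
2014-12-01T10:00:02 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
2014-12-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=445
2014-12-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2014-12-01T10:00:04 DENY src=203.0.113.7 dst=198.51.100.5 dport=8080
2014-12-01T10:02:00 ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=443
2014-12-01T10:02:30 ACCEPT src=192.0.2.10 dst=198.51.100.5 dport=443
2014-12-01T10:05:10 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
2014-12-01T10:05:14 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
2014-12-01T10:05:19 ACCEPT src=203.0.113.7 dst=198.51.100.5 dport=22
"""

# Assumed log line layout: "<iso timestamp> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Turn log lines into event dicts, skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dport": int(m["dport"]),
        })
    return events


def classify_sources(events, scan_ports=5, window_seconds=60, probe_min=3):
    """Return {src: {"verdict", "scanned_ports", "probe_port"}} for every source.

    verdict is "scan" when the source touched >= scan_ports distinct ports within
    window_seconds, "probe" when it afterwards made >= probe_min accepted
    connections to one of the ports it enumerated, and "normal" otherwise.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()            # (ts, dport) pairs inside the sliding window
        scanned = set()             # ports touched while the scan was in progress
        scan_seen_at = None
        accepted_after_scan = Counter()

        for ev in evs:
            recent.append((ev["ts"], ev["dport"]))
            while (ev["ts"] - recent[0][0]).total_seconds() > window_seconds:
                recent.popleft()
            if scan_seen_at is None:
                if len({p for _, p in recent}) >= scan_ports:
                    scan_seen_at = ev["ts"]
                    scanned = {p for _, p in recent}
            else:
                # Ports touched shortly after detection still belong to the scan.
                if (ev["ts"] - scan_seen_at).total_seconds() <= window_seconds:
                    scanned.add(ev["dport"])
                # Accepted connections to an enumerated port are access attempts.
                if ev["action"] == "ACCEPT" and ev["dport"] in scanned:
                    accepted_after_scan[ev["dport"]] += 1

        probe_port = None
        if accepted_after_scan:
            port, count = accepted_after_scan.most_common(1)[0]
            if count >= probe_min:
                probe_port = port
        verdict = "probe" if probe_port else "scan" if scan_seen_at else "normal"
        report[src] = {
            "verdict": verdict,
            "scanned_ports": sorted(scanned),
            "probe_port": probe_port,
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_firewall_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately simple; in a real IDS they would be tuned per network, and the “probe” verdict would be cross-checked against the application log of the accepted service (for example, authentication failures on port 22) rather than inferred from the firewall alone.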
At the present time, the Department of Defense maintains three distinct computer information systems. The first is for unclassified information, the second is for information classified as secret, and the third is for information classified as top secret and above. Department of Defense unclassified computer systems are, out of necessity, connected to the Internet. These are systems that deal with logistics and personnel related information that need to interface with non-Department of Defense information systems.
Neither the secret nor the top secret computer system is linked to the Internet; therefore there is less chance that unauthorized users can gain access to these sensitive categories of information. The only caveat is that, out of operational necessity, the secret and top secret systems that contain our nation’s most sensitive information have what are known as Secret and Below Interoperability (SABI) connections, which are essentially bridges to the unclassified Internet. The one and only time that the two Department of Defense classified systems were ever compromised was when the “I Love You” virus found a SABI connection and infected one classified system.
Of course, classified systems are always subject to what is commonly referred to as the “Insider Threat,” such as the actions of PFC Bradley Manning, who downloaded data from a computer system containing secret information and then passed that data on to WikiLeaks. In the last several years the U.S. Intelligence Community has taken measures to try to eliminate the “Insider Threat” by making it difficult to download data from classified systems. Unfortunately, the Army failed to install these secure systems, with non-write CD-ROM capability, in Iraq.
In order to place this discussion in proper perspective, the Internet is the “Information Super Highway” by which computer network intruders gain access to both government and private sector computer systems. Once an adversary discovers a system vulnerability, they can usually bypass the Intrusion Detection Sensors (IDS) and the “System Firewall” to gain entrance into a computer system. Once inside, the intruder can conduct a number of activities that range from defacing a website, to conducting computer network exploitation, to removing data from the system. Such activities have occurred on both commercial and government computer systems.
The ability of an unauthorized user to gain access to a computer system is wholly dependent upon the cyber security devices that are installed on a given system. Those computer systems that employ a mix of IDS sensors will observe more offensive cyber scans and probes, and be able to take immediate measures to protect the security of their computer systems. These actions also include employing the latest firewall and IDS technology.
For U.S. financial institutions and other sectors of the U.S. National Critical Infrastructure, these institutions most often maintain an Intranet for the exchange of sensitive information. A company Intranet would not be linked to the Internet, therefore, it would be almost impossible for an intruder to gain access to a closed system. Financial institutions that do maintain a presence on the Internet for such activities as customer online banking, maintain redundant, or backup systems in the event of an unauthorized intrusion.
This is to ensure that customer accounts are not subject to the unauthorized removal of funds. Computer systems that are vital to the operations of the U.S. National Critical Infrastructure, in addition to financial institutions, including electric power generation facilities, dams, hydroelectric facilities, communications, air traffic control, and a multitude of other critical assets, are controlled by Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are independently controlled “stand alone” computer systems that, once again, are not linked to the Internet, so there is no opportunity for unauthorized users to gain access to these critical operating systems.
Given the recent series of cyber intrusions by “State Sponsored Hackers,” I must relay the fact that the United States is not defenseless against foreign offensive cyber operations. Since the invention of DARPA Net, which is also considered to be the birth of the Internet, the U.S. Government has been actively engaged in developing protective tools and methods for responding to the hacker threat. For years this responsibility fell to the National Security Agency.
Today, this responsibility falls to the United States Cyber Command, which is collocated with the National Security Agency at Fort Meade, Maryland. In addition, each military service also maintains its own Cyber Operations and Computer Emergency Response Team (CERT) capability. For departments and agencies outside of the Department of Defense, the monitoring and protection of those computer networks falls to the Federal Computer Emergency Response Team (FEDCERT).
For the private sector, in the event of attempted foreign cyber intrusions, that information is passed up to the FEDCERT for action. In addition to monitoring the security of computer networks, the U.S. Cyber Command and the various CERTs employ preventive measures to maintain the security of computer networks. These activities include constant monitoring and evaluation of the tactics, techniques, and procedures employed by adversaries to gain access to U.S. computer networks.
This also includes a review of a majority of scans and probes of critical networks to determine foreign intentions. When new tools and software have been employed by an adversary, the U.S. develops “Patches” for employment to safeguard networks. In addition, the U.S. Cyber Command and the military service cyber elements constantly conduct “Vulnerability Assessments.” These are accomplished in the form of “Penetration Testing,” where certain tools are employed to test the operational security of a computer network.
In addition, “Red Teaming” techniques are also employed. In this procedure, U.S. cyber security specialists use adversarial hacking tools previously employed against U.S. computer systems to once again test the operational security of a computer network. In the event of a computer intrusion, the Department of Defense and the military services maintain “Computer Forensics Laboratories” where any hard drive from a computer can be evaluated to determine what data had been taken, as well as the type of adversarial tool that was employed for system intrusion.
On 1 February, the U.S. Cyber Command requested certain computer hard drives from the Washington Post newspaper for forensic testing for the purposes referenced above. One of the main questions that seems to perplex people is how a computer network intrusion can be attributed to a specific individual or “State Sponsored Hacker Group.” This process is referred to as “Trace Back” or “Hop Back.” The process allows cyber security professionals to follow the path of the intrusion back through the Internet Protocol (IP) addresses of the machines involved in the intrusion.
Even if a hacker is using what are commonly referred to as “Ghost Sites” or “Jump Sites,” which are computers that belong to individuals, companies, or groups not associated with the intruder, the digital signal can be traced back to its point of origin. Using this technique allowed U.S. cyber officials to determine that the People’s Republic of China was the point of origin for the cyber intrusions of U.S. newspapers, and that the Islamic Republic of Iran was responsible for the intrusions of certain U.S. financial institutions.
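The hop-by-hop walk described above, as an added example that is not part of the original post: given inbound-connection records from the victim and from each jump site (in practice, logs handed over by the jump sites’ owners), the script below follows the chain backwards by picking, at each machine, the inbound connection that arrived just before that machine reached out to the next one. The records, the addresses (RFC 5737 documentation ranges), and the 30-second skew tolerance are constructed assumptions for the example; the second call in the test shows what happens when one jump site’s logs are unavailable.

```python
from datetime import datetime

# Constructed connection records (not from the post). Each row reads
# "logging_host accepted an inbound connection from src at ts". The chain is
# victim 198.51.100.5 <- jump site 203.0.113.40 <- jump site 192.0.2.77 <- origin 203.0.113.200.
INBOUND_RECORDS = [
    ("198.51.100.5", "2014-12-01T10:05:10", "203.0.113.40"),
    ("198.51.100.5", "2014-12-01T09:58:00", "192.0.2.10"),    # unrelated customer session
    ("203.0.113.40", "2014-12-01T10:05:08", "192.0.2.77"),
    ("203.0.113.40", "2014-12-01T08:00:00", "192.0.2.90"),    # unrelated earlier login
    ("192.0.2.77",   "2014-12-01T10:05:05", "203.0.113.200"),
]


def load_records(rows):
    """Convert (host, iso_timestamp, src) rows into dicts with parsed timestamps."""
    return [{"host": h, "ts": datetime.fromisoformat(t), "src": s} for h, t, s in rows]


def trace_back(records, victim, seen_at, max_skew_seconds=30, max_hops=10):
    """Walk inbound records hop by hop from the victim toward the origin.

    seen_at is the ISO timestamp at which the victim observed the intrusion.
    At each hop the most recent inbound connection to the current host that
    arrived no more than max_skew_seconds before the current timestamp is taken
    as the upstream link: a relay must have been contacted just before it
    contacted the next machine. The walk stops when no record exists for the
    current host; the last address is then the origin on the available
    evidence, or a relay whose logs were never obtained, and the records alone
    cannot tell the two apart.
    """
    chain = [victim]
    host, t = victim, datetime.fromisoformat(seen_at)
    for _ in range(max_hops):
        candidates = [
            r for r in records
            if r["host"] == host and 0 <= (t - r["ts"]).total_seconds() <= max_skew_seconds
        ]
        if not candidates:
            break
        hop = max(candidates, key=lambda r: r["ts"])   # latest inbound just before t
        chain.append(hop["src"])
        host, t = hop["src"], hop["ts"]
    return chain


if __name__ == "__main__":
    records = load_records(INBOUND_RECORDS)
    print(" <- ".join(trace_back(records, "198.51.100.5", "2014-12-01T10:05:10")))
```

The walk depends entirely on every intermediate machine having kept, and shared, its connection logs with reasonably synchronized clocks; where a jump site’s owner has no logs, the chain ends there and the attribution is only as good as the last cooperating hop.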
Offensive Cyber Operations is the new “Arms Race” of the 21st century. The adversaries of the United States and its Allies will continue to refine, expand, and develop new tools, techniques, and procedures for offensive computer network exploitation and computer network attack. The United States must work aggressively to meet this threat by developing effective cyber countermeasures, because Cyberspace will be the new battlefield of tomorrow.
It is also clear that the Internet is and remains the pathway for “State Sponsored Hackers” and others to obtain data, disrupt computer system operations, and other forms of offensive cyber operations. Unfortunately, as in the publication of scientific and technical research by universities and private sector organizations, maintaining a presence on the Internet, and running the risk of having data removed from a system, is the price that organizations and individuals must pay for living in a free and open society.
Adversarial Cyber Capabilities and the Conduct of Economic Warfare
December 9th, 2014
By Richard Kaplan.
On 21 September 2012, a “Denial of Service Attack,” attributed to Iranian hackers, was conducted against the Bank of America Corporation, JP Morgan Chase & Company and Citigroup Inc. In addition to the attack of 21 September, there has been a series of attempted penetrations over the past year as part of a broad “Cyber Campaign” targeting the United States.
The attacks, which began in late 2011 and escalated this year, have been primarily cyber attacks that have disrupted banking websites and corporate networks by saturating them with massive incoming e-mail traffic that simply overwhelmed these networks. “Denial of Service Attacks” can be accomplished by an individual hacker or group of hackers, as well as “State Sponsored” entities.
On any given day, computer networks that support financial, communications, transportation, defense, energy and all other sectors that support the operation of the national critical infrastructure of the United States, are continually “Scanned and Probed” for vulnerabilities that could be exploited by unauthorized individuals and foreign entities.
In the case of the recent attacks against banking institutions, the impact of the “Denial of Service Attacks” resulted in the institutions websites being taken off-line. This disrupted the ability of banking customers and merchants that depend on these banking websites from conducting transactions.
Although these websites were protected by a “Firewall” that prevents unauthorized individuals from altering information on a website, the “Denial of Service Attacks” did not require penetration of a firewall; they simply overwhelmed the systems with e-mail traffic. The fact that the firewall had not been penetrated does not negate the seriousness of these incidents. Customers and merchants were seriously inconvenienced, and the probability exists that these attacks resulted in financial loss for the banking institutions affected during the period their websites were non-operational.
The incident of 21 September illustrates the most common and rudimentary form of Computer Network Attack technique. In the last fifteen years, the U.S. Government has witnessed a number of “State Sponsored” Computer Network Exploitation and Computer Network Attacks where intruders gained access to numerous Government computer systems, including many within the Department of Defense.
Some of the more significant cyber intrusions that have been given special investigative designations include Moonlight Maze, Storm Cloud, Quiet Storm and Titan Rain, to name a few. These intrusions have since been attributed to countries including Iran, China, and Russia. What was particularly disconcerting in several of these intrusions was the ability of the intruder to penetrate a firewall by “hijacking” a legitimate user session, then roaming freely throughout systems with impunity, removing U.S. Government proprietary information.
During the last fifteen years since the first major series of intrusions into U.S. Government computer systems (Moonlight Maze), firewall technology and other cyber security measures have been greatly enhanced, but so too have the capabilities of hackers, hacker groups, and State Sponsored entities to conduct probes and scans of U.S. cyber networks for Computer Network Exploitation and Computer Network Attack purposes.
The American public may not have been fully informed as to the extent of foreign Computer Network Exploitation and Computer Network Attacks that have been conducted against the U.S. national critical infrastructure. It can certainly be surmised, because of certain incidents, that foreign cyber operations have been initiated against U.S. financial, communications and power systems within the last five years.
The technical sophistication of U.S. adversaries with cyber capabilities is expanding faster than our ability to counter these capabilities. Nevertheless, the continued viability of our critical operational cyber systems demands that we continue to develop effective countermeasures to all adversarial cyber threats.
In defense of the U.S. national critical infrastructure, especially the financial and banking sector, it is possible to “Block Ports,” which would prevent hackers and foreign entities from certain foreign countries from conducting offensive cyber operations. The U.S. can also “Block” Internet Protocol (IP) addresses associated with hackers and hacker groups. However, as a counter to these initiatives, it is possible for adversaries to “Spoof” an IP address, or to use “Jump Sites” to attack computers, thereby masking the original location of an attack.
Thankfully, several elements of the U.S. national critical infrastructure, including power and transportation, are not connected to the Internet but are operated by Supervisory Control and Data Acquisition (SCADA) systems that are protected from external cyber interdiction. It is not publicly known to what extent the banking and financial sector of the U.S. is protected by SCADA systems.
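The two points made above, that a denial-of-service attack works by sheer volume rather than by penetrating the firewall, and that blocking individual IP addresses can be defeated by spoofed addresses or jump sites, are illustrated together in the following added example (written for this page; not the author’s code). It models request traffic as (seconds, source address) pairs, flags sources that exceed a per-address limit within a window as blocklist candidates, and separately checks whether a window’s total traffic exceeds what the site can serve. A flood from one address is caught and blocking it relieves the overload; a flood of the same size spread across hundreds of addresses never trips the per-address rule, so the blocklist stays empty and the site remains saturated. Window size, limits, capacity and all traffic are constructed assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed parameters for the example (not from the post).
WINDOW_SECONDS = 10      # detection window
PER_SOURCE_LIMIT = 20    # requests per window one address may send before it is blocklisted
CAPACITY = 60            # requests per window the site is assumed able to serve


def benign_background():
    """Constructed: 30 requests over about 9 seconds from five ordinary clients."""
    return [(i * 0.3, f"192.0.2.{10 + i % 5}") for i in range(30)]


def single_source_flood():
    """Constructed: the benign background plus 50 requests from one address."""
    return benign_background() + [(i * 0.2, "203.0.113.9") for i in range(50)]


def spoofed_flood():
    """Constructed: the benign background plus 300 requests that each arrive from a
    different address (as with spoofed sources or many relays), so no single
    address exceeds PER_SOURCE_LIMIT even though the site is saturated."""
    flood = []
    for i in range(300):
        prefix = "203.0.113" if i < 150 else "198.51.100"
        flood.append((i * 0.03, f"{prefix}.{i % 150 + 1}"))
    return benign_background() + flood


def per_window_counts(requests):
    """Group (timestamp_seconds, src) pairs into windows: {window_index: Counter(src)}."""
    windows = defaultdict(Counter)
    for ts, src in requests:
        windows[int(ts // WINDOW_SECONDS)][src] += 1
    return windows


def per_source_offenders(requests):
    """Addresses that exceed PER_SOURCE_LIMIT in any window: candidates for an IP block."""
    return {
        src
        for counts in per_window_counts(requests).values()
        for src, n in counts.items()
        if n > PER_SOURCE_LIMIT
    }


def overloaded_windows(requests):
    """Windows in which total traffic exceeds CAPACITY, regardless of where it came from."""
    return sorted(w for w, c in per_window_counts(requests).items() if sum(c.values()) > CAPACITY)


def is_blocked(src, blocklist):
    """Match an address against blocklist entries given as single hosts or CIDR ranges."""
    addr = ip_address(src)
    return any(addr in ip_network(entry, strict=False) for entry in blocklist)


def drop_blocked(requests, blocklist):
    """Traffic that still reaches the site once the blocklist is enforced."""
    return [(ts, src) for ts, src in requests if not is_blocked(src, blocklist)]


if __name__ == "__main__":
    for name, traffic in (("single source", single_source_flood()), ("spoofed", spoofed_flood())):
        block = per_source_offenders(traffic)
        print(name, "blocked:", sorted(block),
              "overloaded before:", overloaded_windows(traffic),
              "after:", overloaded_windows(drop_blocked(traffic, block)))
```

The aggregate check is what tells a defender the site is under a volumetric attack even when no single address stands out; responding to that case means filtering upstream by traffic characteristics or adding capacity, not lengthening the address blocklist.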
The Economic Warfare Institute recently delivered a series of presentations on the Economic Warfare Threat to the United States on Capitol Hill where the subject of the “Cyber Threat” to U.S. banking and financial institutions were addressed at length.
The discussion on the cyber threat to banking and financial institutions was presented with such forcefulness that it negated any contradiction on the part of any of the attendees. Having said this, it remains to be seen to what extent any U.S. Government mandated regulations will be adopted to strengthen the banking and financial infrastructure of the United States against cyber attack.
The following are recommendations from the Economic Warfare Institute that can be implemented to assist in the cyber security of U.S. banking and financial institutions:
- Establish SCADA Systems for sensitive banking operations involving currency
- Implement U.S. Government Standard Data Encryption for sensitive documents
- Institute a comprehensive Cyber Vulnerability Assessment Program
- Conduct Penetration Testing of sensitive banking and financial systems
- Upgrade Intrusion Detection Sensors
- Maintain a mix of IDS Sensors to identify different probing & scanning activity
- Conduct “Red Teaming” of banking & financial systems connected to the Internet
- Work with the U.S. CERT to analyze probing and scanning data
- Institute blocking of suspicious IP addresses
- Maintain strictest employee adherence to computer security regulations
- Remove CD read and write capability to protect against viruses & financial information theft
The protection of the banking and financial sector of the U.S. national critical infrastructure is an ongoing task that must maintain pace with the dramatic technological advances that hackers, hacking groups, and State Sponsored entities are taking in an attempt to expand their influence in the Cyberspace environment.
Some Concerns on the Current Defense Posture of the United States
December 6th, 2014
By Richard Kaplan.
During the past ten years there have been some dramatic reductions in the defense posture of the military forces of the United States, including reduction in the number of combat brigades, a 25 percent reduction in our submarine fleet, as well as a significant reduction in the training, readiness, and equipment holdings of our Reserve and National Guard units.
In addition to reductions in our conventional forces, the United States has just reduced its nuclear arsenal, in response to the latest Strategic Arms Treaty, to 800 warheads (after we learned that the Russians have been cheating on the Intermediate Nuclear Arms Treaty). These actions beg the question: can the United States still “Maintain Peace Through Strength,” which was the major national security doctrine of the Reagan Administration?
Given the recent actions of Russia in the Crimea and in Ukraine, as well as the growing conventional and nuclear capabilities of China and North Korea, can the military forces of the United States respond to aggression at the same level at which it is offered, given our current force structure? In the event of a major superpower confrontation, does the United States still maintain the necessary Strategic Lift capability to move both forces and additional equipment, beyond current Pre-Positioned Configured Unit Sets, to Europe or Asia?
Do U.S. defense industries have the ability to surge production of critical military material (given the experience of the U.S. Army in trying to obtain additional armor for Humvees during Operation Iraqi Freedom)? Most importantly, can the U.S. military rapidly expand conventional forces with the number of basic training centers currently in operation?
Has the global threat environment evolved to such an extent that the United States, with its worldwide security commitments, no longer needs to maintain a force mix that can respond to aggression at any level along the “Conflict Spectrum”? Are the military forces of the United States preparing for combat only with International Terrorist Organizations, or for response to Wars of National Liberation, while ignoring the possibility of a large-scale superpower confrontation?
The current U.S. and Allied air campaign against the Islamic State (IS) is an excellent example. While the Obama Administration does not want to commit ground troops to this fight, the Chairman of the Joint Chiefs of Staff, General Martin Dempsey, argues that any campaign against IS cannot be won without the introduction of ground troops.
While there has been some success in halting the movement of IS forces toward Baghdad, there are indications that IS fighters are integrating themselves into the local population, and thus becoming harder to attack from the air. If this trend continues, it will become necessary to deploy ground troops in a counterinsurgency role to destroy the IS organization.
The arguments in the above paragraphs notwithstanding, some would argue that the current economic situation, not only in the United States but in Europe, has created an atmosphere of constrained economic resources that has necessitated reductions in national defense spending. While this may be true at certain levels, it of course also begs the question of how much citizens are willing to devote to the defense of their national security.
In the United States since September 11, 2001, most Americans would agree that the world has become increasingly dangerous, not only from global terrorist organizations, but from certain nation state actors such as Russia, China and North Korea.
While it is clear that the U.S. Department of Defense is trying to provide the best defense posture it can in an atmosphere of constrained defense spending, in addition to Congressionally mandated sequestration, I can’t help but feel that there is a lack of appreciation on the part of both the Senate and Congress for the current and future global threat environment.
I can only hope that, as the U.S. economic outlook improves, additional defense authorizations will be provided to the Department of Defense so that once again the hallmark of our military doctrine will be “Peace Through Strength.”