1.1. Background
Since 2008, several countries have published new national cyber security strategies that allow for the possibility of offensive cyber operations. Typically, the strategy documents call for the establishment of a cyber operations centre capable of computer network defence, exploitation, and, in some nations, attack. For example, the Netherlands’ Defence Cyber Strategy lists cyber defence as spear-point 2 and offensive cyber as spear-point 3 (MinDef, 2012). The cyber operations centre will be manned by professionals and operate under government authority compliant with national and international law. It will need to be provided with the right resources, in the form of personnel, accommodation, computing and networking infrastructure, tools and technologies, doctrine, and training. The research reported in this paper focuses on the tools and technologies needed for professional offensive cyber operations.
A quick look at the information available on the Internet shows that there are many lists of malware used by cyber criminals and, to a lesser extent, that used by ethical hackers. For example, the SANS institute – a well-known cooperative research and education organization for security professionals – identifies five categories of malware (SANS, 2012): worms, rootkits, exploits, Trojans, and backdoors. The MalwareInfo site (MalwareInfo, 2012) – provided by a consortium of anti-malware tool suppliers to inform Dutch home computer users – has a longer list of malware types (virus, worm, spyware and adware, keylogger, tracking cookie, browser hijacker, Trojan, dropper, dialler, rootkit, backdoor, and rogueware) and identifies six malware techniques (stealth, anti-antivirus, AutoStart Entry Points, image file execution options, social engineering, and alternate data streams). Wikipedia’s (2012) Malware template distinguishes infectious malware (viruses and worms), concealment (Trojans, rootkits, backdoors, and zombies), and for-profit malware (privacy-invasive, adware, spyware, botnets, keystroke logging, web theats, fraudulent diallers, malbots, scareware, rogue security software, and ransomware).
We contend that these lists are one-sided, over-emphasizing malware. There are at least three reasons why such lists give an unbalanced view of the tools and technologies that a professional team operating under government authority would need. Firstly, cyber criminals and ethical hackers are organized differently to professional teams. Rivalry among criminals hinders cooperation. Expert hackers regard less knowledgeable colleagues with disdain, as the term “script-kiddie” shows. Moreover, it is not unknown for one criminal to take over the target or botnet of another. While criminals may be part of a group, this is more to exchange knowledge on specific vulnerabilities, targets, or attack technologies than to attack a target together as a disciplined team of specialists. Ethical hackers tend to concentrate on penetration testing and on reporting what target information is at risk, rather than on the whole attack process. It is unlikely that an ethical hacker would be tasked with executing a denial of service attack, for example. Secondly, such lists emphasize the tools that a victim is likely to encounter – the “weapons” – rather than the mundane tools supporting the “logistics” of the attack process. For example, intercepts show that cyber criminals use chat for communicating with one another (Honeynet, 2008), but this technology does not appear in the lists. Thirdly, those who do know what tools and technologies a professional team needs are not telling. A recent Center for Strategic and International Studies report (Lewis & Timlin, 2011) identifies five to seven countries as already possessing military offensive cyber capabilities, with such capabilities under development in a further ten to twelve nations (one of which is The Netherlands). Of the 32 nations surveyed, only six had a purely defensive strategy, with the strategic posture of seven nations being as yet unknown. Cyber professionals from nations with an operational offensive capability are loath to reveal their capabilities (McAfee, 2011).
There are several ways in which tools and technologies could be identified systematically, including:
- •
Case study: Researchers could observe a set of cyber attacks and note the tools and technologies that the attackers used;
- •
Software engineering: The attack process could be modelled using software engineering techniques, with the tools and technologies being extracted from the analysis;
- •
Literature survey: A canonical list of tools and technologies could be constructed by comparing the multiple lists, taxonomies, and ontologies to be found in the open literature. There are three sources of literature: experienced hackers, the vendors of cyber security software products (e.g. anti-virus (AV) packages, firewalls (FW), and intrusion detection systems (IDS)) and services, and scientific publications.
Besides the questionable ethicality of the case study approach, it is doubtful if this would be representative of offensive cyber operations performed by a professional group. A literature survey is likely to over-emphasize malware. Hence, this paper takes the software engineering approach. In the research reported here, a canonical process model was obtained by rationally reconstructing a set of existing attack process models found in the literature. This canonical model was formalized using SADT notation, in which processes are logically linked by inputs, outputs, controls, and mechanisms. A set of tools and technologies was extracted from these mechanisms. The canonical model and set of tools and technologies have been checked by subject matter experts.