The dawn of Advanced Persistent Threats (APTs)
The field of targeted cyber threats, and especially cyber threat research, did not exist in any formal sense prior to the early 2000s, beyond what was practised within the US government and other nation-state agencies. The first mentions of cyber threats and cybercrime outside government arenas appeared in 2001 during an unclassified briefing from the National Security Agency (Werlinger, Muldner, Hawkey, & Beznosov, 2010). The briefing was meant to focus on the problem of securing a network as large as that of the Department of Defense (DoD). However, thanks to leaks and the unclassified nature of the report, the spread of the threats that were becoming common knowledge within the DoD came to light in public circles.
Certain aspects of the report alluded to a highly trained and motivated cyber threat that was likely already deeply embedded in many DoD networks and was actively targeting commercial businesses as part of their plan to proliferate their attacks in the future.
The term APT, or Advanced Persistent Threat, came to light for the first time during a discussion at the Air Force Intelligence Agency (Iracleous, Papadakis, Rayies, & Stavroulakis, n.d.). The discussion involved a group of Lieutenant Colonels trying to decide which term to use to classify a new type of computer hacker: the ones who were very well trained and very successful and were in all likelihood funded and trained by nation-state adversaries or well-financed criminal organizations. Since these attackers were advanced, persistent, and certainly a threat, the term APT was born and quickly became the industry's standard term for foreign government cyber operators and skilled threat teams. While this single term is used to categorize and identify a rather wide swath of possible threats, it is worth noting that APT is now used by almost every cyber warfare magazine and cyber-security official, from think tanks all the way to the White House.
To be considered an APT-specific attack, an operation must meet a few general criteria that are accepted by some (but not all) analytic groups across both industry and cyber operations personnel. For these groups, both the totality of the operation and the means by which the group conducted the attack must generally fall into the following three categories for the attack to be considered even a likely APT attack or exploitation event:
- Advanced – Operators behind the threat must have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly "advanced" (for example, malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from "less advanced" threats.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates; in fact, a "low-and-slow" approach is usually more successful. If the operator loses access to their target, they will usually reattempt access, and most often successfully. One of the operator's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task, such as run-of-the-mill hackers and those seeking financial gain via computer hacking.
- Threat – APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized, and well-funded. This funding has typically been known to come either from a host nation's government or from an extremely well-funded nefarious group, such as a mafia or crime syndicate. In some cases, however, there have been indications that funding came from one or more of these providers, and there are even cases where the source of funding appears to be interwoven between criminal enterprises and host-nation agents.
In most of the circles that study or classify cyber-security threats and APTs, a few major players are normally recognized in the space, each with relatively specific TTPs (Targets, Tactics, and Procedures):
- Russia – Mainly focused on improving the Russian power position across the globe. They are typically noted as engaging in long-term threat operations that often include the use of spies and human assets to conduct their operations. In addition, the Russian APT is known to be extremely well funded and capable of engaging in kinetic cyber action (physical strikes on infrastructure or assets that result in destruction) when needed, as noted in the attacks on Estonia and Crimea. The Russian APT also has significant focused technology and capability in the area of targeted influence and disinformation campaigns and sees the proliferation of social media and consumer interactions as an avenue for exploitation.
- China – The Chinese APT groups are the most successful at the theft of intellectual property via cyberspace operations. This is done through a concerted, focused national effort within the Chinese military and government, with strategic plans aimed at "leapfrogging" the enemy via their operations; gaining an advantage in this way is a national-level area of focus for the Chinese. Chinese leaders are open in detailing their strategic plans, in that they aim to enhance their capability in science and technology wherever possible. The Chinese APT is willing to engage in espionage all the way down to implanting hardware and chips within manufactured devices that are built in China, and they are known to use American and British internships and education programs to embed their operatives within research and development groups at companies and government institutions.
- North Korea – The North Korean APT is not usually as persistent as it would like to be. Due to limited connectivity in the country and the sanctions in place on travel and logistics, the North Korean APT groups are mainly noted for launching attacks on entities that disparage or damage their national image. While they do have a dedicated cyber operations group with extensive training (most often gained in China), their ability to conduct any significant operation beyond basic ransomware attacks is limited. As noted during the SONY exploit operation, attacking weaker targets of opportunity is their most common activity.
- Israel – Unit 8200 is the elite of the elite of the Israeli cyber group. The unit comprises their most well-trained and experienced cyber operations personnel, and it is well funded and focused in its operations to counter perceived threats. Often, Unit 8200 engages directly with the Iranians in cyber threat operations, but it is logical to think they are under attack by the majority of Middle Eastern nation states as well as the usual suspects that the United States and NATO countries encounter. The Israeli cyber operations group conducted one of the first kinetic responses to a cyber-attack this year when they bombed an Iranian-affiliated hacker group's building after the hacker group was discovered to be responsible for an attack on an Israeli asset. In many research circles, this extermination of the hacker group via missile attacks was seen as one of the most significant responses to cyber threat operations, and it demonstrates that actions in cyber warfare can have literal life-and-death outcomes.
APT exploitation and targeting also follow a well-defined methodology and practice of attempting to maintain anonymity both during and after exploitation or compromise. This is likely due to several factors, the primary one being that the host nation funding and guiding the operation does not wish it to be known that it is participating in such a covert and possibly damaging attack.
However, the preceding definitions of APT and the clarification of how this classification of attack is used are still not adopted across the entirety of cyberspace. For many agencies, companies, and governments, the definition of an APT exploitation event is extremely difficult to pin down concretely. Consider that an organization such as NATO has more than 28 different countries working within its combined operations center.
Each of these groups has been actively targeted and independently hacked or exploited by different APT groups and actors, but there are literally no reporting criteria or vehicles across NATO that succinctly and definitively detail the need for an APT designation; each country and each group reporting on or analyzing its own exploitation event determines what counts as an APT differently. Even within different agencies of the US government, specifically detailing an APT exploitation event or hack cannot be done well. The National Security Agency (NSA) has its own specific set of criteria for determining an APT attack, while the CIA and FBI have their own criteria, most of which do not cross-reference each other and none of which use the same rules for delineating specifics on these items.
The lack of a cohesive, uniform definition of APT operations and exploitation is a good example of just how fluid and dynamic this area of study is and has been. Further, it shows how prevalent the lack of consensus and broad term definition is within cyber operations and analysis: even defining one of the most important terms used in the industry is difficult at best, and because the generic APT term is applied across such a wide spectrum, it is almost impossible to clearly identify and isolate any one threat group.