Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense

Jim Walter (2014) “Analyzing the Target Point-of-Sale Malware,” McAfee Labs, Jan 16, 2014. https://​blogs.​mcafee.​com/​mcafee-labs/​analyzing-the-target-point-of-sale-malware/​ and Fahmida Y. Rashid (2014) “How Cybercriminals Attacked Target: Analysis,” Security Week, January 20, 2014. http://​www.​securityweek.​com/​how-cybercriminals-attacked-target-analysis

Jim Sciutto (2015) OPM government data breach impacted 21.5 million,” CNN, July 10, 2015. http://​www.​cnn.​com/​2015/​07/​09/​politics/​office-of-personnel-management-data-breach-20-million/​ Jason Devaney (2015) “Report: Feds Hit by Record-High 70,000 Cyberattacks in 2014,” NewsMax, 04 Mar 2015. http://​www.​newsmax.​com/​Newsfront/​cyberattacks-Homeland-Security-Tom-Carper-OMB/​2015/​03/​04/​id/​628279/​

Advanced persistent threats (APTs) have been defined as “a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The “advanced” process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack.” https://​en.​wikipedia.​org/​wiki/​Advanced_​persistent_​threat A useful simple introduction and overview is Symantec, “Advanced Persistent Threats: A Symantec Perspective—Preparing the Right Defense for the New Threat Landscape,” no date. http://​www.​symantec.​com/​content/​en/​us/​enterprise/​white_​papers/​b-advanced_​persistent_​threats_​WP_​21215957.​en-us.​pdf A detailed description of an APT is Mandiant (2013) APT1: Exposing One of China’s Cyber Espionage Units, www.​mandiant.​com, 18 February 2013. http://​intelreport.​mandiant.​com/​Mandiant_​APT1_​Report.​pdf

The U.S. Department of Defense (DOD) defined active cyber defense (ACD) in 2011: “As malicious cyber activity continues to grow, DoD has employed active cyber defense to prevent intrusions and defeat adversary activities on DoD networks and systems. Active cyber defense is DoD’s synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities…. using sensors, software, and intelligence to detect and stop malicious activity before it can affect DoD networks and systems. As intrusions may not always be stopped at the network boundary, DoD will continue to operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on DoD networks.” Department of Defense (2011) Strategy for Operating in Cyberspace, July 2011, p. 7.

Cyber researcher Dorothy Denning differentiated active and passive cyber defense: “Active Cyber Defense is direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets. Passive Cyber Defense is all measures, other than active cyber defense, taken to minimize the effectiveness of cyber threats against friendly forces and assets. Whereas active defenses are direct actions taken against specific threats, passive defenses focus more on making cyber assets more resilient to attack.” Dorothy E. Denning (2014) “Framework and Principles for Active Cyber Defense,” Computers & Security, 40 (2014) 108–113. http://​www.​sciencedirect.​com/​science/​article/​pii/​S016740481300166​1/​pdfft?​md5=​68fecd71b93cc108​c015cac1ddb0d430​&​pid=​1-s2.​0-S016740481300166​1-main.​pdf

In both the DOD’s and Denning’s definitions, actions are defensive. Thus ACD is NOT the same as hacking back, offensive cyber operations, or preemption. However, ACD options are active and can involve actions outside of one’s own network or enterprise, for example, collecting information on attackers and sharing the information with other defenders.

''Tactics, techniques, and procedures (TTPs)'' is a common military expression and acronym for a standardized method or process to accomplish a function or task. We added `tools' because cyber adversaries use a variety of different tools in their tactics, techniques, and procedures. On the analysis of TTPs, see Richard Topolski, Bruce C. Leibrecht, Timothy Porter, Chris Green, and R. Bruce Haverty, Brian T. Crabb (2010) Soldiers' Toolbox for Developing Tactics, Techniques, and Procedures (TTP), U.S. Army Research Institute for the Behavioral and Social Sciences Research Report 1919, February 2010.http://​www.​dtic.​mil/​dtic/​tr/​fulltext/​u2/​a517635.​pdf

Jeffrey Rule quotes its creator, John R. Boyd, describing the OODA loop: “orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window. …the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.” Jeffrey N. Rule (2013) “A Symbiotic Relationship: The OODA Loop, Intuition, and Strategic Thought,” Carlisle PA: U.S. Army War College. http://​oai.​dtic.​mil/​oai/​oai?​verb=​getRecord&​metadataPrefix=​html&​identifier=​ADA590672 Rule and other exponents of the OODA loop concept see the utility of D&D to isolate the adversary inside their own OODA loop and thus separate the adversary from reality. Osinga sees Boyd’s OODA theory as affirming the use of deception against the adversary’s OODA loop: “Employ a variety of measures that interweave menace, uncertainty and mistrust with tangles of ambiguity, deception and novelty as the basis to sever an adversary’s moral ties and disorient or twist his mental images and thus mask, distort and magnify our presence and activities.” Frans P. B. Osinga (2007) Science, Strategy and War: The strategic theory of John Boyd, Oxford UK: Routledge, p. 173.

“Cyber threat intelligence” is still an evolving concept. See, for example, Cyber Intelligence Task Force (2013) Operational Levels of Cyber Intelligence, Intelligence and National Security Alliance, September 2013. http://​www.​insaonline.​org/​i/​d/​a/​Resources/​Cyber_​Intelligence.​aspx; Cyber Intelligence Task Force (2014) Operational Cyber Intelligence, Intelligence and National Security Alliance, October 2014. http://​www.​insaonline.​org/​i/​d/​a/​Resources/​OCI_​wp.​aspx; Cyber Intelligence Task Force (2014) Strategic Cyber Intelligence, March 2014. http://​www.​insaonline.​org/​CMDownload.​aspx?​ContentKey=​71a12684-6c6a-4b05-8df8-a5d864ac8c17&​ContentItemKey=​197cb61d-267c-4f23-9d6b-2e182bf7892e; David Chismon and Martyn Ruks (2015) Threat Intelligence: Collecting, Analysing, Evaluating. mwrinfosecurity.com, CPNI.gov.uk, cert.gov.uk. https://​www.​mwrinfosecurity.​com/​system/​assets/​909/​original/​Threat_​Intelligence_​Whitepaper.​pdf

The concept of “cyber operations security (OPSEC)” has had little systematic development or disciplined application in cyber security. One analyst wrote, “Social media, the internet, and the increased connectivity of modern life have transformed cyber space into an OPSEC nightmare.” Devin C. Streeter (2013) “The Effect of Human Error on Modern Security Breaches,” Strategic Informer: Student Publication of the Strategic Intelligence Society: Vol. 1: Iss. 3, Article 2. http://​digitalcommons.​liberty.​edu/​si/​vol1/​iss3/​2 See also Mark Fabro, Vincent Maio (2007) Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments, Version 1.0 Draft, Idaho Falls, Idaho: Idaho National Laboratory, INL Critical Infrastructure Protection Center, February 2007. http://​energy.​gov/​sites/​prod/​files/​oeprod/​DocumentsandMedi​a/​OpSec_​Recommended_​Practice.​pdf

E.M. Hutchins, M.J. Cloppert, and R.M. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Cyber Kill Chains,” presented at the 6th Ann. Int’l Conf. Information Warfare and Security, 2011; www.​lockheedmartin.​com/​content/​dam/​lockheed/​data/​corporate/​documents/​LWhite-Paper-Intel-Driven-Defense.​pdf

See, for example, David Chismon and Martyn Ruks (2015) Threat Intelligence: Collecting, Analysing, Evaluating. mwrinfosecurity.com, CPNI.gov.uk, cert.gov.uk. https://​www.​mwrinfosecurity.​com/​system/​assets/​909/​original/​Threat_​Intelligence_​Whitepaper.​pdf

See https://​attack.​mitre.​org/​wiki/​Main_​Page for details on the ATT&CK model and framework.

Definitions of the D&D tactics shown in Fig. 2 are provided in Kristin E. Heckman, Frank J. Stech, Roshan K. Thomas, Ben Schmoker, and Alexander W. Tsow Cyber Denial, Deception& Counterdeception: A Framework for Supporting Active Cyber Defense. Switzerland: Springer, ch. 2.

E.M. Hutchins, M.J. Cloppert, and R.M. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Cyber Kill Chains,” Op cit.

MITRE, Threat- Based Defense: A New Cyber Defense Playbook, 2012; www.​mitre.​org/​sites/​default/​files/​pdf/​cyber_​defense_​playbook.​pdf

Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, Technical Report ADA586960, 05 July 2013.

The tactics “mimic, invent, decoy” are all commonly used terms describing actions to mislead. The tactic “double play,” or “double bluff,” requires some explanation. A double play or a double bluff is a ruse to mislead an adversary (the deception “target”) in which “true plans are revealed to a target that has been conditioned to expect deception with the expectation that the target will reject the truth as another deception,” Michael Bennett and Edward Waltz (2007) Counterdeception: Principles and Applications for National Security. Boston: Artech House, p. 37. A poker player might bluff repeatedly (i.e., bet heavily on an obviously weak hand) to create a bluffing pattern, and then sustain the bluff-like betting pattern when dealt an extremely strong hand to mislead the other players into staying in the betting to call what they believe is a weak hand. The double play formed the basis of a famous Cold War espionage novel, John le Carré’s, The Spy Who Came in from the Cold. An intelligence service causes a defector to reveal to an adversary the real identity of a double agent mole spying on the adversary. The defector is then completely discredited as a plant to deceive the adversary, causing the adversary to doubt the truth, that the mole could actually be a spy. The Soviet Union may have used a version of the double play to manipulate perceptions of a defector (Yuriy Nosenko), i.e., “too good to be true,” to mislead the CIA to doubt the bona fides of Nosenko and other Soviet defectors (e.g., Anatoliy Golitsyn). See Richards J. Heuer, Jr. (1987) “Nosenko: Five Paths to Judgment,” Studies in Intelligence, vol. 31, no. 3 (Fall 1987), pp. 71–101. Declassified, originally classified “Secret.” http://​intellit.​muskingum.​edu/​alpha_​folder/​H_​folder/​Heuer_​on_​NosenkoV1.​pdf However, “blowing” an actual mole with a double play is atypical of what CIA counterintelligence agent, Tennent Bagley, called “Hiding a Mole, KGB-Style.” He quotes KGB colonel Victor Cherkashin as admitting the KGB dangled “Alexander Zhomov, an SCD [Second Chief Directorate] officer,” in an “elaborate double-agent operation in Moscow in the late 1980s to protect [not expose] Ames [the KGB’s mole in the CIA].” Tennent H. Bagley (2007) Spy Wars: Moles, Mysteries, and Deadly Games. New Haven: Yale University Press, p. 226. http://​cdn.​preterhuman.​net/​texts/​government_​information/​intelligence_​and_​espionage/​Spy.​Wars.​pdf

https://​attack.​mitre.​org/​wiki/​Legitimate_​Credentials