Suppression of Cyber-Defences
Brett van Niekerk
University of KwaZulu-Natal, South Africa
Research Problem
- Deterrence is often used as a national cyberspace strategy
- A cyber-attacker may have overwhelming superiority; in such instances deterrence is not applicable
- An alternative model is needed
- The paper proposes:
  - a model based on Suppression of Enemy Air Defences
  - defensive considerations for such scenarios
Key Terms
Deterrence
- Cold War / MAD
- Limited, mostly known adversaries
- High entry cost
- Needs to be enforceable and repeatable
Suppression of Enemy Air Defences (SEAD)
- First attacks erode air defence capability
- Air superiority
- E.g. Kosovo, Libya, Iraq
Cyber-warfare & Cyber-attacks
- During the 1990s concerns arose over cyberspace and the vulnerabilities of critical infrastructures
Attack types and examples:
- System penetration / cyber-espionage: Moonlight Maze (1998); Titan Rain (2003-2004); Buckshot Yankee (2008); GhostNet, ShadowNet & ShadyRAT (2009-2011); RSA SecurID (2011); Olympic Games (Flame, Duqu, Gauss; 2012); Shamoon (2012); Red October (2013)
- Distributed denial-of-service (DDoS): Estonia (2007); Georgia (2008); South Korea & US (2009); Myanmar/Burma (2010); US banks (2012-2013); Spamhaus/Cyberbunker (2013)
- System damage: Stuxnet (2010)
- Malware infections: US Air Force drones (2011)
Cyber-attack Cycles
Hacking cycle:
1. Reconnaissance
2. Scanning
3. Gain access
4. Maintain access and cover tracks
Cyber-warfare attack cycle:
1. Identify target
2. Identify global & infrastructure interfaces
3. Research national systems and networks
4. Gather intelligence information
5. Identify vulnerabilities
6. Covertly probe and test for traps and responses
7. Enter system, locate and transmit sensitive information to a safe location
8. Probe for other systems and networks
9. Probe systems and networks for additional information
10. Set logic bombs and trap doors, then delete intrusion evidence and leave the system
11. Search for additional target systems and networks, and repeat 1-10
12. Attack systems and networks during conflict
Deterrence in Cyber-defence
Deterrence in cyber-defence fails because of:
- Unknown threat numbers and strength
- Difficulty of attribution
- Low entry cost
- Attacker may not be reliant on IT
- Willingness of the attacker to accept retaliation
[Figure: anonymity of a cyber-attack leads to no attribution, which leads to low deterrence]
Deterrence will only work if:
- both adversaries are known to each other,
- both adversaries have strong cyber-attack capabilities that can overcome the other's defences, and
- both adversaries are similarly heavily reliant on information technologies, so that a cyber-attack will significantly impact the nation's economy and society.
Suppression of Cyber-defences
The attacker will have an asymmetric advantage over the defender, which may include one or more of the following:
- The defender cannot sufficiently attribute the attack, and therefore cannot retaliate;
- The attacker has vastly superior cyber-attack capabilities, and the defender's capabilities are not sufficient to retaliate;
- The attacker's society and/or economy is not dependent on information technology, so retaliation in cyberspace will have little effect;
- The attacker is prepared to suffer the consequences;
- The attacker is an internal threat to the defender, where retaliation is not possible.
Suppression of Cyber-defences
The steps for Suppression of Cyber-defences:
1. Identify connections and nodes with the global and national information infrastructures, with particular focus on national ISPs
2. Identify cyber-defence organisations and facilities
3. Identify vulnerabilities and security measures within the target and cyber-defence networks
4. Infiltrate target, cyber-defence and ISP systems (covertly)
5. Conduct obfuscation
6. Attack primary target
7. Should the attack be discovered, launch aggressive attacks on cyber-defence networks and the target's security measures
8. Attack secondary targets if/as required
9. Continue attack on primary and secondary targets to cause cascading effects
10. Exit and cover tracks
Scenario: Infrastructure Attack
Setting:
- Target: national chemical warfare plant, with specific industrial controllers
- Existing CSIRT and military cyber-command
- Limited offensive / forensics capability
Attack:
- Initial reconnaissance and compromise of internal servers, ISP and power station
- DDoS of CSIRT, cyber-command and government as a distraction
- Power station disrupted to affect the CSIRT's power supply
- Chemical warfare factory targeted, equipment destroyed
- CSIRT ineffective due to lack of power and request overload
- Security logging of all compromised facilities targeted
- Security information cannot be trusted due to tampering
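The last two steps of the scenario, an attacker rewriting the security logs of the facilities it has compromised, are the point where the defender's own evidence stops being usable. The block below is an added example, not part of the paper, of the check a practitioner would want in that situation: each log record is hashed together with the previous record's hash, and the latest hash is copied to a second facility as events are logged. In-place edits and deletions then break the chain, and truncation or a complete rewrite shows up as a mismatch against the off-site copy. The log records, host names and addresses are constructed for the illustration.

```python
"""Tamper-evident security log with an off-site chain head.

Added example, not from the paper. Each record is linked to the hash of the
previous record; the head hash is mirrored to a redundant facility.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the first record


def _link(prev_hash: str, record: dict) -> str:
    """Hash of the canonical JSON record prefixed with the previous hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append a record, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "hash": _link(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list, remote_head: Optional[str] = None):
    """Walk the chain; remote_head is the last hash as held at the other facility."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if _link(prev, entry["record"]) != entry["hash"]:
            return False, f"hash mismatch at seq {i}"
        prev = entry["hash"]
    if remote_head is not None and not hmac.compare_digest(prev, remote_head):
        return False, "local head differs from off-site head"
    return True, "ok"


# Constructed records: a plant's security log around the time of compromise.
SAMPLE_RECORDS = [
    {"ts": "2013-05-01T02:10:00Z", "host": "fw-01", "event": "vpn_login", "user": "ops"},
    {"ts": "2013-05-01T02:14:30Z", "host": "hmi-03", "event": "config_change", "user": "ops"},
    {"ts": "2013-05-01T02:20:05Z", "host": "hist-01", "event": "outbound_ftp", "dst": "198.51.100.7"},
    {"ts": "2013-05-01T02:25:00Z", "host": "plc-07", "event": "setpoint_write", "tag": "P-101"},
]


def build_chain(records=SAMPLE_RECORDS) -> list:
    chain = []
    for r in records:
        append(chain, r)
    return chain


def tamper_results() -> dict:
    """Try the ways an attacker might alter the log and report each verdict."""
    chain = build_chain()
    head = chain[-1]["hash"]  # mirrored to the redundant facility as events arrive
    out = {"clean": verify(chain, head)}

    edited = copy.deepcopy(chain)               # change one record in place
    edited[1]["record"]["event"] = "heartbeat"
    out["edit"] = verify(edited, head)

    deleted = copy.deepcopy(chain)              # remove a record and renumber
    del deleted[1]
    for i, e in enumerate(deleted):
        e["seq"] = i
    out["delete"] = verify(deleted, head)

    truncated = copy.deepcopy(chain)[:-1]       # drop the most recent record
    out["truncate_no_remote"] = verify(truncated)
    out["truncate"] = verify(truncated, head)

    rewritten = build_chain(                    # edit, then recompute every hash
        [dict(r, event="heartbeat") for r in SAMPLE_RECORDS])
    out["rewrite_no_remote"] = verify(rewritten)
    out["rewrite"] = verify(rewritten, head)
    return out
```

Two of the cases pass when only the local copy is checked: an attacker who controls the host can truncate the chain or recompute every hash after editing, and nothing on that host can tell. Detection in those cases rests entirely on the head held elsewhere, which is exactly the facility the SCD steps say to target next; the mirror therefore has to sit somewhere the attacker's access to the ISP and the primary CSIRT does not reach.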
Scenario: Cyber-espionage
- Botnet / APT extracting information from target nations
- Compromised file servers both inside and outside the target nation
- Prior to completing extraction, the infection is discovered on a secondary target
- Cyber-defences targeted:
  - Non-essential servers DDoS the CSIRT and government
  - CSIRT distracted, giving the attackers extra time
  - Non-essential servers divert attention away from the primary attack
- Additional high-value information extracted
- File servers shut down and wiped
Defensive Considerations
- To prevent targeting of cyber-defences, redundant facilities can be used to support each other
  - Expensive
  - Lack of available expertise
[Figure: primary cybersecurity facility supported by a redundant cybersecurity facility]
- Sector CSIRTs / security intelligence centres
- SA National Cyber Security Policy
- SA Cybercrimes and Cybersecurity Bill
Defensive Considerations
[Figure: ring of sector-based cyber-defence facilities (Telecomms & IT Sector, Mining Sector, Transport Sector, Manufacturing Sector, Financial Sector) linked with the Cyber Security Hub, Cyber Command, Cyber Crime Centre and ECS-CERT]
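The two defensive structures on these slides, a dedicated redundant facility per primary facility and a ring of sector facilities that back each other up, differ in both cost and in how many facilities an attacker following the SCD steps has to suppress at once. The block below is an added example, not from the paper, that models both as "which facilities can serve which sector" and brute-forces the smallest suppression set for each. The ring order of the sectors and the rule that a ring neighbour can take over a sector's work are assumptions made for the illustration.

```python
"""Paired vs. ring redundancy for sector cyber-defence facilities.

Added example, not from the paper. 'Paired': every sector has its own
primary and redundant facility. 'Ring': one facility per sector, each
sector also served by its two ring neighbours.
"""
from itertools import combinations

# Constructed ring order, using the sectors named on the slide.
SECTORS = ["telecomms_it", "mining", "transport", "manufacturing", "financial"]


def paired_model(sectors=SECTORS) -> dict:
    """Sector -> facilities able to serve it (its own primary and redundant)."""
    return {s: {f"{s}/primary", f"{s}/redundant"} for s in sectors}


def ring_model(sectors=SECTORS) -> dict:
    """Sector -> facilities able to serve it (its own plus both ring neighbours)."""
    n = len(sectors)
    return {s: {sectors[i], sectors[(i - 1) % n], sectors[(i + 1) % n]}
            for i, s in enumerate(sectors)}


def facilities(model: dict) -> set:
    return set().union(*model.values())


def uncovered(model: dict, suppressed) -> list:
    """Sectors whose serving facilities have all been suppressed."""
    down = set(suppressed)
    return sorted(s for s, fs in model.items() if fs <= down)


def min_suppression(model: dict) -> set:
    """Smallest set of facilities whose loss leaves some sector unserved (brute force)."""
    fs = sorted(facilities(model))
    for k in range(1, len(fs) + 1):
        for combo in combinations(fs, k):
            if uncovered(model, combo):
                return set(combo)
    return set()


def survives_any_loss_of(model: dict, k: int) -> bool:
    """True if every choice of k suppressed facilities still leaves all sectors served."""
    fs = sorted(facilities(model))
    return all(not uncovered(model, c) for c in combinations(fs, k))


def compare() -> dict:
    """Facility count (cost) and targeted-attack tolerance of both structures."""
    out = {}
    for name, model in (("paired", paired_model()), ("ring", ring_model())):
        out[name] = {
            "facilities": len(facilities(model)),
            "min_attack_size": len(min_suppression(model)),
            "survives_any_2": survives_any_loss_of(model, 2),
        }
    return out


if __name__ == "__main__":
    # Infrastructure scenario: the telecomms/ISP facility is compromised and a
    # second facility is taken out by DDoS and loss of power.
    print(uncovered(ring_model(), ["telecomms_it", "mining"]))
    print(compare())
```

With five sectors the paired layout needs ten facilities yet falls to a targeted attack on two (one sector's primary and its redundant), while the ring needs five and only fails when three adjacent facilities go down together. The model counts facilities, not capacity: it assumes a neighbour has the people and tooling to absorb another sector's load, which is the expertise constraint the previous slide lists, and it says nothing about whether the neighbours share the ISP or power dependencies the scenario attacks.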
Conclusion
- Deterrence has limited effectiveness
- High asymmetry in favour of the attacker may prevent retaliation
- New model, based on SEAD:
  - Target and disrupt cyber-defence and decision-making organisations
  - Increase the effectiveness of the primary attack
- Defensive considerations:
  - Traditional redundant cyber-defence facilities are expensive
  - Ring structure of sector-based cyber-defence facilities
Thank you. Questions?
Brett van Niekerk
University of KwaZulu-Natal, South Africa
vanniekerkb@ukzn.ac.za