2,241 research outputs found

    A conceptual framework for cyber counterintelligence

    Abstract: D.Com (Computer Science

    Framework For Modeling Attacker Capabilities with Deception

    In this research we built a custom experimental range using open-source emulated honeypots and custom pure honeypots designed to detect or capture attacker activity. The focus is to test the effectiveness of a deception, that is, its ability to evade detection, against attackers of differing skill levels. The range consists of three zones accessible via virtual private networking. The first zone houses varying configurations of open-source emulated honeypots, custom-built pure honeypots, and real SSH servers. The second zone acts as a point of presence for attackers. The third zone is for administration and monitoring. Using the range, both a control experiment and a participant-based experiment were conducted. We conducted the control experiments to baseline and empirically explore honeypot detectability among other systems through adversarial testing, executing a series of tests: a network service sweep, enumeration scanning, and finally manual execution. We also selected participants of varying skill levels, each with their own tactics, techniques and procedures, to serve as cyber attackers against the experiment range in attempting to detect the honeypots. We have concluded the experiments and performed data analysis. We measure the anticipated threat by presenting the Attacker Bias Perception Profile model. Using this model, each participant is ranked based on their overall threat classification and impact. Applying the model to the participants' results helps align the threat to the likelihood and impact of a honeypot being detected. The results indicate that the pure honeypots are significantly difficult to detect. Emulated honeypots are grouped into different categories based on their detection and the skills of the attackers. We developed a framework abstracting the deceptive process, the interaction with system elements, the use of intelligence, and the relationship with attackers. The framework is illustrated by our experiment case studies and the attacker actions, the effects on the system, and impact to the success

    DRONE DELIVERY OF CBNRECy – DEW WEAPONS Emerging Threats of Mini-Weapons of Mass Destruction and Disruption (WMDD)

    Drone Delivery of CBNRECy – DEW Weapons: Emerging Threats of Mini-Weapons of Mass Destruction and Disruption (WMDD) is our sixth textbook in a series covering the world of UASs and UUVs. Our textbook takes on a whole new purview for UAS / CUAS / UUV (drones): how they can be used to deploy Weapons of Mass Destruction and Deception against CBRNE and civilian targets of opportunity. We are concerned with the future use of these inexpensive devices and their availability to maleficent actors. Our work suggests that UASs in the air and UUVs underwater will be the future of military and civilian terrorist operations. UASs and UUVs can deliver a huge punch for a low investment and minimize human casualties.

    Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses

    As the convergence between our physical and digital worlds continues at a rapid pace, securing our digital information is vital to our prosperity. Most current computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives, and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches; phishing, social engineering, and drive-by downloads are some prime examples. The work in this dissertation is structured to enhance the security of computer systems by means of deception and deceit.

    Anti-war and the cyber triangle: strategic implications of cyber operations and cyber security for the state

    [From the introduction:] The main driver for this choice of research was the growing influence of Internet-related issues in contemporary politics in various fields. 2009 saw an intensification of this link between information and communication technologies and international relations, particularly in the fields of intelligence and the military, with the revelation of notorious cyber operations such as AURORA, Ghostnet and Night Dragon (see chapter II). While those events started to attract the broader attention of academics, it was not until the discovery of the Stuxnet malware in 2010 (see chapter IV) that the issue gained momentum in other fields as well. A computer malware targeting a nuclear enrichment facility in a foreign country amidst a latent conflict certainly raised a lot of questions that demanded answers. Its sophisticated design and potential implications for international relations as well as strategic studies were one of the main inspirations for this research.

While the emergence of literature on espionage and sabotage in conjunction with the Internet can be traced back to the 1990s, Kello recognises that even in 2013 it remains a weakly developed area, stating that '[t]he range of conceivable cyber conflict is poorly understood by scholars and decision-makers, and it is unclear how conventional security mechanisms, such as deterrence and collective defence apply to this phenomenon' (Kello, 2013: 7). Thus, the aim of this research is to contribute to the literature in this way: '[…] in addition to elucidating empirical cyber events, scholars can guide the design of policies to affect them' (Kello, 2013: 38-39). Undertaking research in a field which is state-of-the-art and therefore highly volatile presents a particular academic challenge. It does, however, also enable a researcher to make a potentially crucial contribution, a dent, in the current debate. In areas of research where a vacuum exists, it is imperative for scholars to contribute to filling that academic lacuna. The main outcome is therefore intended to be a contribution to the academic debate on the strategic relevance and conduct of cyber operations and the state's response to them. The intellectual tools developed as part of this research may be of future use for policy-makers. The underlying question for the research is: What are the strategic implications of cyber operations for the state?

The Economist recently saw 'intensifying cyber threats' as one of the top challenges for 2014 (The Economist, 2014). The revelations of the past years, starting with Stuxnet, Operation AURORA, APT-1, Red October and activities derived from the NSA documents revealed by whistleblower Edward Snowden, indicate that this threat will not abate soon. More and more states are readying themselves for future conflicts by developing defensive as well as offensive cyber operations capabilities (Lewis, 2013b: 9-55). The latest domain for conflict resolution is currently being explored and exploited by a growing number of different stakeholders. Based on the increased number of stakeholders and the intensity and number of occurrences of said events (see section 3.5 and appendix), its contemporary relevance is high, has been increasing for several years and looks set to continue. Guiding principles in the field of strategy are an important part of this development. Though the debate on the strategic implications of cyber operations started in the early 1990s, promoted under the auspices of the RAND Corporation, '[i]ntellectually, we are in a position not unlike that faced 65 years ago as we began to develop our thinking about nuclear weapons' (Kramer, 2012: I). Nye agrees, stating that 'in comparison to the nuclear revolution in military affairs, strategic studies of the cyber domain are chronologically equivalent to 1960 but conceptually more equivalent to 1950. Analysts are still not clear about the lessons of offense, defense, deterrence, escalation, norms, arms control, or how they fit together into a national strategy' (Nye, 2011: 19). Thus, an intensive academic analysis of this field is pivotal, especially within the framework of strategic studies, in order to enable strategic adaptation and decision-making (Kello, 2013: 14). The timeliness of events, paired with the lack of a properly developed strategic framework, signifies the increased contemporary relevance of research into the strategic implications of cyber operations for the state.

Definitions are very important in political science, and only more so for research in the field of cyber operations. The absence of commonly agreed upon definitions for cyber operations, and the multitude of other terms such as cyber warfare, digital warfare, information warfare and electronic warfare (see sub-sections 3.1 and 3.2 as well as section 4), which are at once related and disparate, mean that clarity in definitions is centrally important. While definitions might normally differ only slightly, here all elements included in the definition of cyber operations might vary. This includes the stakeholders (and their representation as entities in the cyber domain), the means to conduct cyber operations, the platform where they are conducted (for example all digital devices, Internet only, electromagnetic spectrum) and the operations through which they are conducted (for example, whether cyber espionage is included or not). Therefore, a coherent and comprehensive definition is of vital importance for the understanding of the research and more so for its outcomes. The terminology of this research applies to the state in the cyber domain, cyber operations and cyber strategy. Thus, the three key definitions which are developed in this research can be found below.

The state and its representation in the cyber domain is defined in chapter I: The state's representation in the cyber domain is the Critical National Information Infrastructure (CNII). The CNII is composed of the particular part of the information infrastructure which is vital to the function of the state according to the state-teachings of Jellinek: territory, people and legitimate use of violence.

The definition of cyber operations as developed in chapter II: A cyber operation is the targeted use and hack of digital code by any individual, group, organization or state using digital networks, systems and connected devices, which is directed against CNII in order to steal, alter or destroy information or to disrupt and deny functionality, with the ultimate aim to weaken and/or harm a targeted political unit.

Subsequently, the definition of a cyber strategy in chapter IV: The development and employment of cyber operations, potentially integrated and coordinated with other operational domains and forms of information operations, to achieve or support the achievement of political objectives.

    To Deceive or not Deceive: Unveiling The Adoption Determinants Of Defensive Cyber Deception in Norwegian Organizations

    Due to the prevailing threat landscape in Norway, it is imperative for organizations to safeguard their infrastructures against cyber threats. One of the technologies that is advantageous against these threats is defensive cyber deception, an approach in cyber security that aims to be proactive: to interact with the attackers, trick them, deceive them and use this to the defenders' advantage. This type of technology can help organizations defend against sophisticated threat actors that are able to evade more traditional defensive mechanisms, such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). In order to aid the adoption of defensive cyber deception in Norway, we asked the question: "What affects the adoption of defensive cyber deception in organizations in Norway?". To answer this question, we utilized the Technology, Organization, and Environment (TOE) Framework to identify which factors affect an organization's adoption of defensive cyber deception. Through our use of the framework, we identified eighteen different factors which affect an organization's adoption of defensive cyber deception. These factors are the product of the empirical data analysis of eight different semi-structured interviews with individuals from six different organizations in Norway. The main theoretical implications of our research are the introduction of a TOE model for defensive cyber deception, focusing specifically on organizations in Norway, as well as the contribution of a maturity estimate model for defensive cyber deception. For the practical implications of our research, we have identified seven different benefits that defensive cyber deception provides. We are also contributing to raising the awareness of defensive cyber deception in Norwegian research, and we hope that our TOE model can aid organizations that are considering adopting the technology. We hope that these implications and contributions can act as a spark for both the adoption of defensive cyber deception in organizations and the start of a new wave of cyber security research within Norway. Keywords: Cyber Security, Defensive Cyber Deception, TOE Framework, Adoption

    Modeling Deception for Cyber Security

    In the era of software-intensive, smart and connected systems, the growing power and sophistication of cyber attacks poses increasing challenges to software security. The reactive posture of traditional security mechanisms, such as anti-virus and intrusion detection systems, has not been sufficient to combat the wide range of advanced persistent threats that currently jeopardize systems operation. To mitigate these extant threats, more active defensive approaches are necessary. Such approaches rely on the concept of actively hindering and deceiving attackers. Deceptive techniques allow for additional defense by thwarting attackers' advances through the manipulation of their perceptions. Manipulation is achieved through the use of deceitful responses, feints, misdirection, and other falsehoods in a system. Of course, such deception mechanisms may result in side-effects that must be handled. Current methods for planning deception chiefly portray attempts to bridge military deception to cyber deception, providing only high-level instructions that largely ignore deception as part of the software security development life cycle. Consequently, little practical guidance is provided on how to engineer deception-based techniques for defense. This PhD thesis contributes a systematic approach to specify and design cyber deception requirements, tactics, and strategies. This deception approach consists of (i) a multi-paradigm modeling for representing deception requirements, tactics, and strategies, (ii) a reference architecture to support the integration of deception strategies into system operation, and (iii) a method to guide engineers in deception modeling. A tool prototype, a case study, and an experimental evaluation show encouraging results for the application of the approach in practice. Finally, a conceptual coverage mapping was developed to assess the expressivity of the deception modeling language created.

In the digital era, the growing power and sophistication of cyber attacks presents constant challenges to software security. The reactive posture of traditional security mechanisms, such as antivirus and intrusion detection systems, has not been sufficient to combat the wide range of threats that compromise the operation of today's software systems. To mitigate these threats, active defense approaches are necessary. Such approaches are based on the idea of adding mechanisms to deceive adversaries (deception). Deception techniques (in Portuguese, enganação: "the act or effect of deceiving, of leading into error; a trick used to delude") contribute to defense by thwarting attackers' advances through the manipulation of their perceptions. Manipulation is achieved through deceptive responses, "feints", misleading indications and other falsehoods intentionally added to a system. Of course, these deception mechanisms can result in side effects that must be handled. Current methods used to deceive an attacker are inspired mainly by techniques from the military domain, providing only high-level instructions that largely ignore deception as part of the secure software development life cycle. Consequently, there are few practical references on how to produce deception-based defense techniques. This doctoral thesis contributes a systematic approach to specify and design cyber deception requirements, tactics and strategies. This approach consists of (i) multi-paradigm modeling to represent deception requirements, tactics and strategies, (ii) a reference architecture to support the integration of deception strategies into a system's operation, and (iii) a method to guide engineers in deception modeling. A prototype tool, a case study and an experimental evaluation show encouraging results for the application of the approach in practice. Finally, the expressivity of the deception modeling language is evaluated by a concept coverage mapping.

    The Army Role in Achieving Deterrence in Cyberspace

    In 2015, the Department of Defense (DoD) released the DoD Cyber Strategy, which explicitly calls for a comprehensive strategy to provide credible deterrence in cyberspace against threats from key state and nonstate actors. To be effective, such activities must be coordinated with ongoing deterrence efforts in the physical realm, especially those concerning near-peers impacting critical global regions, such as China in the Asia-Pacific region and Russia in Europe. It is important for the U.S. Army to identify and plan for any unique roles that it may provide to these endeavors. This study explores the evolving concept of deterrence in cyberspace in three major areas:
    • First, the monograph addresses the question: What is the current U.S. deterrence posture for cyberspace? The discussion includes an assessment of relevant current national and DoD policies and concepts as well as an examination of key issues for cyber deterrence found in professional literature.
    • Second, it examines the question: What are the Army's roles in cyberspace deterrence? This section provides background information on how Army cyber forces operate and examines the potential contributions of these forces to deterrence efforts in cyberspace as well as in the broader context of strategic deterrence. The section also addresses how the priority of these contributions may change with escalating levels of conflict.
    • Third, the monograph provides recommendations for changing or adapting DoD and Army responsibilities to better define and implement the evolving concepts and actions supporting deterrence in the dynamic domain of cyberspace.