Cyber Warfare – Truth, Tactics, and Strategies
eBook - ePub

Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare

Dr. Chase Cunningham

  1. 330 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Insights into the true history of cyber warfare, and the strategies, tactics, and cybersecurity tools that can be used to better defend yourself and your organization against cyber threat.

Key Features

  • Define and determine a cyber-defence strategy based on current and past real-life examples
  • Understand how future technologies will impact cyber warfare campaigns and society
  • Future-ready yourself and your business against any cyber threat

Book Description

The era of cyber warfare is now upon us. What we do now and how we determine what we will do in the future is the difference between whether our businesses live or die and whether our digital self survives the digital battlefield. Cyber Warfare – Truth, Tactics, and Strategies takes you on a journey through the myriad of cyber attacks and threats that are present in a world powered by AI, big data, autonomous vehicles, drones, video, and social media.

Dr. Chase Cunningham uses his military background to provide you with a unique perspective on cyber security and warfare. Moving away from a reactive stance to one that is forward-looking, he aims to prepare people and organizations to better defend themselves in a world where there are no borders or perimeters. He demonstrates how the cyber landscape is growing infinitely more complex and is continuously evolving at the speed of light.

The book not only covers cyber warfare, but it also looks at the political, cultural, and geographical influences that pertain to these attack methods and helps you understand the motivation and impacts that are likely in each scenario.

Cyber Warfare – Truth, Tactics, and Strategies is as real-life and up-to-date as cyber can possibly be, with examples of actual attacks and defense techniques, tools, and strategies presented for you to learn how to think about defending your own systems and data.

What you will learn

  • Hacking at scale – how machine learning (ML) and artificial intelligence (AI) skew the battlefield
  • Defending a boundaryless enterprise
  • Using video and audio as weapons of influence
  • Uncovering DeepFakes and their associated attack vectors
  • Using voice augmentation for exploitation
  • Defending when there is no perimeter
  • Responding tactically to counter-campaign-based attacks

Who this book is for

This book is for any engineer, leader, or professional with either a responsibility for cyber security within their organizations, or an interest in working in this ever-growing field.


Information

Year: 2020
ISBN: 9781839214486

8

Cyber Warfare Strategic Innovations and Force Multipliers

"But magic is neither good nor evil. It is a tool, like a knife. Is a knife evil? Only if the wielder is evil."
Rick Riordan
Tools are just that: tools. There is no innately good or evil tool. The user is what determines what that tool is going to be used for and is ultimately responsible for the impact that the tool might have. A shovel can be used to dig an irrigation ditch and provide needed water for crops and homes. It can also be used to bash someone's skull in and bury them in a shallow grave. A visceral image and a violent one, but sometimes it is necessary to be a bit shocking to get a point across.
In cyber warfare this is just as true. While specifically developed weapons have certainly emerged from nation state actors and groups, the majority of what has been used as tools to engage in cyber warfare actions were simply functional pieces of infrastructure or tooling that could equally be used for innovation or for securing systems. The tools in this space most often have a double edge: one edge can be used to help secure systems and improve the quality of an infrastructure, and the other is ever ready to be turned on the defenders and used to eviscerate those same systems and their users.
In this chapter, we will point out some of the more overtly malicious tools that are either actively being used for malicious purposes or that are in the early stages of usability as potential tool sets. Additionally, we will delve into some similar tools that can be used to defend an enterprise from a cyber warfare action. However, keep in mind that a tool is just that, a tool. It is only as good or as evil as the user behind it.
In this chapter, we will discuss some tools and techniques that can act as force multipliers for defenders if they are leveraged correctly:
  • We will detail ways to plan for real-world defense operations
  • We will talk about ways to address issues around passwords
  • We will break down how the Software-Defined Perimeter can be part of a stronger infrastructure

Defensive tooling and strategic enablers

When it comes to defending an organization from future attack vectors, the defender must change their way of thinking in order to better prepare for what might be heading their way. The old paradigm of simply trying to predictively stay ahead of the threat by using anti-virus tooling, or having segmented VLANs that are bound by firewalls, is no longer sufficient.
Attack tooling and threat vectors have proven these outdated approaches to be ineffective, and to continue to try and defend anything with approaches and tools that have proven insufficient is tantamount to madness. Changing the way in which one plans for coming attacks, and using newer, more innovative solutions that operate in the way infrastructure, users, and the ever-changing workforce are evolving, is not optional: it is the only way to have any chance at survival.
In order to understand how best to defend something, one must first understand what types of attacks are most likely to succeed. In doing this, the organization can better understand what priorities to set in order to address the most immediately impactful areas of concern. Just as in combat within the physical space, a defense is best when it is based on reality and when the defender aligns their strategy and technologies to defend where an attack is most likely to occur.

Meet the Monkey

In cyberspace and in cyber warfare exploitation, attacks succeed because they locate and leverage the weak points in systems and networks. They do this by looking for technical and human vulnerabilities and then slowly and carefully zeroing in on the fail points that are found.
In order to defend from this type of attack cycle, it is necessary to continually test the system for those likely weak points. But this can be difficult, especially when dealing with large infrastructures that are bridged between cloud, non-cloud, on premises, off premises, and a wide variety of other potential configurations. One of the most well-aligned tools that fits this need is available as an open source offering.
It is called Infection Monkey.
Figure 1: The Infection Monkey logo
The Infection Monkey tool is designed to be an open source solution to help an organization test its infrastructure's and data center's ability to withstand a breach, and the follow-on lateral movement that usually results in more internal server or machine infections. The Infection Monkey system uses a variety of methods and tactics that allow it to automate the exploitation life cycle and autonomously self-propagate across an infrastructure. This system also includes a ready-built system that reports successful exploits and compromises to a centralized Monkey Island server.
This system has a wide offering of potential exploit tools and tactics that can be aimed at critical infrastructure components to help automate testing, which will allow the defenders to better focus their efforts on fixing what is most likely to be a fail point. A few of the more recent and often effective modules within the Infection Monkey tool are as follows:
  • Sambacry – A remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
  • ShellShock – Allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, also known as ShellShock.
  • ElasticGroovy – Allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. The Infection Monkey will look for machines with an open port 9200 and attempt to execute commands. If successful, the Infection Monkey will use scripts to collect machine intelligence and configuration data and to also download an executable to the machine to further propagate Infection Monkey tooling into the infrastructure.
  • Struts2 – Allows an attacker to perform a remote code execution (RCE) attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown, which is then used to display an error message to a user. The Infection Monkey will discover if the attacked machine is vulnerable and if so, will craft a specific payload to exploit the vulnerability. Following that the Infection Monkey uses this exploited machine to continue its propagation further into the network.
  • WebLogic – Oracle's WebLogic server has a blind RCE that can be attacked and exploited with a crafted packet. To do this, the Infection Monkey installs a server that listens for incoming traffic that is indicative of the vulnerable server communicating on the network. The Infection Monkey then sends crafted exploit packets to different components with intrinsic commands to each component of the WebLogic server. The server will respond due to the vulnerability, and the Infection Monkey system then uses scripted commands to launch an exploit against the WebLogic server.
  • Credential Harvesting – Because of the proliferation of administrator and overly empowered user accounts and their associated passwords being so prevalent on networked systems, the Infection Monkey tool also includes a module for credential harvesting. To do this, the Infection Monkey system targets Windows machines with a customized version of Mimikatz (a common exploit tool for harvesting password secrets from Windows machines). The Infection Monkey tool will also exploit Linux machines by scraping accessible SSH (Secure Shell) key pairs and attempting to use them to log in to other machines on the network.
Those are just a few of the capabilities this tool offers. While there are a variety of exploits built into the tool, most deeper infections usually result from the bad passwords and overly permissive shares and privileges that the Infection Monkey finds, rather than from the power of any single exploit. It is not usually one exploit that allows this system to dig so deep into the infrastructure.
Figure 2: A singular instance of an Infection Monkey appears when testing begins
We'll get more into specific capabilities of the Infection Monkey in the following section.

More offerings from the Infection Monkey

The Infection Monkey can also help defenders discover where their infrastructure offers avenues for lateral movement, which is often the point at which an exploit goes from problematic to a WannaCry-level event. The Infection Monkey tool does this by using a variety of detection capabilities that defenders can use to automate their analysis of potential infection and exploitation avenues. The system does this by using an installed analytics tool that looks at machines that are in the same domain or workgroup and may have the same users and passwords present on them. This is done via a "pass-the-hash" attack, a common penetration testing approach for gaining access to systems with shared credentials.
In a pass-the-hash attack, the attacker works to basically "become" a user and is authenticated without ever having access to the user's actual password. The goal of the attacker is to use the hash directly rather than cracking it, which makes time-consuming password cracking unnecessary. Because passwords are often stored in plaintext or with weak encryption, and are in any case usually stored in hash form, this attack is often successful. If an attacker obtains a valid password hash, they can use it to gain access to a system.
A hashing function is designed to take an input and convert it into an output that cannot be reversed. Pass-the-hash bypasses standard authentication on many systems and is a favorite for lateral movement. Using this technique, valid password hashes for the targeted user account are captured using a credential access technique. Once the attacker is successfully authenticated as a valid user, the attacker can further leverage the harvested hashes to perform authenticated actions on local or remote systems.
Pass-the-hash attacks are most often noted in attacks on Windows systems. However, they are possible on other systems, and vulnerable web applications are also possible targets. In Windows, this attack depends on the Single Sign-On (SSO) functionality in the authentication protocols. With SSO, users enter their passwords once and are then able to access the resources they have been given rights to without re-authenticating. SSO requires the system to keep the users' credentials temporarily in a cache. The Windows system then replaces that credential with a password hash (usually a ticket), and any follow-on authentication is done with that value instead of the actual credential. In Windows, those hashes are loaded into the Local Security Authority Subsystem Service (LSASS), the component responsible for user authentication, among other things. Using hash dumping tools, an attacker seeks to dump those password hashes from LSASS for further use.
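To make the "password-equivalent" nature of a captured hash concrete, here is an added Python model of a challenge-response login keyed on the stored password hash, in the way NTLM is keyed on the NT hash. This is illustration code, not code from the book or from Infection Monkey. Its assumptions are constructed: SHA-256 stands in for MD4, HMAC-SHA256 stands in for the NTLM response computation, and the host names and passwords are made up. It shows a client proving knowledge of the password, an attacker passing the same check with only the hash, and how far one captured hash reaches when the local administrator password is shared across hosts versus unique per host.

```python
"""Toy model of why a captured password hash is 'password-equivalent'.

Added illustration, not code from the book or from Infection Monkey.
Constructed assumptions: SHA-256 stands in for the NT hash (unsalted, so
equal passwords give equal hashes) and HMAC-SHA256 stands in for the NTLM
challenge-response computation. Host names and passwords are made up.
"""
import hashlib
import hmac
import os
from typing import Dict, List


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash: an unsalted one-way function of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Host:
    """A server that stores only the hash of its local administrator password."""

    def __init__(self, name: str, admin_password: str) -> None:
        self.name = name
        self.stored_hash = password_hash(admin_password)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # The server keys the check on the stored hash, so the hash itself is the secret.
        expected = hmac.new(self.stored_hash, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond_with_password(password: str, challenge: bytes) -> bytes:
    """Legitimate client: derives the key from the password it knows."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def respond_with_hash(stolen_hash: bytes, challenge: bytes) -> bytes:
    """Pass-the-hash: the identical response, computed without knowing the password."""
    return hmac.new(stolen_hash, challenge, hashlib.sha256).digest()


def login_with_password(host: Host, password: str) -> bool:
    c = host.challenge()
    return host.verify(c, respond_with_password(password, c))


def hosts_reachable_with_hash(stolen_hash: bytes, hosts: List[Host]) -> List[str]:
    """Lateral-movement blast radius: every host that accepts one captured hash."""
    reached = []
    for h in hosts:
        c = h.challenge()
        if h.verify(c, respond_with_hash(stolen_hash, c)):
            reached.append(h.name)
    return reached


def build_fleet(shared_admin_password: bool, size: int = 5) -> List[Host]:
    """Constructed fleet: one reused local admin password, or a unique one per host."""
    if shared_admin_password:
        return [Host(f"srv{i}", "Winter2020!") for i in range(size)]
    return [Host(f"srv{i}", f"unique-{os.urandom(8).hex()}") for i in range(size)]


def blast_radius_demo() -> Dict[str, List[str]]:
    """Compromise srv0 in each fleet, take its stored hash, and see where it works."""
    shared = build_fleet(shared_admin_password=True)
    unique = build_fleet(shared_admin_password=False)
    return {
        "shared": hosts_reachable_with_hash(shared[0].stored_hash, shared),
        "unique": hosts_reachable_with_hash(unique[0].stored_hash, unique),
    }


if __name__ == "__main__":
    print(blast_radius_demo())
```

The point of the two fleets is the one the chapter makes about bad passwords and excessive privilege: the protocol is the same in both cases, and nothing about hashing the password changes the outcome. What limits the damage of one dumped hash is that the hash is only accepted where that exact password is in use, which is why unique per-host local administrator passwords and tightly scoped admin accounts shrink the blast radius from the whole fleet to the single compromised host.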
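Because LSASS hands the cached value to the authentication packages, a pass-the-hash logon leaves traces in the Windows Security log that differ from an interactive password logon. The following added Python example, which is not code from the book or from Infection Monkey, runs two heuristics widely used in public detection content over a handful of constructed Security event 4624 records: a logon type 9 ("new credentials") event with logon process seclogo and the Negotiate package on the source host, which is what hash injection into a new logon session produces, and a network logon (type 3) over NTLM with KeyLength 0 and a null subject SID on the target host. The event records, host names and account names are constructed; the field names follow those of event 4624.

```python
"""Flag Windows Security event 4624 records with pass-the-hash characteristics.

Added illustration, not code from the book or from Infection Monkey. The
records below are constructed samples whose keys mirror 4624 fields. The two
heuristics are ones commonly found in public detection rules; both are
triage signals with known benign matches, not proof of compromise.
"""
from typing import Dict, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str, str]  # (heuristic, computer, account)

SAMPLE_EVENTS: List[Event] = [  # constructed sample log records
    # Source workstation: hash injected into a new logon session (also what runas /netonly produces).
    {"EventID": "4624", "Computer": "WS01", "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "svc_backup",
     "SubjectUserSid": "S-1-5-21-1-2-3-1001", "KeyLength": "0", "IpAddress": "::1"},
    # Target file server: the injected credential used over NTLM from the workstation.
    {"EventID": "4624", "Computer": "FS01", "LogonType": "3", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "SubjectUserSid": "S-1-0-0", "KeyLength": "0", "IpAddress": "10.0.5.23"},
    # Anonymous NTLM logon: matches the shape of rule 2 but is excluded as routine noise.
    {"EventID": "4624", "Computer": "FS01", "LogonType": "3", "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-0-0", "KeyLength": "0", "IpAddress": "10.0.5.40"},
    # Ordinary Kerberos network logon: not NTLM, so rule 2 does not fire.
    {"EventID": "4624", "Computer": "FS01", "LogonType": "3", "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "SubjectUserSid": "S-1-0-0", "KeyLength": "0", "IpAddress": "10.0.5.23"},
    # Ordinary interactive logon at the console.
    {"EventID": "4624", "Computer": "WS01", "LogonType": "2", "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice",
     "SubjectUserSid": "S-1-5-18", "KeyLength": "0", "IpAddress": "127.0.0.1"},
]


def is_hash_injection_logon(ev: Event) -> bool:
    """Rule 1: type 9 logon via seclogo/Negotiate on the host where the hash is injected."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName") == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")


def is_ntlm_network_logon_anomaly(ev: Event) -> bool:
    """Rule 2: NTLM network logon with no session key and a null subject SID on the target."""
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == "0"
            and ev.get("SubjectUserSid") == "S-1-0-0"
            and user != "ANONYMOUS LOGON"
            and not user.endswith("$"))  # machine accounts authenticate this way routinely


def find_pass_the_hash_candidates(events: List[Event]) -> List[Hit]:
    hits: List[Hit] = []
    for ev in events:
        if is_hash_injection_logon(ev):
            hits.append(("hash_injection", ev["Computer"], ev["TargetUserName"]))
        elif is_ntlm_network_logon_anomaly(ev):
            hits.append(("ntlm_network_anomaly", ev["Computer"], ev["TargetUserName"]))
    return hits


def correlate_source_and_target(hits: List[Hit]) -> List[str]:
    """Strongest signal: an account injected on one host and then used over NTLM on another."""
    injected = {user for kind, _, user in hits if kind == "hash_injection"}
    remote = {user for kind, _, user in hits if kind == "ntlm_network_anomaly"}
    return sorted(injected & remote)


if __name__ == "__main__":
    found = find_pass_the_hash_candidates(SAMPLE_EVENTS)
    print(found)
    print(correlate_source_and_target(found))
```

Neither rule is conclusive on its own: rule 1 also fires for a legitimate runas /netonly, and rule 2 matches NTLM network logons from any device that cannot use Kerberos, such as non-domain-joined systems. The correlation step is what turns two noisy signals into something worth an analyst's time, and it is also the reason the source-host and target-host logs need to be in the same place.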
Additionally, the Infection Monkey system can test whether micro-segmentation policies and controls enforced by firewalls actually hold. The Infection Monkey system accepts a list of network segments that the administrator or tester believes are segmented and "untouchable" for testing purposes. The monkey then attempts to gain access to those assets using common cross-domain exploitation tooling. If any of those exploits or login attempts work, the results are propagated to the Infection Monkey report server.
Finally, the Infection Monkey can behave as if it were crafted malware and will even trigger malware alerts if the affected system has those tools in place. It can also mimic more nation-state-style malware and attempt to tunnel out of the network. It does this by using its custom-built tooling to automatically attempt to tunnel traffic out of the infrastructure over common internal network protocols and ports.
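The segmentation test just described is an active one: the Monkey tries to cross a boundary and reports when it succeeds. A passive complement a defender can run over existing flow logs is shown below as an added Python example that is not code from the book or from Infection Monkey. The segments, the denied segment pairs and the flow records are constructed, and the record shape (source, destination, destination port, action) is an assumption about how a firewall or cloud flow-log export would be normalized. It flags allowed flows that cross a boundary policy says is closed, and separately lists the denied pairs for which no traffic was observed at all, which is exactly where a passive review proves nothing and an active test like the Monkey's is needed.

```python
"""Check observed network flows against a declared segmentation policy.

Added illustration, not code from the book or from Infection Monkey.
Segments, denied pairs and flow records below are constructed; the
(src, dst, dport, action) tuple is an assumed normalized flow-log format.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]        # (src_ip, dst_ip, dst_port, "ALLOW" | "DENY")
Pair = Tuple[str, str]                  # (src_segment, dst_segment)

SEGMENTS: Dict[str, ipaddress.IPv4Network] = {  # constructed address plan
    "workstations": ipaddress.ip_network("10.0.5.0/24"),
    "servers": ipaddress.ip_network("10.0.10.0/24"),
    "ot": ipaddress.ip_network("10.0.50.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Segment pairs that policy says must be blocked on every port (constructed policy).
DENIED: Set[Pair] = {("workstations", "ot"), ("dmz", "servers"), ("dmz", "ot")}

FLOWS: List[Flow] = [  # constructed flow-log records
    ("10.0.5.23", "10.0.10.5", 445, "ALLOW"),        # workstation -> server: permitted
    ("10.0.5.23", "10.0.50.7", 502, "ALLOW"),        # workstation -> OT: policy violation
    ("10.0.5.40", "10.0.50.7", 502, "DENY"),         # same boundary, firewall did its job
    ("192.168.100.9", "10.0.10.5", 3389, "ALLOW"),   # DMZ -> server: policy violation
    ("10.0.10.5", "10.0.50.7", 502, "ALLOW"),        # server -> OT: not in the denied set
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if outside the address plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def find_violations(flows: List[Flow], denied: Set[Pair]) -> List[Tuple[str, str, int, Pair]]:
    """Allowed flows that crossed a boundary the policy says is closed."""
    out = []
    for src, dst, port, action in flows:
        pair = (segment_of(src), segment_of(dst))
        if action == "ALLOW" and pair in denied:
            out.append((src, dst, port, pair))
    return out


def unexercised_pairs(flows: List[Flow], denied: Set[Pair]) -> List[Pair]:
    """Denied pairs with no observed traffic at all: passive data cannot vouch for these."""
    seen = {(segment_of(s), segment_of(d)) for s, d, _, _ in flows}
    return sorted(denied - seen)


if __name__ == "__main__":
    for v in find_violations(FLOWS, DENIED):
        print("VIOLATION", v)
    for p in unexercised_pairs(FLOWS, DENIED):
        print("NO EVIDENCE EITHER WAY", p)
```

A flow log only shows what traffic happened to be attempted; a boundary nobody has tried to cross looks identical to one that is enforced. That gap is the justification for the Monkey's active approach, and the two outputs above are best read together: fix the violations, then point the active test at the pairs with no evidence.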
The tunneling capability of the Infection Monkey system operates in a very similar manner...
