The Basics of Cyber Warfare
eBook - ePub

The Basics of Cyber Warfare

Understanding the Fundamentals of Cyber Warfare in Theory and Practice

  1. 164 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

The Basics of Cyber Warfare provides readers with fundamental knowledge of cyber war in both theoretical and practical aspects. This book explores the principles of cyber warfare, including military and cyber doctrine, social engineering, and offensive and defensive tools, tactics and procedures, including computer network exploitation (CNE), attack (CNA) and defense (CND). Readers learn the basics of how to defend against espionage, hacking, insider threats, state-sponsored attacks, and non-state actors (such as organized criminals and terrorists). Finally, the book looks ahead to emerging aspects of cyber security technology and trends, including cloud computing, mobile devices, biometrics and nanotechnology.

The Basics of Cyber Warfare gives readers a concise overview of these threats and outlines the ethics, laws and consequences of cyber warfare. It is a valuable resource for policy makers, CEOs and CIOs, penetration testers, security administrators, and students and instructors in information security.

• Provides a sound understanding of the tools and tactics used in cyber warfare
• Describes both offensive and defensive tactics from an insider's point of view
• Presents doctrine and hands-on techniques to understand as cyber warfare evolves with technology

The Basics of Cyber Warfare by Jason Andress and Steve Winterfeld is available in PDF and/or ePUB format, alongside other popular books in Computer Science & Computer Science General.

Chapter 1

Cyber Threatscape

Information in this chapter:

• How Did We Get Here?
• Attack Methodology Plus Tools/Techniques Used
• Attackers (The Types of Threats)
• How Most Organizations Defend Today (Defensive Mountain Range)?
• Targeted Capabilities (What We should be Defending)

How Did We Get Here?

In the early 1980s, when ARPANET was becoming the World Wide Web which grew into today’s Internet, the focus was on interoperability and reliability as a means of communication and potential command and control in the event of an emergency. Everyone with access to the system knew each other, and security was not a consideration. Then, in the late 1980s, trouble started: Robert Morris released the first worm (a self-replicating piece of malware), and Clifford Stoll discovered Soviet Bloc spies stealing US secrets via a mainframe at the University of California, Berkeley. These were quickly followed by a number of incidents that highlighted the security risks associated with our new communication capability (see Appendix 1 for a list of major events through the years).
The key events that relate to and impact the military occurred in the mid- to late 1990s, when Time magazine ran a cover on “Cyber War.” The 1998 Solar Sunrise incident hit the news as the Pentagon got hacked while America was at war with Iraq, but the instigators turned out to be two kids from California. In Moonlight Maze, the Department of Defense (DoD) found intrusions from systems in the Soviet Union (though the source of the attacks was never proven), and Russia denied any involvement (hackers will often route their attacks through countries that will not cooperate with an investigation). By the early 2000s, a series of attacks, generally accepted as being from China, were identified and code named Titan Rain. The name was changed to Byzantine Hades after the Titan Rain code name was disclosed in the media, and changed again when the Byzantine Hades code name was posted to WikiLeaks. The term “Advanced Persistent Threat (APT)” has become the common reference term for this state-sponsored, systematic electronic reconnaissance/digital espionage. By the late 2000s a physical aspect was added to the attacks, which the DoD code named Operation Buckshot Yankee: thumb drives used by the US military were found to have malcode embedded, which caused the DoD to ban thumb drive usage on all military networks and systems.
Note
Code Word/Name—A word or a phrase designed to represent a program or activity while remaining inconspicuous to people not cleared for the information. A code word should be assigned randomly and have no association with the program or activity it represents. Active code words are classified. If the code word/name is compromised it is cancelled and a new code word/name is issued.
In addition to attacks on the US Military, some international incidents occurred in the 2000s. In 2007, hackers believed to be linked to the Russian government brought down the Web sites of Estonia’s parliament, banks, ministries, newspapers, and broadcasters. Estonia called on the NATO treaty for protection and troops to help recover. A year later cyber attackers hijacked government and commercial Web sites in Georgia during a military conflict with Russia, creating a new form of digital signal jamming over the Web. Finally in 2010, the Stuxnet worm attacked the systems that control Iran’s nuclear material development causing damage to these systems.
There are some other key events that parallel the military’s pains. In 2009, reports revealed that hackers downloaded data from the DoD’s multibillion-dollar F-35 Joint Strike Fighter program, showing that the cyber attackers were going after defense contractors as well as the military itself. Then in 2010, Operation Aurora broke into the news when Google publicly revealed itself as one of many commercial companies hacked by the APT, showing that the cyber attackers were also going after commercial intellectual property. There were two troubling attacks in 2011. The first was a series of hacks exposed in the global energy report “Night Dragon,” which showed how China was trying to gain a competitive edge in the energy market through espionage. The second was the RSA attack, where the stolen information would allow a hacker to replicate the number that showed up on the password token many organizations used to secure their networks, showing that the enemy was willing to attack the infrastructure used to protect the US.
For 30 years, there has been a continuous battle between defenders and attackers from networks around the globe. In many cases it does not matter to the attacker if the target is military, government, or commercial, they are just after as many systems as they can acquire. As new solutions are invented, new attacks are developed, and the cycle continues.
The threatscape map in Figure 1.1 was designed to help everyone understand this complex environment. Some will see the map of Mordor from J.R.R. Tolkien’s fictional Middle-earth while others see the Ponderosa, but the map is really designed to show the methodology (upper left) and resources (lower left) the attackers (second column) will use to attempt to beat the defenses built into the mountain range (center) to get to the valuable data they want on the far side (far right).
Figure 1.1 This is a Threatscape Map Designed to Show the Different Components in the Cyber Environment and How They Interact

Attack Methodology Plus Tools/Techniques Used

As we examine how networks are broken into, it is evident that the basic steps in the process are analogous to traditional military attack/defend doctrine. When we look at how defending armies build defense in depth, we see the same term used by network administrators—Demilitarized Zone (DMZ), just like the physical zone between South and North Korea. On the attacking side, attackers conduct reconnaissance, marshal forces at the point of weakness, attack, and exploit the penetration to gain control over the enemy.
The major difference between Kinetic (real world) and Non-Kinetic (virtual world) warfare methodology is the weapons vs. software programs they use. So we will walk through the steps and define a few of the tools used. The tools will be covered in more detail in later chapters so this will just be to gain an initial understanding.
Warning
The only difference between a hacker tool and a cybersecurity professional tool is “written permission.” Please don’t load a password cracker on a work computer to test the security without permission—many people have been fired for using these tools with good intentions.
Attack methodology is the process or general steps used to attack a target, together with the potential tools/techniques that can be used to conduct the attack. The major steps are recon, attack, and exploit. These steps can involve a variety of activities, from launching machine-to-machine attacks to using social engineering. (Think of social engineering as scamming or conning someone out of information that allows the hacker to compromise a network.) Each of these steps or phases has a number of substeps, and in many cases different hackers will both modify and automate them to suit their style.
To begin the recon phase a target is required. The target can be the specific systems that will be attacked or the personnel that use them. To attack the machines the unique Internet Protocol (IP) address for the machine or Uniform Resource Locator (URL) for the Web page must be known. To attack via the users, a phone number is generally all that is needed. IP addresses and phone numbers can be found with a quick Google search or with services like American Registry for Internet Numbers (ARIN) searches. Much of what is needed for a social engineering attack can be found on a business card.
Once the target is identified, the recon begins in order to find the weak point or vulnerability. The attack can be against the operating system or one of the applications on it (e.g. Adobe Flash, Microsoft Office, games, Web browsers, or an instant messenger). A scanner is run against the system to determine and list many of the vulnerabilities. Some of the more popular scanners are Nmap, Nessus, eEye Retina, and SAINT scanner. Attack framework tools are available that both scan and carry built-in exploits matched to the vulnerabilities found, so the attack can be launched from the same application. Some popular framework tools are Metasploit, Canvas, and Core Impact. Finally, there are tools that turn a machine into a Linux attack system by booting off of a Linux live CD; the most popular live CD attack tool is BackTrack.
Another tool that is useful during recon is a sniffer. This is a tool that has the attacker’s system mimic every computer on the network so it gets a copy of all the traffic. It will allow the attacker to read all unencrypted emails and documents as well as see the Web pages being accessed by everyone on the network. Popular sniffers are Wireshark, Ettercap, and Tcpdump. On the wireless side tools include Aircrack-ng and Kismet.
While there are a lot of recon tools that are very powerful and easy to use, the one set of tools that shows how the threat environment has evolved is packet crafters. Someone with no programming skills can now craft unique attacks. Popular tools include Netcat and hping. There are a host of other tools for recon, but these represent the baseline tools used to discover the vulnerabilities that allow movement to the attack phase.
When attacking a system there are many types of malcode that can be used. At the code level there are worms or viruses that can use attack vectors like cross-site scripting (XSS) or buffer overflows to install rootkits or a Trojan horse, which acts as a backdoor into a system and is used to spread the attack. A worm spreads without any help: it infects a system and uses it to find more systems to spread to, while a virus needs some user interaction, like opening any type of file (email, document, presentation) or starting a program (game, video, new app). Worms and viruses use techniques like cross-site scripting or buffer overflows, which attack mistakes in the code in order to compromise it. Cross-site scripting is a Web-based attack that allows unauthorized code to be executed on the viewer’s computer, which could result in information being stolen or the system’s identification certificates being stolen. An overly simplified example of a buffer overflow: a program asks for a phone number, but rather than giving it the 10 digits needed, the attacking software sends 1000 digits followed by a command to install the malcode. Because the program does not have good error handling, it executes the malcode.
A rootkit is a program that takes over control of the operating system and tells lies about what is happening on the system. Once a rootkit is installed, it can hide the hacker’s folders (e.g. hacker tools, illegal movies, stolen credit card numbers), misdirect applications (e.g. show the antivirus updating daily but don’t allow it to update), or misrepresent the system status (e.g. leave port 666 open so the hacker can remotely access the system but show it as closed).
The first generation of rootkits was much like my daughter when she was four (called the fibbing 4s because that is when most kids learn to lie). Like a 4 year old, the rootkits of the first generation did not lie very well. The generation we are on now is more like when she was 21 (she was MUCH better at telling a coherent story that is not easy to detect as a lie). The current generation of rootkits does a much better job of hiding itself from detection. The next generation will be like someone with a masters in social engineering, almost undetectable. A Trojan horse backdoor is a program that masquerades as a legitimate file (often a system file, e.g. files ending in .sys on a Windows box or the system library on a Mac). These files are actually fakes that have replaced the actual system file. The new file both runs the system and opens a backdoor to the system, allowing the hacker remote control of the system.
One use for worms and viruses is to build botnet armies. A bot (also called a zombie) is a computer that is a slave to a controller. Once someone builds an army of millions of bots they can cause a distributed denial of service (DDoS) by having all of the bots try to connect to the same site or system simultaneously. This can be done to blackmail a Website (pay or be blocked so no customers can get access), disrupt command and control systems, commit click fraud (if Acme.org gets paid one cent for every customer that clicks on a link taking them to Selling.com, a botnet could be used to do that millions of times a day), or compute complex problems (much like a distributed supercomputer).
There are a number of ways to launch attacks targeted at a specific system rather than the broad net a worm or virus would catch. The attack framework tools mentioned earlier are the most common. The key is to correlate the exploit to the vulnerability. Much like there has never been a bank built that cannot be robbed, there is not a computer or network that cannot be broken into given enough resources and persistence. If no vulnerability can be found then the attacker can go after the authentication via password or credential attacks.
Cracking passwords can be done by brute force, having a program try every possible password combination. This can be time consuming and is easy to detect but, depending on the strength of the password, is very effective. If the hacker can get access to the password file then tools like Cain & Abel or John the Ripper can be utilized to crack them. Another technique that is available is called rainbow tables. These are databases where popular password hashing algorithms have been run on every possible key combination on a standard keyboard. This precompiled list allows a simple lookup when the hacker gets access to the list of hashed passwords. Many of these tables cover every combination for 8–20 characters, and the length grows as hackers continue to use botnets to build the tables.
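As an added illustration that is not from the book, the following shows why the precomputed lookup described above works against a plain password hash and fails against a per-user salted, iterated hash; the candidate list is constructed, and SHA-256/PBKDF2 are stand-ins for whatever scheme a given system uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed candidate list. A real precomputed table covers every keyboard
# combination up to some length; the lookup mechanics are identical.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "Summer2012", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: the same password always yields the same digest, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and key by digest, so recovery becomes a dictionary lookup."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: Dict[str, str], stored_digest: str) -> Optional[str]:
    """Return the password behind a digest if the table ever computed it, else None."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Hardened scheme: random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    The salt makes each user's digest unique, so one precomputed table cannot
    serve all users; the iterations make each guess costly to compute.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()  # store the salt next to the digest


def verify_salted(password: str, stored: str, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, stored)


def demo():
    table = build_precomputed_table(CANDIDATES)

    # Unsalted storage: the leaked digest is in the table, recovery is one lookup.
    weak_digest = unsalted_hash("letmein")
    recovered = lookup(table, weak_digest)

    # Salted storage: the table was built without this salt, so the digest is unknown to it.
    salt = os.urandom(16)
    stored = salted_hash("letmein", salt)
    salted_digest = stored.split("$", 1)[1]
    not_recovered = lookup(table, salted_digest)

    # The legitimate login path still works because the salt is stored alongside.
    return recovered, not_recovered, verify_salted("letmein", stored)


if __name__ == "__main__":
    print(demo())
```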
Note
Exploit has three meanings within the cyber community. When talking about code it refers to malcode that allows a system to be compromised. When talking about the methodology it refers to what the payload of the attack is intended to accomplish. When talking about military doctrine it is used by the intelligence community to refer to recon/espionage.
The exploit phase is where the attacker takes advantage of gaining control. There are generally three factors that the hacker can compromise: Confidentiality, Integrity, or Availability (CIA). When attacking confidentiality they are simply stealing secrets. Integrity attacks are when they change the data on the system. In a commercial setting this could be changing prices or customer data. On a military network it might be to change the equations used to calculate command and control guidance. Availability attacks are normally time based and can be accomplished by taking the system down or overwhelming the bandwidth. The type of exploit is based on the motivations of the attacker. They can use the system to attack more systems on the network, misrepresent the user (send fake emails), or load a rootkit with a backdoor to maintain long-term access. They will often try to avoid detection and might even use anti-forensic techniques like log wiping and time stomping. Some will patch the system so others will not be able to break in and take it away from them. Finally they may load digital tripwire alarms to tell them if they have been detected.
Another vector of attack is social engineering. This can be done in person but is normally done over the phone. It can include research via an organization’s Web site, social media, and meeting people at places like a conference to exchange business cards. The most common attack today is via email. This kind of social engineering attack is called phishing (sending general email to multiple people), spear phishing (targeted at a specific person), or whaling (targeting a specific senior member of the organization). There are also technical tools like the “Social Engineer Toolkit” that are designed to assist attacking the workforce.

Attackers (The Types of Threats)

This section will focus on the different categories of attackers. As we look at the threatscape map (Figure...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Author Biography
  7. Introduction
  8. Chapter 1. Cyber Threatscape
  9. Chapter 2. Cyberspace Battlefield Operations
  10. Chapter 3. Cyber Doctrine
  11. Chapter 4. Tools and Techniques
  12. Chapter 5. Offensive Tactics and Procedures
  13. Chapter 6. Psychological Weapons
  14. Chapter 7. Defensive Tactics and Procedures
  15. Chapter 8. Challenges We Face
  16. Chapter 9. Where is Cyber Warfare Headed?
  17. Index