Inside Cyber Warfare Part 17

Sophisticated, targeted attacks begin with research. A tremendous amount of time, money, and human brain power is dedicated to finding new vulnerabilities in widely used software such as Microsoft Word, Internet Explorer, Mozilla FireFox, and even the most widely used operating system in the world, Microsoft Windows. When a new vulnerability is discovered, the discovering organization gains an advantage: it has a weapon that that doesn't have a specific defense, and the defender has zero knowledge that the exploit exists. These vulnerabilities are known as "0day" (p.r.o.nounced "zero day" or sometimes "oh-day") vulnerabilities. These 0day vulnerabilities are the "tip of the spear" in the offensive cyber world. These attacks result in a tremendous amount of damage, and the victim seldom realizes they've been compromised. DDoS attacks gain a lot of media attention because they are noisy and easy to detect, but targeted 0day attacks with custom attack payloads are silent, almost impossible to detect reliably, and represent the most powerful attack available to offensive cyber units. It is these types of attacks that represent the true capability of an offensive cyber unit.

In this example, the attacking organization has found vulnerability in the word-processing software Microsoft Word. Word is popular widely used the US government, and the attacker knows that. For the sake of clarity, the specific technical details of the exploit will not be covered; instead, this section will cover the major points of the vulnerability.

First, it is important to understand that prior to Microsoft Office 2007, all Office doc.u.ments were served as a binary file format.

Note.

More information about binary file formats can be found on Wikipedia at http://en.wikipedia.org/wiki/Binary_file.

Programs like Microsoft Word that consume binary file formats have a reputation of being difficult to secure and have been known to be affected by vulnerabilities that can corrupt the memory of the computer system attempting to pa.r.s.e the binary file format. If an attacker can corrupt the system's memory in a controlled manner (through the use of what is known as "sh.e.l.lcode"), then the attacker will be able to gain access to the target system.

The exploit, along with the attacker's sh.e.l.lcode, is hidden deep inside the raw binary contents of the malicious Word doc.u.ment. The binary structure of the Word doc.u.ment makes it impossible for the average user to determine whether the it contains malicious code. For example, Figure 10-2 shows a typical Word doc.u.ment as displayed by Microsoft Word.

Figure 10-2. Microsoft Word doc.u.ment as viewed in Microsoft Word Opening the same doc.u.ment in a hex editor shows the raw contents of the file, which are quite different than what the user sees within Microsoft Word. The average user will not be able to comprehend or detect whether malicious content exists within the binary structure of the Word file. It is within this raw binary data where the attacker will place his exploit and sh.e.l.lcode. A portion of the raw binary contents are shown in Figure 10-3. Would you be able to spot an exploit in the binary data?

Figure 10-3. Raw data content from a Microsoft Word doc.u.ment Sophisticated organizations with robust offensive cyber capabilities will stockpile these 0day vulnerabilities, ensuring they have the cyber firepower to take advantage of targets of opportunity.

Delivery of targeted attacks

Once the attacking organization has discovered and developed a suitable exploit for a 0day vulnerability, the attacking organization moves onto the target-selection phase. Many times, target selection is given two primary considerations: the value of the information that will be obtained from a particular target and the difficulty of successful exploitation (to include likelihood of detection). 0day exploits often are deployed against personnel who have security clearance, are directly responsible for handling sensitive data, or can provide a stepping stone into a targeted organization. This makes high-ranking officials an attractive target for attacks. The costs of developing a reliable exploit in popular software is reasonably high, and sophisticated organizations will deploy 0day exploits only against those targets that will yield a solid return on vulnerability investment. Organizations deploying 0day exploits are careful to avoid detection because once the 0day is detected, it quickly loses value, as patches are developed and specific countermeasures are put in place. The technical sophistication and technical reliability of the exploit will greatly affect the likelihood of detection (or lack thereof).

Once the exploit to be used is chosen and the target selected, the attacker must deliver the exploit to the target. One of the most popular delivery methods for 0day exploits is email. Email is the lifeblood for many organizations, allowing for the exchange of information in an effective and convenient manner. Virtually every email server blocks dangerous file types such as executable (.exe) files, batch files (.bat), and scripts (.vbs), but almost every email server allows Word doc.u.ments (.doc) or other Office doc.u.ments to be delivered. In this case, the attacker delivers the exploit hidden deep inside a Word doc.u.ment, allowing it to travel unabated through the victim organization's networks to the intended target.

Sophisticated attackers do not simply identify the email address of the target and send away; extensive reconnaissance is done before the actual exploit is sent. Collection of upcoming travel agendas, known a.s.sociates, naming conventions for doc.u.ments, and other details help build creditability and increase the likelihood of a successful exploit. Much of this information can be gleaned from public sources such as Google or public websites. Figures 10-4 and 10-5 show some of the types of information that can be retrieved about high-profile targets with open source intelligence (OSINT).

Figure 10-4. Sensitive information found via OSINT Figure 10-5. Contact information for military units found through OSINT Sophisticated organizations use OSINT and traditional intelligence-gathering methods to collect a good operational "picture" of the target. For example, if an attacker has identified a commanding officer (CO) of a unit within one of the US military branches as the target, he would spend time to enumerate several a.s.sociates that work closely with the CO. If the attacker has obtained a list of contacts (like the one shown in Figure 10-5), he could contact various members of the CO's staff, collecting bits of intelligence to paint the operational picture surrounding around him. Pieces of information that would be valuable to an attacker include upcoming events, email addresses of a.s.sociates, names and nicknames for a.s.sociates, and other contact information related to the target and a.s.sociates.

Once the attacker has collected intelligence on the target and the target's a.s.sociates, he can build a convincing scenario for attack. For example, after the attacker enumerates the email addresses a.s.sociated with the various a.s.sociates of the CO, he can forge an email that appears to come from an a.s.sociate related to an upcoming event. An example email is shown in Figure 10-6.

Figure 10-6. Forged email that appears to have originated from a trusted source Simple email forgery is easily done through the use of custom SMTP servers. Several programming languages provide simple APIs that can be used to forge emails, making them appear to come from any source the attacker chooses.

Once the email is sent, it becomes a weapon. The Word doc.u.ment attached to the mail carries a payload to infect anyone who opens the doc.u.ment. Signature-based intrusion-detection systems and anti-virus software will be unable to detect this attack; only the attacker has knowledge of its structure and the heuristics, since it is a 0day exploit.

Once the unsuspecting victim opens the Word doc.u.ment, he will be silently infected, compromising all the data on his system. The attacker then installs a rootkit on the infected system, allowing for unfettered future access. The rootkits are sophisticated and can hide from even the most discerning detection mechanisms. As detection routines improve, so does the rootkit evasion logic, creating a dangerous game of cat and mouse, with the victim's data as the price.

Command, control, and exfiltration of data

Ten years ago, detecting an infected system was somewhat simple. The majority of infected systems simply connected back to an attacker requesting commands to be executed. Many times, unencrypted communications channels were used to control infected systems, and exfiltration of sensitive data was easily spotted by intrusion-detection teams. Connection back to IRC channels in foreign countries was a telltale sign that a system was compromised, and monitoring of clear-text communications from infected systems was even used in intelligence/counterintelligence efforts. Figure 10-7 shows a small portion of captured IRC communications from antiquated malware.

Figure 10-7. Clear-text command and control communication from malware Today's malware is more sophisticated and more covert. Generally speaking, today's malware is never written to disk and is stored only in the system's memory. This makes the forensics effort extremely difficult. Researchers from Core Security Technologies and researcher John Heasman from NGSSoftware Insight Security Research have demonstrated practical examples of how memory and PCI-based rootkits can be deployed against targets.

Additionally, gone are the days when compromised systems transmitted stolen data in the clear, directly back to the attackers' systems. Today's sophisticated malware takes excruciating steps to hide its communication and intentions. Encrypted commands, communications over HTTP and decentralized command and control, and exfiltration of data through covert means are the norm. For example, take the advanced versions of the Nugache malware. Researchers Dave Dittrich from the University of Was.h.i.+ngton and Sven Dietrich from the Stevens Inst.i.tute of Technology studied the Nugache malware and demonstrated how it used 256-bit Rijndael to encrypt P2P command and control communication. Due to the implementation of proper crypto algorithms, even after the researchers had full access to runtime in memory data structures, the researchers were able to decrypt data flow in only one direction.

Why client-side 0day vulnerabilities can be so devastating

Client-side exploits target software installed on a victim's system. Web browsers, web browser plug-ins (Java, Flash, Silverlight, etc.), word-processing software, PDF readers, and even the operating system itself are all considered client-side software. On the other hand, server-side software includes web and email servers.

Client-side 0day exploits have gained popularity with organizations employing offensive operations. Discovering vulnerabilities in a popular client-side component affects millions of users, and the research required to discover them can be done covertly, with no external indication that it is being conducted. Once a client-side vulnerability is discovered and an exploit is developed, the attacker has a weapon, ready to be deployed at a moment's notice.

Client-side exploitation carries with it several advantages for the attacker. First, once the exploit is developed, the attacker typically has a mult.i.tude of delivery mechanisms available (web pages, Word doc.u.ments, PDFs, Flash files, etc.), many of which are allowed through the firewall. For example, virtually all corporate firewalls allow their users to browse web pages and receive emails. This gives attackers the ability to circ.u.mvent perimeter security measures such as firewalls and virtual private networks (VPNs). As mentioned in previous sections, anti-virus technology simply cannot keep up with known threats, much less 0day exploits of which they have no knowledge.

Once attackers successfully exploit a client-side vulnerability, they not only gain access to all the data and information located on the compromised system, they also gain access to all the resources available to it. For example, if the compromised system is part of a larger network, the attacker gains access to that larger network. In this sense, the attacker uses the compromised machine as a stepping-stone for further attacks in the internal network. Often internal resources are not as well protected as Internet-facing resources, making them easy targets for attackers who have gained access to internal networks.

Protecting against 0day exploits

There is simply no specific defense against 0day exploits. Each 0day exploit is unique, and only the attacker knows the full details of the 0day vulnerability. However, there are some steps that an organization can take to minimize the damage done by 0day vulnerabilities.

Defense in Depth

There is simply no subst.i.tute for defense in-depth for organizations. Defenses are layered, protecting sensitive data and critical systems through many different types of defense mechanisms. This forces the attacker to increase the intelligence-gathering effort needed for successful exploitation, as he will have to understand each defensive layer protecting the desired information. A solid defense in Depth strategy also dramatically increases the sophistication and effort required for a successful exploit, as the attacker must now bypa.s.s many defenses and not just one. Defense in Depth cannot guarantee safety from exploitation attempts by sophisticated attackers, but it does increase the footprint and increase the likelihood of early detection.

Using technologies such as MOICE and virtualization

Office doc.u.ments are becoming increasingly popular attack surfaces. Until Microsoft transitioned to an XML format for their Office doc.u.ments, files such as Microsoft Word (.doc), PowerPoint (.ppt), and Excel (.xls) doc.u.ments were binary formats. Binary formats are tremendously challenging to pa.r.s.e and consume, opening up a large attack surface. There has been a surge in Microsoft Office-related exploits in the past few years due to its popularity in large corporations and governments. To combat this rise, Microsoft has developed the Microsoft Office Isolated Conversion Environment (MOICE) to help "reduce the security risk" of opening these doc.u.ments. MOICE converts the traditional Office binary file format into the new Office Open XML format, helping to remove potential threats that may be hidden inside the binary contents of the Word doc.u.ment. Technologies such as virtualization allow for the execution of malicious code within controlled and constrained environments, so when 0day exploits are discovered, examination of the characteristics and the "signature" of the exploit can be examined in a safe manner.

Note.

Additional information related to the MOICE can be found on Microsoft's support site at http://support.microsoft.com/kb/935865.

Physical separation between data of varying sensitivity

A common operational security measure within government and military networks is the physical separation of networks according to cla.s.sification of data. Uncla.s.sified information is physically separated from data marked SECRET, which is in turn separated from data marked TOP SECRET. The physical separation of data represents one of the most effective means of reducing the attack surface for extremely sensitive data. The physical separation of networks also carries with it significant operational overhead. The amount of effort required for users of that data to traverse between cla.s.sified and uncla.s.sified networks can be high, especially in time-critical situations. Additionally, although separation of data networks allows for more stringent controls to be placed on those networks containing cla.s.sified information, it also requires additional resources.

Resources are finite in every organization, which means building a robust set of defenses for cla.s.sified networks will often come at a cost for the defenses for uncla.s.sified networks. Normally, the decision to allocate resources to cla.s.sified networks as opposed to uncla.s.sified networks is clear cut, but in this day of OSINT and ubiquitous social media, a savvy collection of uncla.s.sified pieces can give an adversary a clear picture of cla.s.sified operations.

Chapter 11. The Role of Cyber in Military Doctrine.

We are detecting, with increasing frequency, the appearance of doctrine and dedicated offensive cyber warfare programs in other countries. We have identified several, based on all-source intelligence information, that are pursuing government-sponsored offensive cyber programs. Foreign nations have begun to include information warfare in their military doctrine, as well as their war college curricula, with respect to both defensive and offensive applications. They are developing strategies and tools to conduct information attacks.

-John A. Serabian, Jr., Information Operations Issue Manager, Central Intelligence Agency, before the Joint Economic Committee on Cyber Threats and the US Economy, February 23, 2000 This chapter examines the military doctrines for cyber warfare being developed by the Russian Federation (RF), the People's Republic of China, and the United States. Over 120 nations are engaged in developing this capability, and so a complete survey of each is beyond the scope of this book. Source material contained in this chapter includes published papers and speeches, as well as entries from official military journals. Readers are highly encouraged to look at all sources rather than cherry-picking only the "official" ones.

The Russian Federation

Of China, Russia, and the United States, it is Russia that has been the most active in the implementation of cyber attacks against its adversaries, which include Chechnya, Kyrgyzstan, Estonia, Lithuania, Georgia, and Ingushetia. Whether or not you accept that some, all, or none of these events occurred with the sanction of the Kremlin, each event has been instrumental in furthering RF policy, and the Kremlin has never acted to stop them. Hence the RF benefits.

Like China, Russian military interest in developing an information warfare (IW) strategy goes back to at least the mid-1990s, when the Duma Subcommittee for Information Security expressed suspicion that the recent purchase of telecommunications boards made in the United States contained a secret switch that, when tripped, would shut down Russia's telephone system. This fear isn't unique to Russia. For example, the United States has refused to purchase electronic boards from Chinese defense manufacturer Huawei for essentially the same reason. In Russia's case, fear progressed to action, and a few years later, new faculty with advanced degrees in computer networks and information security were hired to teach at the FSB academy.

A report by the Inst.i.tute for Security Technology Studies at Dartmouth College provides a detailed history of the buildup of RF cyber warfare doctrine, starting with their Revolution in Military Affairs (RMA) in the 1980s. Ever since then, Russia has been researching a wide variety of computer network attack (CNA) options, including logic bombs, viruses, microchipping, and other forms of weaponized malware.

Also like China, Russia considers the United States to be the leader and the instigator in a cyber arms race, and it has reportedly engaged in cyber espionage activities in an operation that the FBI dubbed Moonlight Maze.

Bob Drogin of the Los Angeles Times reported that the FBI was investigating cyber break-ins at a wide range of sensitive government facilities, including several US national laboratories, NASA, some unnamed defense contractors, and various universities conducting sensitive research. The FBI was able to trace the penetrations back to Russian servers within 20 miles of Moscow. Senator Robert Bennett took it one step further and placed the blame squarely on the doorstep of the Russian Academy of Sciences.

A few years later it was China's turn with the ma.s.sive-and some say still ongoing-cyber espionage effort code-named t.i.tan Rain.

Russia soon moved from what contemporary cyber warfare theory terms computer network exploitation (CNE) to computer network attack during the latter days of the second Chechen war of 19972001 in an effort to control information flow. Chechen targets included kavkaz.org and chechinpress.com (now defunct) and were of sufficient size to knock both sites off the air.

Following Chechnya were joint cyber-kinetic attacks in Estonia and Georgia, and cyber-only attacks in Kyrgyzstan and Lithuania. In July and August 2009, escalating violence in Ingushetia was accompanied by denial of service (Dos) attacks against the main voice of protest against the Kremlin-controlled ruling government: http://www.ingushetia.org. The owner of the original site, Ingushetia.ru, was killed by Ingush police while in custody in August 2008.

What follows is an examination of Russian military doctrine and influences in information warfare, of which cyber is a component.

The Foundation for Effective Politics (FEP)