The art of cyber war: tools and techniques
The complexity of what military pundits call cyber space consists of a mixture of a large number of technologies and tools at different levels as well as their dynamic interaction and progress. A basic distinction is made between offensive and defensive techniques, with both types being dependent on one another. On the one hand, the ability to take offensive actions is a direct function of the weaknesses of an attacked system, which is why one of the primary tasks of a hacker is to identify vulnerabilities. On the other hand, cyber defenses must also put themselves in the role of an attacker in order to ensure the best possible defense against attacks.
In the following blog post, I will present common offensive and defensive tools and techniques used in cyber warfare and provide a basic overview of their general principles.
Offensive Strategies
In addition to the security architecture consisting of hardware and software components and their configurations, factors such as the costs and benefits of an attack, efficiency, motives, goals and skills of the attacker determine which strategies, techniques and tools are ultimately used. Andress and Winterfeld distinguish between four different types of offensive cyber techniques, which are also used individually but mostly in combination: reconnaissance, attack, exploit and social engineering.
The term reconnaissance, which originally comes from the military and describes spying of a military enemy, is a strategy that is mostly used in connection with other techniques and represents the first step of an attack. As the term suggests, this involves spying out weak points in a network, operating system or a specific application such as Adobe Flash, Microsoft Office or messenger services. Various tools such as so-called scanners, sniffers or packet crafters can be used to identify the weak points of a system.
Scanners are often integrated into attack tools and can identify and list the vulnerabilities of a system. Popular scanners include Nmap, Nessus, Saintscanner and eEye Retina. Sniffers, on the other hand, enable the attacker to create a copy of all network traffic so that the attacker can read unencrypted emails, documents or website access.
The best-known sniffer tools include Wireshark, Tcpdump and Ettercap. Another reconnaissance technique is the so-called packet crafting, which is mainly used to analyze firewall rule sets. To analyze the rule sets, artificial packets are generated instead of examining the existing network traffic. Among other things, programs such as NetCat or Hping are known.
As soon as a system’s weak points have been identified, various attack tools can be used, which either endanger certain applications on the computer or crack passwords. Malcodes are usually applied such as worms or viruses. A worm does not require a host program and spreads without any help, whereas a virus is attached to a file and requires interaction with the user. Interaction with the user can be done by opening a file, such as emails and documents, or by running a program such as a computer game or software program. Worms infect a specific system and then use that system to spread to other systems.
Worms or viruses are usually spread via so-called attack vectors, such as e-mail attachments, websites, pop-up windows, chat rooms or messenger services. With the help of these attack vectors, a computer can also be infected with so-called rootkits or Trojans. A Trojan opens a back door in the system, which gives the attacker unauthorized access to the affected computer via a controller.
At the same time, the Trojan obscures the true intention of the malware. Usually, a legitimate system file such as a sys file on the Windows computer is replaced with a fake file. This fake file performs two functions: on the one hand, it keeps the system running and, on the other hand, it opens a backdoor through which an attacker can take control of the system.
Worms and viruses use the technique of cross-site scripting or buffer overflows, which attack bugs or errors in the source code and thus damage the program. Cross-site scripting is a technique developed for web-based applications. Unauthorized code is implemented in web scripts, which is then executed by the computer when a specific URL is accessed. This form of attack is based on the same-origin policy, which states that a URL can be granted access to cookies, for example, if another URL on the same website has previously been granted authorized access.
Rootkits are malcodes that take control of an operating system while feeding it false information about what is happening on the system. This tool can hide an attacker’s activities, mislead applications, or spoof a system’s status. For example, a rootkit could prevent anti-virus software from performing updates and at the same time manipulate it in such a way that daily updates are simulated to the user. Another example would be that a rootkit leaves port 666 open to access the system, but at the same time indicates to the user that this port is closed.
Another strategy would be to use worms and viruses to create so-called botnet or zombie armies. An infected computer becomes an attacker’s slave, which can be used together with millions of other botnets for distributed denial of services attacks (DDoS). DDoS describes a technique in which countless bots simultaneously either overload a system itself or attack a system’s bandwidth.
The former requires reconnaissance measures to identify vulnerabilities, while an attack on bandwidth merely requires a large enough army of botnets to overload the communication channel. It becomes more difficult for the attacker when he is confronted with a decentralized and redundant system, for example in an organization. This would require additional malcode to attack multiple components of the system simultaneously.
If an attacker cannot identify any weak points in the system, he can attack the security system himself or defeat a protected system by cracking passwords. One possibility would be to break into the password file and use tools such as Cain & Cable or Jack the Ripper to crack the password. A second possibility would be that so-called rainbow tables are used, which run through all possible password combinations using widespread encryption protocols. The probability of cracking a password can be increased by using rainbow tables controlled by botnets.
If these technical possibilities do not work, the strategy of social engineering can help. As the name suggests, it is about influencing the weakest point of a system, namely the human being. There are also different options here. For example, an insider can disclose sensitive information by building trust, extortion or bribery. Another possibility of social engineering would be via e-mail communication (phishing), in which a user is tricked into disclosing sensitive information without the user suspecting an attack behind it.
The third phase is the strategy of exploitation, in which an attacker takes advantage of his attack phase. This strategy should not to be confused with the term exploitation defined in the Pentagon’s Joint Publication. There are basically three different types of exploitation that an attacker can influence: the confidentiality of information (confidentiality), integrity (integrity) and availability (availability).
An attack on confidentiality steals data, while an attack on integrity alters a system’s data. An attack on integrity can mean that unauthorized persons gain access to a system or processes are altered or damaged, such as the manipulation of command and control guidance. An attack on the availability, on the other hand, aims to limit the availability of a system or data.
Defensive Strategies
There are also a number of strategies, techniques and tools in the area of defensive measures. In most cases, the so-called defense in depth – also known as multiple layers of protection – represents the basis of defensive measures. One of the challenges in this regard is the increasing use of mobile end devices such as laptops, smartphones or tablets and the use of removable storage devices such as USB sticks, making it increasingly difficult to contain the devices within the defense perimeter.
The most important tools for protecting computers and networks include so-called appliances, which include firewalls to ward off attacks, intrusion detection systems to detect attacks, anti-virus software to neutralize attacks or data encryption. The so-called security metrics also play an important role, quantifying the effect of an attack and serving as a basis for decision-making.
Although the defense in depth measures form the basis of a security system, unrestricted security cannot be guaranteed. An example of this would be the action and reaction cycle regarding detection systems or firewalls. Detection systems or firewalls usually rely on rule-based or signature-based controls to identify illegitimate access to systems or networks. However, attackers can circumvent these rules or change the signature of a malware, so that traditional firewalls can have difficulties identifying a malware as such.
In response to this, detection systems and firewalls are now being developed that implement deep learning algorithms and are intended to enable the security system to detect even so-called zero-day or polymorphic malware. However, the deep learning algorithms usually only work in a laboratory environment, since the attackers have the opportunity to circumvent detection systems or firewalls by training the deep learning algorithms in such a way that the algorithm classifies an attack as legitimate access.
In addition to the multiple layers of protection, there is a need for cyber cells that administer the networks and are then switched on after an attacker has overcome a system’s weak points. Often referred to as Security Operations Centers or Computer Emergency Response Teams, these cells are mostly responsible for the response cycle (Protect, Detect, React and Recover), vulnerability assessment testing (VA), penetration testing and cyber forensics.
Sandboxing is a common tool used by emergency response teams and vulnerability assessment tests. With sandboxing, suspicious files and software codes or uncertified third-party software are tested in a controlled, secure environment (virtual machine), which on the one hand prevents the malware from spreading to the actual system and core network and on the other hand observes the behavior of a software code and can be analyzed. In particular, previously unknown malcodes can be detected using this technique.
While vulnerability assessment tests are carried out to identify and close network vulnerabilities, penetration tests are simulations in which the skills of the response team are tested. In most cases, an attack team competes against a response team, of which the former carries out an attack and the latter has to find out how the attack was carried out.
Cyber forensic scientists, on the other hand, have the task of precisely analyzing an attack and looking for traces that provide information about the origin and type of attack. A tool used by cyber forensic scientists and vulnerability assessments is the so-called reverse engineering, which systematically reconstructs malcodes and can fulfill several functions. For example, reverse engineering can provide information about the origin or design of a painting code, on the basis of which security gaps can subsequently be closed.
Another element of cyber defense is what is known as configuration management, which is primarily about connecting and configuring the different hardware and software components of a network correctly. The components of a network are often subject to a maintenance cycle in which changes in the security architecture are no longer coordinated with certain hardware or software components. The basis of the configuration management is the so-called patching, which is used to eradicate certain software bugs or security vulnerabilities.
In addition to configuration management, identity management plays an important role too, since only a functioning identity management system enables information to be shared securely within a network. Basically, identity management consists of three functions: authentication, authorization and verification. Authentication is about determining who or what a specific person who wants to access a system or network is. This can be done using user names and passwords, electronic tokens or biometric data such as a fingerprint.
During authorization, different categories are usually formed to which users are assigned and which define what a user has access to or which rights this user has in the network. After all, the test is about monitoring the activities of the users for possible misconduct.
Today, defensive measures are embedded into a broader cyber security strategy with multi layer protection systems, detection systems, firewalls, response teams and testing teams, or configuration management, identity management or data encryption.
While in this post I provided an overview of cyber warfare tools and techniques, one of my next posts will outline how individuals can secure their everyday devices and reduce the probability to become a victim of cyber attacks or identify theft.