Cyber is in a state of conflict – an ongoing contest of wills to compete over scarce resources. Fought across technological means, the cyber conflict ultimately pits human against human in a drama that encompasses chance, risk, and policy.
While cyber may seem a daunting domain dominated by experts, experienced officers are surprisingly well equipped to join the fray. The military is a jurisdiction where information constraints imposed on decision making are real and pressing. A high-risk environment coupled with imperfect information has developed an approach that fills in the gaps with rigorous analysis. The 7 Questions Estimate format ultimately derives the ‘So What’ statement from a series of possibly unrelated observations to form a coherent plan.
Conceptual tools of the military trade can be modified and applied to cyber. For example, the Geographic Framework can readily be applied to cyber if you replace physical distance, which is largely irrelevant to IT systems, with degree of control. With this mind-set, the Deep is synonymous with the deep web and darknet, while the Close is the internet and common interactions with general cyberspace. Notably, there is an interplay in the Close between cyber and physical assets. Finally, the Rear is analogous to an organization’s own networks and databases.
Defenders have a high degree of control in the Rear, while limited to no control over the Deep.
Figure 1 maps out key features of information technology in relation to the degree of control a defender holds over them.
Cyber Terrain analysis
Instead of hills, rivers or roads, cyber has prominent features like networks, databases and applications. There is no real constraint on what constitutes a cyber terrain feature, provided that it is:
- representative of an element relevant to cyber, and
- something an attacker or defender would be interested in.
Some prominent examples of cyber terrain would be:
These broad terms can be further split based on additional criteria. As long as some analysis has gone into the planning it is a valid observation of the cyber terrain. Once the initial list of cyber terrain is assembled it can be mapped onto the framework. Recalling that the framework provides a top to bottom axis based on low to high degrees of control, each aspect of cyber terrain is overlaid, as in the example below in Figure 2:
In this example the networks, applications, and people have been divided into distinct terrain features based on their externality. This allows risk to be assessed at a finer granularity and identifies which aspects sit further forward in the cyber conflict and are therefore less controlled. With an understanding of the cyber terrain, the next step is to understand how an attacker may move through the terrain in order to achieve their objectives.
To demonstrate how an attacker can move through the cyber terrain, consider the recent WannaCry attacks. Technical details of the attack are taken from Microsoft’s response to the attack found here.
Britain’s National Cyber Security Centre (NCSC) and their American counterpart the National Security Agency (NSA) have both linked the origin of the attack to North Korea. While the attack was indeed likely launched by a state sponsored group, its objective is deemed to be financial. Threat intelligence company Recorded Future suggests that the use of ransomware to raise funds for the state falls under North Korea’s self-financing asymmetric military strategy. In this sense, it most closely aligns with the Cyber Criminal [see CC in Fig 3] threat group.
WannaCry was a variation on the typical ransomware mechanism; instead of the more traditional social engineering/phishing approach, the attack used a technical breach point to install the virus. To reflect the two attack types on our cyber terrain graphic, we show the primary breach via a vulnerability in the External Network [see Fig 3] as a thick red line, while a thinner red line represents a possible secondary attack against Externally Facing People [see External Facing Person in Fig 3].
The initial breach came through a known vulnerability in the External Network [see (1) in Fig 3] which used a virus with wormlike functionality to spread through the Internal Networks [see (2) in Fig 3] and then moved to Hardware to exploit unpatched Windows 7 systems [see (3) in Fig 3].
At this point, the attack deployed the WannaCrypt virus on a local machine [see (4) in Fig 3] and looked through the internal directory [see Internal Facing Person in Fig 3] to find other machines with unpatched Windows 7 systems – exponentially increasing the scale of the attack.
To exfiltrate, the WannaCry virus connected the local machine back to an external domain [see (5) in Fig 3] and victims were directed to pay bitcoin to a specific address.
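As an added illustration (not part of the original article), the terrain mapping of Figure 2 and the WannaCry route of Figure 3 can be encoded as data and walked programmatically, which shows where the route crosses a control boundary and how far into the Rear it reaches. The zone and feature labels come from the article; the 0..10 control scores, the feature-to-zone assignments and the `analyse_path` function are constructed assumptions for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Zone(IntEnum):
    # Geographic Framework zones, ordered by the defender's degree of control
    DEEP = 0    # deep web / darknet: little to no defender control
    CLOSE = 1   # general internet and externally facing assets: limited control
    REAR = 2    # the organisation's own networks, systems and people: high control

@dataclass(frozen=True)
class Feature:
    name: str
    zone: Zone
    control: int  # constructed 0..10 score of defender control within the zone

# Constructed terrain map using the feature labels the article attaches to Fig 3.
TERRAIN = {f.name: f for f in (
    Feature("External Domain", Zone.DEEP, 0),
    Feature("External Network", Zone.CLOSE, 3),
    Feature("External Facing Person", Zone.CLOSE, 4),
    Feature("Internal Network", Zone.REAR, 7),
    Feature("Internal Facing Person", Zone.REAR, 6),
    Feature("Hardware", Zone.REAR, 8),
    Feature("Local Machine", Zone.REAR, 9),
)}

# The WannaCry route as the article narrates it, steps (1) to (5).
WANNACRY_PATH = ["External Network", "Internal Network", "Hardware",
                 "Local Machine", "Internal Facing Person", "External Domain"]

def analyse_path(path, terrain=TERRAIN):
    """Walk an attack path over the terrain map: record every control-boundary
    crossing (a point where the defender can observe the move) and note how far
    forward (least controlled) and how far into the Rear the path reaches."""
    unknown = [n for n in path if n not in terrain]
    if unknown:
        raise ValueError(f"features not on the terrain map: {unknown}")
    features = [terrain[n] for n in path]
    crossings = []
    for a, b in zip(features, features[1:]):
        if a.zone != b.zone:
            crossings.append((a.name, b.name, "inbound" if b.zone > a.zone else "outbound"))
    return {
        "entry": path[0],
        "crossings": crossings,
        "least_controlled": min(features, key=lambda f: f.control).name,
        "deepest_reach": max(features, key=lambda f: f.control).name,
    }
```

Running `analyse_path(WANNACRY_PATH)` reports one inbound crossing (External Network into Internal Network) and one outbound crossing (Internal Facing Person to External Domain), which are the two boundaries a defender with control over the Rear can monitor.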
By no means is this summary put forth as the definitive history of the WannaCry attack; however, by applying the Geographic Framework to the WannaCry attack, a tactical scenario suitable for analysis emerges. As military professionals, we need to be conversant in the threats that face our nation. Cyber is a domain of conflict we are conceptually familiar with – connected, contested, congested, cluttered, constrained, and increasingly coalition. The nature of conflict rarely changes, and cyber is simply the newest iteration of an ancient struggle. Tried and tested tools backed up by robust analysis are an essential, and arguably absent, aspect of cyber conflict. Here the military has something to offer. We just need to adapt to it and understand it, recognise that it is not rocket science and determine the military’s role in cyber security.
The views expressed within individual posts and media are those of the author and do not reflect any official position or that of the author’s employees or employer. Concerns regarding content should be addressed to the wavellroom through the contact form