Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?

Cyberwarfare Concepts

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

Computer Network Exploitation

CNE is best described as the attack on the confidentiality of the targeted computer system. CNE is the theft of data, with no other functions affected. With CNE, there is specifically no intent to cause damage to the targeted systems. Ironically, the integrity (with the exception of the compromise of system integrity required to gain and maintain illicit access) and availability of systems are critical to a successful CNE. After all, if you cannot gain and maintain access to the desired information, you cannot maintain your espionage efforts.

CNE is essentially computer espionage. The goal is to spy in one form or another. The attacker is basically attempting to gather information. To accomplish this goal, the attacker needs to gain access to the network, perform reconnaissance, identify and gain access to the relevant systems to compromise, and find and compromise the targeted information. There is typically a need to maintain access to continue to collect the information. You also want the information you compromise to be accurate.

In many ways, CNE is more complicated than CNA, because more effort is required for the attacks to be surreptitious. With CNA, although the attackers might want to maintain their anonymity, the attack itself would become obvious. With CNE, the value of the attack is frequently dependent on nobody knowing information was compromised. For example, with the Snowden leaks, it was apparent that the NSA had reliable access to terrorist communications channels. When that information was divulged, further access was denied.

In the 2012 Target hack, during which 110,000,000 credit card numbers and related information were compromised, the attackers first had to gain access to the Target network, which they did through a vendor network. They then performed reconnaissance to understand the network and determine which systems needed to be compromised to accomplish their goals. When the point-of-sale (POS) systems were finally compromised, it was to the attackers' benefit for the attack to remain unknown for as long as possible, so that they could gather as many credit card numbers as possible.

In short, the difference between CNA and CNE is that CNE does no damage to the underlying systems; however, the harm CNE causes, while not damage to systems, can be far more critical and long lasting. You may consider that you can quickly recover from a computer outage, but if your competitor knows all your data, you can lose a great deal of value over an extended period.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000026

Computer Network Exploitation

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Abstract

Computer Network Exploitation refers to the ability to exploit data or information a person has gathered on a target for his or her own purposes, and it is the phase of cyber warfare being experienced globally today. This chapter discusses Computer Network Exploitation basics and begins by explaining how to identify targets by gleaning information from them and identifying those to be surveilled. Potential sources for attacks, along with agencies that might be behind attacks, are highlighted. Also discussed is the issue of reconnaissance—how to use it to conduct planning operations for future attacks, and the differences between the three reconnaissance types known as Open Source Intelligence, passive reconnaissance, and Advanced Persistent Threat. The topic of surveillance is also explored, including the difference between reconnaissance and surveillance, justifications for conducting surveillance, details regarding voice and data surveillance, large-scale implementations of surveillance, and uses of data collected through surveillance methods.


URL: https://www.sciencedirect.com/science/article/pii/B978012416672100009X

Computer Network Exploitation

Jason Andress, Steve Winterfeld, in Cyber Warfare, 2011

Publisher Summary

The term Computer Network Exploitation (CNE) is a cyber warfare term of military origin, and one that may be slightly confusing to those who are not on the inside of the environment. Officially defined, CNE is “Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” Such operations are the cyber equivalent of good old-fashioned spying. Although such intelligence gathering activities are a standard part of warfare and of the normal conduct of government, in the cyber world, the mechanisms that allow such activities to be conducted can be a bit easier to carry out than they are in the physical world. When one stores the darkest secrets on computer systems that are connected, however indirectly, to the global Internet, one leaves a pathway open for skilled attackers to access this information. Attack sources can be a bit of a vague notion in the world of logical attacks. Direct attacks, as they sound, are attacks conducted directly from a system that the attacker controls; i.e., the attacker is not attached to the system remotely from another system. Although direct attacks certainly have the benefit of not spreading the route that the attacker is taking out over a series of potentially unstable connections, they do nothing to disguise the origin of the attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496377000083

Introduction

Steve Winterfeld, in The Basics of Cyber Warfare, 2013

Chapter 5: Offensive Tactics and Procedures

In Chapter 5 we discuss the basics of Computer Network Exploitation (CNE) and Computer Network Attack (CNA). We explain that exploitation in this context means reconnaissance or espionage, and then discuss how it is conducted. We cover identifying our targets in the sense of both gleaning information from targets of attacks and in the sense of identifying targets to be surveilled. We talk about the different factors involved in cyber warfare, including the physical, logical, and electronic elements of warfare. We also discuss the different phases of the attack process: reconnaissance, scanning, accessing systems, escalating privileges, exfiltrating data, assaulting the system, sustaining our access, and obfuscating any traces that might be left behind. We compare how this parallels and differs from typical hacker attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9780124047372000161

Offensive Tactics and Procedures

Steve Winterfeld, in The Basics of Cyber Warfare, 2013

Summary

In this chapter, we discussed the basics of Computer Network Exploitation (CNE). As we covered, CNE is a military term that does not use the word “exploit” in the way it is typically used in the information security community, but instead uses it in the sense of exploiting data that we have gained through reconnaissance or surveillance to our own good.

We also discussed Computer Network Attack (CNA). We covered the different factors involved in cyber warfare, including the physical, logical, and electronic elements of warfare. We also covered reactive and proactive actions in warfare, and how these prompt a rather different set of actions in cyber warfare. These processes and the tools that we have discussed outline some of the major strategies and tactics that are used to conduct CNE and CNA. These tools are not unique, nor are many of them difficult to access, and the process can be simple, but carrying out cyber operations at the level of warfare for a nation-state requires a great deal more resources, effort, and knowledge.


URL: https://www.sciencedirect.com/science/article/pii/B9780124047372000057

Introduction

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Chapter 9: Computer Network Exploitation

In this chapter, we discuss the basics of Computer Network Exploitation (CNE). We explain that exploitation in this context means reconnaissance or espionage, and then discuss how it is conducted. We cover identifying our targets, in the sense of both gleaning information from targets of attacks and identifying targets to be surveilled. We talk about reconnaissance and how it might be used to conduct planning operations for future attacks, including Computer Network Attack (CNA) and Computer Network Defense (CND). We cover the three major divisions of reconnaissance, Open Source Intelligence (OSINT), passive, and Advanced Persistent Threat (APT), and the differences between them. In addition, we go over surveillance tactics and techniques, and how they differ from reconnaissance.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166721099888

Asymmetric Warfare and Psyops

Cameron H. Malin, ... Max Kilger, in Deception in the Digital Age, 2017

From Cyber Nationalism to Cyber Espionage

These catalyzing events forever changed the landscape of China’s cyber network operations posture and ideology. The years that followed revealed offensive weaponization of this powerful intelligence and information warfare tradecraft believed to be initiated through the Third Department of the PLA General Staff (3/PLA), China’s signals intelligence agency, and the Fourth Department of the PLA General Staff (4/PLA), responsible for information and electronic warfare (Krekel et al., 2012; Lindsay, Cheung, & Reveron, 2015; Mattis, 2015; Reveron, 2012).

In 2004, it was publicly disclosed that China had engaged in computer network exploitation operations (code named “Titan Rain”) against Department of Defense and NASA systems; this was the first time that China had been publicly accused of cyber espionage (Stiennon, 2015). Only a few years later, between 2006 and 2007, news reports globally revealed that numerous Western government networks had been similarly breached, with China as the surmised culprit (Krekel et al., 2009; Reveron, 2012).

In 2009, a group of very sophisticated Chinese hackers compromised multiple high-level targets including Google, Adobe, Juniper Networks, Yahoo, Symantec, Northrop Grumman, and Dow Chemical (Schmugar, 2010; Zetter, 2010). In what was dubbed Operation Aurora by the security vendor McAfee, attackers were able to gain access to these institutions through the use of a website hosting malware, which would exploit a zero-day vulnerability in the Internet Explorer web browser. From there, the attackers appeared to use these infected systems as launch points to identify and compromise source code repositories within these companies (Markoff & Barboza, 2010; Zetter, 2010). While it is possible that these attacks were driven by individual hackers without state support, the complexity of the attacks and the sophistication of the actors would have required a high degree of cooperation in order to be successful. Additionally, the targets of the attacks appear to be more in line with the interests of a corporate entity or government in order to achieve a competitive advantage in the market, without the need for research and development. Finally, the source of these attacks appears to come from two Chinese universities with links to both the Chinese search engine company Baidu and the Chinese government (Markoff & Barboza, 2010; Schmugar, 2010). All of these points provided circumstantial evidence that the attacks were the result of state-sponsored actors working on behalf of the Chinese government (Fritz, 2008).

Later that year, researchers from the Information Warfare Monitor of the Citizen Lab at the University of Toronto’s Munk School uncovered a massive cyber-spying operation, dubbed “GhostNet” (Lindsay et al., 2015). The investigation revealed that thousands of computers, on networks related to ministries of foreign affairs, embassies, and systems associated with the Dalai Lama, had been breached and implanted with malicious code with monitoring capabilities. Similarly, in 2011, information security researchers at McAfee published their findings on Operation Shady RAT: a massive, protracted computer intrusion campaign against government agencies, private corporations, and international organizations (Krekel et al., 2012).

Despite these revelations, China’s typical response to the allegations was denial. The lack of concrete evidence that the Chinese government conducted, ordered, or sanctioned these activities made it difficult to wield a “smoking gun”; it also made it challenging to identify a clear response to the intrusions.

In 2013, the information security firm Mandiant released the technical report, APT1: Exposing One of China’s Cyber Espionage Units, a groundbreaking exposé of Chinese cyber network operations. The report detailed the attacks conducted by members of 3/PLA, Second Bureau, Unit 61398, against 141 different victims across 20 different industries. A little over a year later, five members of Unit 61398 were federally indicted by the United States Department of Justice in the Western District of Pennsylvania for criminal activities relating to their computer intrusions, marking the first time that criminal charges had been brought against nation state actors for hacking.


URL: https://www.sciencedirect.com/science/article/pii/B9780124116306000086

Adversary Infrastructure

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

Collection Management

Collection management is a formal process and a key function in all major CNE and potentially CNA efforts. Collection management is the tasking and coordination of intelligence efforts. The collection management team receives requirements from some authority. The assumption is that the authority has some strategic goal that has been passed on to them.

If we are talking about the US intelligence efforts, the director of National Intelligence sets the collection tasking requirements. These requirements do not necessarily say, “Hack this country,” but they are to the effect that information is needed on a specific subject. These requirements are then delegated to the intelligence agencies that are most likely to be able to satisfy the need for the information. Assuming it involves some level of hacking, it is passed to the collection management team, which then initiates the process. You can assume that the previous description of the tasking process applies to all APTs.

Once the collection manager has the requirements, he/she passes the targeting information to the breach team. The breach team establishes a foothold on the system and ideally hacks enough systems within the targeted organization to provide a firm foundation for collection efforts. It has to pass on the information to the collection team and/or back to the collection manager.

The collection manager then ensures that the collection team is aware of the collection requirements. The collection team then gets whatever data it can and passes it back to the collection manager. The collection manager then has to evaluate whether the requirements have been satisfied. Ideally the collection manager also determines if there has been any information discovered that was not expected, but valuable. If so, the collection manager passes that information back to the tasking elements, along with the information requested.

The collection management team will then be informed as to whether or not the requirements were actually satisfied.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000075

Threat

Ira Winkler, Araceli Treu Gomes, in Advanced Persistent Security, 2017

France, Germany, Israel, the United Kingdom, and Other First-World Countries

France, Germany, Israel, the United Kingdom, and many other countries have substantial CNE and CNA ability. Israel and the United Kingdom clearly have even more ability than the other countries. These countries are also more active with regard to their CNE and CNA for national security efforts.

Israel has a tremendous intelligence collection effort, and is also more likely to execute attacks against countries and other entities that are hostile to Israeli national security. It has also been reported to be engaged in economic espionage to support Israeli companies. It is telling that Israel has some of the most robust and innovative cybersecurity companies in the world, as these companies are frequently founded by people who served in Israeli military Computer Network Operations (CNO) units.

The UK CNE and CNA efforts were also prominent in the documents leaked by Snowden. It has very robust capabilities. It has not been well reported as to whether or not the UK CNE efforts have commercial espionage as a primary goal, but it clearly has a robust national security effort. There is a great deal of cooperation with the US CNE and CNA groups. Therefore, its methods are likely to be similar as well, if not as well-resourced and as effective.

Countries such as France and Germany likewise have robust CNE and CNA capabilities. However, they do not devote the resources to these efforts that the previously mentioned countries do. There are significant efforts to assist national security efforts; however, they also invest significant resources to carry on commercial CNE, with the goal of helping their domestic companies. To a large extent, these countries rely on the information from the United States and have extensive efforts to share information to mutual benefit.

What is notable is that in the words of Pierre Marion, the former director of the French Direction Générale de la Sécurité Extérieure (DGSE), the French foreign intelligence agency, “Everybody spies on everybody.” He is essentially implying that we are all adversaries.

The implication is that if you are involved with a foreign country, or might be competing against a foreign-owned company, you may be targeted by that organization. On one occasion, the author, Ira Winkler, was supporting a US company that had its intellectual property targeted by a French company. Specifically, the US company was informed by a European subcontractor that representatives of the French company had approached them and offered to pay for all the intellectual property of the American company in their possession. During that assignment, Ira took a weekend vacation to Paris and found himself to be under surveillance during that trip. It is also likely that the European companies would be targeted by CNE if they refused the offer.

All first-world countries have a CNE effort in place. These efforts are clearly more economical and fruitful than traditional espionage efforts. These efforts are all likely to pursue the identification of zero-day vulnerabilities. The Snowden leaks confirmed that just about every first-world country has domestic surveillance efforts, as well as significant CNE efforts. These are not only appropriate for satisfying national interests, but also extremely cost-effective.


URL: https://www.sciencedirect.com/science/article/pii/B9780128093160000063

Introduction

Paulo Shakarian, ... Andrew Ruef, in Introduction to Cyber-Warfare, 2013

In the second part of the book, we study cyber espionage and cyber exploitation. Again, we use these terms instead of the expression “computer network exploitation” (CNE) in order to highlight the newly arisen implications of these problems. We view cyber espionage and cyber exploitation as attempts to steal data from target information systems through the use of technology. In this part of the book, we study Chinese-attributed cyber espionage, the hacking of unmanned aerial vehicles, social network exploitation, and high-end malware specifically designed for exploitation.


URL: https://www.sciencedirect.com/science/article/pii/B9780124078147099875

Who hacks the public telephone network?

Principles of information security.

What hijacking attack uses IP spoofing to enable an attacker to impersonate another entity on the network?

In a DDoS attack, hackers use spoofed IP addresses to overwhelm computer servers with packets of data. This allows them to slow down or crash a website or network with large volumes of internet traffic while concealing their identity. IP spoofing can be used to obtain access to computers by masking botnets.

Which e-mail attack occurs when an attacker routes large quantities of e-mail to the target system?

A mail bomb is a form of a denial-of-service (DoS) attack designed to overwhelm an inbox or inhibit a server by sending a massive number of emails to a specific person or system.

Which functions does the information security perform for an organization?

Information security performs four important functions for an organization: Protects the organization's ability to function. Enables the safe operation of applications implemented on the organization's IT systems. Protects the data the organization collects and uses.