Inside Cyber Warfare - Jeffrey Carr [107]

Ideally, the output of this analysis will be the identification of the actor responsible for a cyber attack.

More importantly, this framework should allow defenders to predict rather than react to the occurrence of politically motivated attacks. Current cyber early warning systems, which track scans and probes, cannot provide the same predictive capability as the proposed model: they do not sort signals from noise and instead report on every perceived malicious scan and probe. The model discussed in the following section will allow defenders to predict when a cyber attack will occur and which actors are likely to initiate it.

Building an Analytical Framework for Cyber Early Warning

A careful review of numerous politically motivated cyber attacks reveals a consistent pattern in how they are organized and executed. Previous attacks, whether executed by nonstate or state actors, appear to be grounded in latent political tensions between adversaries. As these latent tensions heat up, cyber aggressors tend to carry out cyber reconnaissance probes in an apparent effort to prepare for future attacks. Latent tensions require some type of initiating event that can be used to mobilize cyber patriots into a cyber militia. The cyber militia can be used to carry out brute-force attacks, while more elite hackers can use the intelligence gathered from prior cyber reconnaissance probes to execute more sophisticated attacks (Figure 12-1).

Figure 12-1. Stages of a politically motivated cyber attack

Latent tensions

Although still dominated by nation-states, today’s international political system features a number of players. Nonstate actors—such as terrorist groups, international organizations, and in some cases ideologically affiliated flash mobs—have exercised some measure of geopolitical influence.

It is therefore important to test the proposed model of the stages of politically motivated cyber attacks against both state and nonstate actors. The model must be equally useful in predicting a cyber attack originating from either a state or nonstate actor against either a state or a nonstate actor.

Latent tensions exist in the background between any number of actors in the international political system. For example, historical animosity between Muslims and the state of Israel has resulted in a steady state of politically motivated attacks—both in the physical world and in cyberspace. Under the right conditions, these latent tensions can explode into full-fledged warfare.

Cyber reconnaissance

Against this simmering backdrop, tensions can at times boil over. However, prior to the initiation of hostilities in cyberspace, adversaries are likely to conduct probes of each other’s infrastructure. The rationale for conducting cyber reconnaissance is no different than the rationale for conducting reconnaissance in the physical world. Adversaries conduct cyber reconnaissance in an effort to discover vulnerabilities in their rival’s infrastructure that can be exploited if and when tensions erupt into hostilities. Cyber reconnaissance also allows adversaries to develop effective tools specifically designed to attack an enemy’s infrastructure.

During the August 2008 war between Russia and Georgia in the disputed region of South Ossetia, a parallel conflict occurred in cyberspace. Investigations by Project Grey Goose researchers found that pro-Russian hackers conducted in-depth cyber reconnaissance prior to the initiation of hostilities on August 8, 2008. Specifically, Georgian websites were probed for vulnerabilities. The US Cyber Consequence Unit (USCCU) later confirmed these findings. In a report on the cyber conflict in Georgia, the USCCU wrote:

[W]hen the cyber attacks began, they did not involve any reconnaissance or mapping stage, but jumped directly to the sort of packets that were best suited to jamming the websites under attack. This indicates that the necessary reconnaissance and the writing of attack scripts had to have been done in advance. Many of the actions the
