© Jacob G. Oakley 2019
J. G. Oakley, Waging Cyber War, https://doi.org/10.1007/978-1-4842-4950-5_8

8. Access

Jacob G. Oakley
Owens Cross Roads, AL, USA

With the target determined and the desired end effect decided, the cyber-attack mission is considered scoped. Deciding on the target is only the strategic half of a cyber-attack mission. On the tactical side, there needs to be a determination on how to deliver the desired effect against the target and in most cases that requires the establishment of some level of access to the enemy system. Access in the cyber domain is the placing of an attack effect in such a place that it can adequately execute its mission against the target. In some cases, the target may have an address on the open internet in which case access may simply be any other internet-connected device. In others, access may be having privileged access to a device in the same organization as the target. Access can also be more stringent; some attack tools may require almost no latency between the device where it is executed and the target and require an access adjacent to the target on the same network segment. There is also the possibility that the attack effect needs to be placed on the actual system it will affect, in such cases operations to gain access to an attack position take the mission right to the intended target.

These situations requiring local target access also bring additional risk to an attack mission. Battlefield preparation by gaining access to attack positions can happen far ahead of the intended attack date, and in those cases the access operation requires extreme care: if the attacker is discovered gaining access to the system, it may tip the attacker's hand regarding both intention and level of compromise within the enemy network. This is true of any access; however, the specificity of being on the actual intended target may allow the enemy to attribute not only an actor but potentially identity and motivation. Imagine attack operations that targeted Indian counterintelligence units who focused on Pakistani organizations. If an access operation were caught before the attack was delivered, it is at least highly likely that the perpetrator was from Pakistan and the intention was potentially more than intelligence gathering.

The enemy target may be telecommunication control servers located in an enemy government building. Ensuring the ability to engage that target with cyber-attack effects, however, may require access in a much more tangential way than is seen in conventional warfare. If we were going to destroy those systems with a missile, for instance, the only access required to launch that attack is to get the launcher within flight range of the intended target and hit fire. In the cyber domain, access to an attack position can be much more complicated. This is especially true of systems that are not internet facing, and even more complex, or even impossible, for systems that are closed off from any other network connectivity. Gaining access to a system which can deliver our intended cyber-attack against the target could involve exploit operations across many seemingly unrelated networks in an effort to get closer to the target network.

Access Tools

Access tools are those which, once installed on a cyber domain system, enable access to that system sufficient to conduct the intended attack effect against the enemy target. They are code, commands, or scripts by which those carrying out the cyber-attack can leverage the necessary attack position. Commonly referred to as backdoors, trojans, malware, or rootkits, these access tools enable delivery and execution of cyber-attack effects during cyber missions. Cyber access tools are as diverse as their physical counterparts, such as a copied legitimate key used to enter a building without authorization, or a tunnel dug under a prison perimeter to break out a convict. In all cases access tools require varied levels and types of access to successfully deploy the follow-on attack effect.

Levels of Access

Access level is determined by the context the access tool has with regard to the number of systems it applies to and the privilege it holds on those systems.

Local Unprivileged

Local access means that the access tool only needs access to a specific system. This may be due to the fact that the attack is either going to affect the local system itself or that it needs to be executed on that system but targets another. Unprivileged local access means that the tool need only provide access to the machine it is installed on and that it requires no special system level or super user context to deploy the attack effect.

Local Privileged

The only difference with this level of access is that the access tool requires privilege on the local machine to successfully execute the attack effect. Unprivileged local access is probably more common in situations where the attack tool is executed on that local machine but targets another. Unprivileged users on systems perform actions and run software all the time, and so long as there is no specific need to escalate privilege, the access tool can use that same normal user context. In cases where the attack effect will target the local system the access tool is installed on, it would likely require privileged access. With privileged local access to a system an attack tool can essentially do whatever is needed. Privileged access can allow for security software to be turned off, system configurations changed, and so on.

Non-local Unprivileged

As access to more than singular machines is required, it becomes non-local in nature but does not always require privileges to be effective. An access tool that facilitates non-local unprivileged access may not seem like it is appropriate for deploying attack effects at enemy targets; however, if those attacks involve actions like sending malformed traffic in hopes of impacting the non-local targets, then there is a possibility no privilege would be required on the non-local systems.

Non-local Privileged

Systems being attacked across a Windows domain might require non-local and privileged access such as the domain administrator account would provide, allowing the attack effect to have unfettered access to all systems within the domain. Where local access is singular to a system, non-local access continues to escalate in levels of access as the non-locality expands. That is, access with a domain administrator privilege allows an attack to impact that domain, but if the domain was one of many in an enterprise and there were administrator accounts with wider authority across multiple domains, that would be an escalation of access levels from the singular domain administrator access.

Types of Access

There are many types of access involved in cyber operations. Some cyber activities require the development of no specific access, while others require interactive access deep into target networks.

None

There are certainly plenty of opportunities for attacks between states where no access to enemy systems is required to deliver an attack effect via the cyber domain. As the world continues its push toward the internet of things and greater internetworking between states, organizations, and individuals, attacks requiring no access will increase in prevalence.

Non-interactive

Non-interactive access is a type of access to remote systems where there exists an ability for the access tool to perform actions on the host system it is installed on but not for a remote operator to do the same. This type of access is used to execute an action on the remote host, such as an attack tool being told to begin its mission, but not leverage the remote system itself. Non-interactive access tools may rely on event-driven triggers to dictate automated behavior, whereas others may wait for a command from a remote source, and others still may ask for commands at set intervals.

Event-driven non-interactive cyber access tools may wait for a certain system event to happen before executing their follow-on cyber-attack or could even be tripped due to the geolocation of the system changing a specified amount. A good non-cyber example of this type of scenario would be a sea mine. Once deployed the sea mine just sits there until a ship (hopefully an enemy one) bumps into it, depressing its trigger mechanism and initiating the attack on the ship.

Access tools that wait for commands might simply sniff local network traffic for certain types of traffic, and upon seeing that traffic, read it and operate on the commands contained within. There has even been malware that constantly checks a specific Twitter account set up for it where operators are able to send command and control to it via social media. Here the access tool is waiting for a certain Twitter message from the attacking organization to then launch its follow-on attack. This scenario is closer to that of a remote-controlled explosive device, placed and armed but not detonated until receiving a command from the troop with the controller.

Lastly, there are access tools that ask for commands, reaching out to a listening post at set intervals to see if there is any new tasking, such as to uninstall or to execute attack effects. This type of access tool is often referred to as a beacon and is widely used by legitimate security testers and malicious actors alike, as it can be easily disguised and is difficult to detect.
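The beacon just described is regular by construction, and that regularity is the defender's handle on it. The following is an added example, not from this book, of the kind of check a security operations team might run over outbound proxy logs: it groups requests by source and destination, measures the gaps between consecutive requests, and flags pairs whose gaps are nearly constant. The log format, the addresses, the host names, and the sample lines are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log, assumed format "<epoch> <src_ip> <dst_host> <bytes>".
# 10.0.0.5 calls cdn-updates.example about every 300 s with a few seconds of
# jitter (a beacon asking for tasking); 10.0.0.7 browses news.example at the
# irregular times a human produces. Hosts and addresses are hypothetical.
SAMPLE_LOG = """\
1000 10.0.0.5 cdn-updates.example 512
1305 10.0.0.5 cdn-updates.example 512
1598 10.0.0.5 cdn-updates.example 512
1901 10.0.0.5 cdn-updates.example 512
2207 10.0.0.5 cdn-updates.example 512
2495 10.0.0.5 cdn-updates.example 512
1010 10.0.0.7 news.example 48211
1042 10.0.0.7 news.example 1003
1700 10.0.0.7 news.example 77201
1705 10.0.0.7 news.example 2290
2600 10.0.0.7 news.example 19010
2604 10.0.0.7 news.example 510
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, src, dst, _size = parts
        yield int(ts), src, dst


def beacon_scores(text, min_events=5):
    """Map (src, dst) -> (mean_gap_seconds, cv) for pairs with enough events.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a near-constant period gives a cv close to 0.
    """
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        scores[pair] = (m, pstdev(gaps) / m if m else float("inf"))
    return scores


def suspected_beacons(text, max_cv=0.1, min_events=5):
    """(pair, mean_gap, cv) for pairs regular enough to warrant triage,
    most regular first."""
    hits = [(pair, m, cv) for pair, (m, cv) in beacon_scores(text, min_events).items()
            if cv <= max_cv]
    hits.sort(key=lambda hit: hit[2])
    return hits


if __name__ == "__main__":
    for pair, m, cv in suspected_beacons(SAMPLE_LOG):
        print(f"{pair[0]} -> {pair[1]}: period ~{m:.0f}s, cv {cv:.3f}")
```

On the sample data the 10.0.0.5 pair scores a period of about 299 seconds with a coefficient of variation near 0.02 and is flagged, while the browsing host scores above 1 and is not. The thresholds are a triage signal, not proof: a beacon that adds heavy jitter, skips check-ins, or sleeps for days between calls, as the firmware-persistent tool later in this chapter does, will not stand out in a window this short, and some legitimate software updaters are just as regular, so every hit still needs a human look.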

Interactive

Access tools that are interactive allow for more varied interaction with the system they are on. Where the non-interactive tool allowed only interaction with itself, interactive access tools allow a remote operator to perform actions on the machine the tool is installed on. These types of access tools allow the remote operator to do things like run system commands or launch software installed on the system in essentially the same way a user sitting at that device's keyboard would. These types of access tools are more likely to require a privileged level of access, to afford the remote operator as much reach into the system environment as possible. This is not always necessary for attack effects; however, if detailed information must be surveilled from the system or more dynamic interactions are required for the execution of an attack effect, interactive access tools may be necessary.

Imagine a cyber-attack was to be launched on a system, but only once the identity of that system's user was confirmed, and that the window for execution was extremely small. An interactive tool would allow a remote attacker to do things like take a picture with the web camera, view the documents opened by the user, and see what web sites, such as social media, that user was using. All of these attributes would allow the remote attacker to immediately determine whether the accessed machine belonged to the intended user and was thus the desired target. Other access tools which wait or ask for commands may still allow for the picture to be taken and for queries that return the names of documents opened or sites visited, but if those steps span several ask or wait periods, the tool may not be agile enough to identify the target and deploy the attack effect in the desired time window.

Access and Target Relationship

There are categorical facets to the required level of access and the resulting attack operations they pre-position for. In some cases, no access into enemy cyberspace is required to facilitate the attack effect. Many times, access is likely needed in some fashion, and that access must not be discovered or the attack effect will ultimately fail. Less likely are accesses which, even when discovered, still enable successful attacks. There must be a predetermined point during access operations where a certain level of detection or attribution requires that the attack be aborted or ceased.

No Access Required

The non-cyber example of an attack that does not require any access other than a point to launch from is the intercontinental ballistic missile (ICBM). ICBM launchers are kept within the boundaries of the attacking state and can essentially strike anywhere in the world upon execution of an attack. Though countermeasures capable of intercepting some ICBMs have been developed, they remain an attack effect in the physical domain which requires no additional access to deliver adequate effects against chosen targets.

The cyber example of an attack effect which requires no access beyond an appropriate launch point is the denial-of-service (DoS) attack against internet-facing assets of the enemy state. DoS attacks disrupt communications and computing capabilities, typically by sending immense amounts of traffic (sometimes malformed) to devices in order to alter or deny their ability to function as intended. These are common on the internet as they are relatively unsophisticated in nature and can be directed from an internet point of presence in one state's cyberspace against that of an enemy state. Though this requires access to the internet, there is no need for an access operation to exploit to an attack position in preparation for the attack, as the internet can be connected to from nearly anywhere. This does not mean that all DoS attacks occur across the open internet or even always between states, but they do represent the type of cyber domain warfighting attack activity that would need no preceding access operations facilitated by exploitation within the cyber domain.

Access Noticed, Attack Prevented

The worst thing that can happen to an attacking state in cyber warfare is for their battlefield preparation to be noticed by the intended enemy victim or other entities. Being noticed during battlefield preparation in cyberspace and other domains can result in the attack effect being prevented due to enemy responses or called off due to political or safety concerns.

As a non-cyber example, I think the Bay of Pigs represents a highly illustrative scenario for how attempts at access were noticed and the attack was prevented. In this case many phases of the attack were too far along to be aborted and the attackers were disastrously defeated. In planning and aiding a rebel assault at the Cuban Bay of Pigs, the US CIA had done much work to prepare exile forces to engage in an attack against the Soviet-backed Cuban government and military. The plans had been discovered, including the locations from which the attacking rebels would land and attack, and instead of catching the Cuban government and military by surprise, the rebels were killed or captured and the entire operation was a huge embarrassment for the CIA and the US government. There were many errors that led to the totality with which the operation failed, including assumptions that the US President at the time, John F. Kennedy, would allow the United States to be drawn into the conflict once it started and back the rebels, which also did not happen. The crux of the mission failure, though, was that the intention and method were discovered ahead of time, which allowed the enemy to lay a trap for the aggressors instead of being the victim.

For an access operation to be noticed is actually much more likely than in the case of a highly planned covert operation by the CIA; it at least does not rely on counterintelligence and spies. A simple antivirus or logging mechanism can detect the exploitation attempts required to gain access in preparation for a cyber-attack, and that alone could spell failure for the entire operation. Imagine an exploitation attempt aimed at deploying an access tool in an enemy power plant was discovered on extremely sensitive devices because the exploit caused parts of the system to crash and a security pop-up alerted the operators of those devices to the issue. Both manual and automated responses to that security alert are going to end not only the ability of the cyber access operation to pre-position an attack but may also incur other impacts on cyber operations against that state. There is even the potential that security alerts caused by false positives or by other actors entirely lead to reactionary responses by the defensive mechanisms of the target which could make executing the attack effect impossible.

Access Noticed, Attack Carried Out

Though an access attempt that is noticed often ends an attack operation in one way or another, there are still times where access is noticed yet the attack is still carried out. There are several reasons why this could be. Sometimes mission success and cost may still be deemed acceptable despite being noticed. There is also the potential that there is no other choice but to continue carrying out the mission due to its importance. There are other reasons as well, some specific to the domain in which the attack occurs and some agnostic of the warfighting domain.

The raid that led to the death of Osama bin Laden is a great example for this type of scenario in recent history. Access was required to conduct the raid on the compound bin Laden was hiding in. That access was enabled in this case by stealthy special forces helicopters which flew deep into Pakistani airspace in the dead of night to drop the SEAL team responsible for the raid on and in the compound. As the helicopters landed to deploy the raiding party, one of them crashed due to unforeseen consequences of hovering over the high-walled courtyard and resulting quick loss of altitude. Local residents around the compound noticed the helicopter crash, as too did the individuals within the compound. Despite this, and an ability to abort the raid then and get the SEALs out, the mission continued. Obviously, this mission was extremely important, and the result of the raid ended up being a great success. Despite being detected during the access portion of this attack operation, it was carried out and the intended target received intended effects of being neutralized and identified.

Examples within the cyber domain will never live up to the heroics performed during the bin Laden raid, but there are certainly instances where access activity on enemy systems might be noticed but not completely compromise mission success. Imagine the same scenario as before, where the alert caused a reaction by the enemy which thwarted the attack. This time, though, the access tool was deployed with persistence in the actual firmware of the system, below the operating system. As such, the enemy state wipes the device and thinks it has rid itself of the threat, but upon being turned back on the system reinstalls the access tool, configured with a cautiously long call-home delay. As long as the intended target and attack effect were suitable to the delay required by this type of stealthy persistence, then the mission could still be considered a success, since an attack effect can still be executed against the intended target. This example differs in the iteration of the detection and attack process from the physical example of a special forces raid. Where the raid was noticed and that same activity simply continued, the cyber-attack survived detection in another way, by going quiet and returning to access and attack activity when safe. The timelines in these missions are what drove the reaction to being noticed, but in both cases the attack effect was successfully executed due to the resilience of the access and the mission itself.

Access Unnoticed, Attack Aborted

Being noticed by the enemy is not the only reason some access operations or their subsequent attack effects were called off. Sometimes it is observation by the attacking party that leads to something being noticed which leads to the operation being aborted. It is a very valuable asset to operations in all domains of warfighting to know when it is appropriate to cease access or attack actions despite the effort remaining unknown to the enemy or target.

Operation Eagle Claw was a hostage rescue mission to be carried out by special forces flown in by helicopter. The helicopters had to be moved undetected to within their fuel range of the target so that the raid could succeed once executed. The helicopters that completed the flight made it to the staging point from which the mission would launch, known as Desert One. However, unforeseen environmental issues led to breakdowns and operational problems with the helicopters. Eight were sent, and the mission had been planned to go ahead only if at least six were available on the day; two turned back or failed en route, and a third became unserviceable at Desert One, leaving five. With the helicopters failing at that rate at the staging area, the mission commanders decided there was too great a risk of further breakdowns mid-mission and called the raid off. The enemy never noticed the helicopters or special forces staged within flight range of the target, but the conducting forces determined from what they themselves had noticed that the mission would potentially fail and lives would be lost, so it was aborted despite successfully going unnoticed to the access point.

In cyber operations, environmental and situational conditions noticed by those carrying out the mission can also lead to it being called off despite stealthy access being accomplished. One reason of many may be the time window. If the operation successfully gained access to a launch point for the cyber-attack but the process took too long and target fidelity had been lost, or confidence in the attack effect was otherwise lost, the execution of the attack could be called off. Additionally, with the deep penetration of multiple networks needed for some cyber operations, there are always concerns with reliability. Despite having access tools deployed and talking deep within enemy networks across multiple organizations to get to a target, if they are too finicky or connections too unreliable, the mission may be aborted. The most appropriate access position available is no good if the timing of the attack is thrown off by unknown deltas due to access unreliability. Timing plays a huge part in strategic decisions to conduct attacks in the cyber domain and others, and as such any attack effect whose ability to fall within mission-specified time windows is in doubt might responsibly be aborted.

Access Unnoticed, Attack Carried Out

Lastly, we have those operations whose access efforts go unnoticed and their attack effects are executed against the target as intended. Sometimes access operations rely on other efforts to keep from going noticed, and this is equally the case in all warfighting activities. History is full of deception and distractions which enabled access to be gained and attack effects launched from that gained position.

The D-Day landings at the beaches of Normandy are probably the largest known example of this in warfighting. Ignoring the fact that the forces were certainly noticed once they landed on the beach, the landing fleet making it across the English Channel and beginning to land troops and equipment without being destroyed at sea certainly constitutes adequate access for the mission without it being noticed ahead of time. Further, efforts by the Allies actually led to enemy forces being redirected away from the intended point of attack, saving countless lives and likely leading to the success of that mission. In fact, there was an entire effort known as Fortitude South in which the Allies made it seem they were going to land at a completely different part of the French coast. A fake army with fake equipment made of wood and inflatable rubber was stood up across the English Channel from this farcical landing spot, and the feared General Patton was even made commander of that landing force to lend credence to the charade. It was successful; the D-Day mission was not discovered ahead of time, and it turned the entire war.

A successful cyber engagement similarly involves gaining access without detection prior to launching an attack effect and maintaining that access until the attack is intended to happen. There are countless examples of compromises, some likely state committed and others by non-state actors, where the compromise of a network and the resulting access was never identified until after the attack effect of that operation was launched. Probably, though, the best of them are those where the attack effects and the access that led to them were never attributed to the cyber domain of warfighting to begin with. Such success in cyber warfare would mean attack effects could be delivered without far-reaching consequences or implications beyond the cyber domain, and represents the tip of the spear in cyber war. After all, if the enemy doesn't even realize its networks were used to enact some attack on them, they won't be looking to address security within their networks, and already established accesses within the cyber domain can facilitate further warfighting or intelligence collection operations if necessary.

Attack Surface

The totality of enemy assets that have the potential to enable appropriate access for cyber-attack effects to execute against the intended target makes up that organization's attack surface. Typically, this attack surface consists of other systems in the cyber domain which, upon exploitation, can get the attacker closer and closer to the target. This is not all that makes up the attack surface, however, as the physical domains of warfighting often facilitate enabling efforts for cyber operations. This could be in the form of physically aided exploitation operations, where a human introduces exploitation or access tools to an enemy network where cyber domain-based exploitation had been unsuccessful. It can also be the case when the limited range of communication protocols such as Wi-Fi or Bluetooth requires closer physical proximity than internetworked attacks.

A good analogy for attack surface is road systems. Imagine the only way to get to the enemy target was via the road systems of the enemy state and all you had was the address of the target and a rough location. Your vehicle has a missile launcher capable of striking this enemy target from a thousand feet away, so you have to get relatively close as well. Without a map or GPS or overhead imagery of the enemy road ways, it might take quite a while to reach the target. The road you initially enter the enemy state on probably doesn’t take you straight to the target so you will have to make many changes to other highways and take different roads to finally get close enough to launch the missile at the target. You may even go down several roads and take highways which end up being dead ends and don’t get you any closer to the target.

Exploitation across networks is very much like this. You may have several network accesses into the enemy attack surface; however, you may spend hours, days, or longer going from network to network across the enemy attack surface looking for suitable access to the target. Just as the roadway scenario had dead ends, it is possible you exploit into systems and networks that end up not furthering the cyber operation toward target access and an attack point at all. Also, just as no one road took the vehicle to the target, it is likely that a cyber domain exploit operation will have to go from seemingly unrelated network to unrelated network in attempts to get to a position capable of seeing the target address. The enemy system may not connect to the internet. Maybe the target system is a power plant control device with no ability to connect out to the internet. Being a power plant control device though it lives on a network with other devices, some of which analyze power meter readings passed to them by systems in an adjacent network. Those power meter data aggregation devices also don’t talk to the internet but they do talk to power meters across the military installation they are installed on, and some of those meters may be attached to the barracks on the installation where troops do have laptops with internet access and use the building ethernet to play games against each other which also uses the same switching device as the power meter for the building.

In this scenario an attacker could essentially exploit and install backdoors across each of these segments ultimately giving access, from an internet-based pivot point into the barracks, on to the power meter network, exploit the aggregation machine, and ultimately provide access to the non-internet accessible power plant control system. This example is fairly rudimentary, but it illustrates that just because a target within the cyber domain does not have an ability to access the internet itself, it can be accessed. In many cases that machine likely talks on a network with some other machine that talks to another network and on and on until finally something can reach the internet or is otherwise accessible to the attacker.

Scoping Access Operations

This does make cyber access operations and their required exploitation somewhat unpalatable to most warfighting doctrine. The attack surface required to engage the target may consist of devices, systems, and users so disparate from the military cyber system that Title 10 battlefield preparation against them seems unethical and perhaps without authority. Worse yet, access operations may often lead to dead ends, meaning that Title 10 battlefield preparation actions against certain portions of the attack surface were all for naught. The perception of cyber-attack operations can be a bit troubling when cyber exploits were conducted against schools, non-combatants, churches, or non-profit charities in attempts to find networks that might lead to the intended target, but which yielded no results.

What if the target shared a backbone network connection with a hospital and the hospital was easily exploitable but the target network not so? In warfare medical targets are off limits according to international convention, and battlefield preparation falls within Title 10 of the US Code pertaining to warfighting actions and authorities. Does this mean that the hospital networks are off limits? I don’t think this rabbit hole has been fully considered or explored by warfighters regarding cyber domain warfighting activity and it probably needs to be. It may seem innocuous and not worth the Geneva Convention scrutiny that an attack leverages access gained in a hospital network to move into a neighboring network containing the target to pre-position attack tools. After all, it isn’t like the attack itself was launched against the hospital.

On the other hand, what if one of the exploits used against a hospital system to further access toward the target network crashed the machine, as exploits are apt to do? What if that system controlled life support for several individuals and they ended up dying? Now this scenario looks a lot more like a violation of the Geneva Convention and an international war crime. Now it seems like the hospital network perhaps should have been considered out of scope for Title 10 operations despite the convenience. I would point back to the hunt for Osama bin Laden; on many occasions his location was known with some decent fidelity to be within certain cities or locations; however, the United States and its allies didn't go dropping nuclear bombs on those cities in hopes of killing Osama bin Laden. This may seem extreme, but it highlights the simple point that just because an attack could be enabled from a certain position in the enemy attack surface doesn't mean that position should be within the scope of Title 10 operational authorities.

ROE for Access Operations

Just as attack effects require strict rules of engagement to ensure that the attack activity falls within the strategic intent as well as ethical and legal bounds of acceptability, so too do access operations. It is important that the end justify the means and that no unnecessary exploitation operations occur if at all possible in the placing of access as attack positions. Similar to the ROE we discussed in the previous chapter, before the onset of access operations, there needs to be established determinations for success and failure of access operations so that they may be monitored and halted as necessary. As we covered earlier in this chapter, preparation of the battlefield within the cyber domain must follow international convention and the authorities that cover the law of war. Access operation ROEs should outline how to approach the enemy attack surface in furtherance of an attack on a Title 10 target so that it is just and appropriate. Using non-combatant pivot or attack positions to place and execute an attack effect against enemy forces is potentially a war crime just as it would be to bomb a hospital and a school to open up lines of fire for machine gun nests.
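The attack surface walk through the barracks, power meter, and aggregation networks in the scenario above, and the scoping question raised by the hospital network, can both be made concrete with a small reachability model. The following is an added example, not from this book: the segment names, the links between them, and the hospital that happens to sit on a shorter route toward the target are all constructed for illustration, and the excluded set stands in for whatever the access ROE places out of scope. A breadth-first search finds the shortest chain of pivots to the target, lists segments that are reachable but lead nowhere (the dead ends of the road analogy), and shows how the path, or its very existence, changes as segments are excluded.

```python
from collections import deque

# Constructed, directed adjacency list: an edge A -> B means a foothold on
# segment A can be used to exploit into segment B. Segment names are
# hypothetical and follow the chapter's power plant scenario, plus a
# hypothetical hospital network that happens to link toward the target.
SEGMENTS = {
    "internet": ["barracks", "hospital"],
    "barracks": ["power_meters", "admin_lan"],
    "admin_lan": [],                      # reachable, but leads nowhere
    "power_meters": ["aggregation"],
    "aggregation": ["control_net"],
    "hospital": ["target_office"],        # the shorter route; is it in scope?
    "target_office": ["control_net"],
    "control_net": [],                    # the target segment, not internet facing
}


def find_pivot_path(graph, start, target, excluded=frozenset()):
    """Shortest chain of pivots from start to target that never enters an
    excluded segment. Returns the list of segments, or None if unreachable."""
    if start in excluded or target in excluded:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt in excluded or nxt in parents:
                continue
            parents[nxt] = node
            queue.append(nxt)
    return None


def reachable(graph, start, excluded=frozenset()):
    """All segments a foothold on start could eventually exploit into."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen or node in excluded:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def dead_ends(graph, start, target, excluded=frozenset()):
    """Reachable segments from which the target cannot be reached: exploiting
    them costs time and exposure but brings the operation no closer."""
    return sorted(
        seg for seg in reachable(graph, start, excluded)
        if seg != target and find_pivot_path(graph, seg, target, excluded) is None
    )


if __name__ == "__main__":
    for scope in (frozenset(), frozenset({"hospital"}), frozenset({"hospital", "barracks"})):
        print("excluded:", sorted(scope) or "none")
        print("  path:     ", find_pivot_path(SEGMENTS, "internet", "control_net", scope))
        print("  dead ends:", dead_ends(SEGMENTS, "internet", "control_net", scope))
```

With nothing excluded the shortest route runs through the hospital; excluding it under the ROE forces the longer barracks chain, and excluding the barracks as well leaves the target unreachable, which is exactly the outcome the scoping discussion says an operation must be prepared to accept. The model deliberately says nothing about how hard each pivot is; a real planning map would weight edges by exploit reliability and detection risk, and the same search would then prefer the quietest route rather than the shortest one.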

Summary

In this chapter we covered the concept of access as a facilitator for attack effects against chosen targets. We outlined the different levels of access and types of access required for different types of attack scenarios. Additionally, the risks associated with detection of access operations and the resulting impact on the ability to conduct cyber-attacks was explored. Lastly, the concept of attack surface was detailed, as was the need for appropriate scoping and ROEs regarding exploitation operations against such attack surface.
