6th European Conference - Academic Conferences
Identifying Cyber Espionage: Towards a Synthesis Approach

David Merritt and Barry Mullins
Air Force Institute of Technology, Wright Patterson Air Force Base, Ohio, USA
david.merritt@afit.edu
barry.mullins@afit.edu
Abstract: Espionage has existed in many forms for as long as humans have kept secrets. With the skyrocketing growth of digital data storage, cyber espionage has quickly become the tool of choice for corporate and government spies. Cyber espionage typically occurs over the Internet with a consistent methodology: 1) infiltrate a targeted network, 2) install malware on the targeted victim(s), and 3) exfiltrate data at will. Detection methods exist and are well-researched for these three realms: network attack, malware, and data exfiltration. However, formal methodology does not exist for identifying cyber espionage as its own classification of cyber attack. This paper proposes a synthesis approach for identifying targeted espionage by fusing the intelligence gathered from current detection techniques. This synthesis of detection methods establishes a formal decision-making framework for determining the likelihood of cyber espionage.

Keywords: covert channel, cyber espionage, data exfiltration, intrusion detection, malware analysis
1. Introduction and background

The cyber espionage threat is real. Because of the low cost of entry into and the anonymity afforded by the Internet realm, any curious or incentivized person can steal secret information off private computer networks (US-China, 2008). If a spy steals proprietary knowledge of a private company's innovative product research and development, then this data holds a high monetary value, reportedly billions of dollars, to an industry competitor (Epstein, 2008). If that stolen information is sensitive to national defense or national strategy decision-making, then the value is arguably immeasurable.

A consistently effective defense against cyber espionage requires a consistently effective way to identify it. While there are methodologies to detect facets of cyber espionage, there is no formal approach for identifying cyber espionage as a stand-alone network event classification in its own right. This paper proposes a new approach that uses the synthesis of current cyber warfare detection and analysis techniques in a framework to holistically identify malicious or suspicious network events as cyber espionage.

Due to the myriad of network attack methods and traditional espionage techniques, this paper cannot comprehensively address all techniques that a cyber spy would employ to achieve his mission (e.g., insider threat or physical access). Instead, the paper focuses on the most common method of performing cyber espionage from a remote location outside the victims' local network. Historically, the most common method for infiltrating a network for this purpose is through targeted spear phishing emails with malicious file attachments (SANS Institute, 2008). Both the emails and attachments are products of effective social engineering methods that tailor the content to the recipients of the emails. When an unsuspecting, targeted user opens the attachment, the malware, and therefore the cyber spy, establish a foothold on the computer and affected network. The spy can then use his specialized malware to search for interesting data on the victim computer and network and exfiltrate this potentially sensitive data from the victim network to a place of his choosing.

The synthesis approach and decision-making framework proposed in this paper allow a network defender to correctly identify this kind of targeted cyber espionage event. If this methodology is to catch cyber spies targeting specific victims, then this detection approach must look at each malicious activity (i.e., network infiltration, malware installation, and data exfiltration) within the context of the whole espionage event. This approach does not attempt to introduce new ways to detect network attacks, malware infections, or data exfiltration beyond the bounds of the current field of research. Rather, the current detection methods are integrated in a new way that yields a synthesis approach to categorize cyber espionage events. The paper first discusses techniques to detect each of the spy's three steps to espionage success, and then the synthesis approach and resulting framework are explained. Section 2 reviews network infiltration detection methods. Section 3 looks at detecting malware on a computer. Section 4 discusses the detection of data exfiltration. Section 5 poses the synthesis detection approach, followed by a conclusion and discussion of future work in Section 6.
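The following is an added illustration of the principle stated above, that each stage (infiltration, malware installation, exfiltration) is judged in the context of the whole event rather than in isolation. It is not the paper's framework and not code from the authors: it assumes that each existing detector (IDS, anti-virus, data-loss monitor) emits an alert already tagged with one of the three stages, and the verdict labels, the 30-day window and the sample alerts are illustrative choices made here, not values from the paper.

```python
"""Per-host stage correlation for the three-step espionage pattern.

Assumption (not from the paper): every detector alert carries the host it
concerns and the espionage stage it evidences. The correlator then rates a
host by whether the chain infiltrate -> install -> exfiltrate was observed in
chronological order within a bounded window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The three steps the paper names as the consistent espionage methodology.
STAGES = ("infiltration", "malware", "exfiltration")


@dataclass(frozen=True)
class Alert:
    host: str        # victim host the alert concerns
    stage: str       # one of STAGES, assigned by whichever detector fired
    when: datetime   # detector timestamp
    source: str      # detector family (constructed labels: ids, av, dlp)


def ordered_stages(alerts: List[Alert]) -> List[Tuple[str, datetime]]:
    """Walk one host's alerts chronologically and record a stage only when it
    is the next expected step of the chain (out-of-order stages are ignored)."""
    chain: List[Tuple[str, datetime]] = []
    for a in sorted(alerts, key=lambda x: x.when):
        want = STAGES[len(chain)] if len(chain) < len(STAGES) else None
        if a.stage == want:
            chain.append((a.stage, a.when))
    return chain


def assess(alerts: List[Alert], window: timedelta = timedelta(days=30)) -> Dict[str, str]:
    """Rate each host by how much of the chain the fused detectors have seen.

    'likely espionage'   all three stages, in order, within the window
    'suspicious chain'   two or more stages seen, but order or timing incomplete
    'isolated alert'     evidence of a single stage only
    'no stage evidence'  nothing the correlator recognises
    (labels and window are illustrative, not the paper's decision rules)
    """
    by_host: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)

    verdict: Dict[str, str] = {}
    for host, host_alerts in by_host.items():
        distinct = {a.stage for a in host_alerts if a.stage in STAGES}
        chain = ordered_stages(host_alerts)
        if len(chain) == len(STAGES) and chain[-1][1] - chain[0][1] <= window:
            verdict[host] = "likely espionage"
        elif len(distinct) >= 2:
            verdict[host] = "suspicious chain"
        elif len(distinct) == 1:
            verdict[host] = "isolated alert"
        else:
            verdict[host] = "no stage evidence"
    return verdict


# Constructed sample alerts (not real data): hostA shows the full chain in
# order, hostB reports exfiltration before any infiltration evidence, and
# hostC only has a single anti-virus hit.
T0 = datetime(2011, 3, 1, 9, 0)
SAMPLE = [
    Alert("hostA", "infiltration", T0, "ids"),
    Alert("hostA", "malware", T0 + timedelta(hours=2), "av"),
    Alert("hostA", "exfiltration", T0 + timedelta(days=3), "dlp"),
    Alert("hostB", "exfiltration", T0, "dlp"),
    Alert("hostB", "infiltration", T0 + timedelta(days=1), "ids"),
    Alert("hostC", "malware", T0, "av"),
]

if __name__ == "__main__":
    for host, label in sorted(assess(SAMPLE).items()):
        print(f"{host}: {label}")
```

The point of the ordering rule is that the same three alerts mean different things depending on sequence: an exfiltration alert that precedes any infiltration evidence (hostB) is still worth an analyst's attention, but it does not match the spear-phishing-then-exfiltrate pattern the paper describes, so it is not rated the same as hostA.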