6th European Conference - Academic Conferences
David Merritt and Barry Mullins
outbound from a network, the task of identifying a “bad” stream of data leaving the network amidst a flood of “good” data is daunting.

Many convenient overt channels exist with the Internet. With a significant bulk of network traffic on any given local network being Internet-related, any web-based protocol offers a readily available overt channel within which a spy can easily exfiltrate stolen data. The sheer amount of web traffic makes it easy to hide the communication channel—the data is just one animal in a herd at that point. Fortunately, custom signatures can be generated for specific, sensitive data that would trigger a NIDS alert if this data were detected on its way out of a network (Liu, 2008).
Thanks to several innovative research efforts, it is possible to detect many kinds of covert channels. Gianvecchio and Wang (2007) use a corrected conditional entropy (CCE) approach to accurately detect covert timing channels in HTTP (hypertext transfer protocol) traffic. Similarly, Cabuk, Brodley, and Shields (2009) use a measure of compressibility to distinguish covert timing channel traffic from conventional web-based traffic. While there are a multitude of other types of covert channels, like those using packet header fields or timestamps, there are approaches to eliminate, reduce, or at least detect these (Zander, Armitage, and Branch, 2007: 44-57).
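The two regularity measures cited above can be illustrated on inter-packet delay streams. The following Python is an added example written for this page; it is not code from the paper or from the cited authors, and it only follows their ideas in spirit: a compressibility score in the style of Cabuk, Brodley, and Shields (serialise the delays, gzip them, take the size ratio) and a corrected conditional entropy in the style of Gianvecchio and Wang (quantise delays into equiprobable bins learned from assumed-legitimate traffic, then CCE(m) = [EN(m) - EN(m-1)] + perc(m) * EN(1), minimised over pattern length m). The bin count, maximum pattern length, rounding precision and the two sample streams (exponentially distributed legitimate delays, a two-delay one-bit-per-packet covert stream with jitter) are constructed assumptions, not measurements.

```python
"""Regularity measures for covert timing channel detection, applied to
constructed inter-packet delay streams (example code, not the paper's)."""
import bisect
import gzip
import math
import random
from collections import Counter


def compressibility(delays, decimals=3):
    """Compressibility score in the spirit of Cabuk et al.: size of the
    serialised delay string divided by its gzip-compressed size. A stream
    built from a handful of repeated delay values compresses far better
    (higher ratio) than naturally jittered traffic."""
    raw = ",".join(f"{d:.{decimals}f}" for d in delays).encode()
    return len(raw) / len(gzip.compress(raw))


def quantile_edges(training_delays, q=5):
    """Bin boundaries that split the training (assumed-legitimate) delays
    into q equiprobable bins; test streams are quantised against these."""
    s = sorted(training_delays)
    return [s[len(s) * k // q] for k in range(1, q)]


def _pattern_entropy(symbols, m):
    """Joint entropy (bits) of length-m symbol patterns, plus the fraction
    of observed patterns that occur exactly once (the 'perc' term)."""
    counts = Counter(tuple(symbols[i:i + m]) for i in range(len(symbols) - m + 1))
    n = sum(counts.values())
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    unique = sum(1 for c in counts.values() if c == 1) / n
    return entropy, unique


def corrected_conditional_entropy(delays, edges, max_m=10):
    """Corrected conditional entropy in the spirit of Gianvecchio and Wang:
    CCE(m) = [EN(m) - EN(m-1)] + perc(m) * EN(1), minimised over m.
    Low values mean the timing is regular, i.e. predictable."""
    symbols = [bisect.bisect_right(edges, d) for d in delays]
    en1, _ = _pattern_entropy(symbols, 1)
    best, prev = en1, 0.0
    for m in range(1, max_m + 1):
        en_m, perc = _pattern_entropy(symbols, m)
        best = min(best, (en_m - prev) + perc * en1)
        prev = en_m
    return best


def score_stream(delays, edges):
    return {"compressibility": compressibility(delays),
            "cce": corrected_conditional_entropy(delays, edges)}


def constructed_streams(seed=7, n=2000):
    """Constructed sample data, not captures: legitimate delays drawn from
    an exponential distribution (mean 0.1 s), and a covert stream that
    signals one bit per packet with two fixed delays plus +/-1 ms jitter."""
    rng = random.Random(seed)
    legit_train = [rng.expovariate(10.0) for _ in range(n)]
    legit_test = [rng.expovariate(10.0) for _ in range(n)]
    covert = [(0.03 if rng.random() < 0.5 else 0.12) + rng.uniform(-0.001, 0.001)
              for _ in range(n)]
    return legit_train, legit_test, covert


def demo():
    """Score a legitimate and a covert stream against bins learned from
    separate legitimate training data."""
    train, legit, covert = constructed_streams()
    edges = quantile_edges(train)
    return {"legit": score_stream(legit, edges),
            "covert": score_stream(covert, edges)}


if __name__ == "__main__":
    for name, scores in demo().items():
        print(f"{name:7s} compressibility={scores['compressibility']:.1f} "
              f"CCE={scores['cce']:.2f} bits")
```

On the constructed data the covert stream scores several times higher on compressibility and roughly a bit of CCE against more than two bits for the legitimate stream; a deployed detector would set its thresholds from the CCE and compressibility distribution of the site's own benign traffic rather than from these constants.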
5. Synthesis detection approach
From the perspective of preventing the compromise of sensitive information, it is crucial to determine if anomalous, suspicious, or malicious occurrences are part of a cyber espionage attempt or not. In other words, to prevent cyber espionage, one must first be able to identify it reliably. However, there is a surprising lack of research focused on identifying or labeling network events as cyber espionage.

The Defense Personnel Security Research Center (PERSEREC) produced a technical report in 2002 on 150 cases of espionage against the United States by American citizens (Herbig and Wiskoff, 2002). The Defense Intelligence Agency's (DIA) Counterintelligence and Security Activity (DAC) used the results of PERSEREC's report to produce a guide to aid its employees in reporting potential espionage-related behaviors in their colleagues (Office 2007). Essentially, the DIA relies on a synthesis of indicators to aid in its detection of spies.

This paper adopts the same synthesis approach to detecting cyber espionage. Operating under the premise that cyber espionage emits telltale signs, the search for these indicators begins by looking at a series of questions with, hopefully, intuitive and obvious answers that lead to a framework of measurement.
5.1 How would a spy infiltrate a network?
If an attacker were only concerned with gaining access into a network, he would justifiably launch as many attacks against as many victims as possible. This increases his likelihood of success. But this torrent of binary madness will also draw much attention. A cyber spy who intends to steal sensitive information from a network will typically take a more streamlined avenue into the network, one that is less noisy and has a higher probability of success. This mentality and intention will drive the spy to use more strategy in choosing his attack tools and methods. Also, based on the spy’s knowledge of his victims and his desire to evade detection, he will target a relatively small number of victim systems. Spear phishing emails sent to a handful of selected victims are indicative of espionage. In addition, if the content of the email is tailored to be very specific and relevant to the industry, then this would be a telltale sign of cyber espionage. This thought process reveals a couple of indicators we can use to distinguish network intrusions that are highly probable espionage events from those that are not: targeted and tailored.
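The "synthesis of indicators" the section builds toward can be made measurable. The Python below is an added example written for this page, not the paper's own method or tooling: it turns the two indicators named above into features of an email campaign (targeted: how small a slice of the organization's roster received the message; tailored: how many industry-specific terms the message uses) and fuses them into one score. The roster size, the industry vocabulary, the thresholds (10% of the roster for "not targeted", three vocabulary hits for "fully tailored"), the equal weights, the 0.6 decision cut-off and both sample campaigns are constructed assumptions chosen for illustration.

```python
"""Indicator synthesis for phishing campaigns: targeted + tailored.
Example code with assumed thresholds, not the paper's framework."""
import re
from dataclasses import dataclass

# Assumed tuning constants (not from the paper).
NOT_TARGETED_FRACTION = 0.10   # >= 10% of the roster reached -> not targeted
TAILORED_TERM_HITS = 3         # >= 3 industry terms used -> fully tailored
WEIGHTS = {"targeted": 0.5, "tailored": 0.5}
DECISION_THRESHOLD = 0.6


@dataclass(frozen=True)
class Campaign:
    """One inbound email campaign as reconstructed from mail logs."""
    name: str
    recipients: frozenset
    subject: str
    body: str


def tokens(text):
    """Lower-cased word tokens of two or more characters."""
    return set(re.findall(r"[a-z][a-z0-9-]+", text.lower()))


def targeted_score(campaign, roster_size):
    """1.0 for a handful of recipients, falling linearly to 0.0 once the
    campaign reaches NOT_TARGETED_FRACTION of the organization."""
    fraction = len(campaign.recipients) / roster_size
    return max(0.0, 1.0 - fraction / NOT_TARGETED_FRACTION)


def tailored_score(campaign, industry_vocab):
    """Fraction of the required industry-term hits present in the message,
    capped at 1.0; generic lures score 0.0."""
    hits = tokens(campaign.subject + " " + campaign.body) & industry_vocab
    return min(1.0, len(hits) / TAILORED_TERM_HITS)


def synthesize(campaign, roster_size, industry_vocab):
    """Fuse the indicators into one weighted score and a label."""
    indicators = {"targeted": targeted_score(campaign, roster_size),
                  "tailored": tailored_score(campaign, industry_vocab)}
    score = sum(WEIGHTS[k] * v for k, v in indicators.items())
    return {"campaign": campaign.name, "indicators": indicators,
            "score": round(score, 3),
            "probable_espionage": score >= DECISION_THRESHOLD}


# Constructed sample data: a 500-person organization in an assumed
# turbine-manufacturing industry, and two made-up campaigns.
ROSTER_SIZE = 500
INDUSTRY_VOCAB = frozenset({"turbine", "blade", "coating", "alloy",
                            "composite", "procurement", "tender"})
MASS_PHISH = Campaign(
    "mass-quota-lure",
    frozenset(f"user{i}@example.test" for i in range(420)),
    "Mailbox over quota",
    "Your mailbox is over quota. Verify your account within 24 hours "
    "or it will be suspended.")
SPEAR_PHISH = Campaign(
    "spear-tender-lure",
    frozenset({"dana@example.test", "lee@example.test",
               "ravi@example.test", "mia@example.test"}),
    "Revised turbine blade coating spec",
    "Hi Dana, attached is the revised turbine blade coating spec for the "
    "Q3 procurement tender; please review before Thursday's call.")


def demo():
    return [synthesize(c, ROSTER_SIZE, INDUSTRY_VOCAB)
            for c in (MASS_PHISH, SPEAR_PHISH)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In use, the recipient count and the message text come from the mail gateway logs, and the vocabulary from the organization's own project and product terms; the point of the fusion is that a small campaign with generic text, or a large campaign with industry wording, scores below the cut-off, while only the combination of both indicators does not.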
5.2 What kind of malware would a spy use?
If an attacker just wanted to infect as many machines as possible to expand his ever-growing botnet, this attacker's malware of choice would eventually run rampant and widespread across the Internet, or else it would not accomplish its master's goal. Looking at the other end of the spectrum, assuming a spy would want to evade detection and maintain persistent, reliable access to data, the spy would probably choose malware that is not easily detectable. Malware that is very well known is likely not the strategically-chosen tool of a cyber spy. In addition, since the name of the espionage game is to obtain information, it would make sense for espionage-related malware to have some sort of data-gathering functionality. Furthermore, if the malware is sophisticated enough to change tactics or focus