Into the Gray Zone
4 | The Cyber Threat and Active Defense

not enough to keep out hackers, and the inherent advantage rests with the attacker. A sophisticated adversary can easily disrupt a service, steal assets, or even destroy data held on private servers. Even non-state malicious actors have increased their sophistication in recent years, at times nearing a level of sophistication previously thought only achievable by the most capable of state actors.

Despite the limitations of defensive measures, it is important to note that private sector companies that implement basic practices of cyber hygiene can prevent the vast majority of malicious cyber activity. Companies are increasingly adopting security controls that will allow them and government partners to focus more resources on countering advanced threats—ones where active defense capabilities come into consideration.
The Anatomy of Exploitation and Attack

Although security policy experts have put much thought into how to preserve and protect U.S. national security, economic security, human rights, and privacy from cyber threats, the nature of evolving technologies makes this an ongoing and challenging task. In order to understand why malicious actors have such an advantage in cyberspace, and why defending against them remains so problematic for both the government and the private sector, it is helpful to have a basic understanding of how computer network exploitations and computer network attacks occur.
The Cyber Kill Chain, originally developed by the Department of Defense, can serve as a strong starting point for this type of analysis.25 The model divides the life cycle of a hack into three major steps: preparation, intrusion, and active breach; and was developed as a guide for gathering intelligence on cyber attacks that would help defenders secure their systems throughout the life cycle of a hack. This report’s “anatomy of exploitation and attack,” outlined in Figure 1, is a slightly modified model that incorporates details included in other analyses of hacker behavior, such as the InfoSec Institute’s Cyber Exploitation Cycle.26 Critics of the cyber kill chain argue that it relies too heavily on perimeter-based defense techniques and is therefore less helpful when it comes to describing socially engineered attacks, the insider threat, and other modern methods of cyber exploitation.27 While it was never intended to be operationalized against all types of cyber exploitation, the true weakness in applying the kill chain to cybersecurity is not that the model overemphasizes intrusions at the perimeter, but rather that those who use the model limit themselves to cybersecurity tools that are almost exclusively geared towards perimeter security. This report will frame the anatomy of exploitation and attack in such a way that is directly relevant to the private sector and can begin to guide cybersecurity practitioners away from limiting notions of network defense.
A modified version of the kill chain concept is a useful tool to analyze the stages of a cyber threat at which certain defensive tactics become relevant. Thus, the anatomy of exploitation and attack will serve as a reference point, as this report continues, to demonstrate where emerging cybersecurity practices can disrupt and defeat cyber threat actors. Furthermore, it will help to visually demonstrate how new cybersecurity practices can fill the gaps that intrusion-based cyber defenses currently leave exposed.
Key U.S. Interests in Cyberspace

Although the number and sophistication of cyber threats continues to grow, the United States has thus far escaped a significant cyber attack that has seriously damaged its critical infrastructure or way of life. How long this relative sense of security can last is unclear. Over the past decade, the arsenal of offensive cyber measures has grown unbounded; botnets, DDoS attacks, ransomware, remote access tools, encryption-based exploitation tools, social engineering, and zero-day exploits are the standards of the day.28 It will only be a matter of time before an adversary successfully capitalizes on these advantages and carries out an attack that damages and disrupts critical infrastructure. This type of asymmetric threat environment requires a carefully calibrated strategic response and calls for a broader cyber deterrence strategy. Not all threats are deterred in the same manner, however,