CYBER MAVEN: Using Honey Pots to Lure and Attack Cyber Enemies

How does the Command defend networks that it doesn’t own from threats that aren’t military in origin

Rustici Previously Served as a Technical Lead, Intrusion Analyst and East Asia Cyber Lead at the Department of Defense

Frontier Wars Redux: U.S. Cyber Command’s Contested Domain

By Ross Rustici

There is an old strategist adage that states, “no plan survives first contact with the enemy, that is why they are called the enemy.” This remains true for any military planner today. However, not since the mid 1800s have U.S. military planners fought in a domain that was contested with similar capabilities not only by other nations, but also criminals, zealots, and activists. How Cyber Command overcomes this simple truth will shape how effective it can be in executing both its offensive and defensive missions.

Recently, Cybereason research out of Cybereason illustrated how contested the cyber domain really is. After setting up a honey pot to look like a power substation, it took just seven days for it to be hacked -- not by a nation state looking to prepare the battlefield, but by criminals looking to gain access to the ICS network. While this research has flagged the much greater breadth of threat actors specifically targeting these systems. The discussion of what it means for the attackers has not been a topic of conversation.

The ability of the hackers in the honey pot to move laterally without the use of any customized tools and conduct multi- point reconnaissance to look for the few systems that would allow for the transfer between the IT network and the OT systems, showed a level of sophistication that rivals some nation states. Tier 1 actors are always going to have more capability in overcoming obstacles, staying undetected, and operating in a more precise nature. These are all attributes that make them significantly more capable in the execution of an operation than a cyber criminal group looking for a payday. Unfortunately, those capabilities have proven time and again to be meaningless when operating on a target that also draws the attention of criminal actors.

The different nature of the motivations for these hackers to both be going against an ICS system puts the tier- 1 nation state actor at greater risk in every phase of the operation. In general, criminals are noisy, fast, and dirty. They are looking for the highest payout with the least amount of work possible. Nation states on the other hand, especially when prepositioning, operate slowly, methodically, and as undetectable as possible. It would be counter productive to expend so many resources prepositioning military capabilities in enemy networks only to have those capabilities found and purged before they were needed. Unfortunately, for the nation states the criminal actors are causing this to happen. By being noisy and targeting the same systems, network owners are conducting remediation actions that negatively impact the upper tier’s operations and capabilities. Only in the cyber domain do you see military capabilities become the collateral damage of criminal groups.

The defensive mandate of Cyber Command is even more complicated when discussing these issues. How does the Command defend networks that it doesn’t own from threats that aren’t military in origin, even though those threats could pose the same or even greater risks for military operations? Should USCC be defending the networks of private rail companies from criminals intent on ransoming the control of rail switches? IOn the face of it, it seems preposterous that the U.S. military would operate in this manner, . butBut, given the U.S. military’s reliance on rail to maintain force readiness between the coasts coupled with active engagements in Syria, Afghanistan, and Special Operations deployments throughout Africa and the Middle East combating terrorism, what is the potential loss of life of the wrong train switch getting turned off at the wrong time?

Cyber, as a domain, presents significant problems that the current policy and laws are ill equipped to deal with. The line between military and civilian jurisdiction, intent and the minimization of collateral damage are all blending together. As more cyber criminals see the ability to monetize what were previously seen as nation state targets, the harder it will be for the militaries of the world to operate in a clear and clean manner. The findings of this honey pot should be a clear signal to those who operate this infrastructure that more needs to be done to safeguard it. It should also serve as a reminder to those in the Pentagon that the newest domain that they must plan for is far messier than anything anyone has seen before. Without understanding the constraints that imposes, they will have a large problem building a workable operations structure.

-- Stay Tuned for more CYBER MAVEN Columns --

Ross Rustici - A Warrior Maven Columnist and Senior Contributor -

He Currently Serves as Senior Director, Intelligence Services, Cybereason. Cybereason

Ross previously served as Technical Lead - DoD, East Asia Cyber Lead - DoD, and Intrusion Analyst - DoD.

Comments

Stories