Abstract
In the modern era that is characterised by ease of accessing cheap computers that have high processing capabilities, network systems of organisations face incredible threats. Some of these threats include malicious attacks through malwares and unauthenticated access of a firm’s network systems. Operating in such an environment calls for the deployment of subtle strategies for mitigation of the risk of attacks. Mitigation of threats is largely possible only when an organisation is fully aware of the possible risky situations so that the strategies deployed match the risks. Therefore, subtle knowledge of SA (situational awareness) becomes of great paramount during the design phase of network attack defense systems. This would aid an organisation to come up with plausible information of the eminent attacks through carrying out a superfluous investigation of the likely effects of the threats. In this sense, SA aids in fostering understanding of network system security threats. On implementing the requisite SA models, organisations are now well placed to come up with mechanisms of determining the necessary assets (information systems) for protection. Nevertheless, in the case of computer enterprise network systems, determining the level of protection of the network systems is incredibly challenging since such networks operate within large WANS. The systems also support services that are enormously distributed. However, it is possible to induce the understanding of SA among the operators of the network systems by deploying network technologies that are situation ware. Unfortunately, as argued in this paper, in case of computer network defense (CND), designing network defense systems that are situation aware is one of the hardest endeavours that an organisation has to commit its resources particularly where situation awareness is to be deployed through offensive hacking.
Introduction
Given the magnitudes of the reported cases of breach of the rights of organisations’ to have their network systems secure, dealing with computer networks systems attacks may be considered warfare. Only people who have the capacity to access and know the intents of the attackers would register incredible success in a warfare battle. Unfortunately, the existing CND approaches such as antiviruses, firewalls, IPS, and IDS among other interventions are largely passive. They only focus on blocking the attackers without determining their true intents while acerbating their attacks for an organisations network system in the manner they do. Apparently, some of the current CND approaches essentially concentrate on self-awareness to realise their situational awareness (Dutt & Gonzalez 2011, p.57: Dutt, Cassenti & Gonzalez 2010, p.13). This implies that they hardly extend beyond their fields. The main tasks entail blocking attackers as a mechanism of inducing security for the network system. This introduces a major drawback since the enemy is given opportunities to design new approaches of breaking into an organisations network and computer systems through a strategy that would go through the screening network defense systems. Consequently, such a strategy would not be blocked. Firewall, IPS, and IDS are all CND components, which feed directly into SA. While this may be a good mechanism of arriving at a decision for enhancing security of network system, it is not sufficient (Jajodia et al. 2010, p.89).) This follows because CND and SA work in only a single field. The CND and SA model applied to enhance threats mitigations own this particular area.
An important aspect of the current network defense systems is that they hardly interact with the attackers in an attempt to determine their intents. Rather they block the attackers. Alternatively, the challenge of dealing with network work attacks may be realised through deployment of Endsley’s self-awareness model. The model is composed of three main phases for creating situational awareness. They are perception, comprehension and projections. This model has its delimitation (such as being passive) especially when it is applied in the modern computer and network environments. Consequently, this paper emphasises that an effective model that would help deal within the new challenges in network systems defense strategies needs to proactively interact with the attackers via servers that are deceptive. This may incredibly aid the administrators of networks to determine the actual intents of the attackers coupled with their overall goals when acerbating network attacks, which often truncate to negative impacts on organisations information systems. In this dissertation paper, determination of goals and intents of attackers is found vital since without the knowledge of the attackers’ systems, it becomes hard to derive strategies for the prevention of similar future attacks. One way of accessing information of the enemy is through putting in place a CND system that operates based on offensive hacking approaches. This is the major concern of this dissertation paper.
Background
Cyber security is not only an issue that worries an individual organisation but also government departments and agencies. For example, the government of the United States established a myriad of policies that aid in engineering various network defense mechanisms coupled with mitigating cyber attacks, threats, and vulnerabilities through enhancement of SA (James 2001, p.124: Cordesman 2002, p.29). These policies are ideally concerned with putting in place strategies for helping in sharing the cognitions of various cyber security risks amplifying situations from within the local governments, states governments, and even among various collaborators in private sectors. Such strategies are found as being crucial in the process of enacting numerous mechanisms for responding at high pace when situations involving cyber attacks arise. A quick response is incredible since “the U.S. government pays credible attention to cyber security to help in “defending against the full spectrum of threats by enhancing the U.S. counterintelligence capabilities besides increasing the security of the supply chain for key information technologies” (Rid 2011, p.333). Additionally, policies enacted to guide in designing strategies for enhancing cyber security are essential in the process of putting in place means of strengthening various efforts for enhancing cyber security in the future. This happens following the expansion of education efforts on cyber security, re-energising research efforts in the cyber security, and in the definition of strategies for coordination of development endeavours subtle for dealing with malicious and hostile misconducts within the cyberspace. The immense concerns given by nations such as the US on cyber security clearly depict that cyber security poses an immense threat to not only information systems of a nation but also on the economy of the nation. This challenge is enormously amplified especially where a nation is not completely set to mitigate the challenge.
Experience exemplifies the extent to which concerns of cyber threats may afflict the relations between nations. For instance, “in the 2006 war against Hezbollah, Israel alleged that cyber warfare was part of the conflict where the Israel defense force intelligence estimates that several countries in the Middle East used Russian hackers and scientists to operate on their behalf” (Andress & Winterfeld 2011, p. 17). These concerns for malicious attacks through hacking negatively affected Israeli to the extent that it declared an intensive war against Hezbollah. This holds because Israel developed the cognition of the fact that Hezbollah had the ability to interfere with communication systems of the military as part of the warfare. In another scenario in the US and South Korea in July 2009, instances of repeated attacks through denial of service directed towards financial websites and news media were experienced (Andress & Winterfeld 2011, p.21). Both governments accused North Korea for the attacks. However, later, experts were able to track the attacks as having originated form the United Kingdom. Whether the response is in terms of military interventions like in the case of war against Hezbollah or through posing the cyber systems of the enemy to attacks, cyber security is an expensive endeavour. This holds because, in the quest to mitigate cyber attacks, an investment in cyber security surveillance systems is critical. These surveillance systems also need to be constantly updated to keep them at pace with the innovations in methodologies of enhancing cyber attacks by enemies. This is perhaps incredible upon bearing in mind the fact, “security breaches have already gone beyond the stolen credit card numbers, and that the potential targets can also include the electric power grid, trains, or the stock market” (Brenner 2009, p.57). An example of an attack involving targeting of non-information system includes infiltration of Stuxnet virus into the industries’ comptrollers. This virus had the ability of being transmitted across many industries so that it could have colonised all the comptrollers across the world at any one instance. Indeed, according to Richmond (2010), the virus was largely considered by industrial experts as ““the first attack on critical industrial infrastructure that sits at the foundation of modern economies” (p.17). Thus, it is arguable that Stuxnet was a cyber weapon that was deemed suitable for enhancing attempts of affecting the economic wellbeing of nations through cyber war. With cognition of the experience in malicious cyber attacks, it is intriguing whether the targets need to put in place mechanisms of blocking the attacks or by inculcating attempts to counterattack the enemy. Amid this dilemma, it is argued in the paper that current CND needs to deploy measures such as counter attacking of the enemy through strategies such as offensive hacking.
Previous Studies
Cyber warfare
Cyber warfare can cause an incredible physical havoc to a nation’s infrastructure. This may take place when cyber space attackers target the physical instruments and infrastructure (Lam, Beekey & Cayo 2003, p.84). While kinetic warfare involves combats engaging the enemy in a battlefield while armed with tanks, guns, and explosives among other weapons of destruction, cyber war takes place in an environment where the tools of executing it are available even to the public. Even a personal computer can be used to execute it provided a means of interconnection of the personal computer with the rest of the pool of computer across the globe is availed (Lewis 2010, p.212). With the cost of personal computer decreasing substantively coupled with the immense decrease in the cost of internet connections, it implies that the tools for executing cyber war are becoming much accessible. The magnitudes of cyber threats to network systems of organisation are particularly amplified with the increasing technical knowhow on cheap means of production of personal computers with a high speed processing ability (Lewis 2010, p.211). Increase in the number of people having accessibility to the internet means increased risks of cyber attacks. Hence, any organisation needs also to engineer new mechanisms of mitigating the risks.
Warring fields for cyber war are predominantly shrouded within in the internet and computers. This war is executed through the interference of network systems. Consequently, cyber war is electronic in nature (Amoroso 1999, p.11). By noting these characteristics of cyber war, Denning (1999) defines cyber war as a “politically motivated hacking to conduct sabotage and espionage” (p.13). During kinetic wars, the adversary endeavours to destroy the myriad of political, economic, and military intelligences of the target. However, this happens through the deployment of military forces. On the other hand, to help in successfully countering the enemy with multiple chances of success during cyber war attacks incidences, it stands imperative that a parallel deceptive counter attack strategy is deployed through a deceptive service. This aids in garnering the intelligences of the enemy. Running parallel deception services that precisely take after real services will enhance the probabilities that the enemy intentions are identified. This provides a room for a counter attack to run while making sure that the enemy does not notice the intents of the surveillance systems of the counter attacker.
Cyber war is much analogous to military war. This similarity makes it possible to apply concepts of SA, which were first applied in military interventions to situations involving cyber security threats with immense success. The whole idea of the application of SA to help in the identification of intention, aims, and goals of the enemy rests squarely on the platforms of developing subtle knowledge of both the organization and the enemy’s capabilities. In effecting defense strategies, this is enormously vital since, “if you know neither the enemy nor yourself, you will succumb in every battle” (Luzwick 2000, p. 15).
Kinetic wars between nations involve a direct confrontation on a battlefield in which either side is armed with the knowledge of the weaknesses of the opponent. This makes one nation develop the belief in its abilities to defeat the enemy (Saydjari 2004, p.54: Skoudis 2006, p.102). On the other hand, with the ever-increasing technological sophistications, a modest way of achieving similar result is through electronic war. It is through the realisation of this argument that many nations run a cyber war drill coupled with games on a regular basis. This helps them to be ardently prepared for genuine electronic attacks from their foes. In this line of view, Cordesman (2002), laments, “with an increasing global reliance on technology for everything from managing national electrical grids to ordering supplies for troops, cyber war is a method of attack to which many nations are vulnerable” (p.17). Cyber war attacks normally take convectional forms of attacks. For instance, computers are employed to spread propaganda, vandalism, and espionage among other things that impair the image of another nation or an organisation. Additionally, as Brenner notes, “denial of service attacks can be used to shut down websites, silencing the enemy, and potentially disrupting their government and industry by creating a distraction” (2009, p.98). This means that cyber war can be deployed as a mechanism of attacking infrastructure and equipments. Arguably, this is a mega concern of the magnificently industrialised countries, which enormously depend on electronic system to execute control over their production processes.
The environment within which modern computer networking systems operate is inherently challenging. This follows because, according to The White House (2006), “contested cyber environment” involves circumstances in which one or more adversaries attempt to change the outcome of a mission by denying, degrading, disrupting, or destroying cyber capabilities, or by altering the usage, product, or confidence in that capabilities” (p.11). These challenges are related to the nature of cyberspace operation, which is characterised by constant interactions. Unfortunately, the current CND approaches only function to block these interactions in case vulnerabilities to threats are detected. Essentially, it is impossible to detect the intents and the nature of the attackers. This makes cyberspace operations subjects to the enormous levels of risks, which require the deployment of an ample time in the mitigation of the risks (Shapley 2006, p.1099). Arguably, cyber attacks have their own distinctive sets of risks. Tadda et al. (2006) agrees with this line of view by further asserting, “Cyberspace is a domain with its own set of risks” (p.34). This implies that, due to the interconnectivity of cyber systems, a risk faced by one system is assumed by the related interacting systems in the network. In this sense, risk mitigation may constitute a magnificent success in decreasing risk levels to magnitudes that may be taken as suitable for continued operations. Operation of firewalls, IPS, IDS, education, and training programs are good examples of this approach of cyberspace risk prevention and mitigation. However, by mitigating risks this way, it does not imply that the attackers would not cease innovating strategies for re-attacking organisations’ systems in a manner that would pass through the screening systems deployed by the targeted organisation (Lunt 1993, p.12). This holds because, through such systems of reduction of vulnerabilities of an organisation to attacks, no effort is made to understand the attacker. The main concern is to block the attacks. With the increasing incidents of malicious attacks of networks by persons or group of persons located anywhere within the globe, it is necessary that a next level of defending an organisation’s network systems is considered. Such a mechanism needs not to be passive- it needs to be reactive. However, SA is necessary in any system since it is through it that threats are determined, and appropriate strategies, whether through passive or reactive approach, are engineered.
Role of SA in Perception of Risks in the Cyber Space
Apart from the potential of applications of SA in CND, SA has been applied widely in air traffic control. Military operations constitute an additional field where situational awareness is critical so that every move deployed by military measures up to the eminent threats that are posed by the enemy (Salter et al. 1998, p.5). The success of SA in helping to garner information on the tactics of the enemies is critical in the sense that such a success may act as an indication of a likely success of SA in the CND. This holds because military operations are analogous to the risks anticipated in the CND environment in terms of threats that organisations are made susceptible to by attackers. Amid the likelihood of SA in aiding to mitigate risks in network systems of organisations, Ou, Boyer and McQueen (2006) reckon that applications of SA in computer defense systems have not made magnificent strides since research on its applicability is still at its youngest stages (p.336). This argument is perhaps subtle by considering that the current attempts to enhance CND rely principally on mechanisms of blocking enemies. This differs with military operations since military does not only concentrate on preventing attacks from the enemies but also considers retaliating and responding actively in the case of attacks. This requires the possession of an ample knowledge on the enemy’s information systems and modes of communication. Arguably, therefore, intercepting the communication process of the enemy and getting the means of decoding information of the enemy can incredibly aid in successfully defeating the enemy. With the similarity between CND and military operations, it is critical to note here that, when similar concepts are applied through offensive hacking, it might be incredibly possible to counter all the enemy tactics of attacks. Apparently, when the goal of network defense entails blocking the enemy, CND does not attain its purpose precisely. According to Computer Economics Malicious Code Attack Economic Impact Update (2008), the purpose of SA in CND is to aid in ensuring that networks of organisations are secure and free form likely attacks (Para.9). To achieve this purpose, SA needs to enable an organisation to detect, conduct an analysis of the cyber attacks, control, and monitor without negating responding to the attacks. Facilitating these noble roles of CND calls for a collective responsibility of network engineers, administrators of networks, and analysts of network systems (Borchgrave et al. 2000, p.56: Cordesman 2002, p.12: Erbschloe 2001, p.83).
A critical role of SA entails scrutinising the environment to revel threats that may impair the network systems of an organisation including cyber attacks (Paxson 1998, p.39). It also encompasses creating an understating of security threats in the present time followed by their projection into the future (Endsley 2004, p.39: Gonzalez et al. 2010, p.413). From this perspective, concepts of SA can be applied in a CND environment to enhance awareness of cyber threats in the dynamic interactive environment accompanied by forecasting alternative ways of enhancing cyber attacks. On successful forecasting of the likely methodologies of effecting cyber attacks, it implies that an organisation becomes capable of deriving strategies that would enable it design defense strategies that are consistent with innovations of attackers. This can proactively enable an organisation to develop full capacity of remaining protected at all times (Gonzalez & Dutt 2010, p.412: Busemeyer & Diederich 2009, p.103: Schneier 2008, p.71). Application of SA in IT governance needs to produce substantive results in mitigating cyber attacks from the approach of fostering interaction with the enemy to develop subtle knowledge of the enemy’s systems. Arguably, such a strategy is essential in helping to deal with innovative hacking strategies adopted by the enemies such as the threats that were experienced by Wikileaks coupled with databases of many nations including the U.S. In fact, with the onset of the computer age, many government agencies have resulted in relying on online systems to deliver their services (Sideman, 2011, p.5). This magnifies the impacts of cyber attacks in case enemies target such agencies since it would lead to complete halting of the service delivery. Consequently, it is paramount that all cyber security personnel remain fully vigilant in the attempt to have a fast track of incidences of threats before they have actually affected an organisation (Lute & McConnell 2011, p.1). This noble task of cyber security personnel calls for the deployment of SA approaches from three contexts. These are recognition of threats and comprehension of threats followed by projections of the threats (Endsley 1995, p.35: Tadda et al. 2006, p.625).
Influencing enemy and affecting their SA or DM process in cyber security
Apart from interacting with the enemy, it is crucial that an enemy posing threats to cyber security of an organisation is influenced so that when offensive hacking is deployed, information can be garnered about the enemy’s networks coupled with the strategies that are deployed by the enemy to effect their SA and DM processes. Cyber war is conducted over a set of interconnected computers (Fulghum, Wall & Butler 2007, p.29: Geers & Eisen 2010, p. 8: Geers 2011, p.26). Consequently, internet is also an important tool to influence the enemy to initiate an interaction process, which, while executed through false server, may prompt learning about SA and DM process of the enemy. In this perspective, Geers and Temmingh (2009) reckons, “humans have grown dependent on “cyberspace” – the flow of information and ideas that they receive from the Internet on a continual basis and immediately incorporate into their lives” (p.67). This implies that hackers consider internet as the most subtle surface to acerbate their evil deeds. Thus, it is likely that they always look for loopholes in systems of organisations before striking. Arguablly, therefore, creating intentional loopholes, which hackers might perceive as subtle grounds for striking, may aid in acting as influence parameters for understanding their SA and DM processes.
The preference of internet as a subtle tool for influencing the enemy is because cyber attacks make use of its power for them to be successful. Since the early development days of the web, internet facilitated propaganda has been recorded (Geers 2010, p. 549: Gray & Head 2009, p.397). Through internet, a cyber attack was conducted on Israeli air force when Israeli attempted to demolish a nuclear reactor belonging to Syria (Geers 2009, p.8). Arguably, if the internet can be such a resourceful tool in conducting cyber attacks, it implies that it can also be used to garner information about the enemy. Repeated attempts to access the information of organisations through some suspicious approaches may perhaps give the signal for initiating attempts to influence the enemy by creating enough loopholes through false databases. This may help to win the confidence of the enemy. This means that the enemy would deploy more efforts to have access of organisations’ information systems. On the other hand, this creates an opportunity for the organisation seeking to mitigate itself from the threats of cyber security to have better opportunities of analysing the enemy’s SA and DM processes. When enough information is garnered about the foe’s SA and DM processes, an organisation becomes well prepared to counter attack through offensive hacking to disable the enemy’s SA processes coupled with their networks.
Effecting CND through offensive hacking approaches
In the spheres of cyberspace security, two groups of people pose threats to organisation’s network systems: crackers and hackers. “Hackers have an immense interest in computers and networks and actually enjoy the game of discovering vulnerabilities and loop holes in systems” (Mattord 2008, p.41). The main objective may be to expose any private information of an organisation to the public without necessarily damaging the data. On the other hand, crackers’ intentions are principally criminal, for instance, stealing of credit card numbers and passwords. The motivation for hacking is inspired by a number of reasons ranging from curiosity to revenge. In the context of seeking to realise individual and group curiosity, Mattord (2008) reckons, “attacking and outsmarting large corporations can create a huge ego boost” (p.53). On the other hand, hacking for revenge is growing a trend in cyber security for organisations. Apparently, hard economic times due to financial crisis prompted organisations to lay off many employees. These people are dissatisfied besides focusing on revenging through attacks of the organisations networks. This argument is reinforced by McCumber (2004) who claims that the person who is well-positioned to attack an organisation’s system is the one who has a prior knowledge on the operation of the information system” (p.101). With the evident increase of processing speeds of personal computers and that of internet accessibility, it is anticipated that many organisations will continue to experience increased risks of their systems being hacked. Consequently, offensive hacking of the systems of an organisation is critical in the creation of a false alarm that may help an organisation to identify the loopholes on its networks. After all, external hackers target these loopholes, something that exposes the organisation to the risks losing data once it is successful. This strategy may perhaps be of great benefit to an organisation seeking to develop a continuous assurance of the security state of its information system.
Intentional hacking of an organisation’s system is one way of developing the capacity to deal with people having the knowledge of operation of the organisation network information systems who acerbate the risks of attacks. The other alternative is through the deployment of deceptive servers. Through the deployment of SA approaches to determine potentially dangerous interactions, the attackers can be redirected to the deceptive server from where the interactions are enhanced further. Via this interaction, the network security staff can learn more about the attackers. This information can make the security staff to derive mechanisms of offensively accessing the networks of the enemies so that the malwares can be accessed. This way, it becomes possible to increase the efficiency of the malware identification by software such as antivirus because the redesign of the software will be made with precise information on the characteristics of the dangerous enemy’s codes.
Using offensive hacking approaches to make both the current CND and SA approaches affective via offensive hacking requires the use of a number of strategies. These strategies include profiling, scanning, and enumerating coupled with exploiting of potential attackers. Profiling involves garnering vital information about the potential attackers. This can be realised through deceiving the mind of the attackers to gain the profile of the attacker’s systems during the interaction process via the deceptive server. Where the organisations pose the attacks, accessing information on the FAX, Email addresses, and phone numbers can be instrumental in providing a means for accessing the log in details into the target domains (Li, Ou & Rajagopalan 2009, Para. 5). Another critical aspect that is necessary to profile an organisation that is likely to pose threats to organisation’s network systems is the capacity to know the IP addresses and the versions of the target operating systems and or web servers. Interaction with the attackers can also help in fostering mechanisms of identifying the improperly configured DNS. This is credible in helping to identify the IP addresses of the attackers.
Upon successfully profiling the enemy’s network systems, it becomes necessary to garner additional information by scanning the necessary data “to create a list of networks devices active on the network” (Thomas 2010, p.90). In this end, a number of strategies may be deployed. One of the strategies is to employ the use of PING sweeps to aid in the identification of active systems in the network posing threats to an organisation’s networks and then responding to the identified networks. Although, scanners such as NAI cybercorp, web trends security analysers, and ISS internet scanners among other commercially available scanners are used to execute legitimate scanning procedures (Granville 2003, p.105: Apro & Graeme 2005, p.65 ), they can also be used in scanning the identified and deceived enemy’s networks. In addition to the open source scanning tools such as nessus, all these scanners can incredibly aid in revealing the enemy’s applications of the operating systems coupled with the likely loopholes, which an organisation can utilise to deny the enemies any service by exposing them out and or even corrupt their systems.
Enumeration encompasses an intuitive approach of determining various valid users of network accounts. Through the aid of a deceptive server, interaction with the enemy can help a network security professional to guess passwords for the determined valid account users of the enemy’s network so that access into the network can be obtained. According to Moore, “identifying and accessing various resources of network system can allow a way into confidential documents or even databases” (2005, p.258). This means that the process of enumeration requires an active interaction with the enemy’s server through a continuous establishment of connections with any threatening sources. Since it is undesirable for an organisation to possess its genuine information at risk, deceptive servers and deceptive databases becomes necessary to execute the enumeration process. Other mechanisms of enumerating the attacker may embrace approaches such as establishing an active connection of FTP and or web applications of the enemy via the deceptive server. Upon doing this with the help of password grinders, which deploy common password dictionaries, guessable passwords can be used to access the attackers’ accounts. Indeed, “applications such as SNMP- simple network management protocol-may help in leaking public community strings, which can be used for the system and version identification” (Tim & Taylor 2004, p.134). Apart from the help of the aforementioned scanners to carry out enumeration, other ways such as social engineering, eavesdropping, and observation can be used to enumerate the enemy’s networks. Lastly, exploiting is the process through which an offensive hacking approach yields success in gaining control of the attacker. This can be achieved by capitalising on the identified weaknesses and vulnerabilities of the network systems after having successfully profiled, scanned, and enumerated the enemy network system. Some of the essential exploits whose contribution are essential in enhancing the capacity of an organisation to access the machines of the enemies include buffer overflows, unexpected inputs, denial of service, defacements, privileged escalation, and launch pad attacks among others.
Research Problem
In the past, cyber attacks have generally been one-dimensional. The approach through which it has been executed is through service denial, unauthenticated intrusions, and through worms and virus among other approaches. The attacks had been predominantly channeled to mail severs, websites, and even computers of the clients. However, new trends have emerged in which cyber attacks have become diversified to incorporate multi-dimensional coupled with multi-stage attacks, which target network systems, technologies, and even a variety of information flow control tools. The evolution of cyber attacks makes use of the one-dimensional approach such as IPS, IDS, and firewalls among others for mitigating the resulting risks, which are highly ineffective to mitigate the new cyber security threats. This makes alternative ways of dealing with the evolved mechanisms of acerbated threats to organisations’ networks worthwhile for consideration.
Aims and objectives
The principle aim of this desertion paper is:
- To propose offensive hacking as a strategy of enhancing cyber security
- To propose offensive hacking as a strategy that can help reduce the degree of susceptibility of organisations’ information systems to malicious cyber attacks
Problem Statement
The main problem whose solution is sought for in this research is whether new approaches that focus on interacting with the enemy can be found, as opposed to the traditional approaches(IDS, IPS, and firewalls) of handling threats posed to the network systems within an organisation.
Research Hypothesis
In this dissertation paper, it is hypothesised that Cyber SA will be enhanced by enriching information by using Active (offensive hacking). Consequently, running a parallel deception services that copy real service will enhance the probabilities of realising attackers’ intentions. In this sense, defense with Trojan infection capabilities can act actively in the enemy’s domain, which will enhance SA. Hence, hacking capabilities can enhance SA by giving defender a more chance to gather information from the enemy’s domain.
Research questions
In this dissertation, three important research questions are worth seeking response to. These are:
- Can offensive hacking facilitate an organisation’s capacity to access information on a potential enemy posing threat to its network systems?
- What are the implications for this strategy on an organisation seeking to enhance security for its network system through an SA model inspired by offensive hacking techniques?
- If offensive hacking can help in enhancing SA in the realm of CND, what legal limitations exist pertaining to cyberspace security that may discourage an organisation seeking to hack the suspected enemy’s network system to unveil its goals, aims, and missions?
Significance of the Study (Motivation)
CND and SA is just a one-domain focus. All its activities fall in the domain they own. Additionally, current defense mechanisms hardly interact with attackers. They rather only focus on defending. Another approach of dealing with attackers’ threats is through the employment of ‘Endsley’ model of self-awareness. This model is appropriate for cyber security. However, inherent to this model is the challenge of being passive and relaying only information garnered from its domain. With these raised challenges of the existing CND and SA approaches, it is necessary that organisations consider influencing and interacting with enemies in the attempt to learn about their intents rather than just blocking them. This is critical in aiding to garner information about the enemy’s domain. The whole idea is about using deception to redirect the enemies to a remote deception server so that it becomes possible to know their intentions and abilities. This helps in updating an organisation’s system defenses. To achieve these concerns, an active SA is required to help in the identification of who is attacking, why the attacks are done, and the ultimate goal of the attacker. In this context, the main motivation of this research is that making use of an active SA implies that blocking is insufficient since it leads to the loss of important information about the enemy. The implication of this motivation is that, an active SA accords organisation the abilities to attack the enemy’s domain coupled with enriching the capability of an organisation’s SA.
Research Contribution
Hacking is associated with the determination of any weakness in a network system and making use of the vulnerabilities to acerbate attacks on the system. Apart from hacking, an increasing body of literature has emerged evaluating the effectiveness of the existing options for realising cyber security. Some of these approaches include making use of IDS and IPS among others. Nevertheless, these options are one-dimensional and passive in nature. Thus, the contribution of this research is in development of additional approaches of dealing with network enemies in an active way so that the focus of enhancing security of an organisation’s information system shifts from blocking to attacking the enemy’s systems. In this sense, the research contribution is in highlighting the importance of Sun Tzu’s eastern world conceptualisation of war approaches, which focus on the criticality of intelligence, deception to defeat the mind of the enemy, and knowing the relationships between the things that matter most in the strategy of war. A Cyber attack, a warfare executed electronically, has an immense impact on both individual organisation and a nation’s information systems. Hence, it is important to bomb the enemy. This is achievable by disabling and rendering the system of the enemy ineffective. Most paramount to note is that this cannot be achieved through blocking the enemy from getting into the territories of the target. Arguably the way out is to take time to study the enemy’s tactics of war to identify his or her weakness besides capitalising on the way towards destroying him or her. In the cyber war settings, this is achievable by interacting with the enemy and then offensively hacking his or her network systems.
Conclusion
Current computer defense and situational awareness approaches dwell centrally on self-awareness. This trait makes them not to extend beyond their own fields. This paper proposed the techniques of offensive hacking as subtle strategies of dealing with both the present and the future anticipated network threats through interaction with the enemies via deceptive servers. The paper has held that it is crucial for organisations to focus on the introspection of various approaches to enhance organisational security systems. This is crucial while deploying measures to prevent and control the enemies’ attempts to cyber-attack an organisation’s network systems through malwares and denial of services besides accessing an organisation’s information without authority. However, proactive strategies to deal with cyber security threats do not need to focus on blocking the attackers. Rather, the paper argues that such strategies need to be multidimensional so that interaction with the attackers can be enhanced. This makes it possible to learn about the intents of the attackers and hence respond by shutting off their networks so that their malicious codes are ineffective. The paper proposes that this can be achieved through offensive hacking. The approach can help in forcefully having access of the network systems of the enemies to unveil their actual intents, aims, and goals in acerbating their cyber attacks. Measures can then be employed to ensure that the enemy fails in executing his or her missions successfully. This reduces chances of exposing an organisation’s network systems to threats in the future. For this reason, the paper maintained that the best SA strategy is the one that proactively interacts with the cyber attacker through servers that are deceptive. This is necessary to mitigate the risks associated with the interaction process since, in such a process; the genuine information of an organisation may be prejudiced. Upon the establishment of proactive interaction with the enemy, offensive hacking strategies can be deployed to establish connections with the enemy. This helps in accessing the enemies’ log in details into the databases. Consequently, appropriate attacks can be conducted into the enemy’s system often denying accessibility to any service and or destroying it. This way, offensive hacking serves like an active methodology of mitigation of risks posed to an organisation’s system, as opposed to the traditional passive approaches, which principally focus on blocking the enemy. Certainly, the enemy would not enjoy attempting to interfere with the network territories of an organisation. He/she will also regret since he or she will not leave the cyberspace scot-free.
References
Amoroso, E 1999, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, Intrusion.Net Books, New Jersey.
Andress, J & Winterfeld, S 2011, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, Syngress, New Jersey, NJ.
Apro, B & Graeme, H 2005, Hackers: The Hunt for Australia’s Most Infamous Computer Cracker, Five Mile Press, London.
Borchgrave, A et al. 2000, Cyber Threats and Information Security: Meeting the 21st Century Challenge. Washington, D.C., The Center for Strategic and International Studies (CSIS), New York.
Brenner, S 2009, Cyber Threats: The Emerging Fault Lines of the Nation State, Oxford University Press, Oxford.
Busemeyer, R & Diederich, A 2009, Cognitive modeling, Sage, New York, NY.
Computer Economics Malicious Code Attack Economic Impact Update 2008, On- line. Internet, Web.
Cordesman, A 2002, Cyber-Threats, Information Warfare, and Critical Infrastructure, Patience Hall, New Jersey.
Denning, E, 1999, An Intrusion Detection Model, Lunt, Teresa F., “IDES: An Intelligent System for Detecting Intruders, Proceedings of the Symposium on Computer Security; Threats, and Countermeasures, Rome, Italy.
Dutt, V & Gonzalez, C 2011, Cyber situation awareness: Modeling the security analyst in a cyber attack scenario through instance-based learning, Proceedings of the 20th Behaviour Representation in Modeling & Simulation (BRIMS) Conference, Utah, Sundance.
Dutt, V, Cassenti, N, & Gonzalez, C 2010, Modeling a robotics operator manager in a tactical battlefield, Proceedings of the IEEE Conference on Cognitive Methods in Situation Awareness and Decision Support, Miami Beach, FL., Miami.
Endsley, M 1995, ‘Toward a theory of situation awareness in dynamic systems’, Human Factors Journal, vol. 37 no. 1, pp. 32–64.
Endsley, M 2004, Situation awareness: Progress and directions. In Banbury, S., & Tremblay, A cognitive approach to situation awareness: Theory, measurement and application, Ashgate Publishing, Aldershot, UK.
Erbschloe, M 2001, Information Warfare: How to Survive Cyber Attacks, McGraw-Hill, Osborne.
Fulghum, D, Wall, R, & Butler, A 2007, ‘Cyber-Combat’s First Shot’, Aviation Week & Space Technology, vol.167 no.21, pp. 28-51.
Geers K & Eisen, A 2010, ‘Live Fire Exercise: Preparing for Cyber War’, Journal of Homeland Security and Emergency Management, vol. 7 no.1, pp. 1-16.
Geers K 2011, ‘From Cambridge to Lisbon: the quest for strategic cyber defense’, Journal of Homeland Security and Emergency Management, vol.3 no.2, pp. 21-26.
Geers, K & Eisen, A 2007, ‘IPv6: World Update’, ICIW 2007: Proceedings of the 2nd International Conference on Information Warfare and Security, vol. 1 no. 1, pp 85-94.
Geers, K & Temmingh, R 2009, Virtual Plots, Real Revolution; the Virtual Battlefield: Perspectives on Cyber Warfare, Prentice Hall, New Jersey.
Geers, K 2009, ‘The Cyber Threat to National Critical Infrastructures: Beyond Theory’, The Information Security Journal: A Global Perspective, vol. 18, no.1, pp. 1-7.
Geers, K 2010, ‘Cyber Weapons Convention’, Computer Law and Security Review, vol. 26 no. 5, pp. 547-551.
Gonzalez, C & Dutt, V 2010, ‘Instance-based learning: Integrating decisions from experience in sampling and repeated choice paradigms’, Psychological Review, vol. 118 no.4, pp. 412- 417.
Granville, J 2003, ‘Dot con: the dangers of cyber crime and a cal fro proactive solutions’, Australian Journal of Politics and History, vol. 49 no. 1, pp. 102–109.
Gray, H & Head, A 2009, ‘The importance of the internet to the post-modern terrorist and its role as a form of safe haven’, European Journal of Scientific Research, vol. 25 no.3, pp. 396-404.
Jajodia, S, Liu, P, Swarup, V, & Wang, C 2010, Cyber situational awareness, Springer, New York, NY.
James, A 2001, ‘Aggressive cyber war programs’, Foreign Affairs, vol.2 no.1, pp. 121-137.
Lam, F, Beekey, M, & Cayo, K 2003, ‘Can you hack it?’, Security Management, vol.47 no.2, pp. 83-109.
Lewis, A 2010, ‘The Cyber War Has Not Begun’, Center for Strategic and International Studies, vol. 4 no, 1, pp. 211- 219.
Li, J, Ou, X, & Rajagopalan, R 2009, Uncertainty and risk management in cyber situational awareness, Web.
Lunt, F 1993, Detecting Intruders in Computer Systems, 1993 Conference on Auditing and Computer Technology, SRI International.
Lute, H & McConnell, B 2011, A civil perspective on cyber security, Web.
Luzwick, P 2000, ‘Situational Awareness and OODA Loops – Coherent Knowledge Based Operations Applied’, Computer Fraud & Security, vol. 3 no.2, pp. 15-17.
Mattord, V 2008, Principles of Information Security, Oxford University Press, Course Technology, Oxford.
McCumber, J 2004, Assessing and managing security risk in IT systems: A structured methodology, Auerbach Publications, Boca Raton, FL.
Moore, R 2005, Cybercrime: Investigating High Technology Computer Crime, Bender & Company, New York.
Ou, X, Boyer, F, & McQueen, A 2006, A scalable approach to attack graph generation. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Vancouver, British Columbia, Canada.
Paxson, V 1998, Bro: A System for Detecting Network Intruders in Real-Time, Proceedings of The 7th USENIX Security Symposium, San Antonio, TX.
Richmond, R 2010, Malware hits computerised industrial equipment, New York Times, New York.
Rid, T 2011, ‘Will cyber war take place?’ Journal of Strategic Studies, vol.3 no.1, pp. 332-355.
Salter, C, Saydjari, O, Schneier, B, & Wallner, J 1998, Towards a secure system engineering methodology, Proceedings of New Security Paradigms Workshop, Charlottesville, VA, ACM.
Saydjari, S 2004, ‘Cyber Defense: Art to Science’, Communications of the ACM, vol. 47 no.3, pp. 53-57.
Schneier, B 2008, Secrets and Lies: Digital Security in a Networked World, Wiley Computer Publishing, New York City, N.Y.
Shapley, L 2006, ‘Stochastic games’, Proceedings of the National Academy of Sciences of the United States of America, vol. 39 no.3, pp. 1095-1100.
Sideman, A 2011, Agencies must determine computer security teams in face of potential federal shutdown, Web.
Skoudis, E 2006, Counter Hack Reloaded: a Step-By-Step Guide to Computer Attacks and Effective Defenses, Prentice Hall, New Jersey.
Tadda, G, Salerno, J, Boulware, D, Hinman, M, & Gorton, S 2006, Realising Situation Awareness within a Cyber Environment, Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications , Bellingham, WA.
Tadda, G, Salerno, J, Boulware, D, Hinman, M, & Gorton, S 2006, ‘Realising situation awareness within a cyber environment’, Proceedings of SPIE, vol. 62 no.42, pp. 624-204.
The White House 2006, National Military Strategy for Cyberspace Operations, White House, New York.
Thomas, D 2010, Hacker Culture, University of Minnesota Press, Minnesota.
Tim, P & Taylor, A 2004, Hacktivism and Cyberwars, Routledge, London.