By Richard Stiennon, Chief Research Analyst, IT-Harvest
Dec 15 2009 - A recent spate of news reports and scholarly publications has discussed the policy aspects of cyber war: offensive versus defensive, military buildup, and appropriate reactions.
There have been no reports dealing with the technology of engaging in cyber war.
This excerpt from my chapter The Four Pillars of Cyber War, which will appear in the soon-to-be-published Surviving Cyber War (Government Institutes, 2010), may serve as a basis for considering the weaponization of digital technologies for engaging in cyber war:
Every new form of war drives changes in technology. Conversely, the technology causes the change in the methods and outcomes of wars. Effective cyber war is driven by the cyber equivalent of an arms race. The attacker discovers and devises new attack methodologies while the defender shores up his defenses by blocking ports, patching systems and deploying technology. There are eleven areas of development in offensive technology to be brought to bear on the problems of cyber war.
1. Vulnerability discovery and exploitation. Every application on every server has what are called attack surfaces. These are program inputs and outputs that may be vulnerable to exploitation. The exploit could take advantage of a bug in the code that exposes its internal workings and accepts arbitrary commands that are passed through to the operating system, which in turn could give the attacker complete control of the target computer.
The input vectors could come from network ports the application is listening on or user input from a web form or communication with another application.
The attacker studies each application by looking at its source code if it is available (as it is in all open source programs such as Firefox, Apache or Joomla) or at its assembly code, which they obtain through a process called reverse engineering.
An attacker can also pummel the application with randomly "fuzzed" input and watch for responses that indicate a previously undiscovered vulnerability has been exposed.
An effective cyber war operation would include a team whose sole purpose would be discovering such vulnerabilities and developing attack methodologies.
Those attack methodologies should be designed to be easy to execute quickly and should be engineered so that the exploitation is hard to detect by the defender.
In addition to new vulnerabilities, most systems are replete with previously discovered vulnerabilities because they have not been patched or protected. A cyber war operation would devise new ways to attack those systems by exploiting known vulnerabilities.
2. Automation is the best way to multiply the effectiveness of cyber attacks. Once a specific IT asset has been identified, an automated attack can open it up, search for and steal information, and then clean up its tracks.
The defender may never know of the event. Completely automated attack solutions could scan for targets, identify them, exploit them, and retrieve data for later analysis.
3. Management of cyber warfare operations is in its infancy. Most attacks are still orchestrated by one individual sitting at a computer.
Managing the simultaneous attack against multiple targets using diverse tools, by many cyber operatives, and collecting the data or managing the control programs left behind after the attack is a capability that, when addressed by cyber warfare operations, will yield valuable results.
Cyber criminals have already made progress in managing their operations. Phishing attacks involve copying the look of a target system, usually a bank but potentially any application that has user access controls, spamming millions of email accounts, and finally recording user access credentials and breaking into accounts and transferring funds out of them.
Today there are management consoles that can be installed on a compromised machine that provide a web interface to the entire phishing operation, including storing the identities of compromised accounts.
That level of automation and central management will soon be practiced by cyber warriors.
4. Malware. Some discovered exploits lend themselves to the writing of software packages that can take advantage of vulnerabilities to install themselves on the target system. This is the realm of viruses, worms, and Trojan horses. A cyber warfare operation would employ teams whose responsibility it would be to create such malware. The purposes would be multi-fold. Viruses and worms can be used to recruit vulnerable machines into a bot-net. This is no more than a collection of compromised computers that listen and respond to commands. Those commands could be instructions to download new components, which could in turn launch denial of service attacks, sniff and report network traffic, or eavesdrop on email, IM, and web conversations.

The spread of malware can also have the effect of a widely cast net. The attacker hopes that by sifting through the results of reports from thousands, even millions, of infected machines he may identify a machine belonging to a key member of a target organization. It is hypothesized that this is the manner in which a significant chunk of source code for the Windows OS was stolen. A computer belonging to a Microsoft developer who worked from home was infected. His remote access (VPN) credentials were stolen, and Windows source code eventually ended up on the Internet as the object of an auction.

Trojan horses are a primary technology of cyber warfare. A Trojan horse is code that is surreptitiously installed on a computer and grants the attacker remote control over his target.