MASTER'S THESIS
Defence Against Cyber-Espionage: A Cyber-Defence For IT Assets In Armed Forces As Exemplary Use Case
Christian Forst, 2016
Master (120 credits), Master of Science in Information Security
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering
Supervisor: Maung K. Sein
In cooperation with the Swedish Armed Forces; supervisor: Ross Tsagalidis
August 10, 2016

ABSTRACT
Cyber espionage is a very significant threat to various IT systems, such as those of the military, business networks and industrial control systems, which makes it necessary to take an in-depth look at defence mechanisms against cyber espionage and at how to put those defence mechanisms into the context of specific scenarios. This thesis defines military scenarios as a practical use case in order to analyse the main threats and actors that can be found in the context of cyber espionage. Furthermore, general countermeasures against the chosen espionage attack types are introduced, brought into the context of specific military use cases and combined with a detailed explanation of how to implement the resulting security strategy in practice. A descriptive statistical evaluation and the expertise of experts from different areas of information security, including the military, ensure that the proposed security strategy is sufficient to help mitigate cyber espionage in general and in specific use cases such as the IT assets of armed forces.
ABBREVIATIONS
AES     Advanced Encryption Standard
CPU     Central Processing Unit
CSRF    Cross Site Request Forgery
DDoS    Distributed Denial Of Service
DES     Data Encryption Standard
DLP     Data Leakage Prevention
DoS     Denial Of Service
GMR-1   GEO-Mobile Radio
GSM     Global System for Mobile Communications
FA      Functional Areas
EA      Eavesdropping
EX      Exfiltration
HQ      Headquarters
ID      Identity
IDS     Intrusion Detection System
IPS     Intrusion Prevention System
IPSec   Internet Protocol Security
IT      Information Technology
LTE     Long Term Evolution
MA      Malware
MO      Mobile Operation
PC      Personal Computer
PGP     Pretty Good Privacy
QoS     Quality Of Service
S/MIME  Secure / Multipurpose Internet Mail Extensions
SE      Social Engineering
SMTP    Simple Mail Transfer Protocol
SQL     Structured Query Language
SwAF    Swedish Armed Forces
TLS     Transport Layer Security
URL     Uniform Resource Locator
USA     United States Of America
USB     Universal Serial Bus
XSS     Cross Site Scripting

CONTENTS
1 Introduction
  1.1 Motivation
  1.2 Research Questions
2 Literature Review
  2.1 What Is Cyber Espionage?
  2.2 Threats In Cyberspace
  2.3 Cyber Security Incidents
  2.4 Countermeasuring Cyber Espionage
  2.5 Summary
3 Methodology
  3.1 Research Method
  3.2 Realization
4 Use Cases
  4.1 Scenario One - Daily Work In A Headquarters
    4.1.1 Key Characteristics
  4.2 Scenario Two - Mobile Operations
    4.2.1 Key Characteristics
  4.3 Characteristics Of Military-Scenarios
5 Threats
  5.1 Attacks
  5.2 Actors
6 Cyber Defence
  6.1 Exfiltration
  6.2 Social Engineering
  6.3 Malware
  6.4 Eavesdropping
  6.5 Synthesis
    6.5.1 Technical Defence
    6.5.2 Rules
7 Evaluation
  7.1 Attack Scenarios
    7.1.1 Inside Threats
    7.1.2 Outside Threats
  7.2 Defence-Verification
    7.2.1 Threat 1: HQ-EX1
    7.2.2 Threat 2: HQ-EX2
    7.2.3 Threat 3: HQ-EX3
    7.2.4 Threat 4: MO-EX1
    7.2.5 Threat 5: MO-EX2
    7.2.6 Threat 6: MO-EX3
    7.2.7 Threat 7: HQ-SE1
    7.2.8 Threat 8: HQ-SE2
    7.2.9 Threat 9: MO-SE1
    7.2.10 Threat 10: MO-SE2
    7.2.11 Threat 11: HQ-MA1
    7.2.12 Threat 12: HQ-MA2
    7.2.13 Threat 13: MO-MA1
    7.2.14 Threat 14: MO-MA2
    7.2.15 Threat 15: HQ-EA1
    7.2.16 Threat 16: MO-EA1
  7.3 Result
8 Conclusion
  8.1 Summary And Contribution
  8.2 Limitations And Future Work
Bibliography

LIST OF FIGURES
Figure 1   Cyberspace as the 5th dimension of warfare
Figure 2   Research questions which will be covered by the thesis
Figure 3   Extract of the attack classification diagram of [11]
Figure 4   Overview of the chosen literature with influence on this thesis
Figure 5   Typical steps in Design Research
Figure 6   Overview of which design-research steps are covered by which thesis chapters
Figure 7   The (simplified) network of a military headquarters
Figure 8   The (simplified) network of mobile operations
Figure 9   Key characteristics of the scenarios
Figure 10  Characteristics of military scenarios compared to standard scenarios
Figure 11  Choice of relevant risks to be treated within the thesis
Figure 12  Adversaries which can play a role in cyber espionage
Figure 13  Defence goals: mitigation, complication, detection and impact reduction
Figure 14  Main techniques against exfiltration attacks (green: the technique can be used for the specified task)
Figure 15  Main techniques against social engineering attacks (green: the technique can be used for the specified task)
Figure 16  Main techniques against malware attacks (green: the technique can be used for the specified task)
Figure 17  Main techniques against eavesdropping attacks (green: the technique can be used for the specified task)
Figure 18  The proposed security defence will be built based on the defined scenarios and the recommended security measures for each type of attack
Figure 19  Security mechanisms in the context of the stationary scenario
Figure 20  Security mechanisms in the context of the mobile scenario
Figure 21  An extract of the HQ scenario with opportunities to perform exfiltration attacks
Figure 22  An extract of the mobile scenario with opportunities to perform exfiltration attacks
Figure 23  An extract of the HQ scenario with opportunities to perform social-engineering attacks
Figure 24  An extract of the mobile scenario with opportunities to perform social-engineering attacks
Figure 25  An extract of the HQ scenario with opportunities to perform malware attacks
Figure 26  An extract of the mobile scenario with opportunities to perform malware attacks
Figure 27  An extract of the HQ scenario with opportunities to perform eavesdropping attacks
Figure 28  An extract of the mobile scenario with opportunities to perform eavesdropping attacks
Figure 29  Evaluation of the attack scenario HQ-EX1
Figure 30  Evaluation of the attack scenario HQ-EX2
Figure 31  Evaluation of the attack scenario HQ-EX3
Figure 32  Evaluation of the attack scenario MO-EX1
Figure 33  Evaluation of the attack scenario MO-EX2
Figure 34  Evaluation of the attack scenario MO-EX3
Figure 35  Evaluation of the attack scenario HQ-SE1
Figure 36  Evaluation of the attack scenario HQ-SE2
Figure 37  Evaluation of the attack scenario MO-SE1
Figure 38  Evaluation of the attack scenario MO-SE2
Figure 39  Evaluation of the attack scenario HQ-MA1
Figure 40  Evaluation of the attack scenario HQ-MA2
Figure 41  Evaluation of the attack scenario MO-MA1
Figure 42  Evaluation of the attack scenario MO-MA2
Figure 43  Evaluation of the attack scenario HQ-EA1
Figure 44  Evaluation of the attack scenario MO-EA1

1 INTRODUCTION

1.1 Motivation

Espionage has a long history, including for example incidents of computer espionage during the Cold War [1]. This long history is unsurprising, since information technology (IT) has influenced military processes as well as businesses and private life from the start. It helped not only to make our private lives more efficient, but was, even in its early stages, used to share large amounts of information between forces within a very short time. This influenced not only the quality of information, but also the situational awareness in various scenarios [2]. However, even though information technology comes with plenty of advantages, it also has a dark side. Since IT has reached a high degree of ubiquity, it does not only support us, but also offers a wide variety of vectors for targeting IT systems with various cyber attacks.
In contrast to conventional warfare, winning battle-space is not the priority when it comes to cyber war. Cyber warfare is rather an asymmetric style of war in which the main aims are to disrupt, distract or weaken the enemy [2]. This asymmetry allows successful attacks to be performed with low resources, such as limited bandwidth, whereas a satisfying level of security normally comes together with higher complexity and costs [2]. And even though we are gaining more and more knowledge about current technologies, the complexity of current IT systems, which act more like all-round systems instead of specialised tools, makes us more and more vulnerable [1]. This applies especially, but not exclusively, to military IT assets, which are one crucial pillar for the success of critical military operations, as visualised in Figure 1, in which cyberspace is included as the 5th dimension of warfare that cannot be seen apart from the conventional dimensions: a ubiquitous supporting dimension of warfare [3]. And still, many countries rely on the information systems of other nations. Russia, for example, uses components and contractors from Germany, Slovenia, Sweden, France, the USA and more. Even the communication networks of the Ministry of Defence are leased and not built with its own resources, which is why forces with such dependencies have to reckon with possible cyber espionage even more [4]. Considering this, it is not surprising that nations are accusing each other of performing nation-driven attacks