Three essays on international cyber threats: Target nation characteristics, international rivalry, and asymmetric information exchange

Mauslein, Jacob A.

January 1900

Doctor of Philosophy / Security Studies / Jeffrey J. Pickering / As the Internet is progressively integrated into industrial and defense-related networks around the globe, it is becoming increasingly important to understand how state and sub-state groups can use Internet vulnerabilities as a conduit of attack. The current social science literature on cyber threats is largely dominated by descriptive, U.S.-centric research. While this scholarship is important, the findings are not generalizable and fail to address the global aspects of network vulnerabilities. As a result, this dissertation employs a unique dataset of cyber threats from around the world, spanning from 1990 to 2011. This dataset allows for three diverse empirical studies to be conducted. The first study investigates the political, social, and economic characteristics that increase the likelihood of a state being targeted for cyber threats. The results show that different state characteristics are likely to influence the forms of digital attack targeting. For example, states that experience increases in GDP per capita and military size are more likely to be targeted for cyber attacks. Inversely, states that experience increases in GDP per capita and those that are more democratic are less likely to be targeted for cyber terrorism. The second study investigates the role that international rivalries play in cyber threat targeting. The results suggest that states in rivalries may have more reason to strengthen their digital security, and rival actors may be cautious about employing serious, threatening forms of cyber activity against foes because of concerns about escalation. The final study, based upon the crisis bargaining theory, seeks to determine if cyber threat targeting decreases private information asymmetry and therefore decreases conflict participation. Empirical results show that the loss of digital information via cyber means may thus illicit a low intensity threat or militarized action by a target state, but it also simultaneously increases the likelihood that a bargain may be researched, preventing full scale war by reducing the amount of private information held between parties.

Cyber attack

Cyber terrorism

Cyber espionage

Targeting

Interstate rivalry

Crisis bargaining

Political Science (0615)

Constructing a Cyber Preparedness Framework (CPF): The Lockheed Martin Case Study

Beyer, Dawn Marie

01 January 2014

The protection of sensitive data and technologies is critical in preserving United States (U.S.) national security and minimizing economic losses. However, during a cyber attack, the operational capability to constrain the exfiltrations of sensitive data and technologies may not be available. A cyber preparedness methodology (CPM) can improve operational capability and cyber security. The CPM enables a corporation to (a) characterize cyber threats; (b) determine the level of preparedness necessary to ensure mission success; (c) facilitate strategic planning for cyber security (CS); and (d) establish priorities for CS investment planning and management decisions. The cyber preparedness framework (CPF) underlies the CPM. A corporation's leadership articulates its fundamental approach to risk management (RM) and mission assurance, and determines its target level of preparedness. Typically, corporations utilize the CPF to (a) characterize the caliber of the threat; (b) assess the technical and operational capabilities to counter the threat; and (c) develop the governance and processes necessary to achieve its cyber preparedness level. The problem that was investigated in this case study was how to construct a CPF for Lockheed Martin (LM) that works in conjunction with a risk management process (RMP). The goal was to extend the CPF into an RMP to construct a risk management framework (RMF) paradigm that can aid similarly large-sized private sector U.S. Government (USG) contractors in implementing the CPM. In this investigation, the author identified the corporate (a) security categorization, (b) cyber threats, (c) cyber threat level, (d) cyber preparedness level, (e) capabilities the corporation should utilize to counter cyber threats, and (f) governance and processes necessary to achieve the cyber preparedness level for a large-sized private sector USG contractor. The results of this investigation were organized in terms of RMP phases. Based on the results, the author constructed an RMF paradigm that can aid similarly large-sized USG contractors in implementing a CPM.

Advanced Persistent Threats

Cyber Espionage

Cyber Preparedness

Information Security

Risk Management

Security Engineering

Computer Sciences

The Defense Against the latest Cyber Espionage both insider and outsider attacks

Nsambu, Emmanuel, Aziz, Danish

January 2012

This study was carried out with the intention of examining the defensive mechanism employed against the latest cyber espionage methods including both insider and outsider attacks. The main focus of this study was on web servers as the targets of the cyber attacks. Information in connection to the study was obtained from researchers’ online articles. A survey was also conducted at MidSweden University in order to obtain information about the latest cyber attacks on web servers and about the existing defensive mechanism against such attacks. The existing defensive mechanism was surveyed and a simple design was created to assist in the investigation of the efficiency of the system. Some simple implementations of the existing defensive mechanism were made in order to provide some practical results that were used for the study. The existing defensive mechanism was surveyed and improved upon where possible. The improved defensive mechanism was designed and implemented and its results were compared with the results from the existing defensive mechanism. Due to the fact that the majority of the attackers use defensive mechanisms’ vulnerability in order to find their way into devices such as web servers, it was felt that, even with the most sophisticated improved defensive mechanism in place, it would not be entirely correct to claim that it is possible to fully protect web servers against such attacks.

Cyber attacks

Cyber Esionage

Hackers

SQL injection

DDoS attack

DoS attack

Open-source environmental scanning and risk assessment in the statutory counterespionage milieu

Duvenage, Petrus Carolus

23 May 2011

The research focuses on the utilisation of open-source information in augmentation of the all-source counterespionage endeavour. The study has the principal objective of designing, contextualising and elucidating a micro-theoretical framework for open-source environmental scanning within the civilian, statutory counterespionage sphere. The research is underpinned by the central assumption that the environmental scanning and the contextual analysis of overt information will enable the identification, description and prioritisation of espionage risks that would not necessarily have emerged through the statutory counterespionage process in which secretly collected information predominates. The environmental scanning framework is further assumed to offer a theoretical foundation to surmount a degenerative counterespionage spiral driven by an over-reliance on classified information. Flowing from the central assumption, five further assumptions formulated and tested in the research are the following: (1) A methodically demarcated referent premise enables the focusing and structuring of the counterespionage environmental scanning process amid the exponential proliferation of overt information. (2) Effective environmental scanning of overt information for counterespionage necessitates a distinctive definition of ‘risk’ and ‘threat’, as these are interlinked yet different concepts. It is therefore asserted that current notions of ‘threat’ and ‘risk’ are inadequate for feasible employment within an overt counterespionage environmental scanning framework. (3) A framework for overt counterespionage environmental scanning has as its primary requirement the ability to identify diverse risks, descriptively and predicatively, on a strategic as well as a tactical level. (4) The degree of adversity in the relationship between a government and an adversary constitutes the principal indicator and determinant of an espionage risk. (5) The logical accommodation of a framework for overt counterespionage environmental scanning necessitates a distinctive counterintelligence cycle, as existing conceptualisations of the intelligence cycle are inadequate. The study’s objective and the testing of these five assumptions are pursued on both the theoretical and pragmatic-utilitarian levels. The framework for counterespionage, open-source environmental scanning and risk assessment is presented as part of a multilayered unison of alternative theoretical propositions on the all-source intelligence, counterintelligence and counterespionage processes. It is furthermore advanced from the premise of an alternative proposition on an integrated approach to open-source intelligence. On a pragmatic-utilitarian level, the framework’s design is informed and its application elucidated through an examination of the 21st century espionage reality confronting the nation state, contemporary statutory counterintelligence measures and the ‘real-life’ difficulties of open-source intelligence confronting practitioners. Although with certain qualifications, the assumptions are in the main validated by the research. The research furthermore affirms this as an exploratory thesis in a largely unexplored field. / Thesis (Ph.D)--University of Pretoria, 2010. / Political Sciences / Unrestricted

UCTD

Business Intelligence

Cyber espionage

Competitor Intelligence

Competitive Intelligence

CounterEspionage

Environmental Scanning

Knowledge Management

National Security

Open-Source intelligence (OSInt)

Kybernetická bezpečnost: vztah USA a Číny / Cyber Security: US - Chinese Relations

Debnárová, Barbora

January 2015

This diploma thesis deals with cyber relation of the United States of America and the People's republic of China. The aim of this diploma thesis is to answer the following questions: What kind of cyber threat for the United States does China represent? How is China's cyber strategy characterised? How do USA react on this threat and what are the gaps in this reaction? The thesis is divided into four chapters. The first chapter deals with definition of cyberwarfare and its perception in Chinese context. The second chapter analyses USA - China relation and its implication for cyber security. The third chapter represents US reaction on Chinese cyber threat. The last chapter deals with the gaps in the reaction. Keywords USA, China, cyber threat, cyberwarfare, cyber espionage

Increasing Effectiveness of U.S. Counterintelligence: Domestic and International Micro-Restructuring Initiatives to Mitigate

Ferguson, Cody J.

20 August 2012

Approved for public release; distribution is unlimited. / Cyberespionage is a prolific threat that undermines the power projection capacity of the United States through reduced economic prowess and a narrowing of the technical advantage employed by the American military. International attempts to limit hostile cyber activity through the development of institutions, normative patterns of behavior, or assimilation of existing laws do not provide the American national security decision maker with a timely or effective solution to address these threats. Unfortunately, the stove-piped, redundant and inefficient nature of the U.S. counterintelligence community does not deliver a viable alternative to mitigating cyberespionage in an effective manner. Instituting a domestic and international micro-restructuring approach within the Department of Defense (DoD) addresses the need for increased effectiveness within an environment of fiscal responsibility. Domestic restructuring places emphasis on developing a forcing mechanism that compels the DoD counterintelligence services to develop joint approaches for combating cyberespionage by directly addressing the needs of the Combatant Commands. International restructuring places an emphasis on expanding cybersecurity cooperation to like-minded nations and specifically explores the opportunity and challenges for increased cyber cooperation with Taiwan. This approach recognizes that Taiwan and the United States are both negatively affected from hostile cyber activity derived from within the People’s Republic of China.

Counterintelligence

Reform

Restructuring

Effectiveness

Counterespionage

Counter-espionage

Cyberespionage

Cyber-espionage

Cybersecurity

Cyber-security

Cyberattack

Cyber-attack

Taiwan

Naval Criminal Investigative Service

NCIS

AFOSI

Law Enforcement

Micro-restructing

Modeling of Advanced Threat Actors: Characterization, Categorization and Detection

Villalón Huerta, Antonio

05 June 2023

Tesis por compendio / [ES] La información y los sistemas que la tratan son un activo a proteger para personas, organizaciones e incluso países enteros. Nuestra dependencia en las tecnologías de la información es cada día mayor, por lo que su seguridad es clave para nuestro bienestar. Los beneficios que estas tecnologías nos proporcionan son incuestionables, pero su uso también introduce riesgos que ligados a nuestra creciente dependencia de las mismas es necesario mitigar. Los actores hostiles avanzados se categorizan principalmente en grupos criminales que buscan un beneficio económico y en países cuyo objetivo es obtener superioridad en ámbitos estratégicos como el comercial o el militar. Estos actores explotan las tecnologías, y en particular el ciberespacio, para lograr sus objetivos. La presente tesis doctoral realiza aportaciones significativas a la caracterización de los actores hostiles avanzados y a la detección de sus actividades. El análisis de sus características es básico no sólo para conocer a estos actores y sus operaciones, sino para facilitar el despliegue de contramedidas que incrementen nuestra seguridad. La detección de dichas operaciones es el primer paso necesario para neutralizarlas, y por tanto para minimizar su impacto. En el ámbito de la caracterización, este trabajo profundiza en el análisis de las tácticas y técnicas de los actores. Dicho análisis siempre es necesario para una correcta detección de las actividades hostiles en el ciberespacio, pero en el caso de los actores avanzados, desde grupos criminales hasta estados, es obligatorio: sus actividades son sigilosas, ya que el éxito de las mismas se basa, en la mayor parte de casos, en no ser detectados por la víctima. En el ámbito de la detección, este trabajo identifica y justifica los requisitos clave para poder establecer una capacidad adecuada frente a los actores hostiles avanzados. Adicionalmente, proporciona las tácticas que deben ser implementadas en los Centros de Operaciones de Seguridad para optimizar sus capacidades de detección y respuesta. Debemos destacar que estas tácticas, estructuradas en forma de kill-chain, permiten no sólo dicha optimización, sino también una aproximación homogénea y estructurada común para todos los centros defensivos. En mi opinión, una de las bases de mi trabajo debe ser la aplicabilidad de los resultados. Por este motivo, el análisis de tácticas y técnicas de los actores de la amenaza está alineado con el principal marco de trabajo público para dicho análisis, MITRE ATT&CK. Los resultados y propuestas de esta investigación pueden ser directamente incluidos en dicho marco, mejorando así la caracterización de los actores hostiles y de sus actividades en el ciberespacio. Adicionalmente, las propuestas para mejorar la detección de dichas actividades son de aplicación directa tanto en los Centros de Operaciones de Seguridad actuales como en las tecnologías de detección más comunes en la industria. De esta forma, este trabajo mejora de forma significativa las capacidades de análisis y detección actuales, y por tanto mejora a su vez la neutralización de operaciones hostiles. Estas capacidades incrementan la seguridad global de todo tipo de organizaciones y, en definitiva, de nuestra sociedad. / [CA] La informació i els sistemas que la tracten són un actiu a protegir per a persones, organitzacions i fins i tot països sencers. La nostra dependència en les tecnologies de la informació es cada dia major, i per aixó la nostra seguretat és clau per al nostre benestar. Els beneficis que aquestes tecnologies ens proporcionen són inqüestionables, però el seu ús també introdueix riscos que, lligats a la nostra creixent dependència de les mateixes és necessari mitigar. Els actors hostils avançats es categoritzen principalment en grups criminals que busquen un benefici econòmic i en països el objectiu dels quals és obtindre superioritat en àmbits estratègics, com ara el comercial o el militar. Aquests actors exploten les tecnologies, i en particular el ciberespai, per a aconseguir els seus objectius. La present tesi doctoral realitza aportacions significatives a la caracterització dels actors hostils avançats i a la detecció de les seves activitats. L'anàlisi de les seves característiques és bàsic no solament per a conéixer a aquests actors i les seves operacions, sinó per a facilitar el desplegament de contramesures que incrementen la nostra seguretat. La detección de aquestes operacions és el primer pas necessari per a netralitzar-les, i per tant, per a minimitzar el seu impacte. En l'àmbit de la caracterització, aquest treball aprofundeix en l'anàlisi de lestàctiques i tècniques dels actors. Aquesta anàlisi sempre és necessària per a una correcta detecció de les activitats hostils en el ciberespai, però en el cas dels actors avançats, des de grups criminals fins a estats, és obligatòria: les seves activitats són sigiloses, ja que l'éxit de les mateixes es basa, en la major part de casos, en no ser detectats per la víctima. En l'àmbit de la detecció, aquest treball identifica i justifica els requisits clau per a poder establir una capacitat adequada front als actors hostils avançats. Adicionalment, proporciona les tàctiques que han de ser implementades en els Centres d'Operacions de Seguretat per a optimitzar les seves capacitats de detecció i resposta. Hem de destacar que aquestes tàctiques, estructurades en forma de kill-chain, permiteixen no només aquesta optimització, sinò tambié una aproximació homogènia i estructurada comú per a tots els centres defensius. En la meva opinio, una de les bases del meu treball ha de ser l'aplicabilitat dels resultats. Per això, l'anàlisi de táctiques i tècniques dels actors de l'amenaça està alineada amb el principal marc públic de treball per a aquesta anàlisi, MITRE ATT&CK. Els resultats i propostes d'aquesta investigació poden ser directament inclosos en aquest marc, millorant així la caracterització dels actors hostils i les seves activitats en el ciberespai. Addicionalment, les propostes per a millorar la detecció d'aquestes activitats són d'aplicació directa tant als Centres d'Operacions de Seguretat actuals com en les tecnologies de detecció més comuns de la industria. D'aquesta forma, aquest treball millora de forma significativa les capacitats d'anàlisi i detecció actuals, i per tant millora alhora la neutralització d'operacions hostils. Aquestes capacitats incrementen la seguretat global de tot tipus d'organitzacions i, en definitiva, de la nostra societat. / [EN] Information and its related technologies are a critical asset to protect for people, organizations and even whole countries. Our dependency on information technologies increases every day, so their security is a key issue for our wellness. The benefits that information technologies provide are questionless, but their usage also presents risks that, linked to our growing dependency on technologies, we must mitigate. Advanced threat actors are mainly categorized in criminal gangs, with an economic goal, and countries, whose goal is to gain superiority in strategic affairs such as commercial or military ones. These actors exploit technologies, particularly cyberspace, to achieve their goals. This PhD Thesis significantly contributes to advanced threat actors' categorization and to the detection of their hostile activities. The analysis of their features is a must not only to know better these actors and their operations, but also to ease the deployment of countermeasures that increase our security. The detection of these operations is a mandatory first step to neutralize them, so to minimize their impact. Regarding characterization, this work delves into the analysis of advanced threat actors' tactics and techniques. This analysis is always required for an accurate detection of hostile activities in cyberspace, but in the particular case of advances threat actors, from criminal gangs to nation-states, it is mandatory: their activities are stealthy, as their success in most cases relies on not being detected by the target. Regarding detection, this work identifies and justifies the key requirements to establish an accurate response capability to face advanced threat actors. In addition, this work defines the tactics to be deployed in Security Operations Centers to optimize their detection and response capabilities. It is important to highlight that these tactics, with a kill-chain arrangement, allow not only this optimization, but particularly a homogeneous and structured approach, common to all defensive centers. In my opinion, one of the main bases of my work must be the applicability of its results. For this reason, the analysis of threat actors' tactics and techniques is aligned with the main public framework for this analysis, MITRE ATT&CK. The results and proposals from this research can be directly included in this framework, improving the threat actors' characterization, as well as their cyberspace activities' one. In addition, the proposals to improve these activities' detection are directly applicable both in current Security Operations Centers and in common industry technologies. In this way, I consider that this work significantly improves current analysis and detection capabilities, and at the same time it improves hostile operations' neutralization. These capabilities increase global security for all kind of organizations and, definitely, for our whole society. / Villalón Huerta, A. (2023). Modeling of Advanced Threat Actors: Characterization, Categorization and Detection [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/193855 / Compendio

Explotación del ciberespacio

Ciberespionaje

Ataque ciberespacial

Técnicas Mitre

Matriz Mitre Attack

Tácticas CNA

Actores de amenazas

Cyber espionage

Cyberspace exploitation

Cyberspace attack

Mitre matrix tactics and techniques

CNA Tactics

Advanced Threat Actors

MITRE ATT&CK