Leveraging Cyberspace - Marine Corps Association

Leveraging Cyberspace
Reconnaissance and counter-reconnaissance in the information environment
by Capt Michael Holdridge

Marine Corps Gazette • September 2021 • Ideas & Issues (MCISRE/OIE) • www.mca-marines.org/gazette

Maj Holdridge is the 2d MARDIV G-6 Operations Officer. He was previously the Commanding Officer for Company C, 8th Communication Battalion.

The Watch Officer for the MEB Operations Center attempts to log in to his NIPR computer but receives an error stating his account is locked because of excessive failed login attempts. He angrily calls over to the Communication Help Desk, stating that he had just come on shift and had not attempted to log in yet. The Help Desk Marines re-enable his account, and he successfully logs on. When he checks his inbox, he finds a few unread emails from the day prior that he does not recognize. At the same moment, he hears the G-4 Operations section calling down to the CLR to ask why the infantry regiment never received its ammo and fuel resupply. He overhears the MEB Surgeon talking about CASEVAC flights being cancelled without reason. When he looks at the common operating picture, he realizes that the delayed resupply caused the eastern flank of the infantry regiment to become exposed. Simultaneously, he overhears a report of troops in contact from within the rear area.

Unbeknownst to the MEB watch officer, the adversary had gained access to the MEB communications network and had stolen his login credentials. Using his credentials, the adversary leveraged the unclassified logistics programs to cancel the resupply for the infantry regiment. Additionally, the adversary sent false weather reports to the Marine Air Wing, grounding the CASEVAC flights and causing a lengthy delay in life support for the troops in contact. The adversary also leveraged access to these logistics programs to identify staging areas for combat service support and gaps in the front line. With this knowledge, the adversary sent special operations forces to penetrate friendly lines and attack the ground lines of communication in these now-exposed areas.

This vignette demonstrates the possible results of the invisible reconnaissance that occurs on the front lines of the information domain on a daily basis. It reveals the very real way that operations in the information environment can impact the kinetic battle and operations across the land, air, space, and sea domains. In the scenario, the failure to investigate the account access issues and suspect emails caused the MEB to overlook a gap that the adversary was actively exploiting. The end result of this critical gap leads directly to mission failure. Within the Marine Corps, the MEF Information Group is leading the charge to address these gaps head on by strengthening the relationship between the 17XX Cyberspace Operations, 02XX Intelligence, and 06XX Communication occupational fields.

For the Marine Corps to succeed in the era of great power competition, the Service must continue to increase the synergy between communicators and defensive cyberspace operators to better enable both reconnaissance and counter-reconnaissance.

Two recent incidents demonstrate the importance of the synergy between communication elements and cyberspace: the NotPetya attack in Ukraine in 2017 and the 2021 Colonial Pipeline ransomware attack.[1] The NotPetya attack was a cyberattack targeting civilian and government users in Ukraine that leveraged the Eternal Blue exploit: a National Security Agency tool that the hacking group Shadow Brokers stole in 2017.[2] The Eternal Blue exploit targets a vulnerability in Microsoft's Server Message Block Protocol that tricks a breached system into allowing illegitimate traffic into the network. Once the Eternal Blue tool was stolen, the National Security Agency alerted Microsoft, who then released a patch in March 2017 that addressed the vulnerabilities.[3] The impact of NotPetya in Ukraine was immediate, as the attack wiped data from banks, energy firms, government officials, and an airport.[4] The attack crippled and froze domestic functions
at all affected entities within Ukraine and caused major difficulties for the Ukrainian government in managing the ongoing conflict with pro-Russian separatists in the Donbass region.[5] This attack demonstrated that the cyberspace domain is not limited to geographic borders, a theater of operations, or an area of responsibility. Our adversaries do not have the same reluctance to target civilian infrastructure, non-military targets, or even their own citizens. All targets are fair game.

The 2021 Colonial Pipeline hack, which impacted oil distribution across the Southeastern United States, was the result of a compromised password leaked onto a hacker forum.[6] Compromised passwords are often leaked across the dark web, a collection of difficult-to-find websites designed to promulgate hacking tools, and such leaks are a common source of intelligence for cybersecurity firms. Additionally, during the course of the Colonial Pipeline investigation, it was found that Colonial Pipeline did not use multi-factor authentication, an account access method that requires more than just a username and password, such as a text message to a phone in the case of many banks or the use of a logon token for government computers.[7] Multifactor authentication is a basic cybersecurity tool that has been used for decades and is a common security practice among network administrators worldwide.

Neither of these incidents involved direct kinetic attacks between the perpetrators and the victims, but both possess the same devastating ability to shape the battlefield below the level of armed conflict. These attacks serve as a warning of what we will shortly face on the modern battlefield: cyberattacks designed to damage our ability to communicate and conduct basic operational and support functions, to gain intelligence on our operations, to shift our focus, and to disorient our military. As the Commandant has already pointed out, "the answer to the question of how we may best support the broader effort, it seems increasingly likely, is not lethal fires as an end themselves but rather reconnaissance and counter-reconnaissance applied in all domains and across the competition continuum."[8]

Most importantly, however, these attacks could have been completely mitigated through a concerted approach to preventing cyberattacks. Both intrusions relied upon vulnerable systems for which fixes already existed. Without network and system administrators to apply the patches, without a defensive cyberspace capability to assess the threat environment, and without intelligence teams to gather the relevant information, the victims of NotPetya and Colonial Pipeline were left unaware of the risks they faced. If Colonial Pipeline and Ukraine had had those teams in place, as the DOD currently does, they could have prevented these attacks from occurring in the first place.

Before We Go Any Further, Some Definitions

To fully understand the impact of these cyberattacks, it is important to understand what ransomware attacks are. Ransomware, as seen in the Colonial Pipeline incident, is an attack in which an adversary infiltrates a system, encrypts all of the data, and then ransoms the data to its owners. The encrypted data can be anything from an individual user's emails to the operating system files required to run the device. By encrypting this data, an attacker can deny a user access to the system or device until a fee is paid. All ransomware attacks start with an adversary gaining access to a system. Common methods of gaining access include social engineering, which is the process of gaining access by tricking someone into providing login information, or the use of an exploit, such as a Zero Day. A Zero Day exploit targets a previously unidentified vulnerability for which the manufacturer of the program or operating system does not have a patch or fix. Once a Zero Day is identified, manufacturers will quickly design a patch to prevent perpetrators from using it in the future. Once inside the system, attackers can gather intelligence, steal information, manipulate information, or otherwise operate undetected until they are found and their access removed.

The cybersecurity and defensive cyberspace operators have different roles when it comes to patching in response to a previously identified vulnerability or in responding to a true Zero Day. In the event of a previously identified vulnerability, the network and systems administrators who fill the duties of the cybersecurity professional are responsible for applying the patches and searching for indicators of compromise on the network. The cyberspace defense operators are responsible for assessing the intelligence from the threat environment, providing recommendations to the administrators, and assessing the overall protection level of the network. In the event of a true Zero Day, the defensive cyberspace operators are responsible for hunting, isolating, and gathering intelligence on the intrusion while providing recommendations to the network and systems administrators to fix the network security. Without both of these elements operating in sync, networks will remain vulnerable and the response timeline for the eventual intrusion will increase, which results in more damage occurring.

What Is the Difference Between Cybersecurity and Cyber Defense, and What Is Synergy Between Them?

The DOD is currently postured in a three-column approach to deterring cyberattacks: Offensive Cyberspace Operations, Defensive Cyberspace Operations (DCO), and Department of Defense Information Networks (DODIN) Operations (DODIN Ops). The 0600 occupational field is focused on the DODIN Ops portion of cyberspace operations, specifically on the planning, installation, security, operation, and maintenance of communication architectures. The 1700 occupational field has the responsibility for Offensive Cyberspace Operations and DCO, with the 1721, Defensive Cyberspace Operator, supported by the 1702, Cyberspace Operations Officer, having a primary focus on DCO. The difference between DCO and DODIN Ops can be summarized with the following statement: DODIN Ops is responsible for a threat-agnostic but threat-informed security posture, while DCO is an intelligence-driven investigative and command and control body working
against an identified, specific anomaly or threat. In practice, this equates to the following: DODIN Ops secures the network, and any suspicious activity is routed to DCO to investigate and, if identified as an actual threat, neutralize that threat.

The risk that arises with this three-column approach is the space that exists between them. While DODIN Ops and DCO are separate functions, they need to be closely aligned in order to ensure that the security and defense of the network are synchronized. Without DODIN Ops support to apply changes to the security posture of the network, DCO is unable to truly eliminate a threat once it is identified. Without the intelligence and recommendations provided by DCO, DODIN Ops is unable to secure the network against the specific threats it faces.

(Figure: Reconnaissance and counter-reconnaissance in the context of the pillars of cyberspace operations. Graphic provided by author.)

What Is the Way Ahead?

As the DOD ramps up its cyber defense in response to increasing threats and invests heavily in the evolution of defensive cyberspace operations, it is worth noting that the first line of defense against these attacks is not the 1700 community but the 0600 community. The 0631 Network Systems Administrators and 0671 Data Systems Administrators throughout the Marine Corps are the primary MOSs responsible for the security of our systems and for patching previously identified vulnerabilities. However, the biggest risk that we face in current practice is the fact that our threat-agnostic defense is often a threat-uninformed defense. In other words, while a vulnerability may be listed as medium risk by the Defense Information Systems Agency (DISA), it may also be a tactic, technique, or procedure (TTP) that is frequently employed by an adversary involved in our area of operations. In that situation, a threat-informed approach would grant it a higher priority for patching than a vulnerability listed as critical by DISA that is not a TTP of that specific adversary. Traditional DODIN Ops uses a checklist to address the most dangerous vulnerabilities rather than the most likely vulnerabilities. The solution to this is to improve the synergy of the defensive cyberspace analysts and the cybersecurity administrators by facilitating the relationship between these units in order to increase information sharing, intelligence gathering, and threat response. The defensive cyberspace analysts have access to the intelligence resources to identify which advanced persistent threats, or specific adversaries that possess "sophisticated levels of expertise and significant resources,"[9] may be active in a region, as well as the TTPs associated with those advanced persistent threats. Furthermore, increased synergy between the DODIN Ops and DCO teams enables the network administrators to assist DCO in intelligence gathering and reverse targeting of adversary teams through the use of various tools and network changes.

Currently, the synergy between DODIN Ops and DCO is not where it needs to be. Rarely do the DODIN Ops Marines responsible for maintaining the cybersecurity posture receive relevant intelligence briefs to prepare them for operations. This causes significant delays in response and can lead to disastrous consequences like NotPetya and Colonial Pipeline. The correct actions for a synergistic operation would include the following: along with the usual intelligence preparation of the battlespace, the defensive cyberspace intelligence analysts would provide an additional intelligence preparation of the information environment, to include the cyberspace threat actors active in the region. The cyberspace intelligence analysts would review which peer adversaries were likely to be active, which friendly systems are at risk, and which exploits are likely to be used against U.S. forces. The intelligence analysts would also prepare a threat briefing to the G-2, G-3, and G-6 about the risks in the area and which advanced persistent threats belonging to which country would be in play.

Using this information, the defensive cyberspace intelligence analysts and the DODIN Ops community would prepare a threat-informed security environment, with a focus on patching vulnerabilities likely to be exploited. This is much more threat focused and relevant than the typical critical, high, medium, low risk assessment included within the information assurance vulnerability alerts provided by DISA. Once the security posture is in place
to counter an identified adversary, the Systems Control Center (SYSCON), which monitors, maintains, and changes the communication architecture and is staffed by 0600 personnel, and the Cyberspace Defensive Operations Center (CDOC), which commands and controls the investigation of network anomalies and mitigation actions and is staffed by 1700 personnel, would have a synergistic relationship. This would enable the staff to address every anomaly and vulnerability as a team to fully analyze the potential threat and response action.

Some leaders argue that the 1700 community does not require the 0600 community to conduct cyberspace operations. Other than the network being established, what benefit does the 1700 community gain from the 0600 community? It is a fair question, especially since the 0600 community will always create the network to enable commanders to execute C2 across the battlespace. Much of the intelligence gathered by the 1700 community is often at the top-secret level, which is above the security clearance required by the vast majority of the 0600 community. Additionally, since DODIN Ops focuses on a threat-agnostic security posture, the specific threats posed by adversaries are rarely addressed by the 0600 community. However, as discussed earlier, this results in a threat-uninformed and therefore vulnerable network architecture. Furthermore, the 1700 community lacks the ability to implement network and systems changes in the architecture in order to mitigate specific exploits discovered.

There are two main benefits of the 0600 community to defensive cyberspace operations: the implementation of changes on the network to respond to a threat, and the understanding of the network as a whole. The majority of the network changes that are required by defensive cyberspace operations against a specific threat are implemented by the network and systems administrators that the 0600 community owns and develops. Without the administrators to patch systems, update the architecture, and create mitigations, the 1700 community is unable to successfully defend the network against identified threats. But most importantly, the communication officers and communication chiefs have the specific requirement built into their billets and training to translate the commander's operational priorities into communication plans that enable command and control. This means that communication officers and chiefs, by necessity, must be able to effectively understand and translate the risks identified by cyberspace-focused intelligence. Without that synergy between the communication officers, communication chiefs, and the defensive cyberspace intelligence analysts, it is difficult to translate threats to risks, understand when risk is unavoidable, and identify
additional mitigations that improve the chance of operational success.

Conclusion

The relationship between DODIN Ops and DCO already exists within II MEF. The CDOC, as a component of the Information Command Center, and the MEF SYSCON, both manned and operated by 8th Communication Battalion Marines, already have a relationship due to the proximity of command. The MEF Network Operations Center already has defensive cyberspace operations liaisons located within its structure. The intelligence section within the MEF Information Group Information Command Center already synthesizes the intelligence requirements identified within an area of operations. However, as demonstrated by the significance of cyberattacks throughout the world, movement needs to be made to ensure that these two occupational fields are more closely aligned than ever, with a focus on closing the space between DCO and DODIN Ops. Without a clear threat picture provided by cyberspace intelligence analysts, patched systems provided by the network and systems administrators, and the investigative and response actions of defensive cyberspace operators, the Marine Corps places itself in a position of significant risk. But most importantly, in the question of providing cybersecurity to the MEF and in conducting reconnaissance, counter-reconnaissance, and counter-exploitation of our networks, the synergy between the 0600 and 1700 communities must be nourished, grown, and strengthened. When the synergy between the 0600 and 1700 communities is maximized, the opening vignette would have proceeded very differently:

The Watch Officer for the MEB Operations Center attempts to log in to his NIPR computer but receives an error stating his account is locked because of excessive failed login attempts. He angrily calls over to the Communication Help Desk, stating that he had just come on shift and had not attempted to log in yet. The Help Desk Marines register the anomalous activity of a locked account without login attempts with the SYSCON. The SYSCON Watch Officer logs the issue with the CDOC, which begins an investigation into the anomaly. The DCO Marine investigates the issue and discovers a breach in the network which is impacting the logistics supply chain, resulting in manipulated logistics requests and weather reports. The DCO Marine identifies that an adversary had compromised login credentials for the MEB Operations staff, which allowed the adversary to manipulate data and harvest intelligence within the MEB NIPR network.

After analyzing the specific threat vector used, he begins to hunt for the perpetrating unit. After receiving approval from the MEB G-6 and Information Control Center, the CDOC and SYSCON work together to establish a cyber-operations-approved honey-pot: a collection point designed to lure in the adversary to gather intelligence. Once the adversary is identified, the CDOC provides recommendations to the SYSCON, which coordinates with the MEB G-6 to implement network changes to protect the network. The Network Systems Administrators update the MEB firewalls to limit adversary traffic into the network, and the Data Systems Administrators update the Assured Compliance Assessment Solution scanners to search for specific indicators of compromise. The CDOC provides information to the Cyberspace Intelligence Analysts, who are able to connect the TTPs for the specific threat vector used, along with information from the honey-pot, to identify the specific adversary units involved. This information is then provided to the Information Operations Center, which provides recommended targeting solutions to the MEB G-3 for action.

Notes

1. Andy Greenberg, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History," Wired, (August 2018), available at https://www.wired.com; and Joe Tidy, "Colonial Hack: How Did Cyber-Attackers Shut Off Pipeline?" BBC News, (May 2021), available at https://www.bbc.com.

2. Hypr Security Encyclopedia, s.v. "EternalBlue," available at https://www.hypr.com.

3. Staff, "Security update for Microsoft Windows SMB Server (4013389)," Microsoft, (March 2017), available at https://docs.microsoft.com.

4. Ellen Nakashima, "Russian Military Was Behind 'Notpetya' Cyberattack in Ukraine, CIA Concludes," Washington Post, (January 2018), available at https://www.washingtonpost.com.

5. Staff, "Conflict in Ukraine," Council on Foreign Relations, (July 2021), available at https://microsites-live-backend.cfr.org.

6. William Turton and Kartikay Mehrotra, "Hackers Breached Colonial Pipeline Using Compromised Password," Bloomberg, (June 2021), available at https://www.bloomberg.com.

7. Emily McKeown, "What Is Multi-factor Authentication (MFA)?" PingIdentity, (September 2020), available at https://www.pingidentity.com.

8. Gen David H. Berger, "Preparing for the Future: Marine Corps Support to Joint Operations in Contested Littorals," Military Review, (May 2021), available at https://www.armyupress.army.mil.

9. Staff, "Glossary: Advanced Persistent Threat," National Institute of Standards and Technology, (n.d.), available at https://csrc.nist.gov.
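Appended worked example (added here, not part of the article or of any Marine Corps tool) for the threat-informed patching argued under "What Is the Way Ahead?": a DISA "medium" that is a known TTP of an adversary active in the area of operations is ranked ahead of a DISA "critical" that no relevant adversary uses, and the same items become the list of places DCO should hunt for indicators of compromise. The vulnerability identifiers, actor names, hostnames and scoring weights are constructed assumptions.

```python
"""Threat-informed patch prioritisation (added example, not from the article).

A vulnerability DISA rates "medium" but that is a TTP of an adversary active in
the area of operations (AO) is patched before a DISA "critical" that no relevant
adversary is known to use. Identifiers, actors, hosts and weights are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# DISA-style severity as the threat-agnostic baseline score.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Scoring weights: assumptions of this example, not DISA or DOD policy.
ACTIVE_TTP_BONUS = 10     # deliberately larger than the whole severity scale
TRACKED_TTP_BONUS = 3     # an actor uses it but is not assessed active in the AO
CRITICAL_HOST_BONUS = 2   # the vuln sits on a mission-critical system


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # constructed identifier, e.g. "VULN-0002"
    severity: str             # DISA rating: critical / high / medium / low
    hosts: tuple[str, ...]    # systems in the architecture that carry it


@dataclass(frozen=True)
class ThreatIntel:
    """DCO intelligence product: one actor and the vulns its TTPs exploit."""
    actor: str
    active_in_ao: bool
    exploited_vulns: frozenset[str]


@dataclass
class PatchTask:
    vuln: Vulnerability
    score: int
    active_ttp: bool                  # exploited by an actor active in the AO
    rationale: list[str] = field(default_factory=list)


def prioritise(vulns, intel, mission_critical_hosts):
    """Order patch tasks most-likely-to-be-exploited first.

    ACTIVE_TTP_BONUS exceeds the entire severity scale, so any vuln used by an
    actor active in the AO outranks every non-TTP critical: the article's point.
    """
    tasks = []
    for v in vulns:
        score, active = SEVERITY_SCORE[v.severity], False
        why = [f"DISA {v.severity}"]
        for t in intel:
            if v.vuln_id not in t.exploited_vulns:
                continue
            if t.active_in_ao:
                score, active = score + ACTIVE_TTP_BONUS, True
                why.append(f"TTP of {t.actor}, active in AO")
            else:
                score += TRACKED_TTP_BONUS
                why.append(f"TTP of {t.actor}, not active in AO")
        if any(h in mission_critical_hosts for h in v.hosts):
            score += CRITICAL_HOST_BONUS
            why.append("on mission-critical host")
        tasks.append(PatchTask(v, score, active, why))
    # Highest score first; ties fall back to DISA severity, then id (deterministic).
    tasks.sort(key=lambda t: (-t.score, -SEVERITY_SCORE[t.vuln.severity], t.vuln.vuln_id))
    return tasks


def hunt_candidates(tasks):
    """Vulns an active-in-AO actor exploits: where DCO should hunt for indicators
    of compromise, since a patch closes the door but does not evict an adversary
    who already came through it."""
    return [t.vuln.vuln_id for t in tasks if t.active_ttp]


# Constructed sample data.
SAMPLE_VULNS = [
    Vulnerability("VULN-0001", "critical", ("print-server",)),
    Vulnerability("VULN-0002", "medium", ("log-app-01", "ops-ws-07")),
    Vulnerability("VULN-0003", "high", ("file-server",)),
    Vulnerability("VULN-0004", "medium", ("mail-relay",)),
]
SAMPLE_INTEL = [
    ThreatIntel("APT-RED (constructed)", True, frozenset({"VULN-0002"})),
    ThreatIntel("APT-BLUE (constructed)", False, frozenset({"VULN-0003"})),
]
MISSION_CRITICAL = {"log-app-01", "ops-ws-07"}

if __name__ == "__main__":
    ranked = prioritise(SAMPLE_VULNS, SAMPLE_INTEL, MISSION_CRITICAL)
    for t in ranked:
        print(f"{t.score:3d}  {t.vuln.vuln_id}  {'; '.join(t.rationale)}")
    print("hunt here first:", hunt_candidates(ranked))
```

With the constructed data the medium-rated VULN-0002 comes out first (score 14) and the critical-rated VULN-0001 third (score 4).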