
The Cyber Defense Review

Can Intelligence Preparation of the Battlefield/Battlespace Be Used to Attribute a Cyber-Attack to an Actor?

By Harrison Kieffer | March 22, 2016

Introduction

With the rising presence and sophistication of cyber-attacks and intrusions across all industries, attribution of an attack is of the utmost importance. Attribution is a difficult task, as advanced persistent threats (APTs) look to obfuscate their attacks through various means and, in some cases, leave a false trail to frame another actor or country. However, APTs, with their large organizational structures and numerous ongoing cyber campaigns, traditionally develop a unique set of tactics, techniques and procedures (TTPs), which stay consistent because those methodologies are tried and true. An attack carried out by a particular APT can therefore follow a pattern and appear militaristic. Because of this, Intelligence Preparation of the Battlefield/Battlespace (IPB), a methodology developed by the United States Department of Defense (DoD) to identify the possible plans of action within a battle, could be an effective means of attributing a cyber-attack to a particular APT. The DoD defines IPB as “…a systematic process of analyzing and visualizing the portions of the mission variables of threat/adversary, terrain, weather, and civil considerations in a specific area of interest for a specific mission. By applying IPB, commanders gain the information necessary to selectively apply and maximize operational effectiveness at critical points in time and space.”[1]

IPB looks into three specific elements of a battle and adversary: the battlefield environment, battlefield effects, and the adversary’s capabilities, all of which determine the ‘courses of action’ (COAs).[2] Some of these elements translate directly to a cyber-attack and others only loosely. To illustrate the similarities and differences between IPB and cyber-IPB, specifically for use in attribution, two APTs and their attack TTPs will be highlighted in conjunction with the corresponding element of IPB. The two adversaries highlighted are APT-1 and Axiom; both are high-profile Chinese APTs. APT-1 is known through the Mandiant report APT1: Exposing One of China’s Cyber Espionage Units, targets companies for espionage, and is considered by some to be sloppy. APT-1 also goes by the official name Chinese People’s Liberation Army Unit 61398 and the aliases Comment Crew, Comment Panda, Comment Group, and Shady Rat. In total, APT-1 has attacked 141 different organizations, 115 of which are American.[3] Axiom is considered a sophisticated actor, attacking governments and related industries for espionage.[4] Although both of these APTs are Chinese, they have differences as well as similarities, which illustrate the effectiveness and weaknesses of IPB in attributing cyber-attacks.

 

Relating Step-One of IPB to Cyber-Attacks

Defining the battlefield is straightforward within a conventional battlespace. Within an expanding cyber landscape, however, defining the boundaries of a battlefield is much different. The concepts of the cyber and physical battlefield are nonetheless similar, as stated by LTC Bertrand Boyer in his Cyber Defense Review article Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach, on the similarities and differences between cyber and conventional battlespaces:

As with any urban area, information systems are divided into various functional zones. IS has, as does a city, storage areas, service areas, staging areas, limited and controlled access and perimeters. Furthermore, the wide diversity of urban areas echoes the architectures of information systems. In cyberspace, no place is like any other even if they share common infrastructures.[5]

Although the two battlefields have similar characteristics, they differ when it comes to controlling ground. A section of a physical battlefield can be controlled by only one party, and this is apparent to all involved. In the cyber realm, however, an adversary and the defender can occupy the same ‘place’ at the same time, with malicious files residing in the victim’s folder or the actor having access to the victim’s account.

For the purposes of defining cyber-IPB, the battlefield is the victim’s network. This does not include internet service providers or the adversary’s network, although when applying IPB to cyber-attacks as a whole and mapping botnets these elements are included. The components not infected by the adversary are also important, because information not of interest or inaccessible to the adversary can aid in attribution, as one can determine the capabilities and the focus of the adversary.[6] The layout of the network and the equipment on it are also very important to attribution, and apply almost directly to IPB. Mapping the topography of a network helps to understand its strengths and weaknesses, which are further analyzed in the second step. Most of this step is not directly applicable to attribution. Still, it aids in strengthening network defenses, and it supports the second and third steps as the actor operates within the network.

 

Step-One of Cyber-IPB applied to a Cyber-Attack

When applying these principles to a hypothetical cyber-attack on a network, it is necessary to understand the layout and security measures in place. The network in question belongs to a defense contractor which produces products for both public and government consumers. This network will be viewed at a high level to understand its general rather than specific technical operation. The defense contractor not only makes weapons, but also aerospace technology, satellites, and telecommunications. The systems used to produce and support the production of government defense equipment are contained on a more complex and highly secured system. That system presumably contains air-gapped and siloed systems in order to keep sensitive and classified data secure. The network producing and supporting the production of public consumer goods lacks the cyber security standardization which government-connected systems have.[7]

 

Relating Step-Two/Four of IPB to Cyber-Attacks

The second step of IPB is to determine how an adversary will attempt to operate within the battlefield, and possibly attempt to use the battlefield to their advantage. For cyber-attack attribution purposes, the second step and the fourth step, where adversary ‘COAs’ are determined, will be combined. The second step of IPB breaks into two main categories, ‘OAKOC’ and ‘ASCOPE’. When shifting the elements of ‘ASCOPE’ over to a cyber landscape, the elements correlate as follows: ‘area’ (network), ‘structures’ (data), ‘capabilities’ (network administrators), ‘organizations’ (programs), ‘people’ (people on the network), and ‘events’ (network patterns). Under ‘OAKOC’ the translation is: ‘observation and fields of fire’ (‘AAs’ not utilized), ‘AAs’ (avenues of approach: forward-facing servers/ports), ‘key terrain’ (administrative accounts), ‘obstacles’ (security software), and ‘cover and concealment’ (network traffic).[8] Several elements of ‘ASCOPE’ and ‘OAKOC’ are vital in attribution: ‘AAs’, ‘key terrain’, ‘organizations’, ‘structures’, ‘obstacles’, and ‘area’. These elements mainly deal with the security in place, play roles in an enemy’s obfuscation process, and determine ‘operational effectiveness’; however, these are evaluated within the third step and the malware and TTP analysis, and are not key in attribution.

The ‘AA’ utilized by the adversary helps to understand the type of attack and the actor’s abilities. LTC Boyer reaffirms this point: “Using Internet as an ‘AAs’, cyber operators have to go through a closed area from outside something to enter inside something else…”[9] Software ‘organizations’ can be an ‘AA’ in addition to ports or forward-facing servers. Seeing what exploit is utilized, and how, can be a key element in attribution, as each actor approaches vulnerabilities differently and utilizes a specific set of vulnerabilities; this is analyzed within ‘organizations’ and ‘obstacles’. Each of these factors can help provide insight into the type of malware being used and possible attribution. Controlling an administrative account theoretically grants an adversary an ‘area of influence’ and ‘key terrain’ which, according to IPB, “is a geographic area wherein a commander is directly capable of influencing operations…”.[10] Control over an administrative account grants access to new ‘area’ and ‘structures’, thereby aiding espionage and constituting an ‘area of influence’.[11]

How normal network traffic, the ‘people’ and ‘events’, operates within the network, and the individuals’ personal computer capabilities, are important to understand, as an adversary may attempt to mimic this, or will stand out because they use their own protocol or pattern, or exceed the capabilities of the people on the network. Seeing where the adversary is moving helps to understand what they desire as they go through ‘area’ in search of what they would define as ‘key terrain’ and valuable ‘structures’. Thomas Rid and Ben Buchanan state, “By looking at an intruder’s movements between computers in a breached network… investigators may gain insight into what the attackers were after.”[12] Rid and Buchanan wrote Attributing Cyber Attacks for King’s College London Department of War Studies, and their article is published in the Journal of Strategic Studies. Understanding what the adversary is looking for and what ‘AAs’ they are using can greatly aid in attribution.

 

Step-Two/Four of Cyber-IPB Applied to an APT-1 Attack

When applying step two of IPB to cyber-attacks from APT-1 and Axiom, the difference in TTPs and skill sets begins to show, and the main element to analyze is the ‘AA’. APT-1 utilizes spear-phishing as its main and almost exclusive ‘AA’. The spear-phishing email is typically tailored for the intended target, and APT-1 will utilize spoofed emails to increase the likelihood of the victim opening the email. The emails usually contain a malicious .exe spoofed as a Microsoft Office document, taking advantage of an ‘organization’ in place.[13]

 

Step-Two/Four of Cyber-IPB Applied to an Axiom Attack

Axiom utilizes many different attack methods and ‘AAs’, with one of their most sophisticated being watering-holes. “‘Watering Hole’… [are] attacks in which the attackers compromise a legitimate website and insert a ‘drive-by’ exploit in order to compromise the website’s visitors.”[14] The infected website with the watering-hole is a means to the final target and not the target itself. Axiom looks to exploit a vulnerability on a website which is frequented by the intended target, showing that Axiom understands the ‘people’ of the network. When Axiom utilizes watering-holes as an ‘AA’ they typically exploit a vulnerability in the ‘organization’ Adobe Flash, and many times utilize a zero-day vulnerability.[15] The watering-hole will then prompt, or automatically download, a perceived-to-be-legitimate update for the exploited plugin and thus compromise the intended target. This infection method generates numerous infected machines, which are sorted through in the next part of IPB. Knowing every possible ‘AA’ into a network is almost impossible, as LTC Boyer writes: “Every leader will have to address and answer the following question: ‘how do I get close to my target and avoid the detection systems?’ In cyberwarfare as in urban warfare, there is no single answer to this complex question.”[16] As actors discover new ‘AAs’ and make them their signature, these become elements which can be used in attribution.

 

Relating Step-Three/Four of IPB to Cyber-Attacks

The third step of IPB will be combined with the fourth step, just as with the second step; in this step the threat/adversary is evaluated and their ‘COAs’ are determined.[17] This stage is the most crucial in attributing a cyber-attack, as the malware, TTPs, exfiltrated data, and numerous other factors are analyzed to determine the actor behind the attack.[18] The elements of a threat/adversary within IPB include: ‘composition’, ‘disposition’, ‘tactics’, ‘training’, ‘logistics’, ‘operational effectiveness’, ‘communications’, ‘intelligence’, ‘recruitment’, ‘support’, ‘finance’, ‘reach’, ‘agency affiliations’, and ‘personality’. These elements are analyzed to produce a full understanding of the capabilities of an adversary. They are all used to determine the ‘COAs’ of the adversary, how the adversary will operate within the battlefield, and ultimately how effective their TTPs will be in the battlefield.[19] Not all of these elements are necessary for attribution, but those which are will be identified as malware is discussed.

The third part of the IPB framework begins with the ‘composition’ of the adversary; however, it is not possible to determine the full composition of the adversary until attribution is complete. The elements of the malware are also a ‘composition’, but on a smaller scale. ‘Disposition’ is essential in determining victim-zero, the first compromised system; determining this can help determine the infection method and the end goal of the adversary. From victim-zero one can see how and in what direction the adversary moved through the network, giving indicators of the capabilities and intent of the adversary.[20] LTC Boyer relates this concept between the two mediums: “The intelligence mission is not to simply identify locations on a map and pinpoint enemy units, but, rather to understand the architecture of the target, its logical organization, and therefore the key points to seize or defend.”[21] Understanding and seeing how an adversary moved throughout the network indicates their ‘disposition’ and what their objective was within the network.

‘Tactics’ are one of the most essential parts of attribution and fall within TTPs; each adversary is nuanced in their TTPs, which leave a signature within the network that can be used for attribution. However, with so many different TTPs to analyze, a structure and guideline should be put in place to help in this step. Many of the guidelines already present are extremely technical and analyze the tactical level as opposed to the operational and strategic level. Cyber-IPB is targeted at operational and strategic decision-making; therefore, its indicators are less atomic. As campaigns grow larger and more complex, many actors become sloppy and lazy, reusing indicators and in some cases leaving personally identifiable information (PII) within code, as seen with APT-1.[22] In some cases a language barrier will show in spear-phishing messages, indicating that a foreign actor is behind the attack. When the malware is active is also an indicator of the time zone where the actor is from and of whether the actor is state-sponsored.[23] A state-sponsored actor is more likely to have set and consistent hours falling within a workweek, whereas a hacktivist will tend to have erratic hours as individuals work at their own pace.[24]

Malware is the weapon used by actors within cyber-attacks, and how the malware is packaged, behaves, and is coded leaves clues within the code; this is a crucial part of actor attribution. However, as time passes, actors will modify the malware and other actors may begin using it, reducing or removing the effectiveness of MD5 scanning as a means to protect the network.[25] Malware falls into three general classes and has eight categories of characteristics which determine its capabilities and effectiveness.[26]

The three general classes of malware are Trojan horse (Trojan), worm, and virus. Trojans appear to be normal, non-malicious programs but contain hidden malicious code. Trojans are typically used as first-stage malware to gain initial access into the network, and are then replaced with more sophisticated malware for data exfiltration. Worms are a self-propagating malware type and do not need commands from an actor in order to spread to another system. The final category, the virus, is malicious code that contains a malicious payload which can be deposited on a computer; this payload could be another type of malware.[27]

These general categories can be analyzed further within eight characteristics which show specific functions and capabilities; these make up the ‘composition’ and ‘tactics’ of the threat/adversary. Dennis Distler states, “The components written into the code varies, depending on the purpose and goal of the malware as well as the experience and skill of the author.”[28] Distler wrote Malware Analysis: An Introduction as part of a GSEC certification, and the report is published on the SANS Institute Reading Room site. These characteristics help within attribution because they shed light on the motivation of the actors, their coding style, ‘tactics’, the infrastructure of the actor, how the malware behaves (its ‘personality’), and the overall ‘operational effectiveness’.[29] The following elements and attributes of malware are drawn from Microsoft’s The Antivirus Defense-in-Depth Guide, Lockheed Martin’s Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Kim Zetter’s Countdown to Zero Day, and Distler’s Malware Analysis: An Introduction.[30] [31] [32]

  • Target environments show the ‘disposition’ of the actor. Target environments are the specific system criteria which the malware searches for and which need to be met before it fully infects a machine, including the device, OS, applications running, country of origin, or organization where the machine is. The computers excluded from an attack can be extremely important in attribution, as many state-sponsored actors will not attack systems within their own or an ally’s country.[33]
  • Carrier objects show the ‘logistics’ of the actor. File types, exploits, and processes targeted by malware are carrier objects. These can include, but are not limited to: executable files, scripts, and macros. Understanding the carrier objects and how they are employed sheds light on what the malware is attempting to do.[34] [35]
  • Transport mechanisms show the ‘reach’ and ‘logistics’ of the actor. The way in which the malware is spread from one system to another is the transport mechanism. Methods of transport include: email, local area networks, removable media, or remote exploit. The transport method demonstrates the capabilities of the actor and can indicate what type of network they were planning to attack.[36]
  • Payloads demonstrate the ‘tactics’ of the adversary. Payloads are the equivalent of a warhead in cyber-attacks; the payload is the truly malicious code which will exfiltrate, corrupt, or otherwise compromise the attacked network. The payload indicates the intentions/targets of the attack, but can be encrypted within the malware itself in order to protect it from analysis. Typical payload types are: backdoor, data corruption/deletion, and information theft.[37] [38]
  • Packaged ‘programs’ also demonstrate the ‘tactics’. APT malware typically includes packaged programs such as administrative tools, an unpacker/packer, or an encrypter.[39] [40]
  • Trigger mechanisms also demonstrate the ‘tactics’ of the adversary. Events which determine the execution of the payload or the exploit are trigger mechanisms. Typical triggers include: manual execution by the victim, social engineering, semi-automatic execution, automatic execution, time-bomb, and conditional. Trigger mechanisms display what the actor is waiting and looking for on the victim system.[41] [42]
  • Exfiltration and command and control (C2) are the ‘logistics’ and ‘communication’ of the adversary. These are the mechanisms used to exfiltrate data and communicate with the infected system. Some actors employ high levels of operational security (OPSEC), disguising the traffic as regular network traffic (like the ‘people’ and ‘events’ of step two), involving botnets or ‘recruited’ computers, or encrypting the data. How the botnet communicates and the type of proxies involved aid in attribution.[43] Exfiltration and C2 are crucial steps in attribution, as they show where the data is being sent and what the data is.[44] [45]
  • Obfuscation/defense can apply to ‘intelligence’, ‘support’, and ‘operational effectiveness’. This is the level of OPSEC employed by the actors, and can involve several techniques, including elements placed in the code to intentionally increase the difficulty of attribution. These techniques include: armor, stealth, encrypting, oligomorphic, and polymorphic. Some APTs will code in different time zones, languages, and styles, use stolen certificates which allow malware to appear legitimate, and attack remotely through botnets to reduce the possibility of attribution. The process of obfuscation can apply to all stages and elements of the malware.[46] [47] [48] [49]

Looking at these eight characteristics and how they are packaged together provides insight into the actor behind the attack. Actors will bring in tools for single use, as they may need to penetrate a particular computer. As LTC Boyer states, “every machine in an IT system has its own specific role and configuration and will require using appropriate techniques and tools. A lot of these tools will be bespoke.”[50] Effective malware analysis is crucial in this step and has been theorized by Shakarian, Simari, Moores and Parsons in Cyber Attribution: An Argumentation-Based Approach, which looks into malware analysis with an emphasis on attribution.[51] Malware analysis can still be done at a high level by analyzing what components were packaged together. The style and mixture of these components is distinctive to actors, especially when unique identifiers are analyzed, such as the language programmed in, compile dates/times, and PII left behind. Other elements of IPB, including ‘training’, ‘elements of recruitment’, ‘elements of support’, and ‘agencies’, cannot be determined until after attribution.[52]

 

Step-Three/Four of Cyber-IPB Applied to an APT-1 Attack

Applying this step of IPB to cyber and to a real-world attack will make or break attribution. When looking at an attack from APT-1: after initial compromise, APT-1 attempts to establish a foothold with a backdoor, using both publicly available and custom backdoors. Using a publicly available backdoor makes the actor easier to track but harder to attribute. However, APT-1 does have custom tools; in this hypothetical attack, Auriga will be the malware utilized.[53] Auriga utilized the ‘AA’ of an email attachment with file spoofing, which also constitutes ‘logistics’/carrier objects. Auriga is a full-featured backdoor with a payload capable of stealing PII and trade secrets, and shows APT-1’s ‘tactics’ of monitoring the system, including gathering passwords from programs. Auriga’s trigger/‘tactic’ is to operate as soon as it enters the system.[54] The capabilities of Auriga include: keylogging, capturing mouse movement, creating/killing processes, creating/modifying files, file upload/download, gathering system information, harvesting passwords, hiding connections, hiding processes, an interactive command shell, logging off the current user, modifying the registry, opening a listening port, process injection, a remote desktop interface, shutting down the system, and taking screenshots.[55] As a fully featured piece of malware, Auriga is not packaged with anything else, and Auriga does not inject itself into any processes. Auriga’s ‘disposition’ is to elevate itself into the highest administrative account in order to control ‘area’ and ‘key terrain’ and to access ‘structures’. The C2, or ‘communication’ and ‘logistics’, utilized by Auriga is unencrypted and utilizes port 443 to call to ‘recruited’ botnets, hopping through several botnets before reaching APT-1. Analysis of the computer accessing the network showed that a VPN/botnet was utilized to control the computer, that it utilized a Chinese Simplified – US keyboard, and that the original IP address came from within Shanghai. The data exfiltration phase is done with multiple 200MB .rar files utilizing the File Transfer Protocol (FTP). This data dealt with consumer aircraft components and did not include government contract information. There is little to no obfuscation utilized within Auriga, demonstrating poor OPSEC, ‘intelligence’, and ‘support’, thus reducing, but not eliminating, the ‘operational effectiveness’.[56] Looking at how these elements combine and match up to an APT-1 framework determined through cyber-IPB aids and adds to analytic confidence in attribution.

 

Step-Three/Four of Cyber-IPB Applied to an Axiom Attack

Axiom utilizes a stage-oriented malware attack, which is considered sophisticated. The malware entered the system via a watering-hole attack; Gh0st RAT was the tool deposited during the attack, without a dropper, as Gh0st RAT is full-featured malware. Its capabilities include: capturing keystrokes, remote monitoring of the webcam and/or microphone, file system search/browse, use of the local command prompt, execution of arbitrary programs, and file download/upload.[57] Gh0st RAT comes as a UPX-compressed binary and demonstrates a large amount of ‘intelligence’ and ‘support’ by disguising itself as a trusted Symantec update. Gh0st will use the ‘tactic’ of injecting itself into VPTray.EXE as a carrier object and rewrites the registry to auto-start Gh0st RAT every time. A key element of the ‘disposition’ of Gh0st RAT is to infect not the machine but rather the profile the user logged in with, using the profile as a ‘carrier object’ to infect networks/machines. Gh0st RAT demonstrates ‘intelligence’ by the way it hides its stored data, in hex digits, and is able to regenerate itself if not fully removed. During the first stage of the attack, Gh0st RAT downloads VPTray.EXE and UP.BAK for the second stage and then deletes itself. The ‘intelligence’ and ‘disposition’ are displayed again as the registry editor and Windows System Restore are disabled, and the malware is trusted because it appears to be Norton. The ‘communication’ for exfiltrated data is via HTTPS. The data exfiltrated during this breach pertained to government defense contracts, the employees on them, and emails related to the contracts.[58] This two-stage attack differentiates Axiom from most other actors and enables them to run the same processes with a smaller footprint.

 

Conclusion

Even though at face value Axiom and APT-1 can seem like the same actor supported by the Chinese government, utilizing IPB helps distinguish between the two entities. The networks attacked, although at the same company, were different in content, structure, and security. The breach from APT-1 started via spear-phishing emails, whereas Axiom employed a different ‘AA’, a zero-day watering-hole. The separation continued as the ‘disposition’ of Axiom led them towards government contract data and APT-1 towards industrial and consumer products. The ‘tactics’, ‘intelligence’, ‘logistics’, ‘communication’, and ‘support’ differ greatly as the malware infects the system and the true ‘operational effectiveness’ shows. Axiom employs a more complex and sophisticated means of attack, with two stages, zero-days, and forged/stolen certificates, whereas APT-1 utilizes simple, yet effective, file spoofing to gain a foothold. Although the end result of the two attacks remains the same, compromise of data, the ‘tactics’, ‘intelligence’, ‘disposition’, ‘logistics’, ‘communication’, ‘AAs’, ‘COAs’, and ‘support’ are extremely different, and IPB helps to illustrate this (please refer to the chart). A former federal-government employee and cyber-intelligence specialist states that when all indicators have been analyzed, the “size, scope, anonymization, and duration of the attack” must also be analyzed for accurate attribution.[59]

In a conversation about advanced obfuscation techniques employed by APTs, the former federal-government employee and cyber-intelligence specialist stated that botnets are used in conjunction with proxy applications and/or protocols; these proxy applications include fast-fluxing and domain generation algorithms. Proxy protocols include: transparent, anonymous proxy, and highly anonymous proxy, and these protocols remain a common obfuscation technique utilized to change the apparent origin of the attack/actor. Through digital network analysis it is possible to trace the proxy hops of a botnet to the actor’s computer. Network analysis techniques include network discovery, network mapping, and protocol analysis. However, this is a time-consuming and resource-intensive process which few individuals or organizations are able to achieve effectively. This analysis technique could possibly be applied to the mapping step of IPB in the future.[60]

Cyber-IPB is a framework which could be used to walk through an attack and narrow down possible actors for attribution. Pulling together the elements of the battlefield and how they were circumvented, accessed, or utilized by the adversary provides indicators of the adversary’s end goal and aids in attribution. Cyber-IPB provides a framework for attributing the attack by analyzing the adversary’s AAs, COAs, movement, areas of interest, and toolset features. These elements of the adversary and victim network relate to IPB’s ‘OAKOC’, ‘ASCOPE’, and adversary capabilities. Analyzing these three parts through a cyber perspective provides a framework for attribution. However, as actors’ TTPs become exposed, other actors will mimic another actor’s attack cycle or turn to more advanced obfuscation, likely reducing the effectiveness of cyber-IPB. Other elements of cyber analysis are crucial for IPB to be effective, but with effective analysis and oversight of the scope of the attack, IPB aids in the analysis of the key elements of an adversary and the battlefield, and these can be used, as illustrated above, to distinguish and attribute attacks to different, yet similar, actors at a high level.
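As an added illustration of the two indicators the article leans on most, an actor's habitual 'AA' and malware characteristics and the working-hours pattern of its activity, the Python below (example code written for this edit, not from the article or any of the reports it cites) scores a set of observed cyber-IPB elements against constructed APT-1 and Axiom profiles and searches for the UTC offset in which constructed C2 beacon times look most like a workweek. The profiles, weights, labels, timestamps and the 0.25 confidence margin are all assumptions built from the article's two hypothetical attacks; the deliberately mixed 'mimic' case shows the framework returning inconclusive rather than a false attribution.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Tuple

Profile = Dict[str, Set[str]]  # IPB element -> set of shorthand labels

# Actor profiles built from the article's APT-1 (Auriga) and Axiom (Gh0st RAT)
# descriptions. Labels are constructed shorthand, not real indicators.
ACTOR_PROFILES: Dict[str, Profile] = {
    "APT-1": {
        "avenue_of_approach": {"spear-phishing"},
        "carrier_object": {"spoofed-office-exe"},
        "disposition": {"consumer-products"},
        "communication": {"unencrypted-443", "botnet-hops"},
        "exfiltration": {"rar-over-ftp"},
        "obfuscation": {"none"},
    },
    "Axiom": {
        "avenue_of_approach": {"watering-hole"},
        "carrier_object": {"flash-zero-day", "fake-av-update", "user-profile"},
        "disposition": {"government-contracts"},
        "communication": {"https"},
        "exfiltration": {"https"},
        "obfuscation": {"upx", "stolen-certificate", "staged", "hex-stored-data"},
    },
}
# Weights are an assumption: the article treats the 'AA' and 'tactics'
# elements as the most telling, so they outweigh the exfiltration format.
ELEMENT_WEIGHTS: Dict[str, float] = {
    "avenue_of_approach": 3, "carrier_object": 2, "disposition": 2,
    "communication": 2, "exfiltration": 1, "obfuscation": 2,
}

def score_actors(observed: Profile) -> List[Tuple[str, float]]:
    """Weighted share of the observed elements that overlap each profile,
    best first. Elements not yet observed are skipped, so an incomplete
    investigation neither supports nor contradicts an actor."""
    results = []
    for actor, profile in ACTOR_PROFILES.items():
        matched = total = 0.0
        for element, weight in ELEMENT_WEIGHTS.items():
            seen = observed.get(element)
            if not seen:
                continue
            total += weight
            if seen & profile.get(element, set()):
                matched += weight
        results.append((actor, matched / total if total else 0.0))
    return sorted(results, key=lambda r: r[1], reverse=True)

def attribute(observed: Profile, min_margin: float = 0.25) -> str:
    """Name the leading actor only if it beats the runner-up by min_margin;
    a near tie is what a mimicked attack cycle looks like."""
    (top, top_score), (_, second) = score_actors(observed)[:2]
    return top if top_score - second >= min_margin else "inconclusive"

def workweek_fraction(events_utc: Iterable[datetime], utc_offset_hours: int,
                      start_hour: int = 9, end_hour: int = 18) -> float:
    """Share of events that land Mon-Fri inside [start_hour, end_hour) once
    shifted into the candidate zone; a high share suggests office hours."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = list(events_utc)
    hits = 0
    for ts in events:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(events) if events else 0.0

def best_timezone(events_utc: Iterable[datetime],
                  offsets: Iterable[int] = range(-12, 15)) -> Tuple[int, float]:
    """UTC offset whose workweek window explains the most events."""
    events = list(events_utc)
    frac, off = max((workweek_fraction(events, o), o) for o in offsets)
    return off, frac

# Constructed C2 beacon times: 01:00, 05:00 and 09:30 UTC on Mon 21 - Fri 25
# March 2016 plus one Saturday outlier; in UTC+8 that is 09:00-17:30 local.
SAMPLE_BEACONS_UTC: List[datetime] = [
    datetime(2016, 3, day, hour, minute, tzinfo=timezone.utc)
    for day in range(21, 26) for hour, minute in ((1, 0), (5, 0), (9, 30))
] + [datetime(2016, 3, 26, 3, 0, tzinfo=timezone.utc)]

# Observations from the article's hypothetical APT-1 breach.
APT1_OBSERVED: Profile = {
    "avenue_of_approach": {"spear-phishing"},
    "carrier_object": {"spoofed-office-exe"},
    "communication": {"unencrypted-443", "botnet-hops"},
    "exfiltration": {"rar-over-ftp"},
    "obfuscation": {"none"},
}
# Constructed mimic case: APT-1's 'AA' paired with Axiom-style C2 and OPSEC.
MIMIC_OBSERVED: Profile = {
    "avenue_of_approach": {"spear-phishing"},
    "communication": {"https"},
    "obfuscation": {"staged", "stolen-certificate"},
}
```

Running `attribute(MIMIC_OBSERVED)` returns "inconclusive" because Axiom leads APT-1 by only one seventh of the observed weight, which is the kind of mimicry-induced ambiguity the conclusion warns about.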

 

Notes

[1] Department of Defense, “Intelligence Preparation of the Battlefield/Battlespace.” 2009. (accessed July 2015). 126.

[2] Ibid.

[3] Andy Greenberg, “The Shanghai Army Unit That Hacked 115 US Targets Likely Wasn’t Even China’s ‘A-Team’.” Forbes. February 21, 2013. http://www.forbes.com/sites/andygreenberg/2013/02/21/the-shanghai-army-unit-that-hacked-115-u-s-targets-likely-wasnt-even-chinas-a-team/ (accessed July 21, 2015).

[4] Ellen Nakashima, “Researchers identify sophisticated Chinese cyberespionage group.” The Washington Post. October 29, 2014. https://www.washingtonpost.com/world/national-security/researchers-identify-sophisticated-chinese-cyberespionage-group/2014/10/27/de30bc9a-5e00-11e4-8b9e-2ccdac31a031_story.html (accessed July 28, 2015).

[5] LTC Bertrand Boyer, “Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach.” The Cyber Defense Review. May 11, 2015. (accessed July 11, 2015).

[6] Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks.” Journal of Strategic Studies. Edited by King’s College London Department of War Studies. December 23, 2014. http://www.tandfonline.com/doi/abs/10.1080/01402390.2014.977382#.VaGrAPntlBc (accessed July 2, 2015).

[7] Amitai Etzioni, Institute for Communitarian Policy Studies of The George Washington University. December 19. http://icps.gwu.edu/private-sector-reluctant-partner-cybersecurity (accessed February 2016).

[8] “Intelligence Preparation of the Battlefield/Battlespace.”

[9] “Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach.”

[10] “Intelligence Preparation of the Battlefield/Battlespace.” 126.

[11] Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units.” FireEye. 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf (accessed July 2014).

[12] “Attributing Cyber Attacks.”

[13] “APT1 Exposing One of China’s Cyber Espionage Units.”

[14] Nart Villeneuve, Watering Holes and Zero-Day Attacks. Trend Micro. October 23, 2012.

http://blog.trendmicro.com/trendlabs-security-intelligence/watering-holes-and-zero-day-attacks/ (accessed July 7, 2015).

[15] Alex Cox, Chris Elisan, Will Gragido, Chris Harrington, and Jon McNeill, “THE VOHO Campaign: an in Depth Analysis.” 2012. https://blogs.rsa.com/wp-content/uploads/2014/10/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf (accessed November 2014).

[16] “Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach.”

[17] “Intelligence Preparation of the Battlefield/Battlespace.”

[18] “Attributing Cyber Attacks.”

[19] “Intelligence Preparation of the Battlefield/Battlespace.”

[20] Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York City, New York: Crown Business, 2014.

[21] “Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach.”

[22] “APT1 Exposing One of China’s Cyber Espionage Units.”

[23] Ibid.

[24] Vic Hargrave, Hacker, Hacktivist, or Cybercriminal. June 17, 2012. http://blog.trendmicro.com/whats-the

difference-between-a-hacker-and-a-cybercriminal/ (accessed February 2016).

[25] Paulo Shakarian, Gerardo Simari, Geoffrey Moores, and Simon Parsons, “Cyber Attribtuion: An Argumentation-Based Approach.” 2014. https://www.academia.edu/13035248/Cyber_Attribution_An_Argumentation-Based_Approach (accessed July 2015).

[26] Microsoft. The Antivirus Defense-in-Depth Guide, Edited by Microsoft. Microsoft. August 25, 2004.

http://academy.delmar.edu/Courses/ITNW1454/Handouts/AntivirusDefenseInDepth-Chapter2_MalwareThreats.html (accessed July 15, 2015).

[27] Ibid.

[28] Dennis Distler, “Malware Analysis: An Introduction.” 2007. http://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103 (accessed July 29, 2015).

[29] “Attributing Cyber Attacks.”

[30] “The Antivirus Defense-in-Depth Guide.”

[31] Eric M. Hutchins, Michael J Cloppert, and Rohan M Ph.D. Amin, “Intelligence-Driven Computer Network Defense

Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” 2012. http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html (accessed June 2015).

[32] Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon..

[33] The Antivirus Defense-in-Depth Guide.”

[34] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.”

[35] “The Antivirus Defense-in-Depth Guide.”

[36] Ibid.

[37] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill

Chains.”

[38] The Antivirus Defense-in-Depth Guide.”

[39] Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.

[40] “Malware Analysis: An Introduction.”

[41] “The Antivirus Defense-in-Depth Guide.”

[42] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill

Chains.”

[43] Annoymous One, former federal-government employee, Interview by Harrison Kieffer. Phone interview. July 29,

2015.

[44] “The Antivirus Defense-in-Depth Guide.”

[45] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill

Chains.”

[46] “The Antivirus Defense-in-Depth Guide.”

[47] “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill

Chains.”

[48] Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.

[49] Ibid.

[50]“Urban Warfare and Lessons Learned for Cyber Operations: Developing a New Tactical Approach.”

[51] Cyber Attribtuion: An Argumentation-Based Approach.”

[52] Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.

[53] “APT1 Exposing One of China’s Cyber Espionage Units. “

[54] Mandiant, “APT-1 Exposing One of China;s Espionage Units Appendix C: The Malware Arsneal.” FireEye. February 2013. http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip (accessed November 2013).

[55] “APT1 Exposing One of China’s Cyber Espionage Units.”

[56] Ibid.

[57] “THE VOHO Campaign: an in Depth Analysis.”

[58] Ibid.

[59] Annoymous One, former federal-government employee. Interview by Harrison Kieffer.

[60] Ibid.