Shifting Gears in Cyberspace: Attack Modelling and Intellectual Property Breach
Updated: Feb 15
Cybersecurity encompasses everything that pertains to protecting and preserving critical infrastructure, ranging from intelligence and technology to private information. Digitalization has reached almost every sector; it has not only provided society with countless benefits but has also opened the gates to innumerable cyber attacks and privacy invasions that can paralyze an entire entity. This article discusses the nature of the cyber attacks ongoing today and highlights the importance of adopting a proactive approach to cybersecurity.
Even weeks after the US government announced that multiple federal agencies had been targeted by a sweeping cyber-attack on SolarWinds software, the full scope and consequences of the suspected Russian hack remain unknown. The Guardian noted that key federal agencies, ranging from the Department of Homeland Security to the Energy Department, which oversees America’s nuclear weapons arsenal, were reportedly targeted. Also victimized were powerful tech and security companies, including Microsoft. Investigators are still trying to determine what information the hackers might have stolen and how they might exploit it. This recent attack exposes the enormous cybersecurity challenges the world currently faces. Cybersecurity is defined as the protection and preservation of critical infrastructure, ranging from intelligence and technology to private communications and metadata. In addition, cybersecurity is an important consideration for privacy and digital security and can also serve to protect valuable intellectual property. Complicating matters, state and non-state actors continue to invest in asymmetric cyber-warfare in the hope of preserving strategic gains. The SolarWinds hack is just one example.
Some of the first instances of security exploits can be traced back to telephone communications in the early 1960s and 70s. Telephone signals were sent through copper lines, which could be tapped, allowing the tapper to listen to conversations. Once computers became more accessible, threats like network breaches and malware attacks became widespread. And as technology advances, cyber attackers look for new opportunities to exploit. Cyber actors and groups are constantly networking, researching modes to disrupt operations, and testing new tactics, techniques, and procedures.
The Washington Post created a timeline of internet security to show the history of significant cyber-attacks and developments in the cybersecurity sector. The first computer virus, the Creeper Virus of 1971, brought the somewhat hidden realm of computer viruses into the headlines. Since then, the number of large-scale attacks has been increasing both in magnitude and diversity. Instances such as the Morris worm and Sircam have been attributed to private entities, while several government-sanctioned operations bring geopolitical complexity to the discussion.
Impact of COVID-19 on Cyberspace
The pandemic has had an immense impact on our lives. It has forced people and organizations to adjust to the so-called “new normal,” which frequently involves remote working and learning. With the world's governments scrambling their critical resources and attention to cater to the health crisis and economic downturn, various actors in cyberspace are capitalizing on this crisis. Several governments have reported a spike in phishing, ransomware, and malspam attacks; the targets are not limited to governments but also include businesses and end-users.
The transition from physical to digital operation has mostly been phased and well-planned, but the pandemic jump-started this transition on an unprecedented scale. This enormous shift exposed previously latent vulnerabilities. Exacerbating the situation, the security teams' operations have been impacted, which has attenuated their detection and response capabilities. The world needs a comprehensive post-COVID-19 cybersecurity posture to respond to this growing area of concern.
Cyberattacks can be categorized based on taxonomic factors. Because of the multidimensional nature of these attacks, a particular instance can belong to several categories from different taxonomic branches. Figure 1 details the various categories of cyberattacks.
Various Categories of Cyber Threats
Attack Modelling Techniques
Understanding attack models provides more insight into network vulnerabilities, and such insights can be used to predict potential attacks and to protect against them. Attack modelling enables advanced planning, which can be implemented rapidly during an ongoing attack event. Many researchers and experts are engaged in threat modelling to estimate cyber intrusions/attacks on computer networks and to provide the groundwork for future defense systems in cyberspace. These defense systems essentially depend on an understanding of the network, the rationale behind the attack, the method of attack, and the security vulnerabilities. Analysts use a myriad of modelling techniques to assess instances of cyber-attacks. These include, but are not limited to: tree/attack graph, kill chain, attack surface, Diamond model, attack vector approach, and the Open Web Application Security Project (OWASP) threat model. Let’s explore three of the most common attack modelling techniques: Diamond modelling, kill chain modelling, and the attack graph technique.
The Diamond modelling technique is a unique cyber-attack analysis model in which the perpetrator is modelled as attacking the system based on two key goals, rather than as following a designated series of steps as in the attack graph technique or in kill chain modelling.
The Diamond Model comprises four fundamental components: "adversary" (perpetrator), "capability," "infrastructure," and "victim." The adversary is defined as an individual actor (or a group of actors) who attacks a victim after assessing their "capability" against the "victim." The attack is initiated by the perpetrator without a complete understanding of the active or passive defenses of the victim’s system. After inspecting the potential resources of a victim, the perpetrator concludes whether he/she has the capability to attack. The Diamond model is pivotal for combating advanced attackers, such as those who have gained some degree of command or management over the network. Further, the perpetrator also assesses their own infrastructure, namely the technical and logical ability to direct and manage the host's network.
Diamond Attack Modelling
Additionally, features like "phases," "time-stamp," "directions," "methodology" and "resources" can provide additional details to a model. During a breach, the Diamond model identifies phases using a timestamp. Elements of the model can be located within figure 2, which shows that the perpetrator searches for a chance to attack a host based on "capability" or "infrastructure."
Kill Chain Modelling
The US Department of Defense has defined the kill chain technique for an attack on a target, dividing the kill chain into five stages: "find, fix, track, target and assess." The kill chain has been applied in alternative areas, including cybersecurity, where it is used to describe attack levels within a countermeasure system. Applied in this way, the technique leads to the description of the kill chain as a seven-step operation, which can be represented as:
● Phase 1: Probing | "Reconnaissance"
● Phase 2: Armament | "Weaponization"
● Phase 3: Distribution | "Delivery"
● Phase 4: Abuse | "Exploitation"
● Phase 5: Establishing | "Installation"
● Phase 6: Directive | "Command and control"
● Phase 7: "Action on objectives"
The model below represents a common attack modelling technique for intrusion, which interprets an attack as a series, or an ordered chain, of actions. It is an ordered attack; that is, the assailant follows a chain of events, progressing according to a plan.
Kill Chain Attack Modelling
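The Diamond Model and the kill chain above are usually combined in practice: each observed event is recorded as a diamond (adversary, capability, infrastructure, victim) with the kill chain phase and a timestamp as meta-features, and the analyst then pivots across shared vertices and orders the events of one victim into an activity thread. The following example illustrates both sections; it is added here and is not code from the article. The events, host names, the "GROUP-X" adversary label and the pivot-by-shared-vertex linking rule are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# The seven kill chain phases in the order the article lists them.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and control", "Action on objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}
CORE_VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: the four core vertices plus two meta-features."""
    event_id: str
    adversary: str        # "unknown" until attribution succeeds
    capability: str       # tool or technique observed
    infrastructure: str   # host or domain the capability came through
    victim: str           # affected asset
    phase: str            # kill chain phase (meta-feature)
    timestamp: int        # constructed epoch seconds (meta-feature)


# Constructed sample events: an intrusion on workstation-7 with an unknown
# adversary, plus one older event (E5) whose adversary was already attributed.
EVENTS = [
    DiamondEvent("E1", "unknown", "port scan", "203.0.113.5", "web-01", "Reconnaissance", 100),
    DiamondEvent("E2", "unknown", "phishing email", "mail-relay.example", "workstation-7", "Delivery", 200),
    DiamondEvent("E3", "unknown", "macro dropper", "mail-relay.example", "workstation-7", "Exploitation", 210),
    DiamondEvent("E4", "unknown", "beacon", "c2.example", "workstation-7", "Command and control", 400),
    DiamondEvent("E5", "GROUP-X", "beacon", "c2.example", "workstation-9", "Command and control", 500),
]


def pivot(events: List[DiamondEvent], seed: DiamondEvent, vertex: str) -> List[str]:
    """Analyst pivot: ids of other events that share one core vertex with the seed."""
    if vertex not in CORE_VERTICES:
        raise ValueError(f"pivot vertex must be one of {CORE_VERTICES}")
    value = getattr(seed, vertex)
    return sorted(e.event_id for e in events
                  if e.event_id != seed.event_id and getattr(e, vertex) == value)


def activity_thread(events: List[DiamondEvent], victim: str) -> List[DiamondEvent]:
    """All events against one victim, ordered by kill chain phase, then by time."""
    thread = [e for e in events if e.victim == victim]
    return sorted(thread, key=lambda e: (PHASE_INDEX[e.phase], e.timestamp))


def phase_gaps(thread: List[DiamondEvent]) -> List[str]:
    """Phases with no observed event: where evidence is missing or detection came late."""
    seen = {e.phase for e in thread}
    return [p for p in KILL_CHAIN if p not in seen]


def linked_adversaries(events: List[DiamondEvent], seed: DiamondEvent) -> List[str]:
    """Walk pivots on shared infrastructure or capability (constructed linking rule)
    and collect every named adversary reachable from the seed event."""
    seen = {seed.event_id}
    queue = [seed]
    names = set()
    while queue:
        cur = queue.pop()
        if cur.adversary != "unknown":
            names.add(cur.adversary)
        for e in events:
            if e.event_id in seen:
                continue
            if e.infrastructure == cur.infrastructure or e.capability == cur.capability:
                seen.add(e.event_id)
                queue.append(e)
    return sorted(names)


if __name__ == "__main__":
    thread = activity_thread(EVENTS, "workstation-7")
    print("thread:", [e.event_id for e in thread])
    print("gaps:", phase_gaps(thread))
    print("pivot on infrastructure from E4:", pivot(EVENTS, EVENTS[3], "infrastructure"))
    print("linked adversaries for E4:", linked_adversaries(EVENTS, EVENTS[3]))
```

The thread for workstation-7 comes out as E2, E3, E4 with Reconnaissance, Weaponization, Installation and Action on objectives unobserved; the pivot from E4 on shared infrastructure reaches E5 and so attaches the previously attributed adversary. The gaps are the useful output for a defender: each one is a phase where either evidence should be hunted for or detection coverage is missing.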
Attack Graph Technique
Attack graphs are abstract flowcharts used to assess and map an attack process during an attack. This modelling paradigm is derived from a tree-like graph in which children on many levels share a single root. The attack graph technique is among the conventional and widely used means of discovering system vulnerabilities, and it is extremely helpful in developing effective security tools by examining the structure of a specific network, such as a private network employed by a company.
The attack graph is primarily comprised of nodes (representing at least one electronic device) and may become complicated when interacting with a particular attack case. Complex attack graphs are computationally challenging to model and to understand. They may contain thousands of nodes and myriad paths. This computational impediment makes it tedious for analysts to use attack graphs to model more complex attacks.
There is a plethora of tools and paradigms that generate attack graphs. These include techniques like Topological Analysis of Network Attack Vulnerability (TVA), Network Security Planning Architecture (NETSPA), and Multihost, Multistage, Vulnerability Analysis (MULVAL). These techniques help us draw coherent attack graphs to ascertain the rationale behind an attack instead of simply answering the question of how the attack happens. The central goal of an attack graph is to understand the path attackers take to get into the host's network. Attack graph techniques facilitate the identification of intrusions and vulnerabilities of the system. An example of an attack graph is demonstrated below.
Attack Graph Modelling
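The defensive value of an attack graph is that, once the paths from an entry point to a critical asset are enumerated, one can ask which vulnerabilities lie on the most paths and which smallest set of fixes closes every path. The example below does exactly that on a small constructed graph; it is added here and is not the article's code nor output of TVA, NETSPA or MULVAL. The hosts and the vulnerability ids V1 to V6 are placeholders, not real findings or CVEs, and the hitting-set search is a brute-force routine that is fine at this size but not meant for the thousands-of-nodes graphs the text mentions.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed attack graph: each node is a host the attacker controls, each edge
# (next_host, vuln_id) is a placeholder vulnerability that lets control move on.
ATTACK_GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "internet": [("web", "V1"), ("vpn", "V5")],
    "web": [("app", "V2"), ("db", "V3")],
    "vpn": [("app", "V6")],
    "app": [("db", "V4")],
    "db": [],
}


def all_paths(graph: Dict[str, List[Tuple[str, str]]], start: str, goal: str) -> List[List[str]]:
    """Enumerate simple paths from start to goal; each path is its list of vulnerability ids."""
    paths: List[List[str]] = []

    def dfs(node: str, visited: Set[str], labels: List[str]) -> None:
        if node == goal:
            paths.append(list(labels))
            return
        for nxt, vuln in graph.get(node, []):
            if nxt in visited:          # keep paths simple (no cycles)
                continue
            visited.add(nxt)
            labels.append(vuln)
            dfs(nxt, visited, labels)
            labels.pop()
            visited.remove(nxt)

    dfs(start, {start}, [])
    return paths


def exposure(paths: List[List[str]]) -> Dict[str, int]:
    """How many attack paths each vulnerability lies on; a crude patch-priority score."""
    counts: Dict[str, int] = {}
    for p in paths:
        for v in set(p):
            counts[v] = counts.get(v, 0) + 1
    return dict(sorted(counts.items()))


def minimal_fix_sets(paths: List[List[str]]) -> List[Tuple[str, ...]]:
    """Smallest sets of vulnerabilities whose removal breaks every path
    (exact minimum hitting set by brute force; exponential, for small graphs only)."""
    vulns = sorted({v for p in paths for v in p})
    for k in range(1, len(vulns) + 1):
        hits = [c for c in combinations(vulns, k)
                if all(set(c) & set(p) for p in paths)]
        if hits:
            return hits
    return []


def remaining_paths(graph: Dict[str, List[Tuple[str, str]]], start: str,
                    goal: str, fixed: Set[str]) -> List[List[str]]:
    """Paths still open after the vulnerabilities in `fixed` have been patched."""
    pruned = {n: [(m, v) for m, v in edges if v not in fixed] for n, edges in graph.items()}
    return all_paths(pruned, start, goal)


if __name__ == "__main__":
    paths = all_paths(ATTACK_GRAPH, "internet", "db")
    print("paths to db:", paths)
    print("exposure:", exposure(paths))
    print("minimal fix sets:", minimal_fix_sets(paths))
    print("open after fixing V1:", remaining_paths(ATTACK_GRAPH, "internet", "db", {"V1"}))
```

On this graph three paths reach the database, V1 and V4 each sit on two of them, and no single fix closes everything; the smallest complete fixes are pairs such as V1 with V4 or V3 with V4. Which pair to choose is then a cost question (patch effort, downtime), which is exactly the decision the graph is meant to inform.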
Cost of Intellectual Property Breach: Insight
To illustrate the importance of cybersecurity, we present a hypothetical case study. Let us consider the case of an information technology company named Thing of Things. The company, based in the United States, has roughly 50,000 employees and is worth approximately $40 billion USD. This company's primary area of operation is developing software-based management tools for a myriad of IoT technologies. It has a profit margin of roughly 12% and has made significant advances in intellectual property through its research and development division.
Six months before the release of the software, the company is notified by a federal agency of a cyber breach at one of its innovation centers. The relevant product was expected to contribute to 25% of total revenue over the next five years. This newfound information has exposed a vulnerability in their entire security system, and although the attackers' intentions are unknown, they represent a threat to both the company's existing technologies and to the new product.
Further, an investigative media outlet reported that the attackers are attempting to reverse engineer the network-based product, potentially destroying the market for the software – software on which Thing of Things invested millions of dollars in development.
The cost of a breach of this nature is enormous and perhaps non-obvious, and includes the price of the loss of the compromised intellectual property, the disruption to operations, lost contracts, increased insurance premiums, tarnished trade name, and lost investor confidence. This analysis, based on the 14 qualitative factors of Deloitte estimates, determines the cost of this breach to be approximately $3.2 billion, as identified in figure 5.
Estimated losses of ABC
The question we now face is whether the elements of this case study are valid. The fact remains that we have numerous examples of how security breaches in or via IoT devices have been orchestrated. One real-life example, titled "The Big Hack," was featured in Bloomberg Businessweek in its October 2018 edition. This report highlighted how a China-based motherboard manufacturer compromised the entire security infrastructure of a major US firm by using a malicious chip that was masked as a signal conditioning unit. That chip had the power to change the system commands and receive instructions from an external source. The report triggered a heated debate regarding IP breach and cybersecurity while underscoring the vulnerabilities we have in our current devices.
However, this is not an isolated event. The Annual Cybercrime Report (ACR) from Cybersecurity Ventures estimated that the cost of cybercrime-related damages will reach $6 trillion USD by the year 2021. It has nearly doubled since the year 2015, when it was approximately $3 billion USD. Ransomware damages alone amount to $20 billion USD globally. These figures reflect the large threat we face in the realm of cybersecurity. These statistics demonstrate the sheer scale of the damages and highlight the importance of adopting a proactive approach to cybersecurity.
Digitalization provides countless benefits to society, but it is also a double-edged sword: as the US Deputy Secretary of Defense has emphasized, ‘In the 21st Century, bits and bytes can be as threatening as bullets and bombs.’ In fact, the more digitally reliant an entity is, the more vulnerable it is to cyber-attacks: if computer networks become the society’s ‘nerve system’, incapacitating them may mean paralyzing the entity. Hence, modelling and analysis of cyber-attacks enables us to prepare for and possibly avert future ones, as the findings from these models enable the development of advanced intrusion detection systems and associated cybersecurity software.