Cyber Security: The Anatomy of a Cyber Intrusion

Compromising the cyber integrity of the network threatens every user and every system on your ship or in your building. Violating security best practices, circumventing security policies, carelessness and falling victim to social networking exploits opens the door to cyber adversaries who can exploit vulnerabilities which may directly impact our Navy's warfighting capability and potentially threaten our lives.

Cyber foes are no longer just recreational hackers in pursuit of bragging rights. They are cyber-criminals, cyber-terrorists and nation-states who are in constant pursuit of access to our systems. They can corrupt our Navy's data, shut down our networks and business systems, steal our science or technology and compromise the systems that run our ships, aircraft and weapons-at keystroke speeds.

Each of us stands guard on our Navy's Digital Quarterdeck. To improve our Navy's cybersecurity and successfully detect, prevent and resolve cyber persistent threats, you need to understand important stages of how adversaries can compromise our defenses.

Stage 1 Recon
During cyber adversary work-up periods, adversaries learn about the vulnerabilities of their target. Prior to an incident, they will gather information about the targeted networks, their systems, personnel, logistics and warfighting capabilities. They will employ many techniques, but interacting with their targets online is often the easiest method due to the volume of freely accessible information posted to popular social networking, media and web sites. Well-known, highly successful techniques to gain initial network access include:

*    Social Engineering and Complacency - Adversaries rely on human interaction and are often successful due to their victims violating established security policies and procedures. Their goal is to get you to relax your vigilance to the point where you feel comfortable or compelled into surrendering personal or confidential information. This information could enable them to access sensitive data without your knowledge. Cyber criminals might trick you into visiting a webpage or plugging an unauthorized device (USB memory stick, CD/DVD, hard disk drive, cell phone charger, gaming console) containing malicious code into a computer on the network. By successfully piggy-backing through personnel checkpoints, thereby obtaining physical/close access to our networks, bad actors can also connect these devices to our workstations themselves.

*    Phishing ("fishing") Email - Although known by many names depending on the targets and medium used, adversaries will send what appears to be a legitimate business or trustworthy e-mail from someone you know. It will contain a sense of urgency and a web site link in the body or in an attachment. By clicking on the link, opening the attachment, or visiting a referenced web site, you might be directed to a realistic but fraudulent website that may prompt you to provide credentials, financial information or Personally Identifiable Information (PII). Alternately, you might be directed to another web site where additional bad software (malware) will be deployed onto your now compromised computer. Once the adversary owns your computer, you may be actually forwarded to the real site and you will never suspect a problem.

*    Watering Hole - Adversaries will target specific interest groups or organizations. They profile victims and observe the kind of websites they visit or the social media circles they frequent. Then, identify a vulnerability on one of those websites, compromises the legitimate site and wait silently for victims. Users who visit a watering hole site are stealthily redirected to another site and exploited by the adversary through the implanted malware. The computer is now compromised and often the victim will never see the incident.

Stage 2 Intrusion and Enumeration
As a result of falling victim to social engineering tactics, complacency, poor judgment, disregard for mandatory policy or unauthorized computer use, the network is now compromised - Set Cyber General Quarters! On your watch, the adversary has gotten past your digital quarterdeck. Once inside the network, a stealthy intruder will blend in with normal traffic, making detection very difficult.

Similar to the recon of the network's perimeter for access points, the adversary now begins identifying existing security flaws within the network's lifelines. Intruders will covertly deploy their cyber tools. Software will be used to probe computers, identify vulnerabilities and scan the environment to put together a cyber map for better understanding your network terrain. If it has power and it communicates, it is probably accessible.

Stage 3 Malware Insertion and Lateral Movement
Adversaries will establish persistence by creating additional points of presence throughout your network by using software such as remote access Trojans (RAT), which are more commonly known as backdoors. They will attempt to move laterally, spreading across the network and hiding in the deepest areas in the network while lying dormant. Other adversaries will implant software that captures key strokes and grabs passwords, which helps them crack accounts that give them more privileges on your network and get the keys that will give them access to mission critical information, sensitive data, valuable intellectual property or warfighting/platform control systems.

Once the intruder has persistent presence, they can degrade or disrupt network activity at whim. Determining the full scope of an intrusion can take months to years, and we can never fully guarantee that all backdoors and other software have been completely removed.

Stage 4 Data Exfiltration
The hull has been breached. The digital integrity of the network has been fully compromised. Once an adversary determines that they have established reliable network access, they can move sensitive information to an outside location. Even though files and passwords are often encrypted, encryption can be cracked outside of the compromised environment. When that happens, intruders can then identify alternate targets and re-engage, or use the information obtained to go after another victim.

Stage 5 Clean Up
The final step of a cyber incident is for the intruder to clean up. Some merely disconnect, unconcerned that the victim may eventually find out what happened. Other more sophisticated actors will attempt to rid all systems in the network of any forensic evidence or trail of compromise. The intruder will delete data, over-write data, remove implanted files, clean up event logs, deactivate alarms, roll back software updates, delete backups or erase hard drives. Their goal throughout the entire incident is to erase any trace that the incident ever happened or make it look like a computer glitch while maintaining backdoors they can revisit at any time to exploit our systems further.

Each of us is on the front line of the cyber warfighting domain. We are all sentries guarding a potential entry point on the perimeter of the Navy's network and are charged with the defense of our information systems' warfighting capability. Each of us has a finger on the keyboard and mouse and it only takes one lapse of judgment, mistake or a one click misfire to give it all away. You are our greatest asset, and our greatest vulnerability.

No matter what the intent, whether financial, to steal intellectual or state secrets, or install malicious software that will be activated during the next conflict, our cyber adversaries are determined, intelligent and have little chance of being identified and little concern about reprisal.

Cyber threats are real. Traditional cybersecurity measures, such as defense-in-depth, firewalls and antivirus, cannot protect against the human element of advanced persistent threats. However, you can. Do not engage in practices dangerous to our Navy's cybersecurity. The CNO has made it clear that "cybersecurity is a commander's business" and requires all hands to keep the Navy and our nation safe. It's important that each of us treat our network as the weapon system.

The mission of Navy Cyber Defense Operations Command is to coordinate, monitor and oversee the defense of Navy computer networks and systems and to be responsible for accomplishing Computer Network Defense (CND) missions as assigned by Commander, U.S. 10th Fleet and Commander, U.S. Cyber Command.