Cyber Espionage

Introduction

The cyber espionage threat is real. Because the cost of entry into the Internet realm is low, any curious or incentivized person can steal secret information from any private computer network. If a spy steals proprietary knowledge of a private company's innovative product research and development, that data holds a high monetary value, reportedly billions of dollars, to an industry competitor (Epstein, 2008). If the stolen information is sensitive to national defense or national strategy decision-making, then its value is arguably immeasurable. A consistently effective defense against cyber espionage requires a consistently effective way to identify it. While there are methodologies to detect facets of cyber espionage, there is no formal approach for identifying cyber espionage as a stand-alone network event classification in its own right (Wall, 2007, 80).

This paper proposes a new approach that synthesizes current cyber warfare detection and analysis techniques in a framework to holistically identify malicious or suspicious network events as cyber espionage. Because of the myriad network attack methods and traditional espionage techniques, this paper cannot comprehensively address every technique that a cyber spy would employ to achieve his mission (e.g., insider threat or physical access). Instead, the paper focuses on the most common method of performing cyber espionage from a remote location outside the victims' local network. Historically, the most common method for infiltrating a network for this purpose is targeted spear-phishing emails with malicious file attachments. Both the emails and the attachments are products of effective social engineering methods that tailor the content to the recipients of the emails. When an unsuspecting, targeted user opens the attachment, the malware, and with it the cyber spy, establishes a foothold on the computer and the affected network (Epstein, 2008, 100).

The spy can then use his specialized malware to search for compelling data on the victim computer and network and exfiltrate this potentially sensitive data from the victim network to a place of his choosing. The synthesis approach and decision-making framework proposed in this paper allow a network defender to correctly identify this kind of targeted cyber espionage event. If this methodology is to catch cyber spies targeting specific victims, then the detection approach must look at each malicious activity (i.e., network infiltration, malware installation, and data exfiltration) within the context of the whole espionage event. This approach does not attempt to introduce new ways to detect network attacks, malware infections, or data exfiltration beyond the bounds of the current field of research. Rather, the current detection methods are integrated in a new way that yields a synthesis approach to categorizing cyber espionage events. The paper first discusses techniques to detect each of the spy's three steps to espionage success, and then explains the synthesis approach and the resulting framework (Steve, 2009, 21).
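A sketch of what judging each activity "within the context of the whole espionage event" can look like for a defender, added here as an illustration and not taken from the paper, whose actual framework is not reproduced on this page. The stage labels, host names, sample alerts and the seven-day correlation window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The three activities the paper names, in the order a remote spy performs them.
STAGES = ("infiltration", "malware_install", "exfiltration")

# Constructed sample alerts (host, stage, time, detail); hosts and details are hypothetical.
ALERTS = [
    ("ws-014", "infiltration", "2024-03-04T09:12:00", "mail gateway flagged attachment"),
    ("ws-014", "malware_install", "2024-03-04T09:15:30", "new unsigned binary runs at logon"),
    ("ws-014", "exfiltration", "2024-03-05T02:40:00", "large upload to unfamiliar host"),
    ("ws-022", "exfiltration", "2024-03-04T11:00:00", "large upload to unfamiliar host"),
    ("ws-031", "infiltration", "2024-03-01T08:00:00", "mail gateway flagged attachment"),
    ("ws-031", "malware_install", "2024-03-20T08:00:00", "new unsigned binary runs at logon"),
]

def find_chain(events, window):
    """events: time-sorted (time, stage) pairs for one host.
    Return the times of an in-order chain of all STAGES inside window, else None."""
    for i, (start, stage) in enumerate(events):
        if stage != STAGES[0]:
            continue
        chain = [start]
        for ts, st in events[i + 1:]:
            if ts - start > window:
                break  # too far from this infiltration to be the same event
            if st == STAGES[len(chain)]:
                chain.append(ts)
                if len(chain) == len(STAGES):
                    return chain
    return None

def classify(alerts, window=timedelta(days=7)):  # 7 days is an assumed window
    """Return {host: verdict}, judging each alert in the context of the others."""
    by_host = defaultdict(list)
    for host, stage, ts, _detail in alerts:
        by_host[host].append((datetime.fromisoformat(ts), stage))
    verdicts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        if find_chain(events, window):
            verdicts[host] = "cyber espionage"
        else:
            seen = [s for s in STAGES if any(st == s for _, st in events)]
            verdicts[host] = "isolated: " + "+".join(seen)
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(ALERTS).items()):
        print(host, verdict)
```

Only the host where all three stages occur in order inside the window is classified as cyber espionage; the other hosts keep their individual alerts, which are still worth triaging on their own.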

Network infiltration detection

Intrusion detection helps us answer the question: “Is there a malicious intrusion into the network?” Because there are countless manual and automated mechanisms to identify suspicious network behavior, this section will only discuss ...