Crisis and Escalation in Cyberspace

Total pages: 16

File type: PDF, size: 1020 KB

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. This electronic document was made available from www.rand.org as a public service of the RAND Corporation.

Limited Electronic Distribution Rights: This document and trademark(s) contained herein are protected by law as indicated in a notice appearing later in this work. This electronic representation of RAND intellectual property is provided for non-commercial use only. Unauthorized posting of RAND electronic documents to a non-RAND website is prohibited. RAND electronic documents are protected under copyright law. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see RAND Permissions.

This product is part of the RAND Corporation monograph series. RAND monographs present major research findings that address the challenges facing the public and private sectors. All RAND monographs undergo rigorous peer review to ensure high standards for research quality and objectivity.

Crisis and Escalation in Cyberspace
Martin C. Libicki
Prepared for the United States Air Force
Approved for public release; distribution unlimited
PROJECT AIR FORCE

The research described in this report was sponsored by the United States Air Force under Contract FA7014-06-C-0001.
Further information may be obtained from the Strategic Planning Division, Directorate of Plans, Hq USAF.

Library of Congress Cataloging-in-Publication Data is available for this publication.

ISBN: 978-0-8330-7678-6

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors.

R® is a registered trademark.

© Copyright 2012 RAND Corporation

Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND documents to a non-RAND website is prohibited. RAND documents are protected under copyright law. For information on reprint and linking permissions, please visit the RAND permissions page (http://www.rand.org/publications/permissions.html).

Published 2012 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665
RAND URL: http://www.rand.org
To order RAND documents or to obtain additional information, contact Distribution Services: Telephone: (310) 451-7002; Fax: (310) 451-6915; Email: [email protected]

Preface

This report presents some of the results of a fiscal year 2011 RAND Project AIR FORCE study on the integration of kinetic and nonkinetic weapons, “U.S. and Threat Non-Kinetic Capabilities.” It discusses the management of cybercrises throughout the spectrum from precrisis to crisis to conflict. The basic message is simple: Crisis and escalation in cyberspace can be managed as long as policymakers understand the key differences between nonkinetic conflict in cyberspace and kinetic conflict in the physical world.
Among these differences are the tremendous scope that cyberdefense affords; the near impossibility and thus the pointlessness of trying to disarm an adversary’s ability to carry out cyberwar; and the great ambiguity associated with cyberoperations—notably, the broad disjunction between the attacker’s intent, the actual effect, and the target’s perception of what happened. Thus, strategies should concentrate on (1) recognizing that crisis instability in cyberspace arises largely from misperception, (2) promulgating norms that might modulate crisis reactions, (3) knowing when and how to defuse inadvertent crises stemming from incidents, (4) supporting actions with narrative rather than signaling, (5) bolstering defenses to the point at which potential adversaries no longer believe that cyberattacks (penetrating and disrupting or corrupting information systems, as opposed to cyberespionage) can alter the balance of forces, and (6) calibrating the use of offensive cyberoperations with an assessment of their escalation potential.

The research reported here was sponsored by Gen Gary North, Commander, U.S. Pacific Air Forces, and conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE. It should be of interest to the decisionmakers and policy researchers associated with cyberwarfare, as well as to the Air Force strategy community.

RAND Project AIR FORCE

RAND Project AIR FORCE (PAF), a division of the RAND Corporation, is the U.S. Air Force’s federally funded research and development center for studies and analyses. PAF provides the Air Force with independent analyses of policy alternatives affecting the development, employment, combat readiness, and support of current and future air, space, and cyber forces. Research is conducted in four programs: Force Modernization and Employment; Manpower, Personnel, and Training; Resource Management; and Strategy and Doctrine.
Additional information about PAF is available on our website: http://www.rand.org/paf/

Contents

Preface ........ iii
Figures and Table ........ ix
Summary ........ xi
Acknowledgments ........ xxiii
Abbreviations ........ xxv

CHAPTER ONE
Introduction ........ 1
  Some Hypothetical Crises ........ 2
  Mutual Mistrust Is Likely to Characterize a Cybercrisis ........ 5
  States May Have Room for Maneuver in a Cybercrisis ........ 10
  A Note on Methodology ........ 16
  Purpose and Organization ........ 17

CHAPTER TWO
Avoiding Crises by Creating Norms ........ 19
  What Kind of Norms Might Be Useful? ........ 20
    Enforce Laws Against Hacking ........ 20
    Dissociate from Freelance Hackers ........ 22
    Discourage Commercial Espionage ........ 23
    Be Careful About the Obligation to Suppress Cybertraffic ........ 24
  How Do We Enforce Norms? ........ 24
  Confidence-Building Measures ........ 26
  Norms for Victims of Cyberattacks ........ 28
  Norms for War ........ 29
    Deception ........ 30
    Military Necessity and Collateral Damage ........ 31
    Proportionality ........ 33
    Reversibility ........ 35
  Conclusions ........ 36

CHAPTER THREE
Narratives, Dialogue, and Signals ........ 39
  Narratives to Promote Control ........ 40
  A Narrative Framework for Cyberspace ........ 41
  Victimization, Attribution, Retaliation, and Aggression ........ 44
    Victimization ........ 45
    Attribution ........ 46
    Retaliation ........ 47
    Aggression ........ 49
  Emollients: Narratives to Walk Back a Crisis ........ 50
    “We Did Nothing” ........ 51
    “Well, At Least Not on Our Orders” ........ 54
    “It Was an Accident” ........ 57
    “This Is Nothing New” ........ 58
    “At Least It Does Not Portend Anything” ........ 60
    Broader Considerations ........ 61
  Signals ........ 62
    Ambiguity in Signaling ........ 65
    Signaling Resolve ........ 67
    Signaling That Cybercombat