computer network exploitation
Recently Published Documents


Total documents: 7 (five years: 1)
H-index: 1 (five years: 0)

2021, Vol 10 (1), pp. 14
Author(s): Antonio Villalón-Huerta, Ismael Ripoll-Ripoll, Hector Marco-Gisbert

Destructive and control operations are today a major threat for cyber physical systems. These operations, known as Computer Network Attack (CNA), and usually linked to state-sponsored actors, are much less analyzed than Computer Network Exploitation activities (CNE), those related to intelligence gathering. While in CNE operations the main tactics and techniques are defined and well structured, in CNA there is a lack of such consensuated approaches. This situation hinders the modeling of threat actors, which prevents an accurate definition of control to identify and to neutralize malicious activities. In this paper, we propose the first global approach for CNA operations that can be used to map real-world activities. The proposal significantly reduces the amount of effort needed to identify, analyze, and neutralize advanced threat actors targeting cyber physical systems. It follows a logical structure that can be easy to expand and adapt.


Author(s): Ben Buchanan

This chapter examines defensive cyber operations in a fashion similar to kill chain analysis. It presents an outline of how baseline network defense is done, and what technologies and techniques contribute to that mission. This includes memory forensics, penetration testing, and incident response. It shows as well how those efforts are likely to be insufficient, and how advanced states have an incentive to go further and intrude into other states’ networks for defensive reasons—operations that are sometimes called counter-computer network exploitation. It is these intrusions, which are genuinely defensive, that can be misperceived and interpreted as offensive intrusions—leading to a cycle of escalation.


Cyber Warfare, 2014, pp. 169-179
Author(s): Jason Andress, Steve Winterfeld

2013, Vol 3 (3), pp. 49-71
Author(s): T. J. Grant

Since 2008, several countries have published new national cyber security strategies that allow for the possibility of offensive cyber operations. Typically, national strategies call for the establishment of a cyber operations unit capable of computer network defence, exploitation, and, in some nations, attack. The cyber operations unit will be manned by professionals and operate under government authority compliant with national and international law. Our research focuses on offensive cyber operations (i.e. computer network exploitation and attack). The cyber unit must be provided with the right resources, in the form of accommodation, computing and networking infrastructure, tools and technologies, doctrine, and training. We contend that the open literature gives an unbalanced view of what tools and technologies a professional group needs because it emphasizes malware and, to a lesser extent, the delivery media used by cyber criminals. Hence, the purpose of this paper is to identify systematically the tools and technologies needed for professional, offensive cyber operations. A canonical model of the cyber attack process was obtained by rationally reconstructing a set of existing attack process models found in the literature. This canonical model was formalized using Structured Analysis and Design Technique (SADT) notation, in which processes are logically linked by inputs, outputs, controls, and mechanisms. A set of tools and technologies was extracted from the mechanisms. The canonical model and set of tools and technologies have been checked by subject matter experts.


Cyber Warfare, 2011, pp. 155-166
Author(s): Jason Andress, Steve Winterfeld
