How do you wage cyber warfare? How do you make a world wide reach? What does it look like? What can we count on for results? All of these questions are part of the process of designing and implementing a cyber warfare solution. A large part of this solution is a superior level of technical sophistication. Throughout this over view the reader should readily assume two principles are required: 1) Stealth, the system should be hidden amongst the noise; 2) Resilient, the system should be able to withstand attack and respond in kind. Through a series of diagrams this will be a quick overview of the infrastructure to wage cyber warfare. Should any funding agencies want to fund it about 10 million USD should do it, the funds will be tax deductible too.
The overall architecture is similar to how a botnet is run. However, instead of parasitic each system is in a data center and serves as a simple web server for a dummy corporation or some other form of cover. A centralized command and control node provides updates and secure links. The preferred method for communication between nodes is through a proxy system so that direct communication does not expose the network. There are a variety of ways including IRC, file drops, and other ways to coordinate communication. A simple but key way to do this effectively would be to set up N*N-N=P proxy nodes similar to The Onion Routing network. Where N is the number of sentinels multiplied by itself subtracting the targeted number of sentinels to give the number of proxies for a good obscuration layer.
The plan would be to install the sentinel and centurion nodes around the world so that each was provided ready access to the surrounding environment. With a deep penetration into the general computing environment these ticking time bombs would extend an adversarial push into the cyber landscape. Cloaked as web servers or mail servers and purchased by shell companies a nation state could for the cost of a few large trucks monitor large segments of the Internet silently. Another method would be to create an install package of the sentinel and silently install it like malware on servers and hitchhike to total information awareness. This is much like how a zombie or botnet works.
There are of course issues with this architecture. It is not easy to do. There is significant cost to accomplish this task. It would require significant capital to hide. From a corporate espionage effort it would be nearly trivial. The programming required is nearly trivial.
A key to this architecture is how datacenters often place computers within their confines. In many cases equipment managed by the customer will be placed higher in the network than the virtual shared hosting servers. If it isn’t placed nearer the core distribution network it can often be requested if the server is running time sensitive or other delay sensitive protocols. If you look at the infamous AT&T fiasco one part of that architecture for the NSA spying was about re-directing traffic through taps so that deep packet inspection could be accomplished. If any of this is true the architecture of many-many small commodity computers in the Internet attempts to address that limited AT&T style system by saturation versus direction. It is an open model.
The centurion nodes can be used for active attack. They receive information from the command and control systems to activate. They can be hidden amongst the noise of the Internet quite easily. A nice architecture is to deploy them with a virtual machine running a web server in a fairly well protected environment. That can be tossed away and underlying hostile game engine based artificial intelligence engine can take in inputs from command and control and instigate hostile action. There may be other ways that work better but my understanding is that game engine AI has been used with rule sets (databases of actions) to run strategic/tactical scenarios in the real world. When we’re talking about game engine AI we’re talking about the strategy component not just the rendering component. Using a relational database of vulnerabilities and exploits along with known information about targets best guesses on attacks can be made by the AI very quickly.
Now imagine that in thousands of machines across the world attacks are generated against millions of targets every few seconds. At some point we come down to the law of averages. Even if small percentages of the exploits work the damage could be extensive. Which starts to raise the specter of another issue with this architecture. It will be detected. The equipment will be traced back to the purchasers. There is relatively little anonymity if the purchasers can be tracked down. Attribution is possible. There could be a significant response against an attacker. Which is why we talk about hiding these on other peoples processors (OPP). If an organization considers over a period of months or even years rooting and then installing hidden partitions or processes the use of OPP makes sense. If this can be infected into the production life cycle of computers being manufactured as a systemic exploit even better.
One point that should become obvious is that systemic exploits take time to propagate fully into the technology ecosystem. Infecting the supply chain by an adversary can take place even years before the actual exploits are implemented or used. In an interesting twist it could be easily argued that patience increases capability. The further up the supply chain that exploits are engineered the more likely they are to succeed undetected. Patience for the propagation of an exploit through this method is further assured by unitized commoditization of black box units as they are sold across the enterprise. In simple terms, little components become bigger components, that become equipment and nobody is checking their suppliers up the supply chain because they are incentivized to watch their buyers and commerce down the chain. You pay people up the supply chain, and get paid (fed, housed, etc..) by people down the supply chain. For those few companies who do look up the supply chain for threats it is to insure they get more stuff, rarely to insure quality, and even more rarely to look at specifications. Once that supply is rolling changes are supposed to be detected but often are missed. Tampering with chips according to one IEEE article is nearly impossible to detect.
This all leads to another way to implement the architecture using OPP and conversely making them pay for it. The barrier to entry decreases again. Patience is rewarded and the sheer scope of the possible attacks increases dramatically. This blog post started out as a thought exercise on my part and though it rambles a bit was meant to look at how to build an attack architecture using current day tools. I wanted to walk through an architecture that at least made passable sense, identify holes in the theory and then attempt to patch a few of those holes. The overall goals were to provide a networked attack tool for attacking a network. Critical vulnerabilities exist in this architecture like the obvious centralized command and control node. There is no reason it has to be centralized.
In some ways this network architecture is a metaphor for how a cyber command for personnel should be organized. A networked structure in some cases installed and working behind obscurity or even better living with the people. In some cases working in the open as wholly owned entities. Sometimes working as listeners evaluating risks and collecting information for future attacks. Then there are the attackers fewer in number but prepared to take action when told to. A command to attack is a command by intention diffused through the network rather than an operational order to a specific entity. The rules already in place would direct what those actions would be through previous preparations. In some cases the cyber command would be housed using other peoples premises (OPP2). All the same risks exist in the network architectures but it makes more sense than the hierarchical beast that has been suggested.