Active offensive cyber situational awareness: theory and practice

Abstract

There is an increasing gap between the progress of technological systems and the successful exploitation of these systems through cyber-attack. Whilst the mechanism and scope of cyberspace is progressing with each passing day, risk factors and the ability to process the required amount of data from cyberspace efficiently are proving to be major obstacles to achieving desired outcomes from cyber operations. This, coupled with the dramatic increase in the numbers of cyber attackers, who are constantly producing new ways of attacking and paralysing cyber systems for political or financial gain, is a critical issue for countries that have linked their major infrastructures with Internet applications. The defensive methods currently applied to counter these evolving attacks are no longer sufficient, due to their preventive and reactive nature. This research has developed a new Active Situational Awareness theoretical model for Active Defence that aims to enhance the agility and quality of cyber situational awareness in organisations in order to counter cyber attacks. Situational Awareness (SA) is a crucial component in every organisation. It helps in the assessment of an immediate situation in relation to the environment. Current SA models adopt a reactive attitude, which responds to events and works in passive manner to any progressing enemy cyber attack. This creates a defensive mind-set and consequently influences the operator to process and utilise knowledge only within the concept of attack prevention. Thus, one can assume that operators will only gather certain knowledge after the occurrence of an attack, instead of actively searching for new intelligence to create new knowledge about the cyber attack before it takes place. This research study introduces a new approach that incorporates an Active Defence posture; namely, a ‘winning attitude’ that conforms to the military stratagems of Sun Tzu, where operators always engage attackers directly in order to create new knowledge in an agile manner by deploying active intelligence-gathering techniques to inform active defence postures in cyberspace. This also allows the system being protected to remain one step ahead of the attackers to ultimately defeat them and thwart any costly attacks. To back these statements, this study issued a survey to 200 cyber defence and security experts in order to collect data on their opinions concerning the current state of Active SA. Structural Equation Modelling (SEM) was then employed to analyse the data gathered from the survey. The results of the analysis revealed significant importance of Active Offensive Intelligence gathering in enhancing Cyber SA. The SEM showed there is a significant impact on SA Agility and Quality from Active Intelligence gathering activities. Further to this, the SEM results informed the design of the serious gaming environments utilised in this research to verify the SEM causality model. Also, the SEM informed the design of a SA assessment metric, where a behavioural anchor rating scale was used along with ground truth to measure participant SA performance. The results of this experiment revealed that there was 2 times better enhancement in cyber Situational awareness among those who did utilise active measures compared with participants who did not which mean almost double and this shows the importance of offensive intelligence gathering in enhancing cyber SA and speed up defender decision making and OODA loop. This research provided for the first time a novel theory for active cyber SA that is aligned with military doctrine. Also, a novel assessment framework and approaches for evaluating and quantifying cyber SA performance was developed in this research study. Finally, a serious gaming environment was developed for this research and used to evaluate the active SA theory which has an impact on training, techniques and practice Deception utilisation by Active groups revealed the importance of having deception capabilities as part of active tools that help operators to understand attackers’ intent and motive, and give operators more time to control the impact of cyber attacks. However, incorrect utilisation of deception capabilities during the experiment led operators to lose control over cyber attacks. Active defence is required for future cyber security. However, this trend towards the militarisation of cyberspace demands new or updated laws and regulations at an international level. Active intelligence methods define the principal capability at the core of the new active situational awareness model order in to deliver enhanced agility and quality in cyber SA.