Cyber warfare is very similar in nature to naval warfare. In international waters a navy encounters enemy warships, large merchant vessels, small merchant ships, fishing boats and disguised surveillance ships from all directions. There are no borders to clearly establish that everything on the other side is an enemy asset. Though there are Sea Lanes of Communication (SLOC), two ports are effectively on a connectionless service and no ship is bound to follow a SLOC. In cyberspace the IP address is the flag which every asset on the Internet displays, but ruses are not uncommon. It is therefore necessary to identify cyber assets positively in any cyber conflict before any aggressive response is initiated. Flying a flag of convenience is common for sea vessels as well as for cyber assets.
The Tallinn Manual, while drawing up the rules for cyber war, has based the identity of any cyber asset on its territorial linkages. If the Tallinn Manual is used as the starting point for any decision on the ‘laws of cyber conflict’, then geospatial tagging will be critical in deciding whether an act by a military leader amounts to a war crime or not. It is therefore necessary that any attack or counterattack in a cyberwar be focused primarily using geospatial intelligence rather than general-purpose destructive force. That is why cyber weapons such as Stuxnet, Duqu and Flame are geographically focused, unlike ordinary viruses and malware, which are general purpose and infect every vulnerable system.
Advanced Persistent Threats (APT) select specific targets based on location; similarly, large data mining and analytic tools are also focused to attack based on geospatial information. Operations Titan Rain, Olympic Games, APT1, Night Dragon and GhostNet are all pre-war surveillance. Only Operation Orchard and Stuxnet can be called acts of cyberwar, and both operations had a target-location mechanism built into them. Therefore, unlike other acts in cyberspace, geolocation of a target is critical.
There are several techniques for IP geolocation. Some of them are host-dependent, while others are independent of the host and based purely on the IP address to obtain the physical location. A brief on some of the techniques used for IP geolocation is given below.
A. Global Positioning System. The Global Positioning System has become a standard fit in most mobile devices and tablets. GPS uses the Doppler effect of satellites orbiting in space. The accuracy achieved by the non-military GPS system is about 2 meters; it can also provide information on the altitude of the system. Most social-media applications such as Twitter, Facebook and Instagram have integrated geolocation tagging for images. Photographs taken by devices with inbuilt GPS also carry geolocation tags. While gathering data from such device applications, Twitter, Google, Microsoft, Facebook and others correlate the IP address with the geolocation of the device. In fact, in one incident the location of INS Vikramaditya on her maiden passage to India was compromised through social media due to auto geolocation tagging of photographs. The GPS project, developed in 1973, is run by the US Department of Defense. Other similar systems such as Russia’s Global Navigation Satellite System (GLONASS), Europe’s Galileo, China’s Compass navigation system and India’s Indian Regional Navigation Satellite System, though they exist, are not extensively used with IP-enabled devices.
B. WiFi Positioning System (WiPS). WiPS is used where a GPS system is not installed, is switched off or its signals are blocked. Each WiFi device in the world is unique through the combination of its Service Set Identifier (SSID) and Media Access Control (MAC) address. Various commercial companies such as Google, Infsoft, Navizon, AlterGeo, Skyhook Wireless and Combain Mobile provide IP geolocation services through WiPS: the location of a WiFi system is collated in a database whenever other geolocation tools such as GPS are used on a device with WiFi enabled. In fact, once the geolocation of a WiFi hotspot is fixed, the location of computers using that WiFi can also be found out remotely. Using signal-strength techniques, accuracy of less than 1 meter can be achieved.
C. Mobile networks. Mobile phones using GSM or CDMA mobile networks can provide geolocation information for such devices even in the absence of GPS and WiFi receivers. The geolocation technique here is based on the time delay between the mobile phone and the cell tower, whose position is fixed and known. Accuracy through this technique is reasonably coarse. In case these mobile phones are using GPRS, 3G or 4G services, it automatically provides IP geolocation.
D. Anti-theft hardware. Most motherboards of computers, laptops and mobile devices have inbuilt features for remote activation of an anti-theft mechanism. These anti-theft mechanisms keep continuously gathering geolocation information on the host, as and when it is reflected in any application. This collated information is then used to develop a reasonably accurate geolocation of the device. In addition, it can ping back to the mother site through well-established geolocated servers, where delay times through various routes can provide reasonably accurate IP geolocation. The leading company providing such services is Computrace.
E. Device-independent IP geolocation. There is a reasonably high possibility that computers are not fitted with features such as GPS, GSM or CDMA. Several client-independent geolocation techniques exist to link an IP address with a physical location. One such technique applies a geolocation method at each step to improve accuracy iteratively, using time-delay calculations in the following sequence:
- Harvesting the geolocation of well-known servers in an area from the web.
- Geolocating the primary servers of the ISP.
- Geolocating the last-mile routers of the ISP.
- Measuring the time delay between the last-mile router and the host.
F. Non-technical: web-based information.
a.
Traceroute: traceroute fired from multiple locations to an IP address can provide IP geolocation by calculating the time delay over the various routes.
b.
The information provided in whois records can give reasonable accuracy for such servers. The whois records are publicly available. When compared with the location of such companies, in many cases geolocation at least up to Zipcode/Pincode level can be established.
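The time-delay sequence in section E and the multi-vantage traceroute in F.a rest on the same constraint: a round-trip time caps how far the host can physically be from the vantage point. The following is an added example (not code from the original post) that turns constructed RTT samples from four landmarks into a feasible region and a coarse estimate, and that checks whether a location claimed elsewhere (a whois record, for instance) is physically consistent with the measurements. The landmark coordinates are approximate city centres, and the 100 km per RTT-millisecond bound (light at roughly two-thirds of c in fibre) is an assumption.

```python
import math

EARTH_RADIUS_KM = 6371.0
# Assumption: light in fibre covers roughly 200 km per ms one way, so an RTT
# of t ms bounds the great-circle distance to the probed host to ~100 km * t.
KM_PER_RTT_MS = 100.0

# Constructed landmarks: vantage points with known (lat, lon) in degrees.
LANDMARKS = {
    "london": (51.5074, -0.1278), "paris": (48.8566, 2.3522),
    "frankfurt": (50.1109, 8.6821), "amsterdam": (52.3676, 4.9041),
}
# Constructed minimum RTTs (ms) from each landmark to the host under study.
SAMPLE_RTT_MS = {"london": 6.5, "paris": 5.0, "frankfurt": 7.0, "amsterdam": 3.5}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def is_consistent(point, landmarks, rtt_ms):
    """True if `point` lies within every landmark's RTT-derived distance bound,
    i.e. a claimed location (whois, GeoIP) is at least physically possible."""
    return all(haversine_km(point, landmarks[name]) <= rtt * KM_PER_RTT_MS
               for name, rtt in rtt_ms.items())


def estimate_location(landmarks, rtt_ms, lat_range=(45.0, 56.0),
                      lon_range=(-6.0, 12.0), step=0.25):
    """Grid-search the region satisfying all bounds; return its centroid and the
    uncertainty radius (km) of that region, or None if the RTTs contradict."""
    feasible = []
    for i in range(int((lat_range[1] - lat_range[0]) / step) + 1):
        for j in range(int((lon_range[1] - lon_range[0]) / step) + 1):
            p = (lat_range[0] + i * step, lon_range[0] + j * step)
            if is_consistent(p, landmarks, rtt_ms):
                feasible.append(p)
    if not feasible:
        return None
    centroid = (sum(p[0] for p in feasible) / len(feasible),
                sum(p[1] for p in feasible) / len(feasible))
    return centroid, max(haversine_km(centroid, p) for p in feasible)


if __name__ == "__main__":
    print("estimate", estimate_location(LANDMARKS, SAMPLE_RTT_MS))
    # A record claiming Madrid cannot be right given a 3.5 ms RTT from Amsterdam.
    print("madrid plausible?", is_consistent((40.4168, -3.7038), LANDMARKS, SAMPLE_RTT_MS))
```

The uncertainty radius of several hundred kilometres is the point: RTT alone gives the coarse, region-level answer the post describes, and its main defensive value is rejecting claimed locations that the physics rules out.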
G. Non-technical: database of the ISP.
Stealing or legally getting information from an ISP about their registered users’ details can also provide reasonably accurate geolocation.
Determining the geographical location of an Internet Protocol host is valuable for many Internet-based applications, including marketing and anti-fraud activity. However, in the planning and execution of cyberwar, IP geolocation has far more important value. Some of the applications of IP geolocation in cyberwar are:
(a) Allocation of areas of responsibility to cyberwar sector commanders
(b) Implementation of rules of engagement
(c) Avoiding fratricide
(d) Avoiding over-concentration of fire power or leaving gaps in attacks
(e) Encirclement and isolation of heavily defended cyber targets
(f) Minimizing collateral damage
(g) Simplifying Battle Damage Analysis (BDA) of a cyber-attack or real-world attack
(h) Controlling the intensity and pace of a cyber conflict
(i) Integrating HUMINT and kinetic (physical) weapon attacks with cyber-attack
And many more.
Cyberwar in future may be launched independently, as a prelude to, or in support of a real-world conflict. An unstructured cyber-attack based on an opportune-target methodology (as presently practiced) can be counterproductive to the objective of the mission. To properly control the scope, pace and intensity of cyberwar, it is necessary to IP-geolocate the target host. Therefore IP geolocation of enemy targets is a precondition for launching any effective cyber offensive.
Disclaimer: Inputs for this post are drawn from various articles. This is a summary of those articles.