Where cybersecurity is often thought of as a defensive react-and-defend strategy for mitigating cyber threats, offensive cyber is, as the name suggests, an active strategy that applies offensive techniques to uncover advanced adversaries already present on a network. This is, in part, a response to more nuanced and advanced cyber attacks that are able to hide in the noise of networks and defeat reactive, rule-based defenses. Advances used to defeat traditional cybersecurity include obfuscated malware, dynamic infrastructure, file-less malware, and the hijacking of legitimate operating system functions.
Offensive cyber systems use automation, artificial intelligence, threat intelligence, threat analytics, and trained analysts to detect malicious activity, offered through customized delivery models. In the military context, however, offensive cyber also extends to the use of cybersecurity and malicious techniques to develop cyber command and control, cyber reconnaissance, and the ability to conduct cyber attacks against potential threats.
Various countries have developed cyber doctrines governing the use of offensive cyber capabilities in military contexts. These include US military doctrine, which defines a "cyberspace capability" as a device or computer program, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace.
The United Kingdom's National Cyber Force (NCF) is a joint venture between the Ministry of Defence and the intelligence service GCHQ. It works to confront aggressive behavior by malign actors, protect people, and help allies counter cyber threats by combining intelligence, cyber, and security personnel with the necessary technologies.
In Australia, the Australian Strategic Policy Institute (ASPI) defines the country's military offensive cyber capabilities as the resources, skills, knowledge, operational concepts, and procedures needed to have an effect in cyberspace, with an operational emphasis on resources, skills, and knowledge rather than on the technology alone.
According to US military doctrine, an offensive cyber operation is any operation intended to project power by the application of force in or through cyberspace. The strategy developed by the Department of Defense has been anchored in the concept of defending forward, which conducts operations inside adversary networks in order to stop threats before they reach their targets, with an emphasis on persistent engagement that reflects the continuous, confrontational nature of cyber attacks and threats. The aim is also to deny adversaries advantages in cyberspace while gaining comparable operational advantages for the defender.
In terms of policy and practicality, the term cyberattack is often considered too broad to be useful, especially as cyberattacks vary widely in scope and relevance. It is helpful to distinguish among forms of attack and develop a descriptive classification of offensive cyber operations. Three forms of offensive cyber operation are computer network exploitation, computer network attack, and information operations.
Computer network exploitation is essentially a new form of espionage that involves penetrating a foreign computer network with the aim of extracting information from it, preferably while the operator of the network remains unaware of the intrusion. An example of this type of attack is the 2015 Chinese hacking operation that penetrated the US Office of Personnel Management and was capable of stealing 21 million personnel records, an operation very similar to the very old practice of espionage.
A computer network attack, while similar to computer network exploitation, is better understood as a military-type operation that seeks to disrupt, damage, or destroy a foreign computer system or the data stored on it. This area has seen a rapid increase in militarization, with around thirty nations considered to possess offensive cyber capabilities. While this is considered one of the most dangerous types of offensive cyber operation, it is also one of the most amenable.
Information operations are better understood as cyber-enabled or cyber-enhanced propaganda or psychological operations that aim to influence public opinion in a foreign state in a manner that advances the interests of the state behind the operation. This is an insidious form of attack, argued to be more effective than traditional propaganda or psychological operations, in which some observers will see propaganda offered by a foreign state and others will see freedom of expression; this often leads to a misunderstanding, or a lack of common understanding, of what an information operation is and what constitutes a threat to security and peace.
Five pillars are necessary to the development and proliferation of offensive cyber capability. Although developed in a military context and with an emphasis on military operations, many of these techniques, or pillars, can be used or adapted for a proactive defensive cybersecurity system. The pillars are vulnerability research and exploitation, malware payload development, technical command and control, operational management, and training and support.
Vulnerability research and exploitation is the ability of an offensive cyber operation to discover a vulnerability and develop a software exploit in order to gain access to, or leverage over, a targeted program or device. This is usually done in the context of a multistage operation and includes the research done to find the vulnerability in a system, as well as the disclosure programs and research organizations that can facilitate the proliferation of discovered vulnerabilities and written exploits.
In this context, a vulnerability is a flaw in a system's design, implementation, or operation and management that can be exploited to violate the system's security policy, while the exploit is the specific code used to trigger unexpected behavior through that vulnerability.
In a malware-oriented campaign, the most common and important component is the malware itself. Here malware is best understood as any malicious software or tool written or used by attackers in the course of offensive cyber operations. This includes offensive security and intrusion tools, stalkerware, and even licensed or commercial spyware. Free intrusion tools can often be found on code-sharing sites and are regularly developed within the cybersecurity community, although these frequently target older systems or exploit weaknesses resulting from common developer or user errors.
Technical command and control covers the provision of technologies that support the operative aspects of offensive cyber capabilities, such as bulletproof hosting, domain name registration, server-side command-and-control, virtual private network (VPN) services, and delivery accounts. These are required to communicate with malware payloads and exploits and their related software. The initial delivery, the establishment of command and control, and the final exfiltration of data all depend on the attacker's infrastructure. Often, and especially in state-sponsored cases, legitimate internet technologies are abused to hide indicators of malicious activity and obscure the originator of the attack.
Developing the research, exploits, malware, and infrastructure needed for successful offensive cyber attacks requires operational management. This is the human-centric aspect of operations and includes the strategic organization of resources and teams, initial targeting decisions, and the other functions required to effectively manage the organization conducting cyber operations. It covers the strategic direction, organizational processes, relationships, and contingency plans an operation requires, and ensures that the people needed to develop these are available and being used.
Conducting offensive cyber operations requires trained professionals. Especially in a military context, this makes it necessary to establish training or educational programs that develop the individuals on whom the success of an offensive cyber operation depends. All programs for training skilled offensive cyber teams fall under this pillar, including the training and support of operators, vulnerability researchers, and malware authors.