Cyber warfare is very similar in nature to the naval warfare.
In International Water Navy encounters enemy warships, large merchant vessels,
small merchant ships, fishing boats and guised surveillance ship from all
directions. There are no borders to clearly establish that everything on other
side belongs to enemy assets. Though there are Sea-Lanes-of-Communication but
two ports are actually on connection less service and no ship is bound to follow
SLOC. In cyberspace IP address is the flag which every asset on the Internet
displays but ruse is not uncommon. It is therefore necessary to identify
the cyber assets positively in any cyber-conflict before any aggressive
response is initiated. Wearing flag of convenience is common by sea vessels as
well as cyber assets.
Tallinn Manual while drawing the rules
for Cyber War has based the identity of any cyber-asset on its territorial
linkages. If Tallinn Manual is used as start point for taking any decision on
‘Laws of Cyber Conflict’, then geo-spatial tagging will be a critical in
deciding whether an act by a military leader amounts to war-crime or not. It is
therefore necessary that any attack or counterattack in any Cyber War should be
focused primarily using geo-spatial intelligence rather than general purpose
destructive force. That is why cyber weapons such as Stuxnet, Duqu and Flame
are geographically focused and are unlike other normal viruses and Malwares
which are general purpose to infect every vulnerable system.
Advanced Persistent Threats (APT) are
selecting specific targets based on location, similarly large data mining and
analytic tools are also focused to attack based on geo-spatial information.
Operations Titan Rains, Olympic Games, ATP1, Night Dragon, and Ghostnet are all
pre-war surveillance. Only Operation Orchard and Stuxnet can be called acts of
Cyberwar and both operations had target location mechanism built into them.
Therefore unlike other acts in cyberspace geo-location of a target is critical.
There are several techniques for IP-
geo-location. Some of them are host-dependent while other are independent of
host and based purely on IP address to get physical location. A brief on some
of the techniques used for IP-Geolocation are discussed below.
A. Global
Positioning System. Global Positioning System has become a standard fit in most
of the mobile devices and tablets. The GPS uses Doppler Effect of satellites
orbiting in the space. The accuracy which is achieved by non-military GPS
system is about to 2 meters, it can also provide information related to altitude
of the system. Most of the social-media application such as twitter, Facebook,
Instagram, has integrated geo-location tagging for the images. Photographs taken
by inbuilt GPS devices also have the capability of IP- geo-location tagging with
the photographs.
While gathering data from such device application by twitter,
Google, Microsoft, Facebook, and others that correlate the IP address with
geo-location of the device. In fact in a incident, where the location of the INS
Vikramaditya on her maiden passage to India got compromised through
social-media due to auto geo-location tagging of the photographs. The GPS
project was developed in 1973 is run by US Department of Defense. Other similar
systems such as Russian’s – Global Navigation Satellite System (GLONASS) ,
European’s – Galileo , China’s – Compass Navigation System and India’s – Indian
Regional Navigation Satellite system, though exist are not extensively used
with the IP enabled devices.
C. Mobile
networks. The mobile phones using mobile networks of GSM or CDMA can provide
geo-location information of such devices even in absence of GPS and WiFi
receivers. The technique of geo-location in this based on the delayed time
between the mobile phones and the cell tower, whose position is fixed and
known. Accuracy through this technique is reasonably course. In case these
mobiles phones are using GPRS, 3G or 4G services, then it automatically
provides IP geo-location.
D. Anti-theft
hardware. Most of the motherboards of computers, laptops and mobile devices
have inbuilt features for remote activation for the anti-theft mechanism. These
anti-theft mechanisms keep continuously gathering geo-location information of
the host, as and when same is reflected in any application. This collated
information is then used to develop reasonably accurate geo-location of the
device. In addition, it can ping back the mother-site through well-established
geo-located servers, where delayed times through various routes can provide
reasonable accurate IP-geo-location. The leading company providing such services
is Computrace.
E. Device
independent IP geo-location. There exists a reasonably high possibility that
computers may not be fitted with features such as GPS, GSM or CDMA. There exist
several client independent geo-location techniques to link IP address with the
physical location. One of such techniques is using geo-location method at each
step to improve the accuracy in an iterative manner using time delay
calculations in the following sequence:
1.
Harvest
Geo-location on the web of well-known servers in an area.
2.
Geo-locating
primary servers of ISP.
3.
Geo-locating
last mile routers of ISP.
4.
Time
delay between last mile router and the host.
F. Non-Technical
– web based information.
a. Trace route – Trace route fired
from multiple locations to an IP address can provide IP geo-location by
calculating time delay between various routes.
b. The information provides in
whois records can give a reasonable accuracy of such servers. The whois records
are publically available. When compared with the location of such companies in
many cases geo-location at least up to Zipcode/ Pincode level can be
established.
G. Non-Technical
– Database of ISP
Stealing or legally getting information
from ISP of their registered user's details can also provide a reasonable
accurate geo-location.
Determining the geographical location of
an Internet Protocol host is valuable for many Internet-based application
including marketing and anti-fraud activity. However, in planning and execution
of CyberWar, IP Geo-location has far more important value. Some of
the applications of IP geo-location in CyberWar are:
(a) Allocation or area of
responsibility to CyberWar Sector Commanders
(b) Implementation of Rules of Engagement
(c) Avoiding fratricide
(d) Avoiding over-concentration of
fire power or leaving gaps in attacks
(e) Encirclement and isolation of
heavily defended Cyber Targets.
(f) Minimizing collateral damages
(g) Simplify Battle Damage Analysis
(BDA) of cyber-attack or real-world attack.
(h) Control intensity and pace of
cyber conflict.
(i) Integrate HUMINT and kinetic
(physical) weapon attack with cyber-attack.
And many more.
CyberWar in future may be launched
independently or in the prelude to or in support of real world conflict. An
unstructured cyber-attack based on opportune target methodology (as presently
being practiced) can be counter-productive to the objective of the mission. To
properly control the scope, pace and intensity of CyberWar, it is necessary to
IP geo-locate the target host. Therefore IP geo-location of enemy targets
is a precondition for launching any effective cyber-offensive.
Disclaimer : Inputs for this post is drawn from various articles. This is a summary of those articles
No comments:
Post a Comment