Research Plan Old 2021 - korpisoturi/cyber_tactics GitHub Wiki

Purpose

The purpose of this research is to gain more insight into the cyber attacks carried out by military units. For a cyber defender to build an effective defense, the defender must know the enemy.

The objective of the research is to describe and explain military cyber attacks. The idea is to identify the features of a cyber attack from the chosen cases and to create theoretical models that describe the phenomenon. The research is both theory-creating and theory-testing: the models of the cyber attack are first produced through literature review, content analysis and analogy, and then tested and improved with cyber attack case studies.

Cyber attacks are studied at the tactical level of warfare. Because the concept of the tactical level is understood differently by different authors, its meaning is defined in the research.

Exclusions

The research focuses on military activity and does not look at the activities of criminals or other kinds of hackers, nor does the study comment on the legal issues of cyber attacks. The approach is technical: with the exception of the cyberspace interfaces (human and physical), no attacks outside cyberspace are investigated.

Schedule

Time             Tasks                                                  Comment
December, 2021   Research plan                                          2 d
January, 2022    Models: Attack 2.0                                     4 d
February, 2022   Models: Tactics 2.0, Unit 2.0                          3 d + 3 d
February, 2022   Essay: productization                                  -
March, 2022      Research, CASE 1 Stuxnet                               5 d
March, 2022      STY25A Philosophy of Science, Part I (1 credit)        Details 4.3.2022, 18.3; 8.4
April, 2022      Research, CASE 2 Industroyer                           5 d
May, 2022        Reporting                                              -

Framework

The philosophical approach of the research has features of both phenomenology and hermeneutics. It can be seen as phenomenology, as the objective is to understand the cyber attack and to research its characteristics and features. It can also be seen as hermeneutic research, as some knowledge about cyber attacks is already available and the research questions are clear.

Ontology

Cyber tactics are studied through technical attacks. The tactics are manifested in technical implementations.

Research questions

  1. What is a possible structure of the military cyber unit?
  2. What is a possible cyber attack structure?
  3. What kind of tactics can be used in cyber warfare?

Key Definitions

Tactics

Tactics is a multidimensional concept whose meaning depends on the user and the usage. Pasi Kesseli (in Huttunen & Metteri, 13-14) presents two definitions used in Finnish tactics research, which define tactics slightly differently:

  • Tactics is planning, preparing, executing and leading a battle.
  • Tactics is optimal planning, adapting and usage of the given resources to achieve desired objectives in battle. Tactics requires knowledge about the means and skills to implement them in practice.

The level of the research is tactical, but what constitutes the tactical level of warfare is not clearly defined. In this research it is taken to be the lowest level of warfare, where tactical means are implemented in battle.

In this research tactics are examined with three models:

  • tactical unit
  • attack phases of the tactical level
  • tactics, tactical means and tactical subobjectives

Cyberspace

Environment: cyberspace and its interfaces; computer, network; fire, movement and defence.

Information as a target: CIA (confidentiality, integrity, availability).

Entities of the information in the technical cyberspace:

  • File
  • Process
  • Network packet

Methodology

The research methodology is qualitative, theory-creating and theory-testing. In the first phase of the research the models of the cyber attack are created through a literature review; in the second phase the models are tested and improved with case studies. The data analysis starts as data-driven analysis and changes to theory-driven analysis.

Literature review, data analysis and coding are used to create the initial models. A deep literature review of the topic is not possible, as there is no public research about military cyber units.

Analogy between conventional warfare and cyber warfare is used to support the modeling. In particular, special operations forces (SOF) are used as a reference unit.

Analogy and SOF as a reference have been used in previous studies.

Iterative approach

An iterative approach was used in this study. In the first round of iteration, the first models of the concepts to be studied were written briefly. The models were constructed using a literature review to gain a basic understanding of the research concepts. The initial models were then tested against three cyber attack case studies for evaluation and further development.

The second round of iteration included an in-depth orientation to the subject of the study. In the second round, memos and hands-on technical hacking were used to support the study.

In the third round of iteration, a more detailed data collection and analysis plan was made. The models based on the literature review were turned into analysis tools for the case studies.

Literature review to create initial models

Multiple sources were used to gain a wide understanding of the concept. Finnish and English public documents were used as source material:

  • manuals
  • research
  • online documents and news

Data analysis

At this phase the data analysis was data-driven. The elements of the models were identified and structured. At this point the analogy between conventional warfare and cyber warfare was used, with special operations forces in particular serving as the reference. The use of SOF and analogy has been applied in other studies (Paul, Porche III & Axelband, 2).

The data analysis produced three models, which were used as data collection instruments and frameworks for the case studies.

  • Cyber attack Unit
  • Cyber attack
  • Cyber tactics

Testing and improving cyber models with case studies

The chosen unit of analysis is a suspected military cyber attack. Defining the case includes the timeline, the objective and the size of the attack.

The criteria for choosing the cases are described below.

  • validity criteria: suspected military unit, cyber attack, SOF-like objective such as sabotage, not a series of campaigns
  • reliability criteria: primary data available, no political motivation behind the reporting

The cases were chosen from potential cyber attack cases.

The data collection instruments were defined in the literature review. The observation units were defined based on the models: organization feature, personnel feature, equipment, attack phase, situational awareness, command process, tactical mean, tactical subobjective.

The data was collected from several sources: AlienVault, scientific research and news. The data was coded with the collection instruments.

The data was analysed with the models. Generalizations from individual observations were made by inductive reasoning. Abductive reasoning was used to explain the reasons behind the observed measures.

In the reporting phase, the validated and developed abstract models were reported. The objective of the reporting was to answer the research questions.

Data sources

For the literature review:

  • Finnish tactics research and manuals
  • public English SOF manuals and research
  • public and available US armed forces doctrines and Federation of American Scientists (FAS) material
  • historical SOF documentation
  • IEEE cyber warfare articles

For the case studies:

  • AlienVault OTX
  • related IEEE articles
  • technical threat reports as data

Contribution

The answer to the research questions consists of three models.

Quality control

Quality of data collection and data analysis.

Reporting and dissemination

Reporting after each phase.

References

Huttunen, M. & Metteri, J. 2008. Ajatuksia operaatiotaidon ja taktiikan laadullisesta tutkimuksesta. Taktiikan laitos, Julkaisusarja 2 Nro 1/2008. ISBN 978-951-25-1925-5.

Paul, C., Porche III, I.R. & Axelband, E. 2014. The Other Quiet Professionals: Lessons for Future Cyber Forces from the Evolution of Special Forces. Available: https://www.rand.org/pubs/research_reports/RR780.html. Cited 28.12.2021.