Cyber-Attack Attributes

Mehdi Kadivar

Senior corporate executives, government officials, and academics have become aware that there are: i) serious financial and regulatory costs arising from cyber-attacks (Pearson, 2014; Sugarman, 2014; US Securities and Exchange Commission, 2014); ii) vulnerabilities in high-value assets such as supervisory-control and data-acquisition systems (Ashford, 2013; Crawford, 2014; Kovacs, 2014; Nicholson et al., 2012; Weiss, 2014); iii) concerns about the upcoming deployment of the "Internet of Things" (IoT) (NSTAC, 2014); and iv) few constraining mechanisms to inhibit malicious behaviours of threat actors (Castel, 2012; Jowitt, 2014; Scully, 2013; Sugarman, 2014; Weiss, 2014).

The urgency of research and development is underlined by the US National Security Telecommunications Security Advisory Committee (NSTAC, 2014): "There is a small - and rapidly closing - window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations." This state of affairs has parallels to the experience with supervisory control and data acquisition systems, though in that case the threat space evolved over time. With the Internet of Things, the NSTAC believes that the window of time in which we can take action will only be open for another three to five years.
Although the word "cyber-attack" is used frequently, its meaning remains obscure (Hathaway et al., 2012; Roscini, 2014). In this article, the approach to clarify what is meant by cyber-attack is similar to the approach researchers followed to clarify what was meant by "security" in the late 1990s (e.g., Baldwin, 1997; Buzan, 1998; Huysmans, 1998). Security researchers identified essential attributes to make explicit what was meant by security. They eliminated ambiguities and inconsistencies in the different uses of the security concept. Their objective was not to produce another one-sentence definition of security; they set out to identify the essential attributes of security. This article contributes a set of attributes of the cyber-attack concept. It does so by examining various definitions published in the literature and information on ten high-profile cyber-attacks. The main motivation for identifying the attributes of cyber-attacks is to enable building the theory of cyber-attacks as a unity of intellectual frameworks beyond the disciplinary perspectives (i.e., a transdisciplinary theory).
Cyber-attacks threaten our ability to use the Internet safely, productively, and creatively worldwide and are at the core of many security concerns. The concept of cyber-attacks, however, remains underdeveloped in the academic literature. To advance theory, design and operate databases to support scholarly research, perform empirical observations, and compare different types of cyber-attacks, it is necessary to first clarify the attributes of the "concept of cyber-attack". In this article, attributes of cyber-attacks are identified by examining definitions of cyber-attacks from the literature and information on ten high-profile attacks. Although the article will be of interest to a broad community, it will be of particular interest to senior executives, government contractors, and researchers interested in contributing to the development of an interdisciplinary and global theory of cybersecurity.
The bottom line of security is survival, but it also reasonably includes a substantial range of concerns about the conditions of existence.

The remainder of this article infers the essential attributes of the cyber-attack concept from definitions of cyber-attacks found in the literature, synthesizes information on ten high-profile cyber-attacks, and uses it to provide concrete examples of the attributes of cyber-attacks.

Attributes from Definitions of Cyber-Attacks
The journal articles published in the English language by organizations in North America and Europe were reviewed for the purpose of identifying definitions of "cyber-attack". The following six definitions of cyber-attack were identified:
1. "Any action taken to undermine the functions of a computer network for a political or national security purpose." (Hathaway et al., 2012: p. 821)
2. "Use of deliberate actions - perhaps over an extended period of time - to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and/or programs resident in or transiting these systems or networks." (Owens et al., 2009: p. 10)
3. "Operations, whether in offence or defence, intended to alter, delete, corrupt, or deny access to computer data or software for the purposes of (a) propaganda or deception; and/or (b) partly or totally disrupting the functioning of the targeted computer, computer system or network, and related computer-operated physical infrastructure (if any); and/or (c) producing physical damage extrinsic to the computer, computer system or network." (Roscini, 2014: p. 17)
4. "An exploitation of cyberspace for the purpose of accessing unauthorized or secure information, spying, disabling of networks, and stealing both data and money." (Uma & Padmavathi, 2013

(Hathaway et al., 2012; Owens et al., 2009; Roscini, 2014; Waxman, 2011); computer-operated physical infrastructure (Roscini, 2014); and physical objects extrinsic to a computer, computer system, or network (Roscini, 2014).

3. Motivation: The motivations for cyber-attacks include accessing unauthorized or secure information, spying, and stealing both data and money (Uma & Padmavathi, 2013); national security and political causes (Hathaway et al., 2012); and propaganda or deception (Roscini, 2014).
4. Effect on targeted assets: Cyber-attacks result in the alteration, deletion, corruption, deception, degradation, disablement, disruption, or destruction of assets (Owens et al., 2009; Roscini, 2014; Uma & Padmavathi, 2013; Waxman, 2011) as well as denying access to assets (Roscini, 2014). Definitions of cyber-attacks identify logical, physical, and cognitive effects on assets. Denial of access to assets is an example of logical effects. Cognitive effects include deception, meaning the use of false information to convince an adversary that something is true. Destruction of capital assets is an example of physical effects.

5. Duration: Only one definition of cyber-attacks mentions its intended duration. The definition by Owens, Dam, and Lin (2009) includes the possibility of a cyber-attack over an extended duration.

Examination of High-Profile Cyber-Attacks
Information on 10 high-profile cyber-attacks was examined for the purpose of i) collecting data for the five attributes identified from the definitions of cyber-attacks and ii) identifying additional attributes. A security expert who provided advice throughout this research helped select the 10 high-profile cyber-attacks that would result in the highest possible diversity of industries in which the target organizations operated. He also helped identify reliable online sources of information about these cyber-attacks.
The use of high-profile attacks was purposeful. The intent was to gather as much information as possible about an attack from reliable sources. Upfront, it was clear that the selection of high-profile cyber-attacks would prevent overgeneralizing findings to attacks that were not high profile.
For each high-profile cyber-attack, a scenario was developed. A cyber-attack scenario is a description of the sequence of events that results from the interactions among the individuals and organizations involved in a cybersecurity breach as well as their stakeholders. A cybersecurity breach refers to an event where an individual has obtained information on a protected computer that the individual lacks authorization to obtain by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information. The main actors in a cyber-attack scenario are the "known target" and the "alleged attacker."

Attributes of High-Profile Cyber-Attacks
For each of the 10 cyber-attacks examined, Table 1 provides the information collected for the five attributes identified from the examination of the definitions of cyber-attacks.
Eight of the 10 cyber-attacks shown in Table 1 meet Damballa's (2010) definition of an advanced persistent threat: a cyber-attack that requires a high degree of stealthiness over a prolonged duration of operation in order to be successful. The two cyber-attacks in Table 1 that are not advanced persistent threats are (5) Cyber-Bunker's distributed denial-of-service attack on The Spamhaus Project and (9) Criminals who encrypt and decrypt data in users' computers. An advanced persistent threat attack is sophisticated and seeks to achieve ongoing access without discovery (Hashimoto et al., 2013). The duration of the advanced persistent threats ranged from 8 to 32 weeks. Four of the advanced persistent threats contained customized code specifically developed for the attack: the attacks that targeted (1) Google, (2) Iran, (6) Target Corporation, and (7) TJX Companies.
The examination of these 10 cyber-attacks suggested that at least six additional cyber-attack attributes exist:
1. Attack vector: The path or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. An attack vector enables the exploitation of system vulnerabilities. Seven of the 10 cyber-attacks examined started with phishing or spear phishing (i.e., an email that appears to be from an individual or business that the user knows, but it is not). The cyber-attacks that started with phishing include those that targeted: (6) Target Corporation, (8) Bank customers, and (9) Computer owners. Those that started with spear phishing include: (1) Google, (3) New York Times, (4) Chemical and defence firms in United States, and (10) Gaming companies.
2. Vulnerability: Any form of weakness in a computing system or environment that can let attackers compromise a system's or environment's confidentiality, integrity, and availability (Foreman, 2009). A vulnerability is a weakness or gap in the efforts to protect an asset. A total of 18 vulnerabilities were exploited in the 10 cyber-attacks examined, and they can be organized into the five types specified in the United Kingdom's implementation of ISO/IEC 27005:2008: Hardware, Software, Network, Site and Personnel/Users (ISO, 2008). In our small sample, people and software account for 14 of the 18 vulnerabilities that attackers exploited.
3. Malicious software: Refers to software programs designed to damage or do other unwanted actions on a computer system. A variety of malicious software programs were used in the cyber-attacks examined.

Conclusion
Through the analysis of six definitions of the term cyber-attack and ten high-profile cases of cyber-attack, this article identified 11 important attributes of cyber-attacks following an approach similar to the one that was used in the late 1990s to clarify what is meant by "security". In summary, these attributes are:
Cyber-attack studies are at the core of cybersecurity studies. However, what is meant by "cyber-attack" is not clear and the field is underdeveloped. Definitions of cyber-attack vary (Hathaway et al., 2012; Owens et al., 2009), and some are ambiguous. Ambiguous definitions of cyber-attacks hamper the prosecution of criminals (Whitehouse, 2014).
The analysis carried out opens up interesting areas for future research. For example, this study examined 10 instances of successful cyber-attacks; future studies can examine the attributes of cyber-attacks that failed or were only partially successful. The purpose of studying failed cyber-attacks or those that were partially successful is to identify missteps, symptoms, causes, and the reasons that attackers came and went.

About the Author
Mehdi Kadivar is completing his MASc in Technology Innovation Management at Carleton University in Ottawa, Canada. He holds a Bachelor of Science degree in Business Administration from the American University of Sharjah, Iran. Previously, he worked as a system maintenance expert at the Petrochemical Industries Design and Engineering company and as an intern at the Emirates National Bank of Dubai.

At least two actors are involved in each cyber-attack: the owner of the asset that is targeted and an adversary (US Joint Chiefs of Staff, 2010). The definitions of cyber-attack are not concerned with the nature of the adversaries. The offensive and defensive operations can be carried out by nation states, companies, groups, collectives, or individuals.

6. "Efforts to alter, disrupt, or destroy computer systems or networks or the information or programs on them." (Waxman, 2011: p. 422)

Each definition shown above addresses one or more of the following five questions: i) What types of assets do

2. Assets targeted: Five of the six definitions provided above identify the assets cyber-attacks target. These assets include: computer systems and networks (Hathaway et al., 2012; Owens et al., 2009; US Joint Chiefs of Staff, 2010; Waxman, 2011); information, programs, or functions resident in or transiting systems or networks

Table 1. Five attributes of high-profile cyber-attacks