Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners [Paperback]

"Cyber Warfare: Techniques, Tactics and Tools for the Security Practitioners" is a consolidation of the current thinking around the topic of cyber warfare; not the way you hear about in the media where everything is a war of some kind (War on drugs, War on Terrorism, etc) but a discussion about what it means to conduct warfare via cyberspace. This is a tough topic because there are so many opinions about what Cyber Warfare is that you could literally spend an entire book just covering the definitions. The authors deftly avoid that trap and manage to provide a coherent line of thinking around Computer Network Operations even when these kinds of activities bump up against other cyber space dangers like Cyber Crime, Cyber Hactavism, Cyber Espionage and Cyber Terrorism. This is a primer; a one stop shop to get you up to speed on the topic if you are new to it or a refresher even if you have been enmeshed in it for years.
'
The authors, Steve Winterfield and Jason Andress, cover everything you will want to consider when thinking about how to use cyberspace to conduct warfare operations. The primary concepts have been bouncing around US military circles for over a decade but they have never been collected into one tome before. Clarke and Knake's book, "Cyber War: The Next Threat to National Security and What to Do about It," discusses how weak the US network defenses are and offers suggestions about how to improve. Carr's book, "Inside Cyber Warfare: Maping the Cyber Underworld," presents threat examples and nation state capabilities. Libicki's book, "Cyberdeterrence and Cybrewar," attacks cyberwar from a policy viewpoint and does not really address operational considerations. Stiennon's book, "Surviving Cyberwar," is a good place to start if you are new to the subject and is almost a prerequisite for this book.

Full Disclosure: One of the authors, Steve Winterfield, used to work for me when he and I were both in the US Army wrestling with all of these ideas right after 9/11. I ran the Army Computer Emergency Response Team (ACERT) and Steve ran the Army's Southern Regional CERT (RCERT South). He and I have been friends ever since and he even quoted me in one of the back chapters.

Although the content has been around for a while, it is striking how little the main concepts have changed. In a world where new innovations completely alter the popular culture every eighteen months, the idea that Cyber Warfare's operational principals remain static year after year is counter-intuitive. After reading through the various issues within though, you begin to understand the glacial pace. These difficult concepts spawn intractable problems and the authors do a good job of explaining them.

I do have a slight issue with the subtitle though: "Techniques, Tactics and Tools for the Security Practitioners." The way I read this book, the general purpose (GP) Security Practitioner will not find this book very useful except as background information. Aside from the chapters on Logical Weapons, Social Networking and Computer Network Defense, most of the material has to do with how a nation state, mostly the US, prepares to fight in cyber space. There is overlap for the GP security practitioner, but this material is covered in more detail in other books.

The book is illustrated. Some of the graphics are right out of military manuals and have that PowerPoint Ranger look about them. Some are screenshots of the various tools presented. Others are pictures of different equipment. One graphic stood out for me in the Cyberspace Challenges chapter (14). The graphic in question is a neat Venn Diagram that encapsulates all of the Cyber Warfare issues mentioned in the book, categorizes the complexity of each issue and shows where they overlap in terms of Policy, Processes, Organization, Tech, People and Skills. My only ding on the diagram is that in the same chapter, the authors discuss how much each issue might cost to overcome. It would have been very easy to represent that information on the Venn diagram and make it more complete.

One last observation about the graphics that I really liked is the author's use of "Tip" and "Note" boxes throughout the book. Scattered throughout the chapters are grayed-out text boxes that talk about some technology or procedure that is related to the chapter information but not directly. For example, in the Social Engineering chapter (7), the authors placed a "Note" describing the various Phishing forms. You do not need the information to understand the chapter but having it nearby provides the reader with a nice example to solidify the main arguments. The book is full of these examples.

The first three chapters are my favorites. Winterfield and Andress do a good job of wrapping their heads around entangled concepts like the definition of cyber warfare, the look of a cyber battle space and the current doctrine's ideas about cyber warfare from the perspective of various nations. It is fascinating.

In the middle of the book, the authors take on the task of describing the Computer Network Operations (CNO) Spectrum; a spectrum that ranges from the very passive form of Computer Network Defense (CND) through the more active forms of Computer Network Exploitation (CNE) and Computer Network Attack (CNA). It is indeed a spectrum too because the delineation between where CND, CNE and CNA start and stop is not always clean and precise. There is overlap. And somewhere along that same spectrum is where law enforcement organizations and counter-intelligence groups operate. You can get lost fairly quickly without a guide and the authors provide that function admirably. The only thing missing from these chapters is a nice diagram that encapsulates the concept.

Along the way the reader gets a nice primer on the legal issues surrounding Cyber Warfare, the ethics that apply, what it takes to be a cyber warrior and a small glimpse over the horizon about what the future of Cyber Warfare might bring. In the end, Winterfield and Andress get high marks for encapsulating this complex material into an easy-to-understand manual; a foundational document that most military cyber warriors should have at their fingertips and a book that should reside on the shelf of anybody interested in the topic.

Nothing new. But worth the read. If you're a security consultant you should definitely have this on your shelf. The word "cyber" gives IT directors the heebie-jeebies.

This book is possibly unique in its choice of scope, apparently targeted at operational-level military cyber warfare professionals (though also seemingly attempting to broaden its audience to mid-level private-sector information security professionals). Since this is basically the exact audience I was hoping to target as an instructor for a course in operational cyber war, I had high hopes for this book, hoping to replace an array of texts each covering a slice of the subject matter. It helped that the authors appeared to have solid credentials. All in all, I was somewhat disappointed with the book, mostly with the lack of polish, though it's probably still worthwhile if you're looking for a book with this particular scope.

"Cyber Warfare" addresses the nature of the various threats in cyberspace, covering various actors, motives, methods, vulnerabilities, and potential effects. It does a good job of staying at a fairly high level without over-simplifying to the point of gross inaccuracy, though it does fall victim to the temptation of sensationalizing once in awhile.

The book doesn't go too far into the weeds with specific tools, only offering a basic familiarization with the purpose and functionality of some of the more well-known (and sometimes outdated) examples. You occasionally get a sense of "hey, look at this cool gee-whiz tool" with some of their selections, but in general, it serves as a good survey of potential inclusions in a security toolkit.

Operations are structured along the lines of military doctrine, addressing Computer Network Attack, Defense, and Exploitation with their own chapters. Personnel and training, as well as legal and ethical issues are also discussed at some length-- these are all good topics for a professional military education course, and not necessarily obvious inclusions, so kudos to the authors for that. That said, the legal section could probably use a bit more development in the arena of international law, as that would be the primary concern of true cyber warfare.

I didn't feel like the book did a good job addressing theory, though one could argue that this wasn't its focus (after all, the subtitle is "Techniques, Tactics, and Tools", leaving out the other "T"). I was almost ready to give up on the book after the first two chapters (largely due to the glaring lack of polish discussed below), but fortunately it eventually settles into a more comfortable rhythm.

Now, I have a lot of nit picks with the book, but I don't want to give the impression that it's trash. I'd probably give it 3.5 stars if the rating system had that level of fidelity.

The most obvious flaw is that the writers don't do a very good job of projecting credibility given the terrible writing in many places in the book. While there are very few clear factual errors (e.g., "the latest, at the time of this writing, microSDXC cards topping out at 2 terabytes of storage", the assertion that most companies protect critical servers to the same level as workstations), they're generally minor, but the entire book is littered with assorted mechanical errors and poor wording. Using "that" in place of "than" happens frequently, along with many other random typos/autocorrects that simple spellcheck can't catch, like "effeteness" in place of "effectiveness", and "reverses [the network]" in place of what I assume is "observes [the network]" (regarding government network monitoring). Many of their illustrations and diagrams are also either poor quality or useless/unilluminating. All in all, the book seems to lack polish, and at least one of the co-authors could really use extensive help from a good editor-- shame on Syngress for that one, since techies aren't often expected to be great writers.

Another issue I have with the book is that the authors don't seem to have a very good feel for realistic and meaningful military effects in the cyber domain. Many of their attack techniques focus on simple denial of service that is of little real usefulness to a military audience at any level. They include several "cute" tricks like directing /dev/zero to a file in order to fill up a file system. While I suppose those sorts of tactics could conceivably be applied as a kind of field expedient in some unlikely scenario, they're not really worth mentioning to the audience targeted by the book. In general, when they get specific with attack techniques, they're often rather unsophisticated. They'd be better off sticking to a more high-level approach centered around effects.

Along with the "look what I can do" sense of many of their attack techniques, the fact that they decide it's worthwhile to include the word "noob" multiple times in the book (along with other terms of debatable relevance) and bother to discuss "l33tsp34k" also seems like a strained attempt to seem up-to-date with the cool kids. It doesn't help that they reference Die Hard 4 with an apparently straight face.

Some of their other topic coverage seems a bit naïve and shallow as well. For example, they perpetuate the notion that cyber-terrorism (in the sense of network-based attacks on critical infrastructure to induce fear and chaos by non-state actors) is a serious threat, when in actuality, physical attack is much more effective and practical for terrorist groups' ends and means, and there has been little evidence that they've been seriously pursuing a cyber avenue of attack (they presumably discovered just how much specialized knowledge they'd have to develop in order to mount a meaningful attack). These mitigating factors aren't mentioned in their discussion.

Granted, if they don't want the book to balloon to unmanageable lengths, they can't go into depth with every topic, given the scope of the work. But this makes the inclusion of many questionably-relevant topics that much more puzzling. For example, the book includes discussion of lockpicking (and counters), interrogation techniques, and other purely physical security concerns, which, while in a sense relevant to information security, seem out of place in this particular book, at least to the level of treatment they receive.

Again, with all that said, this book does have substantial utility. I may still recommend its use in our next course offering (albeit wincing at its amateurish presentation) due to its rather unique scope and focus. A lot of work clearly went into putting it together, and they hit pretty much every topic you'd like to see in a book aimed at this audience, addressing them reasonably effectively. I'm hoping there's a second edition (maybe from a different publisher) that smoothes out the rough edges in presentation and includes more discussion of the recent Stuxnet worm that clearly has major relevance in this field.