Cyber security: targeting

targeting - lexicon image
“Only amateurs attack machines, professionals target people” Bruce Schneier

Targeting is the process by which targets are selected. Although the process is more traditionally associated with military activity it has its foundations in international humanitarian law. All hackers conduct targeting of some kind and although the level of rigour may differ between a nation state and a hacktivist, the playbook always begins with a targeting decision: who am I going to hack to achieve my objectives? Until we see AI integration with cyber attacks, computers don’t decide who to hack, humans do.

There’s a lot more to targeting than just aiming a weapon at someone.

There’s a lot more to targeting than just aiming a weapon at someone.

Discriminating targets from non-targets

While there are some recent and very public examples of indiscriminate cyber attacks, such as WannaCry, the most devastating attacks are usually those that target a specific organisation for a specific reason. Indiscriminate cyber attacks often use automated techniques to scan for weaknesses and deploy exploits without any human-in-the-loop to monitor the progress of the attack (and make refined decisions about progressing with the target). The deduction however is that if a purely technical means is being used to select you as a target, then the attack can be defeated using purely technical means, and usually quite easily. Whether you are actually a viable target or not is irrelevant, it’s how you present yourself to the adversary that counts.

Cost/benefit analysis

Targeting is a form of risk management and includes an analysis of: the expected advantage to be gained from conducting a particular attack; any risk mitigation to minimise the probability of detection; the probability of attribution; measures to preserve the attackers’ equity including any anonymising covert infrastructure (such as Tor, though well-funded hackers and nation states tend to build their own) to be employed on the way to the target, and; payloads to be used. The targeting solution may also go as far as selecting the type of cyber weapon to be used, though this itself presents another challenge: nations that abide by the Geneva Conventions are also supposed to apply the protocols of conventional warfare to cyber warfare and this can affect how targets are selected.

US Airforce cyber operations

The US Air Force treats the totality of the people, processes, information and technology that make up its offensive cyber operations capability as a formal ‘weapons system’ that is bound by the Protocols of the Geneva Conventions.

For example, Article 36 of the 1977 Additional Protocols to the Geneva Conventions declares that in the development of (cyber) weapons the developer (named as the High Contracting Party) must consider if use of the new weapon could break any existing International Humanitarian Law such as causing unnecessary suffering or be unable to discriminate between combatants and civilians. It is these types of ethical decisions that affect the targeting decisions of nations. The trouble begins when the belligerent has a low ethical threshold or is not a signatory to the Geneva Conventions (such as non-state actors, criminals or terrorist organisations).


“The devil doesn't come dressed in a red cape and pointy horns. He comes as everything you've ever wished for” Tucker Max

Why does nobody talk about cyber targeting outside of the military/intelligence community? It’s because there is a global industrial preoccupation with ‘beating the bits’ when ‘deceiving the hacker’ could be a useful complementary activity. This problem is manifested in most organisations by making cyber security an IT issue. It’s usually humans taking defensive decisions about how to protect against hackers, and by taking a ‘beat the bits’ approach, the defenders are often overwhelmed. You can’t try to defeat every attack and protect everything, all the time. Cyber defenders need to be lucky every time but hackers just need to be lucky just once.

Identity card

Operation Mincemeat in WW2 convinced the Germans that the Allied landings would occur in Sardinia instead of Sicily by planting false information on a drowned ‘Royal Marine’. Cyber deception can be a valid technique for distracting and delaying hackers while you prepare to remove them from your network.

Understanding cyber targeting is important because each step in the targeting process is usually made by a human and human decision making is fallible to deception. Deception, or at least a lack of information about a target, creates uncertainty and uncertainty reduces the likelihood of success of an attack. This can be done through delaying or disrupting hacker command and control, honeynets as part of your early warning system (though a modestly sophisticated hacker will spot these a mile off) or altering the way your network responds to traffic.

If you can create uncertainty in the mind of a hacker during their targeting process or even during an attack itself, you can buy your defenders more time and allow defence-in-depth tactics to degrade the effectiveness of an attack.

Deterrence as a strategy

In some cases, particularly those involving cyber crime, putting up a sufficiently credible defence for a long enough period of time may just raise the cost enough to make the attacker move on to easier targets.

There are lots of people involved in cyber crime and everyone wants their cut.

There are lots of people involved in cyber crime and everyone wants their cut. From NCSC report (2017): "Cyber crime: understanding the online business model".

The margin on each individual organised cyber crime hack are often relatively low and in crime, as much as the legitimate commercial world, everyone takes their slice. When the slices become too small (or negative) then the adversary will move away to someone easier.

Until next time.

Jeremy likes


Jeremy Jones.jpg

Jeremy Jones is Theta’s Head of Cyber Security.