Cyber terrorism, the next Cold War?
Throughout history, military organisation and strategy have undergone profound changes due to technological breakthroughs.
It is widely believed that cyber warfare will play a major role in future wars. Although cyber warfare requires huge financial and manpower resources, a key aspect of the attacks seen to date is that the identity of the perpetrators, though suspected, cannot be known with certainty.
The advantage ultimately lies with those who take the offensive. Cyber war has arrived, and governments and security professionals alike need to better understand it.
What the military refers to as the “battlespace” grows more difficult to define, and therefore more difficult to defend. Technological advances are usually evolutionary, but they can be revolutionary, too. Today, cyber attacks can target political leadership, military systems and average citizens anywhere in the world, and the attackers remain totally anonymous.
So says Kenneth Geers, cyber subject matter expert at NCIS (Naval Criminal Investigative Service), and speaker at the upcoming ITWeb Security Summit 2012, adding that readily available, sophisticated tools mean that even Internet users who are not particularly tech-savvy can launch attacks against government entities.
He says cyber “weapons” are incredibly flexible and can be used for propaganda, espionage, impersonation and even the destruction of critical infrastructure. He adds that human intelligence is starting to play a role again, and that it is no secret that military agencies around the globe are developing cyber warfare tools.
Geers cites the Stuxnet worm in 2010, which he believes accomplished what five years of United Nations Security Council resolutions could not, namely the disruption of Iran's pursuit of a nuclear bomb. In addition, he says the worm may well have been more effective than a conventional military attack and may have avoided a major international crisis over collateral damage.
According to Uri Rivner, head of New Technologies for Identity Protection at RSA, there have already been numerous attacks on critical infrastructure interests: Internet portals, banks, utilities. Estonian and Georgian Web sites and Internet-dependent systems were shut down by denial-of-service attacks a few years ago; several stock exchanges were knocked offline by similar means.
He says national patriots have also claimed responsibility for mass-scale Web site defacements and recent intrusions into digital certificate authorities. “However, these attacks are far from the doomsday scenarios of cyber terrorism. We are yet to see a significant cyber terror attack on a nation's critical infrastructure. The technical capability is certainly there; the desire to hit the West is also there; but a successful operation requires careful planning, a high degree of co-ordination, significant funding and relevant know-how. Otherwise it will be a fizzle.”
Rivner says another possible scenario is a low and slow form of cyber terrorism in which a series of pestering low-magnitude attacks is launched, with the combined effect that the public loses trust in Internet services. “Meanwhile, terrorists use cyber crime to fund activities such as flying recruits to insurgent training camps and supporting terror cells; a company I visited that specialises in monitoring Jihadist forums reports an open call for terrorists to engage in cyber crime.”
Costin Raiu, director, Global Research and Analysis Team at Kaspersky Lab, agrees, and says cyber terrorism is definitely gaining momentum and will probably become a serious problem in the next 10 years. This is due to the architecture of the Internet and to the fact that much critical infrastructure relies on the Internet or can be controlled from the Internet. Hackers are already discovering such configurations and exploiting them as a proof of concept.
Unfortunately, says Raiu, there is no simple solution to this problem; a more secure Internet would require serious resources and international participation. It will probably take one serious incident before such initiatives will start taking place.
Raising awareness is important, just as education is, says Raiu. It is hard to justify investing money to defend against an enemy that cannot be seen face to face and instead exists only at a remote location, over the Internet. One thing every country must understand is that better security requires a better foundation, before anything else. Such foundations include better cyber crime laws, co-operation between countries, with organisations such as IMPACT and Interpol, and with the private sector.
Rivner agrees: “The actual attacks and the wide publicity around these attacks are making countries treat them more seriously. No country can say they don't need to invest in cyber defences, and many governments or countries are under attack.”
Targeted attacks that are designed to attack and breach a specific user, company or organisation are also on the rise, and remain a serious problem for the ICT security community.
Highly sophisticated targeted attacks will eventually succeed. This is why companies like Google, Adobe or RSA have become victims of targeted attacks in the past, despite top security procedures.
So says Raiu, who adds that targeted attacks are launched against all types of companies, without discrimination, as long as they have information that is interesting to the attackers. Such information can include source code, intellectual property in general or information about other companies. It is also important to point out that not only companies can be victims of targeted attacks, but also individuals (VIPs) and other entities such as political parties or media institutions.
Rivner agrees: “Sometimes smaller companies are attacked because they have unique intellectual property of interest, such as a medical device from a pharmaceutical company, or a business with mining rights in a specific geographical region. Sometimes a company will be attacked because it's part of the supply chain of a bigger victim, and it's easier to attack the main target by obtaining trusted access to the supply chain.”
He adds that, as a supply chain partner can be a strategic vendor or an outsourced company, these sorts of companies can be targeted by state-sponsored attacks as part of a bigger play. He cites the intelligence consultants working with the US federal government that were targeted by hacktivists as an example. There are also financially-motivated attacks that target smaller companies, such as the Nimkey gang that targeted specific employees trading in the carbon credits market and got away with millions of euros in CO2 emission permits. “Another example is the Qakbot Trojan, which is aimed at small to medium-sized enterprises - it infects one employee, spreads inside the local network, and waits until someone accesses the corporate banking account.”
The repercussions of targeted attacks can be far-reaching. They not only expose sensitive customer data, but also damage corporate reputations and incur potential lawsuits.
Raiu says defence against targeted attacks should include not only standard procedures, such as security software, but also measures that handle the situation once the attack has been successful. Backup, virtualisation, DLP and raising user awareness are some of the more modern answers when it comes to defence against targeted attacks.
Rivner adds that the conventional investment in perimeter security, in an attempt to prevent access into the network, fails to stop determined attackers. “Assume the intruder is already inside, and ask yourself: now what?”
He says identifying advanced, targeted attacks requires a combination of three elements: detection, situational awareness and intelligence. “We can use the following analogy: it's the middle of the night, and there is an intruder in your house. Detection means you woke up. Situational awareness allows you to quickly find out the full context of what's going on - how many intruders? Are they armed? If yes, surprising them may not be the best option. Intelligence means that you realise what you're actually seeing, and the right intelligence helps you find the best solution.”
So, continues Rivner, the combination of detection, investigation and intelligence lets the user know exactly how to respond to an attack.
Raiu says the majority of targeted attacks take advantage of a specific vulnerability or a set of vulnerabilities to succeed. For instance, the famous Aurora attack took advantage of a vulnerability in Internet Explorer. The RSA attack took advantage of a vulnerability in Flash Player, exploited through an Excel document. These vulnerabilities are generally memory-corruption flaws such as buffer overflows that allow remote code execution.
How to protect against these? “One of the technologies we are recommending to our users, which is available in our latest corporate products, is whitelisting and default deny policies. Under such policies, unknown executables are not allowed to run by default. Hence, malware can't be downloaded and run on the system.”
In terms of what the industry is doing to prevent this sort of attack, Rivner says security companies are now spearheading an industry-wide effort to develop a new defence doctrine against advanced cyber attacks. There's a huge amount of innovation and investment, triggered by the dramatic growth in the threat landscape and the realisation that traditional perimeter security is insufficient.
“Promising directions include network intelligence systems to create situational awareness; big data advanced analytics for spotting abnormal behaviour inside the network; cyber intelligence capabilities and tools; virtualisation and sandboxing technologies to segregate data assets from the regular corporate network.”
Hacktivism is another growing issue, says Raiu. “Based on past incidents, such as the HBGary hack or the Stratfor incident from December 2011, we can say for sure that hacktivism can pose problems. Despite the recent crackdown on hackers from groups such as LulzSec, their activities do not appear to have been halted and have become one of the four major types of cyber incidents, together with cyber espionage, cyber crime and cyber war.”
Although there are definitely strong reasons that hacktivists cite as being behind their actions, these normally do not fall within the ethical spectrum because they involve illegal data access, Raiu adds.
According to Rivner, hacktivism activities have a varying degree of ethics and can fall on any spot between fairly moral and hideously criminal. “In some cases, the hacktivists' ideal and cause is taken to the extreme, and in other cases we see attempts by hacktivists to correct injustice and serve as vigilantes. Take the WikiLeaks release of Syria's president Assad correspondence: you can view it as a criminal hacking of e-mail accounts, or 'the public needs to know who this person is' campaign in support of Syrian opposition to a tyrannical regime.”
He says these groups operate on their own version of idealism. “The fact that people are capable of pulling off these attacks signifies that they are definitely a serious force to be reckoned with. They are certainly a serious threat to their targets: attacks by these groups can affect companies financially or impact their reputation, and, in extreme cases, cripple small companies completely. The motivation among these groups is not to kill people, or even to topple government; their primary aim is to support a cause and make a statement.”
He believes these groups won't go to the extreme of cyber terrorism attacks because, at the end of the day, they enjoy some degree of public support. Another aspect of hacktivism is the ability of these groups to tap into the power of the masses, which is very interesting, and something to watch out for in the near future.
In terms of the evolution of hacktivism, Rivner believes that, in future, target selection will be more creative and dynamic, following global news closely and attempting to cater for 'mainstream' public opinion about entities that 'deserve' to be targeted.
“At the same time, we'll see splinter groups following less 'mainstream', more disturbing causes. We'll see a great focus on exposing sensitive data, as well as collecting and publishing personal information on executives (Doxing).”
Rivner says we should anticipate some attacks on mobile platforms such as spreading rogue apps, especially in the Android market, instead of 'traditional' Web servers, and also expect a high degree of disinformation in terms of attribution: hacktivism will be used to mask criminal or state-sponsored attacks.
“With the police actively pursuing hacktivists, we expect such activities to become more risky,” continues Rivner. “Based on a simple evolutionary rule, 'survival of the strongest', we can assume the hacktivists will become better at hiding their traces and staying away from law enforcement's arm. At the same time, they will concentrate on bigger targets instead of attacking at any single opportunity. As in the past, there will be various groups of hacktivists, of various skills, which will be active on the Internet. The 'elite' will focus on the big targets while the rest will continue to rely on DDoS tools and scripts to shut down Web sites and protest.”
Bevan Lane, director at Infosec Consulting, agrees that hacktivism is on the rise. He says this is concerning, as it's increasingly widespread, and it would seem that hacktivists have successfully accessed their targets. Lane, who will also be speaking at the upcoming ITWeb Security Summit 2012, says the vast majority of attacks appear to have been committed by groups that believe they have the moral high ground.
Although hacktivists are viewed by some as cult heroes, the organisations targeted by them can suffer serious financial and reputational repercussions, says Lane. “Organisations need to have plans in place. There's a need for security professionals, corporates and IT to join forces to prepare contingency plans to mitigate damage. We should be asking ourselves what would happen if we were attacked today, what information could they steal, and how could we avoid embarrassment.”