[ISN] Information warfare: The need to know your enemy
isn at c4i.org
Fri Jan 27 05:13:57 EST 2006
By William Jackson
When terrorists - or another nation - launch a cyberattack against the
U.S. infrastructure, it probably won't be with a zero-day exploit,
security experts say.
"There is enough low-hanging fruit already out there that works,"
security analyst Tom Parker said at the Black Hat Federal Briefings in
Alexandria, Va. There is no reason to expose a perfectly good new
vulnerability and exploit.
But just what the attack will look like is not clear.
"There isn't a whole lot of information out there on how nation-states
go about attacking each other," Parker said.
To IT security professionals, one attack looks pretty much like
another. They focus on the exploit being used. But Parker and Matthew
G. Devost, CEO of the Terrorism Research Center Inc., make the case
that we need to be able to identify our attackers more clearly if we
are to defend ourselves effectively.
"Obviously, nation-states have greater capacity to finance attacks,"
Devost said. "We need to ask ourselves, "Who are the threats," because
they all look the same in the exploit."
Effective risk management requires greater granularity in identifying
our attackers, their motives and their capabilities, Devost said.
Parker and Devost described a model for characterizing the motives and
capabilities of cyberadversaries. By feeding information about
political and cultural conditions, possible motivations of attackers
and the resources available to different groups, patterns could be
identified that would let analysts pull meaningful data from the noise
of IT system and event logs. This could be used to help prioritize
threats and responses.
Worries about the potential for cyberterrorism and information warfare
have existed for more than a decade, but there is little real-world
information about the actual nature of these threats.
"It obviously is something that is on the radar screen," Devost said.
"But we really can't predict whether it will be five or 10 years out"
before a serious attack actually occurs.
That is a real problem in a society where a three- to five-year
horizon is considered long term.
Researchers have identified some probable general characteristics of
an information warfare attack. The attack code is likely to be robust
and work across multiple platforms, and the payload will be precise
and efficient, executing only what is necessary to achieve its goal.
This would help the exploit avoid detection, as would the use of
sophisticated rootkit technology to burrow deep into the operating
system kernel or even the computer's firmware.
These traits also describe recent trends being observed as organized
crime turns toward computer hacking to steal and exploit valuable
data. Parker said the potential for cooperation between organized
crime, nation-states and terrorist organizations in developing
malicious code is a serious threat that already may be under way. He
said the value of malicious code is growing in underground markets,
with a robust Windows exploit now selling for $50,000, compared with
$25,000 two years ago. He did not say how he obtained this
Parker said cyberattacks are unlikely to replace proven physical
attacks used by existing terrorist organizations and are more likely
to be adopted by new and marginalized groups with limited resources to
carry out traditional attacks.
More information about the ISN