[ISN] Information warfare: The need to know your enemy

InfoSec News isn at c4i.org
Fri Jan 27 05:13:57 EST 2006


http://www.gcn.com/vol1_no1/daily-updates/38107-1.html

By William Jackson 
GCN Staff
01/26/06 

When terrorists - or another nation - launch a cyberattack against the 
U.S. infrastructure, it probably won't be with a zero-day exploit, 
security experts say. 

"There is enough low-hanging fruit already out there that works," 
security analyst Tom Parker said at the Black Hat Federal Briefings in 
Alexandria, Va. There is no reason to expose a perfectly good new 
vulnerability and exploit. 

But just what the attack will look like is not clear. 

"There isn't a whole lot of information out there on how nation-states 
go about attacking each other," Parker said. 

To IT security professionals, one attack looks pretty much like 
another. They focus on the exploit being used. But Parker and Matthew 
G. Devost, CEO of the Terrorism Research Center Inc., make the case 
that we need to be able to identify our attackers more clearly if we 
are to defend ourselves effectively. 

"Obviously, nation-states have greater capacity to finance attacks," 
Devost said. "We need to ask ourselves, 'Who are the threats?' because 
they all look the same in the exploit."

Effective risk management requires greater granularity in identifying 
our attackers, their motives and their capabilities, Devost said. 

Parker and Devost described a model for characterizing the motives and 
capabilities of cyberadversaries. By feeding in information about 
political and cultural conditions, the possible motivations of 
attackers and the resources available to different groups, analysts 
could identify patterns that let them pull meaningful data from the 
noise of IT system and event logs. This could be used to help 
prioritize threats and responses. 
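The article does not give the details of the Parker/Devost model, so the following is an added, hypothetical sketch (not their model, and not code from the article) of the idea behind it: the same exploit signature is scored differently depending on which adversary classes have both the motive to hit that target and the tradecraft seen in the event. The adversary profiles, technique tags, sector names and sample events are all constructed for illustration.

```python
"""Illustrative adversary-aware alert prioritization (hypothetical; added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Adversary:
    name: str
    capability: int               # rough resourcing score: 1 = lone hobbyist, 5 = nation-state
    motivated_sectors: frozenset  # sectors this class has a motive to attack ("*" = indiscriminate)
    tradecraft: frozenset         # technique tags typically seen in this class's intrusions


# Constructed adversary classes; the numbers and tags are assumptions for this example.
ADVERSARIES = (
    Adversary("opportunistic", 1, frozenset({"*"}),
              frozenset({"mass_scan", "known_exploit"})),
    Adversary("organized_crime", 3, frozenset({"finance", "retail"}),
              frozenset({"known_exploit", "credential_theft", "data_staging"})),
    Adversary("nation_state", 5, frozenset({"energy", "government", "defense"}),
              frozenset({"known_exploit", "kernel_rootkit", "firmware_implant",
                         "precise_payload"})),
)


def candidate_actors(event):
    """Return the adversary classes whose motive and tradecraft are consistent with an event."""
    matches = []
    for adv in ADVERSARIES:
        motive = "*" in adv.motivated_sectors or event["sector"] in adv.motivated_sectors
        # Every observed technique must fall inside this class's known tradecraft.
        fits = set(event["techniques"]) <= adv.tradecraft
        if motive and fits:
            matches.append(adv)
    return matches


def score_event(event):
    """Priority = capability of the most capable class consistent with the event.

    Returns (score, sorted actor names). A score of 0 means no profile explains
    the event, which is itself worth an analyst's attention.
    """
    actors = candidate_actors(event)
    if not actors:
        return 0, []
    return max(a.capability for a in actors), sorted(a.name for a in actors)


def prioritize(events):
    """Rank events by score, highest first; ties keep their input order."""
    ranked = sorted(events, key=lambda e: score_event(e)[0], reverse=True)
    return [(e["host"], *score_event(e)) for e in ranked]


# Constructed sample events: the same "known_exploit" appears in every one,
# so an exploit-centric view would rank them identically.
SAMPLE_EVENTS = [
    {"host": "web01.retailco", "sector": "retail",
     "techniques": ["mass_scan", "known_exploit"]},
    {"host": "hmi03.gridco", "sector": "energy",
     "techniques": ["known_exploit", "kernel_rootkit", "precise_payload"]},
    {"host": "db02.bankco", "sector": "finance",
     "techniques": ["known_exploit", "credential_theft", "data_staging"]},
    {"host": "kiosk.library", "sector": "education",
     "techniques": ["known_exploit", "firmware_implant"]},
]

if __name__ == "__main__":
    for host, score, actors in prioritize(SAMPLE_EVENTS):
        print(f"{score}  {host:16s}  {', '.join(actors) or 'unexplained'}")
```

Run stand-alone, it ranks the energy-sector host with rootkit and precise-payload indicators above the bank and the retail web server, even though all four share the same exploit; the last event matches no profile and scores 0, which is the cue to revisit the profiles rather than ignore the alert.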

Worries about the potential for cyberterrorism and information warfare 
have existed for more than a decade, but there is little real-world 
information about the actual nature of these threats. 

"It obviously is something that is on the radar screen," Devost said. 
"But we really can't predict whether it will be five or 10 years out" 
before a serious attack actually occurs. 

That is a real problem in a society where a three- to five-year 
horizon is considered long term. 

Researchers have identified some probable general characteristics of 
an information warfare attack. The attack code is likely to be robust 
and work across multiple platforms, and the payload will be precise 
and efficient, executing only what is necessary to achieve its goal. 

Such a payload would be harder to detect, as would the use of 
sophisticated rootkit technology to burrow deep into the operating 
system kernel or even the computer's firmware. 

These traits also describe recent trends being observed as organized 
crime turns toward computer hacking to steal and exploit valuable 
data. Parker said the potential for cooperation between organized 
crime, nation-states and terrorist organizations in developing 
malicious code is a serious threat that already may be under way. He 
said the value of malicious code is growing in underground markets, 
with a robust Windows exploit now selling for $50,000, compared with 
$25,000 two years ago. He did not say how he obtained this 
information. 

Parker said cyberattacks are unlikely to replace proven physical 
attacks used by existing terrorist organizations and are more likely 
to be adopted by new and marginalized groups with limited resources to 
carry out traditional attacks. 
