Cybertactix's Enterprise InfoSec Blog

June 11, 2013

Cyber War: It’s Real and It’s (Virtually) Here

Filed under: cyber_warfare — cybertactix @ 10:10 PM

Recently an article in Vanity Fair (http://www.vanityfair.com/culture/2013/07/new-cyberwar-victims-american-business) made the case that the U.S. is engaged in a cyber war with Iran. The U.S. government has, via the FBI investigation into the leaking of information about Stuxnet, stopped just short of openly admitting to computer-based attacks against Iranian targets, in particular the plants designed to enrich uranium into nuclear fuel. Iran, for its part, has claimed that the Revolutionary Guard “controls” the fourth largest cyber army in the world, but its actual capabilities and intentions are far less well known. While short on specific facts about Iranian involvement, the Vanity Fair article does lay out an interesting case for concluding that Iran has supported, if not actively carried out, cyber attacks against the U.S. economy.

One of the difficulties in many cyber attacks is attributing the attack to an individual or group unless someone comes forward and claims it. In contrast with physical attacks in the real world (a.k.a. meatspace), where investigators rely on unique and hard-to-duplicate evidence like DNA, the clues left behind in a cyber attack are merely digital data: strings, timestamps, compiler metadata, tooling and infrastructure that are easily copied, which makes it just as easy to plant forensic evidence meant to misdirect an investigation. Software exploits can be copied by the target or by a third party, modified, and then used to attack the original attacker or someone else entirely. Forensically the second attack can be made to look identical to, or a variant of, the first, and point a damning finger back at the original attacker. In the cyber world it is seldom possible to state the source of an “attack” with absolute certainty; rather, one has to gather all the evidence and then postulate as to the most likely source, and state how confident that judgement is.

Unlike conventional warfare, where physical assets are attacked and destroyed, the cyber warfare described in the article bears a closer resemblance to a “cold war” involving espionage, coalitions with other nations or groups, propaganda campaigns, and technology competitions, as well as diplomatic and economic pressures. While there is no direct evidence that Iran is engaging in cyber warfare against the U.S., there is no doubt that the U.S. has engaged in cyber attacks against Iranian assets. Cyber war is real.

What does the future hold?

With the likelihood that the U.S. will use cyber attacks as part of its global policy arsenal in the future (http://www.telegraph.co.uk/news/worldnews/barackobama/10107614/Barack-Obama-orders-up-list-of-cyberwar-targets.html?goback=%2Egde_1836487_member_247981046), and with the most likely response being a cyber counter-attack, the ability to definitively attribute attacks to specific actors is the next major challenge for information security analysts in both the public and private sector. Rather than relying only on technical skills, the new breed of information security analyst will need to be a hybrid of technologist and intelligence analyst, capable of understanding complex computer technologies and of interpreting large volumes of evidence to uncover patterns in order to attribute attacks to specific actors or nations. In the near term, “kill chain” analysis (breaking an intrusion into its phases, from delivery through exploitation and installation to command and control and the attacker's final objective, so that events from different sensors can be placed on one timeline) and big data correlation across those sensors will likely become the primary tools of the security analyst trying to fend off and identify cyber attackers. It will no longer be enough to merely deploy technology in the hope of protecting information and assets; defenders will need to “know” and understand the motivation and tactics of attackers or groups in order to try to stay ahead of strikes in the high-stakes chess game that cyber information security and warfare will become.
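As an added illustration of the kill chain and correlation work described above (this is example code written for this page, not anything from the original post or from any vendor), the script below normalizes three constructed log sources (a mail gateway, an endpoint agent and a web proxy; all hosts, users, domains, paths and hashes are made up) into events, tags each event with a phase of the Lockheed Martin intrusion kill chain, builds a per-host timeline, and then pivots on indicators shared between hosts to group them into one campaign. The asset inventory, the list of document readers, the allow-list and the exfiltration byte threshold are all assumed values that a real deployment would take from its own environment.

```python
"""Kill-chain correlation over constructed log lines (added example)."""
from collections import defaultdict

# Kill-chain phases in order (Hutchins, Cloppert and Amin, 2011).
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed environment data (hypothetical): who sits at which host,
# which processes are document readers, which destinations are trusted.
USER_HOST = {"alice@corp.example": "ws-alice", "bob@corp.example": "ws-bob"}
DOC_READERS = {"acrord32.exe", "winword.exe"}
KNOWN_GOOD = {"update.microsoft.com"}
EXFIL_BYTES = 10_000_000   # a single POST above this is treated as exfiltration

# Constructed sample logs: "<timestamp> <source> key=value ...". Hosts,
# domains, paths and hashes are made up for the example.
MAIL_LOG = """\
2013-06-10T08:02:11 mailgw rcpt=alice@corp.example attach=invoice.pdf sha256=aaaa1111 verdict=delivered
2013-06-10T08:05:40 mailgw rcpt=bob@corp.example attach=invoice.pdf sha256=aaaa1111 verdict=delivered
"""
ENDPOINT_LOG = r"""
2013-06-10T08:14:03 edr host=ws-alice proc=acrord32.exe child=cmd.exe event=child_process
2013-06-10T08:14:09 edr host=ws-alice path=C:\Users\alice\AppData\svc.exe event=persistence_run_key
2013-06-10T08:20:55 edr host=ws-bob proc=acrord32.exe child=cmd.exe event=child_process
"""
PROXY_LOG = """\
2013-06-10T08:15:30 proxy host=ws-alice dst=update-cdn.example.net method=POST bytes=512
2013-06-10T09:40:12 proxy host=ws-alice dst=update-cdn.example.net method=POST bytes=48310000
"""


def parse_line(line):
    """Turn one log line into a dict of key=value fields plus ts and source."""
    ts, source, *pairs = line.split()
    ev = dict(pair.split("=", 1) for pair in pairs)
    ev["ts"], ev["source"] = ts, source
    return ev


def host_of(ev):
    """Resolve the event to a host; mail events are mapped via the recipient."""
    return ev.get("host") or USER_HOST.get(ev.get("rcpt"))


def classify(ev):
    """Map an event to a kill-chain phase, or None if it is not interesting."""
    src = ev["source"]
    if src == "mailgw" and ev.get("verdict") == "delivered" and "attach" in ev:
        return "delivery"
    if src == "edr" and ev.get("event") == "child_process" and ev.get("proc") in DOC_READERS:
        return "exploitation"            # a document reader spawning a shell
    if src == "edr" and ev.get("event") == "persistence_run_key":
        return "installation"
    if src == "proxy" and ev.get("method") == "POST" and ev.get("dst") not in KNOWN_GOOD:
        return "actions_on_objectives" if int(ev["bytes"]) > EXFIL_BYTES else "command_and_control"
    return None


def indicators_of(ev):
    """Pivot-able atoms (hash, destination, path) that can link hosts together."""
    return {f"{k}:{ev[k]}" for k in ("sha256", "dst", "path") if k in ev}


def correlate(*logs):
    """Build a per-host, time-ordered kill-chain timeline from several log sources."""
    timelines = defaultdict(list)
    for log in logs:
        for line in log.splitlines():
            if not line.strip():
                continue
            ev = parse_line(line)
            phase, host = classify(ev), host_of(ev)
            if phase and host:
                timelines[host].append({"ts": ev["ts"], "phase": phase,
                                        "source": ev["source"],
                                        "indicators": indicators_of(ev)})
    for tl in timelines.values():
        tl.sort(key=lambda e: e["ts"])   # ISO-8601 timestamps sort lexically
    return dict(timelines)


def furthest_phase(timeline):
    """The deepest kill-chain phase reached on a host."""
    return max((e["phase"] for e in timeline), key=PHASES.index)


def shared_indicators(timelines):
    """Indicators seen on more than one host: the seed for clustering a campaign."""
    seen = defaultdict(set)
    for host, tl in timelines.items():
        for e in tl:
            for ind in e["indicators"]:
                seen[ind].add(host)
    return {ind: sorted(hosts) for ind, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    tls = correlate(MAIL_LOG, ENDPOINT_LOG, PROXY_LOG)
    for host, tl in sorted(tls.items()):
        print(host, "->", furthest_phase(tl))
        for e in tl:
            print("   ", e["ts"], e["source"], e["phase"])
    print("shared:", shared_indicators(tls))
```

On the constructed data, ws-alice runs the full chain from delivery to a large outbound POST, ws-bob stops at exploitation, and the shared attachment hash is what ties the two hosts into one campaign. That last step is where the attribution caveat from the post bites: a shared hash or domain says two intrusions are related, but since such indicators are trivially copied or planted, it suggests rather than proves a common actor, and an analyst should record the confidence attached to that link rather than treat it as a fact.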

The U.S. is not only looking to use cyber attacks as part of its global policy; it is also expecting to be a target for cyber terrorists and cyber warriors. In addition to buying exploits in underground markets, the Department of Homeland Security is looking to share information about these exploits with “critical infrastructure” providers in order to protect that infrastructure from attackers. Unlike conventional physical weapons, which have to be duplicated in the real world (which takes time and resources) and have a virtually unlimited shelf life, digital weapons can be duplicated and sold to multiple buyers instantly, but once known to defenders they have a very limited shelf life. If the U.S. government makes knowledge of zero-day exploits available to high-value targets in the U.S., the next arms race may not be the race to discover new digital vulnerabilities and create exploits; it may be the race to patch against them.
