Information warfare: The need to know your enemy
- By William Jackson
- Jan 26, 2006
When terrorists'or another nation'launch a cyberattack against the U.S. infrastructure, it probably won't be with a zero-day exploit, security experts say.
'There is enough low-hanging fruit already out there that works,' security analyst Tom Parker said at the Black Hat Federal Briefings in Alexandria, Va. There is no reason to expose a perfectly good new vulnerability and exploit.
But just what the attack will look like is not clear.
'There isn't a whole lot of information out there on how nation-states go about attacking each other,' Parker said.
To IT security professionals, one attack looks pretty much like another. They focus on the exploit being used. But Parker and Matthew G. Devost, CEO of the Terrorism Research Center Inc., make the case that we need to be able to identify our attackers more clearly if we are to defend ourselves effectively.
'Obviously, nation-states have greater capacity to finance attacks,' Devost said. 'We need to ask ourselves, 'Who are the threats,' because they all look the same in the exploit.'
Effective risk management requires greater granularity in identifying our attackers, their motives and their capabilities, Devost said.
Parker and Devost described a model for characterizing the motives and capabilities of cyberadversaries. By feeding information about political and cultural conditions, possible motivations of attackers and the resources available to different groups, patterns could be identified that would let analysts pull meaningful data from the noise of IT system and event logs. This could be used to help prioritize threats and responses.
Worries about the potential for cyberterrorism and information warfare have existed for more than a decade, but there is little real-world information about the actual nature of these threats.
'It obviously is something that is on the radar screen,' Devost said. 'But we really can't predict whether it will be five or 10 years out' before a serious attack actually occurs.
That is a real problem in a society where a three- to five-year horizon is considered long term.
Researchers have identified some probable general characteristics of an information warfare attack. The attack code is likely to be robust and work across multiple platforms, and the payload will be precise and efficient, executing only what is necessary to achieve its goal.
This would help the exploit avoid detection, as would the use of sophisticated rootkit
technology to burrow deep into the operating system kernel or even the computer's firmware.
These traits also describe recent trends being observed as organized crime turns toward computer hacking to steal and exploit valuable data. Parker said the potential for cooperation between organized crime, nation-states and terrorist organizations in developing malicious code is a serious threat that already may be under way. He said the value of malicious code is growing in underground markets, with a robust Windows exploit now selling for $50,000, compared with $25,000 two years ago. He did not say how he obtained this information.
Parker said cyberattacks are unlikely to replace proven physical attacks used by existing terrorist organizations and are more likely to be adopted by new and marginalized groups with limited resources to carry out traditional attacks.
William Jackson is freelance writer and the author of the CyberEye blog.