Looking Back and Thinking Ahead on Cyberwar, Nation-State Attacks

In the domain of cyber warfare, the effective strategies for fighting yesterday's cyberattacks will not work against tomorrow's, experts said.

BLACK HAT ASIA - Singapore – Nation-state threats dominated the themes of this week's keynotes at Black Hat Asia, where experts dug into past and current cyberattacks, efforts to mitigate nation-state attacks, and the broad and evolving realm of cyber warfare.

Bill Woodcock, executive director at Packet Clearing House, took attendees back to the 1980s and 1990s, when the Internet was a closed community of interests and hadn't yet gained popularity. At the time, cyberattacks were few and far between, he said in his day one keynote.

"We were doing it because it was fascinating," he said. "Nobody thought there was any money in it … and because there weren't a lot of security incidents back then, we had time to investigate." By the mid-1990s, he continued, nation-state attacks on Internet service providers started to appear, coming from the US and Russian military.

Over time, incidents continued to escalate with Russia attacking Estonia in 2007, for example, and the United States' 2009 Stuxnet attack against Iran. Cyber offensive military personnel adopted the strategy of buying zero-days and getting their lawyers to say nothing would go wrong. Their idea was to focus on offensive strategies at the expense of ignoring defense.

"We see it play out over and over," Woodcock explained: militaries thinking they're the smartest people in the room, believing they'll be able to use the attacks they purchased and nobody will ever put it on them. "But none of that works out the way they think," he added.

Nation-state attacks escalated, often with players targeting private-sector trust in tech vendors and the relationship between businesses and consumers. In the 2010 Flame attack, the US government impersonated a Microsoft certificate to claim a fake Windows update was legitimate. China's 2011 attack on RSA stole SecurID two-factor authentication tokens, he noted.

Woodcock pointed to the grave implications of cyberthreats in the physical world with the 2015-2016 power grid attack targeting Ukraine's critical infrastructure.

"It's the kind of thing that causes lives to be lost, through accident or poor preparation," he said. "As a modern society we're not prepared to live without power for extended periods of time … saying cyber has no consequence - it's a little late for that."

The rapid growth of back-and-forth cyber events drove efforts to curtail attacks. In 1998, Russia proposed a treaty on cyber conflict, which made people skeptical because Russia had been the principal instigator for the problem, Woodcock pointed out. Between 2004 and 2017, there were five efforts to come up with a consensus about how cyberattacks should be addressed. By 2017 it was recognized that nothing was working, and a handful of countries were to blame.

The problem, he explained, was there were three nations, maybe four or five with the additions of Israel and Iran, which value their ability to attack other parts of the Internet more highly than the safety and economic stability of the Internet in their home countries.

"The US, Russia, and China don't want to agree to any treaty that will limit their ability to conduct offensive cyber operations … because they would do it anyway, and then look bad for violating the treaty they signed," Woodcock said. It's tough to get countries to agree to a treaty, he continued, because they have to turn it into local law, which will be different in each place.

Changing the Game in Cyber Warfare

A reflection on past cyber operation efforts is interesting but does little to help build effective strategies for future attacks, said The Grugq, vice president of threat intelligence at Comae. "You can't expect that what worked last time is going to work the next time," he explained.

In his keynote on day two of Black Hat, the Grugq dug into the realm of cyber warfare, breaking several misconceptions people often have about fighting in cyberspace - for example, the idea that cyberwar is about skill. He compared cyber warfare with air warfare, noting how planes were created with maneuverability so skilled pilots could beat less-skilled pilots.

That's not the way you win, he said. The way you win is showing up with more adversaries and overwhelming the target. "It's not about skill. That doesn't actually matter," he emphasized.

Fighting cyberattacks is a team effort, said The Grugq, and teams should prioritize adaptability, agility, speed, creativity, and cohesion. It's more effective to operate in small teams than in large "megateams." Small teams provide a "range of capacity," from elite workers to those who rely on simple offensive attacks like large-scale phishing campaigns.

"Adaptability is the ability to take a new technology and exploit it for cyber conflict," he explained, pointing to the example of Facebook as a weapon. "The US has proven itself as very good at developing new technologies, but they have been fairly poor at adapting those technologies for offensive purposes."

Agility is the ability to take your current situation and make it where you want to be. With respect to speed, the teams with fewer meetings will be the teams who get ahead. Creativity is the ability to create new attacks based on those that exist, and cohesion is the ability to collaborate. The Grugq framed these traits in the context of different nation-states.

The DPRK, for example, has low agility and adaptability; they typically use attacks used by others in the past. They're cohesive because they all do what their leader wants but they fall short on creativity by reusing the same attacks and copying others' attacks.

China is "complicated and changing," he continued. It has loose cohesion for security and deniability reasons, with low adaptability, medium speed, and mixed creativity.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...