On Cyber War
War is destruction and loss of lives. The term "cyber war" has become powerless and meaningless under so much marketing hype from every vendor, blogger and their uncle's dog. Throughout this book you will often read this term and others associated with it; just remember that things are really serious, and if something bad hits the fan, it will really be devastating. We have seen examples of factories stopped, whole production lines destroyed, fuel pipes blown up and the electricity of entire countries disrupted (Pakistan and Turkey). Many of these were performed just as an exercise, or to prove a point between big players.
The (western) media portrays China and Russia as the most active players on the cybercrime / cyber war scene, when in reality the most active and effective cyber warfare actors are the Five Eyes Alliance countries (FVEY: Australia, Canada, New Zealand, the United Kingdom and the United States, ref.: http://en.wikipedia.org/wiki/Five_Eyes ). Following them are China, Russia, France, Germany, Japan, South / North Korea, and a countless number of other state-sponsored and non-state malicious code writers. Just for a sense of scale: the largest private intelligence organization has almost 200 000 employees and private contractors under its belt. I would like to emphasize that being active in this field does not necessarily mean being evil or dangerous; everyone has the right to pursue their business and state objectives, to defend themselves and to seek information which would improve their nation's wealth and security. The only downside for regular organizations is being caught in the crossfire between two or more large actors as collateral damage.
One of the strategies utilized by FVEY once a target is acquired is to exploit it through the open links to the Internet the target already has. That includes any website the target visits, primarily, but not necessarily limited to, sites hosted under their geographic control.
Once the victim has an established session with such a website (think social networks, e-mail), FVEY injects its own traffic, such as an exploit, into the stream and compromises the target.
With this in mind, critical and sensitive systems should never open sessions outside of the fortress, and should never establish sessions with the Internet unless inside an encrypted, secure tunnel.
You don't have to be on their list of targets to get hit or to fall victim as collateral damage: your company's network can become just a temporary storage location or a tunnel for their operations. Then the burden of proving you were not involved will be on you. Can you deal with that?
According to recently 'leaked' documents, the NSA considers using "fourth party" networks in its operations normal and acceptable; that is, using your company or your network as a stepping stone during some operation, without your knowledge. The same policy most likely exists in other countries, and although I can't judge whether it is right or wrong, it can harm innocent parties.
While I am fully supportive of any activity which preserves the lives and peace of any sovereign nation, there are limits which should not be crossed. One such limit is allowing unknown activities, with unknown motives and unknown consequences, on the "fourth party". Since there is nobody who could enforce such fair behavior, the burden of enforcing it falls on every organization desiring safety and independence.
Your objective is guarding your castle, and it does not matter who the attacker is or which side of a geographical border they belong to: your network is your territory. If it can fall victim to one player, it can certainly fall victim to any other, using the same or another vulnerability.
Throughout this book I will mention quite a lot of techniques used by the NSA, not because they are necessarily evil, but because no other intelligence agency has been the victim of so many public leaks, and as a result we have no other examples of how intelligence agencies work. Given the abundance of information about the NSA, though, we can safely conclude that others act in a similar way, as they all learn from each other on a constant basis.
We can all be thankful for the multitude of initiatives the NSA has taken upon itself, including distributing free guides on cyber security; it could have kept these for itself, as most other governments do. In fact, many of these guides will be mentioned and used in this book, along with leaked information, which can now be assumed public and no longer 'top secret'.
Private cyber-gangs and armies
Organized crime switched to cyber-crime long ago: the low risks and tremendous returns were a no-brainer. If the NSA spends upwards of $25 000 000 per year on 0-day exploits, the total spent on 0-day exploits underground is definitely more, factoring in the number of sellers and buyers and the number of malicious specimens released every day. This underground market has existed for at least 20 years. Think about Amazon; now realize that there are people who have been selling and buying malicious code for decades, long before Amazon was even conceived.
The malicious software economy depends on a snowball effect: as users are infected via various vectors (malicious ads on compromised ad networks, hacked websites, malicious software, viruses hidden in pirated software, etc.), their data is siphoned off and sold and re-sold to multiple layers of buyers, who in turn monetize the information and invest the proceeds in more infections, more infection vectors and brand new exploits.
Executing an exploit against your branded network router / switch / appliance has become as easy as sending it an inconspicuous packet, undetected by any IDS/IPS. Executing code on any computer in your network has become as easy as sending an e-mail with a PDF attached, followed by a tunnel leaking all confidential information from that computer across the globe.
At this point it should be pretty obvious that your defense strategies need to change.
It does not matter which political side you are on or which country you operate from: the threats have become so mixed up and global that we must act as if we are being attacked from multiple sides, multiple nation states and multiple criminal vectors, all at the same time.
Is China your biggest enemy?
Or maybe it is Russia? Or Iran? Really, the media hype is for the masses; we are supposed to be smarter than that. First, let's remember the existence of the Five Eyes Alliance. The US cyber army alone counts above 20 000 soldiers, trained in offensive and defensive skills. Now let's think: are they really the only ones with the capability of building a cyber army? Because what is a cyber army? Just a number of people trained in offensive security techniques, with a set of really expensive software and hardware tools. Then anyone capable of shelling out a considerable amount of money is also capable of assembling a considerable cyber arsenal and a considerable number of cyber warriors. This expands our list to almost any nation in existence.
And let's not forget, there are criminal syndicates in possession of incredible amounts of money. They are not even slightly behind technologically; I would say they were there a very long time ago, waiting for us.
Then there are the regular local gangs, dealing in power and information: the ones who would take orders from your competitors to infiltrate your organization and steal information for as little as 4-5 digit sums.
In this environment it is no longer forgivable to hide your head in the sand and pretend you are small and nobody will come after you. It's no longer about someone coming after you. It is about everyone going after everyone at the same time: either you fight and survive (if you do it well) or you fall as a victim. There is no other option.