U.S. Defense Secretary Leon Panetta did his best to scare the pants off of the American people last week. In a briefing with reporters, he warned of the growing danger of cyberwarfare and its potential to cripple critical infrastructure in the United States. With the rise of so-called state-sponsored cyber attacks in recent months in the form of viruses called Flame, Mahdi, Stuxnet and now Shamoon, how much does the U.S. have to worry about malicious hackers terrorizing American infrastructure?
If you believe Panetta, the answer is a lot.
The Defense Secretary painted a very grim picture of the cyber threats that could do damage in the U.S. – leading to significant damage and loss of life. Panetta noted to reporters that, “cyber-actors are probing America’s critical infrastructure networks,” and are targeting control systems for electricity, water, transportation and chemical facilities.
Predicting fire and brimstone is probably in the job description of any Defense Secretary. That does not mean that Panetta is blowing hot air. The danger of significant damage to the U.S. critical infrastructure from cyberwarfare is very real.
Two Key Cyber Attack Vectors
Two distinct attack vectors have been seen in recent large-scale cyber attacks on governments and infrastructure. The first and potentially most damaging are viruses specifically targeted towards disabling computers and critical systems. The most prominent example of this was the Stuxnet virus that tortured Iran’s nuclear program. In that same vein, Shamoon disabled 30,000 computers at Aramco, Saudi Arabia’s national oil company, wiping the devices clean and shutting them down. The process attack caused irreparable harm to the company’s operations.
The second attack vector falls into the category of “cyber-espionage.” Viruses that have made headlines this year acting as spies include Mahdi and Flame, the latter considered to be one of the most complex viruses ever created. These viruses infiltrate target computers and hide, sending information back to command-and-control servers on communication activity, key strokes, important data and more. The breadth of these viruses has led many to believe that they were developed by government-run entities as specific weapons in cyberwarfare.
Multi-Layered Defenses Required
Defending against cyber threats requires a multi-layered approach. If we look at the history of recent viruses that have damaged infrastructure in the Middle East, the deployment mechanisms have been precisely targeted. In some cases, the viruses (such as Shamoon’s introduction into Aramco) have been attacks known in the security industry as “spear-phishing.” This type of attack generally comes through email to a critical employee’s inbox with the virus attached. Clever spear-phishers construct their attacks to make it difficult for the victim to tell the difference between an attack and a legitimate email. Once inside a target computer, the virus can spread to other systems in the network.
Viruses can also be introduced into systems manually, through a USB drive or some other storage device. This approach requires a human actor in the physical presence of target computers. Stuxnet was believed to be introduced into the Iranian nuclear program in this way.
In both cases, viruses were “let in” to the target environment by somebody within the organization. In one case it would be an actual employee unknowingly succumbing to spear-phishing, the other would be by circumventing the physical security teams responsible for securing buildings and critical systems. The most obvious way to fight these types of attacks would be to boost training and investment in cyber and physical security teams as well as employees to how they can avoid letting malicious actors into critical environments.
But even the best training may not be enough.
We have seen time and again that motivated hackers can find a way in to even the most heavily secured systems. State-sponsored hackers will likely be armed with original viruses that security companies know nothing about and thus have no signature in their databases with which to identify and stop the viruses. Zero Day attacks are, by nature, hard to detect because they exploit unknown vulnerabilities in software. It can be difficult to determine that critical systems have been infected when the virus is hiding in the background, biding its time and learning when and how to strike.
Advanced Persistent Threats
In the cyber security industry, attacks against infrastructure and large organizations are often referred to as “advanced persistent threats.” According to Aviv Raff, CTO of threat detection company Seculert (which helped discover the Shamoon virus), the best way to counteract such persistent viruses is to take a long view using a data-driven approach. The idea is to analyze data sets in organizations over time through the cloud, looking for irregularities in logs to assess if a malicious actor is present.
Secretary Panetta said that the Department of Defense will take an active role in helping protect U.S. private sector companies from cyberwarfare attacks. What exactly that means, isn’t entirely clear. It could mean anything from shutting down the Internet to the idea that the best defense is a good offense. (For more on this notion, see Brian Proffit’s New Cyberwar Rules Of Engagement: WIll The U.S. Draft Companies To Fight?)
The notion of a government-held “kill switch” to the Internet scares many people, but the alternative may too horrific to fathom.
Image courtesy of Shutterstock.