Tip

Surviving cyberwar: Preparing for APTs, Stuxnet malware-style attacks

The age of cyberwarfare has been formally announced to the world, via the public outing of the joint U.S.-Israel deployment of the Stuxnet malware against Iranian nuclear facilities, as recently reported by The New York Times.

Requires Free Membership to View

The new reality for political leaders and enterprises alike is that the cost of deploying a cyberattack, in terms of dollars, lives, and political fallout, is significantly less than a conventional war, yet cyberwarfare can accomplish many of the same objectives.

In a cyberwar, the disruption caused by collateral damage could ultimately prove to be more damaging for an enterprise than the specific attack.

Weighing the risk and reward involved with the scenario, using a cyberattack against the Iranian nuclear facilities with Stuxnet seems like an easy decision, though the potential dark side of the decision -- other nation-states using cyberweapons in retaliation -- has been mentioned by the likes of retired USAF general Michael Hayden and other prominent figures. For anyone discussing if and when the U.S. will become a target of cyberweapons such as Stuxnet, they should be reminded of the 2005 Titan Rain attacks. Other countries have been rumored or reported to already be engaging in these types of activities against the U.S. government and multinational corporations, so it would not be a surprise if such targeted cyberattacks have been occurring for even longer.

Enterprises must now prepare for the possibility of a major cyberwar breaking out among major nations, plus the reality that criminal organizations and nation-states are already engaging in industrial espionage via advanced persistent threats (APTs) that could result in the propagation of sophisticated, dangerous malware like Stuxnet.

In this tip, we’ll examine how enterprises can prepare for surviving cyberwar and APTs, monitor for ongoing developments related to possible cyberwar and APT attacks such as the Stuxnet malware, and how to feed the gathered information into their information security programs.

Cyberwar preparations

An enterprise that is concerned about collateral damage resulting from a cyberwar -- such as one involved with critical infrastructure, or with the financial industry, or is a generally high-profile firm -- should consider updating its business continuity plan in case that critical infrastructure is impacted. Since it takes time to put more proactive defensive measures in place, it makes sense to start with the reasonable worst-case scenarios and how to recover from them quickly. Collateral damage that an enterprise must consider preparing for includes extended power outages, Internet downtime, financial costs, and other disruptions.

Enterprises need to carefully assess what external systems (financial transactions, e-commerce, remote support of critical processes, and the like) are required for their organization to function and at what state. In a cyberwar event, the disruption caused by collateral damage could ultimately prove to be more damaging for an enterprise than the specific attack. Referring back to the Stuxnet example, it's likely no one in the private sector knew about its existence when it was launched against Iranian nuclear facilities, but when it, and the vulnerabilities it exploited, were repurposed by third parties to attack a broader range of targets, the stealthy malware was suddenly a major cause for concern because of the potential affect on an enterprise.

From the editors: More on cyberwar

Determine the threat to your enterprise from the Stuxnet-esque Duqu Trojan.

Flame malware leads to more discussion around the threat of cyberwar.

Monitoring for advanced attacks

As mentioned above, cyberwar often affects enterprises in the form of APT-style malware and attacks that exploit previously unknown software vulnerabilities, rendering many traditional malware detection and defensive mechanisms virtually useless. To increase the likelihood of early detection, enterprises can monitor for APT attacks using many different types of tools. There are a number of emerging technology options as well, but experienced analysts are the best and most effective way to properly analyze and correlate information across multiple tools, systems, networks, and even organizations to detect advanced attacks. Enterprises can also augment some common tools to increase their efforts in offensive information-security measures, such as deploying honeypots to engage attackers, in-depth analysis of an attacker’s network traffic, and analysis of binaries on systems. These efforts, however, may require a significant investment technology and training to find the haystack and then to find the needle; the investment may be necessary, just be prepared for it.

Let's discuss a hypothetical example of how to use a variety of tools to root out an advanced attack. A honeypot could first draw an attacker's attention. When the attacker subsequently accesses the system, an alert can trigger the incident response process for responding to an active attack. Once the network connection is made, an in-depth analysis of network traffic during the attack could start to identify as much as possible about the origin of the connection and what data is being sent and received. The data captured on the network or from forensic analysis of the compromised system could yield binaries or other files, which, when analyzed, could help determine what happened to the local system and what data the attacker was trying to identify. The binary could also be analyzed with fuzzy hashing to help identify if the binaries had been previously analyzed. The binary could be run in a sandbox to see what system calls, what network connections were made, or what changes were made to a system to be able to detect it.

Improving information security programs

Enterprises can use the published reports on cyberwar and APT attacks to identify what these types of advanced attacks typically try to accomplish or the potential preparations needed to adequately protect against these threats. Careful evaluation is needed to determine the potential for an attack against an individual organization and the appropriate resources deemed necessary to manage the risk. Enterprises should periodically reevaluate their information security programs to identify weaknesses, areas where the security control isn't cost-effective or is generally outdated, to improve their programs. Upon review, they might even be able to identify security controls that can be retired because they aren't stopping current attackers.

Finally, since enterprises must consider strategic and tactical changes to their security programs in order to defend against cyberwar campaigns, CIO or senior management sign-off is the first critical step. Management needs to understand enough about potential attackers and the risks they pose to the organization to authorize the significant investment necessary to protect the organization from these types of cyberattacks. To do this, perform a threat assessment and present a simplified library of the threat agents to senior management. This will help them understand the threat agents, their motives, and basic methods. They should also provide some direction and oversight to ensure the activities do not violate laws and the privacy culture of your organization.

Conclusion

Planning for incidents and having a strong incident response process is critical to minimizing the effects of cyberwars and APTs. Though most enterprises will not be directly impacted by a cyberwar or an APT attack, their operations might still experience disruptions due to the collateral damage resulting from such attacks. Enterprises that are periodically reevaluating their security programs and updating them based on emerging trends in advanced attacks will be able to improve their security programs as a result.

About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his master of science in information assurance from Norwich University in 2005 and telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.

This was first published in July 2012

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.