Looking Back and Thinking Ahead on Cyberwar, Nation-State Attacks

In the domain of cyber warfare, the effective strategies for fighting yesterday's cyberattacks will not work against tomorrow's, experts said.

BLACK HAT ASIA - Singapore – Nation-state threats dominated the themes of this week's keynotes at Black Hat Asia, where experts dug into past and current cyberattacks, efforts to mitigate nation-state attacks, and the broad and evolving realm of cyber warfare.

Bill Woodcock, executive director at Packet Clearing House, took attendees back to the 1980s and 1990s, when the Internet was a closed community of interests and hadn't yet gained popularity. At the time, cyberattacks were few and far between, he said in his day one keynote.

"We were doing it because it was fascinating," he said. "Nobody thought there was any money in it … and because there weren't a lot of security incidents back then, we had time to investigate." By the mid-1990s, he continued, nation-state attacks on Internet service providers started to appear, coming from the US and Russian military.

Over time, incidents continued to escalate with Russia attacking Estonia in 2007, for example, and the United States' 2009 Stuxnet attack against Iran. Cyber offensive military personnel adopted the strategy of buying zero-days and getting their lawyers to say nothing would go wrong. Their idea was to focus on offensive strategies at the expense of ignoring defense.

"We see it play out over and over," Woodcock explained: militaries thinking they're the smartest people in the room, believing they'll be able to use the attacks they purchased and nobody will ever put it on them. "But none of that works out the way they think," he added.

Nation-state attacks escalated, often with players targeting private-sector trust in tech vendors and the relationship between businesses and consumers. In the 2010 Flame attack, the US government impersonated a Microsoft certificate to claim a fake Windows update was legitimate. China's 2011 attack on RSA stole SecurID two-factor authentication tokens, he noted.

Woodcock pointed to the grave implications of cyberthreats in the physical world with the 2015-2016 power grid attacks targeting Ukraine's critical infrastructure.

"It's the kind of thing that causes lives to be lost, through accident or poor preparation," he said. "As a modern society we're not prepared to live without power for extended periods of time … saying cyber has no consequence - it's a little late for that."

The rapid growth of back-and-forth cyber events drove efforts to curtail attacks. In 1998, Russia proposed a treaty on cyber conflict, which made people skeptical because Russia had been the principal instigator of the problem, Woodcock pointed out. Between 2004 and 2017, there were five efforts to come up with a consensus on how cyberattacks should be addressed. By 2017 it was recognized that nothing was working, and a handful of countries were to blame.

The problem, he explained, was there were three nations, maybe four or five with the additions of Israel and Iran, which value their ability to attack other parts of the Internet more highly than the safety and economic stability of the Internet in their home countries.

"The US, Russia, and China don't want to agree to any treaty that will limit their ability to conduct offensive cyber operations … because they would do it anyway, and then look bad for violating the treaty they signed," Woodcock said. It's tough to get countries to agree to a treaty, he continued, because they have to turn it into local law, which will be different in each place.

Changing the Game in Cyber Warfare

A reflection on past cyber operation efforts is interesting but does little to help build effective strategies for future attacks, said The Grugq, vice president of threat intelligence at Comae. "You can't expect that what worked last time is going to work the next time," he explained.

In his keynote on day two of Black Hat, the Grugq dug into the realm of cyber warfare, breaking several misconceptions people often have about fighting in cyberspace - for example, the idea that cyberwar is about skill. He compared cyber warfare with air warfare, noting how planes were created with maneuverability so skilled pilots could beat less-skilled pilots.

That's not the way you win, he said. The way you win is showing up with more adversaries and overwhelming the target. "It's not about skill. That doesn't actually matter," he emphasized.

Fighting cyberattacks is a team effort, said The Grugq, and teams should prioritize adaptability, agility, speed, creativity, and cohesion. It's more effective to operate in small teams than in large "megateams." Small teams provide a "range of capacity," from elite workers to those who rely on simple offensive attacks like large-scale phishing campaigns.

"Adaptability is the ability to take a new technology and exploit it for cyber conflict," he explained, pointing to the example of Facebook as a weapon. "The US has proven itself as very good at developing new technologies, but they have been fairly poor at adapting those technologies for offensive purposes."

Agility is the ability to take your current situation and make it where you want to be. With respect to speed, the teams with fewer meetings will be the teams who get ahead. Creativity is the ability to create new attacks based on those that exist, and cohesion is the ability to collaborate. The Grugq framed these traits in the context of different nation-states.

The DPRK, for example, has low agility and adaptability; they typically use attacks used by others in the past. They're cohesive because they all do what their leader wants but they fall short on creativity by reusing the same attacks and copying others' attacks.

China is "complicated and changing," he continued. It has loose cohesion for security and deniability reasons, with low adaptability, medium speed, and mixed creativity.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
