Looking Back and Thinking Ahead on Cyberwar, Nation-State Attacks

BLACK HAT ASIA - Singapore – Nation-state threats dominated the themes of this week's keynotes at Black Hat Asia, where experts dug into past and current cyberattacks, efforts to mitigate nation-state attacks, and the broad and evolving realm of cyber warfare.

Bill Woodcock, executive director at Packet Clearing House, took attendees back to the 1980s and 1990s, when the Internet was a closed community of interests and hadn't yet gained popularity. At the time, cyberattacks were few and far between, he said in his day one keynote.

"We were doing it because it was fascinating," he said. "Nobody thought there was any money in it … and because there weren't a lot of security incidents back then, we had time to investigate." By the mid-1990s, he continued, nation-state attacks on Internet service providers started to appear, coming from the US and Russian military.

Over time, incidents continued to escalate with Russia attacking Estonia in 2007, for example, and the United States' 2009 Stuxnet attack against Iran. Cyber offensive military personnel adopted the strategy of buying zero-days and getting their lawyers to say nothing would go wrong. Their idea was to focus on offensive strategies at the expense of ignoring defense.

"We see it play out over and over," Woodcock explained: militaries thinking they're the smartest people in the room; believing they'll be able to use the attacks they purchased any nobody will ever put it on them. "But none of that works out the way they think," he added.

Nation-state attacks escalated, often with players targeting private-sector trust in tech vendors and the relationship between businesses and consumers. In the 2010 Flame attack, the US government impersonated a Microsoft certificate to claim a fake Windows update was legitimate. China's 2011 attack on RSA stole SecurID two-factor authentication tokens, he noted.

Woodcock pointed to the grave implications of cyberthreats in the physical world with the 2015-2016 power grid attack targeting Ukraine's critical infratstructure.

"It's the kind of thing that causes lives to be lost, through accident or poor preparation," he said. "As a modern society we're not prepared to live without power for extended periods of time … saying cyber has no consequence - it's a little late for that."

The rapid growth of back-and-forth cyber events drove efforts to curtail attacks. In 1998, Russia proposed a treaty on cyber conflict, which made people skeptical because Russia had been the principal instigator for the problem, Woodcock pointed out. Between 2004 and 2017, there were five efforts to come up with a consensus about how cyberattacks should be addressed. By 2017 it was recognized that nothing was working, and a handful of countries were to blame.

The problem, he explained, was there were three nations, maybe four or five with the additions of Israel and Iran, which value their ability to attack other parts of the Internet more highly than the safety and economic stability of the Internet in their home countries.

"The US, Russia, and China don't want to agree to any treaty that will limit their ability to conduct offensive cyber operations … because they would do it anyway, and then look bad for violating the treaty they signed," Woodcock said. It's tough to get countries to agree to a treaty, he continued, because they have to turn it into local law, which will be different in each place.

Changing the Game in Cyber Warfare

A reflection on past cyber operation efforts is interesting but does little to help build effective strategies for future attacks, said The Grugq, vice president of threat intelligence at Comae. "You can't expect that what worked last time is going to work the next time," he explained.

In his keynote on day two of Black Hat, the Grugq dug into the realm of cyber warfare, breaking several misconceptions people often have about fighting in cyberspace - for example, the idea that cyberwar is about skill. He compared cyber warfare with air warfare, noting how planes were created with maneuverability so skilled pilots could beat less-skilled pilots.

That's not the way you win, he said. The way you win is showing up with more adversaries and overwhelming the target. "It's not about skill. That doesn't actually matter," he emphasized.

Fighting cyberattacks is a team effort, said The Grugq, and teams should prioritize adaptability, agility, speed, creativity, and cohesion. It's more effective to operate in small teams than in large "megateams." Small teams provie a "range of capacity," from elite workers to whose who rely on simple offensive attacks like large-scale phishing campaigns.

"Adaptability is the ability to take a new technology and exploit it for cyber conflict," he explained, pointing to the example of Facebook as a weapon. "The US has proven itself as very good at developing new technologies, but they have been fairly poor at adapting those technologies for offensive purposes."

Agility is the ability to take your current situation and make it where you want to be. With respect to speed, the teams with fewer meetings will be the teams who get ahead. Creativity is the ability to create new attacks based on those that exist, and cohesion is the ability to collaborate. The Grugq framed these traits in the context of different nation-states.

The DPRK, for example, has low agility and adaptability; they typically use attacks used by others in the past. They're cohesive because they all do what their leader wants but they fall short on creativity by reusing the same attacks and copying others' attacks.

China is "complicated and changing," he continued. It has loose cohesion for security and deniability reasons, with low adaptability, medium speed, and mixed creativity.

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.