Friday, February 13, 2015

ISIS as Cyber Threat?

In January of this year, the group known in the West as the Islamic State of Iraq and Greater Syria, or ISIS, made news by "hacking U.S. Central Command", taking control of CENTCOM's social media feeds, and posting internal documents [1].  In reality, someone sympathetic to ISIS' cause gained temporary control of the CENTCOM Twitter and YouTube accounts, probably after managers of those accounts fell victim to phishing emails and bad password practices, and posted documents that seem to have been readily available elsewhere online.   Why a sympathizer?  Do ISIS members call themselves ISIS?  And would they use as an avatar an image with the line "I love you isis"?  Seems more like the work of a fanboy than a terrorist.

The accounts were quickly taken offline and were back under the control of CENTCOM within a few hours, but not before creating a bit of an embarrassment for Central Command.
More recently, the ISIS splinter group calling itself the "Cyber Caliphate" launched a similar attack against a military spouses' group called Military Spouses of Strength and posted threats against several members [2].  This may have been a more successful campaign, if their goal was to spread terror, since personal threats to military spouses could certainly result in someone looking over their shoulder.

Although these attacks seem to have been fairly low-level cyber vandalism, they do raise the question of what sort of threat ISIS poses from a cyber perspective.

ISIS has been particularly adept in their social media campaign, using sites such as Facebook, Twitter, and YouTube to disseminate video footage of executed hostages and to communicate their message to potential sympathizers.  This helps drive recruiting and fundraising, resulting in an estimated 20,000 - 30,000 fighters helping to expand their presence in the Middle East.

Despite their social media prowess, experts in and outside of the U.S. government are largely in agreement that ISIS doesn't pose a significant cyber threat to the United States [3].  At least not yet.  A major attack on the U.S. might involve attacks on the energy industry or financial sector to cause large-scale power outages or a financial crisis.  These sorts of attacks require significant infrastructure and a long-term campaign to infiltrate large numbers of computer systems within these respective sectors.  Such a campaign requires hard-core programmers that can create specialized software and a large, skilled team of cyber professionals working together from a facility with significant technological infrastructure.  There are currently a handful of nation-states that might meet these criteria, but terrorist groups like ISIS haven't demonstrated the capacity to do this yet.  Even if they could do this, it is not at all clear that such an effort would bring them closer to their goal of creating an Islamic Caliphate in the Middle East.  Instead, ISIS is focusing their energy on recruiting fighters and expanding their footholds in Syria and Iraq.

Monday, February 9, 2015

Is Attribution Important?

First, let me say that I am biased.  As a career Army officer, I have internalized, over 25+ years, the importance of threat intelligence.  It started when I was a young Lieutenant in Germany, facing off across the Fulda Gap against the Red Horde.  After that was the first Gulf War, then on to peacekeeping operations in Bosnia and Kosovo, and finally Operations Iraqi Freedom and Enduring Freedom.  All of these different kinds of military operations (armored warfare, peacekeeping, counterinsurgency, and security force assistance) require a robust but tailored intelligence effort.  Cyber operations, whether in the public or private sector, are no different.  Network defense is by its nature adversarial.  You are defending against someone who wants to do harm to your organization, and to approach such a situation without some sort of intelligence on potential threats is likely doomed to failure.

An intelligence effort can have multiple components.  One important aspect, one that some don't consider to be part of the intelligence effort, is to know yourself.  The more you know, the better.  Having a full accounting of all of the devices on your network and what software is running on them, including versions and patch levels, is extremely helpful when a new vulnerability is announced.  This inventory helps your security team prioritize efforts when taking action to mitigate new threats.  Another potential component of a security intelligence apparatus is a "threat intelligence" capability.  Here you might keep the pulse of real-time threats and exposed vulnerabilities from various CERTs, ISACs, and other sources.  Any way you slice it, some level of intelligence collection and analysis is critical.

Attacker attribution is an intelligence effort that has recently garnered increased attention.  Like many cybersecurity topics, there are lots of opinions regarding its value, and even some diametrically opposed positions on the matter.  On one end of the spectrum is CrowdStrike, a company that has built a large part of its business on threat attribution and has provided these services to both public and private sector entities.  CrowdStrike argues that threat attribution is essential.  Their tagline, "You Don't Have a Malware Problem, You Have an Adversary Problem," reflects their assertion that once you know exactly who is attacking you, you can take defensive measures against that specific individual's or organization's known tactics, techniques, and procedures (TTPs).

At the other end of the spectrum are Jack Daniel, Paul Asadoorian, and the crew at Security Weekly, who recently discussed threat attribution during episode 399 of their weekly podcast.  Jack devoted one of his "rants" to an eWeek article entitled "Best Defense Against a Cyber-Attack Is to Know Your Adversary", which describes the philosophy of Tom Chapman, director of cyber operations at EdgeWave Security (the article referenced in their show notes for episode 399 is an excerpt with the same title).  Jack Daniel scoffs at this notion, arguing that knowing your adversary is of little value in network defense.  "You have to know your own sh*t," he says.

During the 2014 National Science Foundation Cybersecurity Summit for Large Facilities and Cyberinfrastructure I moderated a panel on "Threat Profile for NSF Large Facilities and Cyberinfrastructure."  Among the panelists was Matthew Rosenquist, Cybersecurity Strategist for Intel Corporation, who had just given the keynote address.  Matt's talk on "Strategic Leadership for Managing Evolving Cybersecurity Risks" included prediction as a component of defense-in-depth.  He argued that predicting future attacks against your organization can come from an analysis of the most likely attackers, targets, and methods, something that threat attribution would certainly facilitate.  Matthew described a process by which threat actors are divided into "archetypes" with common attributes in terms of resources, skills, targets, tactics, etc.  Understanding who targeted you in the past helps in predicting which archetype is likely to target you in the future, and therefore informs your protective posture and helps you prioritize your approach to defense.  After all, it is difficult, some would say impossible, to completely protect everything in your network.

So, who's right?  I leave it up to you to decide whether threat attribution is relevant or not.  I'll state the obvious here: you must prioritize your intelligence effort according to the resources you can devote to it.  Of critical importance is knowing what hardware and software is on your network so that you know how new threats might impact you.  Next, subscribe to the intelligence feeds necessary to learn of new threats and vulnerabilities.  Analyze potential threat archetypes and keep track of those that you think would target you.  Finally, once you can do all that, begin to focus on threat attribution to refine your understanding of who is targeting you and why.
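The first two steps above, an inventory of what is on your network and a feed of new advisories, combine into the prioritization the post describes: match each advisory against the inventory and work the exposed hosts first. This is an added example, not part of the original post; the inventory, the product names and the CVE-XXXX-YYYY identifier are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool   # exposure drives the patch order

@dataclass(frozen=True)
class Advisory:
    cve: str                # placeholder identifier, not a real CVE
    product: str
    affected_min: str       # first vulnerable version (inclusive)
    fixed_in: str           # first version carrying the fix (exclusive)

def parse_version(text: str) -> tuple:
    """Turn '2.4.7p1' into a comparable tuple (2, 4, 7, 1).
    Any non-digit run (dot, 'p', dash) separates components, so a
    patch-level suffix sorts above the unpatched base version."""
    parts, current = [], ""
    for ch in text:
        if ch.isdigit():
            current += ch
        elif current:
            parts.append(int(current))
            current = ""
    if current:
        parts.append(int(current))
    return tuple(parts)

def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's product in the vulnerable range."""
    if asset.product.lower() != adv.product.lower():
        return False
    v = parse_version(asset.version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)

def prioritize(inventory, adv) -> list:
    """Hosts needing action, internet-facing first, then by hostname."""
    hits = [a for a in inventory if is_affected(a, adv)]
    return [a.host for a in sorted(hits, key=lambda a: (not a.internet_facing, a.host))]

# Constructed sample inventory and advisory.
INVENTORY = [
    Asset("web-01", "ExampleHTTPD", "2.4.7", True),
    Asset("web-02", "ExampleHTTPD", "2.4.12", True),
    Asset("build-01", "ExampleHTTPD", "2.4.9", False),
    Asset("db-01", "ExampleDB", "9.6.2", False),
]
ADVISORY = Advisory("CVE-XXXX-YYYY", "ExampleHTTPD", "2.4.0", "2.4.12")
```

Running `prioritize(INVENTORY, ADVISORY)` lists web-01 before build-01 and leaves out web-02, which already carries the fixed version.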

And I got through this without a single Sun Tzu quote . . .