Cyber threat

Thus far, there have been no confirmed retaliatory cyber strikes conducted by a victimized government against a suspected aggressor state.  There has been some speculation that after the Sony Pictures attack, the United States “knocked” North Korea off the Internet for a brief period of time, although this has never been corroborated.  Despite being a cyber power, the United States has demonstrated restraint in punishing those transgressor states it believes to have orchestrated cyber attacks against its interests, preferring to level sanctions as a punitive alternative.

The question that governments ask is how to deter hostile acts in cyberspace.  And while it is an important question to raise, perhaps the reality is that there is no viable answer.  There is a reason why international efforts continually fail when trying to gain consensus on cyber norms, Internet governance, and the legalities and criteria of hacking back – there is a lack of any fundamental desire to actually find a solution.  Governments willing to agree to the standards and principles of any of these issues are stating their willingness to abide by them, and while that may fit the current situation, the dynamism of cyberspace has proven unpredictable.  Being cuffed to an agreement that no longer has relevance while other governments operate without constraints is not an ideal situation.  Therefore, without an agreement in place, the status quo remains.


Best Cybersecurity Books 2018

There are tons of books on our favorite topic, but it’s always impossible to squeeze them all into one cybersecurity book list. On top of that, not all of them are good enough to be featured on CyberDB. We have created a list of the must-read cybersecurity books of 2018. Some of them have been in print for years, but it’s never too late to read them now. If you think that we have missed something, feel free to contact us and share your recommendations! Without further delay, and in no particular order, here is our list:


Russian Flag Hacker

A recent interview of Russian President Vladimir Putin revealed insight into his – and by extension Russia’s – views concerning cyber attacks, and really the cyber domain as a whole.  Speaking at a joint press briefing with France’s president, when asked about alleged interference in the 2016 U.S. presidential election, Putin remarked: “Action always causes reaction” and that “If one does not want to get a reaction he does not like, rules for actions need to be set.”  Putin pointed out that in the early days of nuclear weapons, governments had found a way to negotiate guidelines on their use, an effort that should be replicated in today’s political climate.  While not necessarily as catastrophic as nuclear weapons, the potential impact is similar in that the disruption and/or destruction of interconnected information technology can potentially affect millions of people.  The implication is certainly clear: an international understanding needs to be reached sooner rather than later.

These public pronouncements of the Russian president are noteworthy as they provide insight not only into how Russia views the activities that transpire in cyberspace but also express a potential avenue of engagement for world leaders to approach Russia on these issues.  Discussions of cyber norms and of how states should conduct themselves in cyberspace have been ongoing in international forums.  The preferred U.S. approach – via the United Nations Group of Experts in the Field of Information and Telecommunications in the Context of International Security (GGE) – notably stalled in June 2017, calling into question whether this Western-preferred approach to establishing norms will succeed under this umbrella.


Cybersecurity podcast

In the past couple of years podcasts have been gaining popularity and are one of the easiest and most convenient ways to learn the latest news and information.

Cybersecurity podcasts didn’t have a particular influence on the boom of podcast popularity as a whole, but there are still plenty of good shows that deserve your attention. Many IT people, from simple observers to some of the biggest experts in the field, have used this method to provide useful advice to the audience. Even some of the major enterprises are looking for the best cybersecurity podcasts to listen to in order to take care of their IT infrastructure.

On CyberDB we have created a fresh list with some of the best podcasts related to cyber and information security. Check it out next time you have some free time, or even when you are stuck in traffic and want to learn something useful. These shows cover everything from simple endpoint and data security matters to comprehensive security operations and incidents. You are about to find a great range of topics, different opinions, and anything that suits your listening needs. With so many great podcasts out there it’s impossible to feature them all in our list. Feel free to contact us if you want to share your favorite cybersecurity podcasts with us so we can include them in our list.


American Cyber Flag

In May 2018, the White House eliminated the position of National Cybersecurity Coordinator.  The move has been met with much pushback from some in the cybersecurity community and even from politicians.  Democratic lawmakers were seeking to propose legislation to restore the position.  In a statement made by the National Security Council, the move was intended to “streamline management in order to improve efficiency, reduce bureaucracy, and increase accountability.”  Nevertheless, given the fact that many security officials, including the Director of National Intelligence, have identified cyber threats as a national security priority, the removal of this position is largely considered a step backward rather than forward.  However, this may be more of a kneejerk reaction than an honest assessment of the roles and responsibilities that have been undertaken by those individuals appointed to the position.

With roots starting as early as 1997, the position first emerged in 2009 and has had three individuals in the role of Cybersecurity Coordinator – Howard Schmidt (2009-2012), Michael Daniel (2012-2017), and Rob Joyce (2017-2018), who is looking to return to the National Security Agency (NSA).  The Cybersecurity Coordinator has been primarily a policy position lacking any day-to-day authority over any of the groups working on cyber security.  Critics have pointed out that while the Cyber Coordinator can make recommendations, the position has no direct authority as far as budgeting is concerned, nor can it compel agencies to comply with guidelines.  This has been a systemic problem with the position – it can make all of the recommendations it wants, but if it cannot compel agencies to implement them within a specified amount of time, the title becomes largely ceremonial.  Government Accounting Office reports on government cybersecurity efforts consistently find shortcomings in the federal government’s approach to ensuring the security of federal information systems and cyber critical infrastructure.


Cyber Battle Fatigue

There is much concern about the realities of “Cyber Battle Fatigue” – a condition resulting from a never-ending process of defending networks and sensitive information from an onslaught of cyber attacks conducted by cyber criminals, cyber espionage actors, and hacktivists. These attackers continue to use a wide variety of tactics, tools, and procedures that span from unsophisticated to very sophisticated, and they continue to have more successes than failures. Two things are certain in a constantly-changing domain: one, that no business that operates online is immune to being targeted, and two, that the cyber security talent pool is sparse, which is contributing to the cyber battle fatigue reality.

The numbers are staggering and continue to exceed previous activity. In 2017, ransomware attacks demonstrated how prolific just one type of attack can be. The WannaCry outbreak impacted computers in more than 150 countries and cost approximately USD 4 billion. According to one U.S. IT company, some notable cybercrime statistics from 2017 illustrate the challenges facing network defenders:



The online activities surrounding the 2016 U.S. Presidential election revealed a swath of suspicious postings on social media outlets that ranged from deliberate false information (e.g., one candidate running a child sex ring; another candidate’s followers making anti-Islam chants at a rally) to purchased ads on social media platforms like Facebook (e.g., promoting gay rights, issues related to the African-American community, and immigration, to name just a few).  In some instances, candidates were attacked via purchased ads.  While there has been much furor about this, the truth is that this type of online content is nothing that people haven’t already seen.

During any campaign, negative print and media ads are often directed against political opponents, and the Internet is not bereft of millions of users willing to promote their viewpoints or engage in vociferous debate with people holding alternative or opposing views.  Social media has made it possible for anyone with an Internet connection to express themselves and put forward a message to a widely dispersed audience within a specific geography.  People can listen, ignore, support, or push back on what’s being transmitted.  The big fear that the mastermind behind all of these ads was intent on swaying constituents to vote for a particular candidate is a concern that has yet to be fully verified.


According to recent reporting, a suspected nation state hacker group with alleged ties to the Iranian government issued death threats to researchers who had detected its cyber espionage activity.  The researchers were checking a server that they believed to be associated with a specific data breach when they received the message “Stop!!! I Kill You Researcher.”  According to the same report, the server was apparently attached to the attackers’ command-and-control infrastructure.  Active since 2015, the group known as “MuddyWaters” has been observed targeting organizations in Georgia, India, Iraq, Pakistan, Saudi Arabia, Tajikistan, Turkey, and the United States.  Recently, MuddyWaters has been observed targeting oil and gas entities in the Middle East.  Notably, the group is believed to employ “false flag” operations – similar to what was believed to have been done during the recent Olympics – in which it adopted some of the tactics, techniques, and procedures (TTPs) of suspected Chinese hackers to obfuscate the group’s true identity.

On the surface, the threat made against the researchers can be viewed as a knee-jerk reaction to being tracked by the private sector.  But it does raise the question of what hostile actors may resort to in the future.  The private sector computer security industry has been aggressively investigating the activities of suspected nation-state actors since 2004, when the first report published the activities of a Chinese state entity.  Since that time, several subsequent public reports have detailed “advanced persistent threat” operations, including TTPs and targeting, that have ultimately been attributed to specific nation-state actors.  While the standard public reaction of these governments has been to refute or deny the claims, citing the difficulties in providing adequate evidence that supports attribution, sanctions and alleged retaliatory strikes have been known to occur as a result of these accusations.

A cyber attack disrupted the recent opening ceremonies of the Olympic Games, as confirmed by a spokesman for the Pyeongchang Organizing Committee.  The disruption took out Internet access and telecasts on non-critical machines, grounded broadcasters’ drones, shut down the Pyeongchang 2018 website, and prevented spectators from printing out reservations and attending the ceremony.

Per reports, the attackers gained access to approximately 300 computers, hacked routers, and distributed malware in the lead-up to and during the event’s ceremonies.  Initial findings by at least one computer security company concluded that the attack had started a year in advance.  The attackers could have destroyed computers, according to the company’s researchers, but had restrained themselves, erasing only the backup files on Windows machines.  The conclusion was that the attack was an attempt to send a political message.  As of this writing, the initial vector of attack has not been determined, or at least not made public, although speculation is that prior access was gained and used to launch this attack.

According to one news source citing U.S. intelligence officials, Russian spies were behind the cyber attack, with the purpose of retaliating for Russia’s suspension from competing in the Games due to a doping scandal.  Of note, these officials believe that the attack was intended to be a “false-flag” operation, as the attackers are alleged to have used North Korean IP addresses and other “tactics” to make it appear as though North Korea was behind the attacks.  The government has thus far produced no evidence, as it did when supporting its claims of North Korea’s culpability in the Sony hack.

While there may very well be classified information that helps attribute this activity, motivation is largely the incriminating bit of evidence that points to Russian culpability.  Paying back the International Olympic Committee (IOC) for not allowing Russian athletes to compete under the national flag would be consistent with fervent Russian nationalism and its need to protect all aspects of its cultural identity.  Russian state or state-affiliated actors are alleged to have orchestrated previous cyber attacks against Olympic targets, notably the 2016 cyber attack against the World Anti-Doping Agency, in which the attackers gained access to athlete data, including confidential medical data, and made it public.

If motive is going to be the primary factor in attribution (note that malware analysis provided no clues, as the malware incorporated traits of malware used by a variety of suspected state actors), then at the time of the attack only two governments were probable suspects – North Korea and Russia.  However, after tumultuous events over nuclear weapon development and missile firings, North Korea made grand diplomatic overtures to South Korea and ultimately marched with it under one flag.  It would seem improbable that it would want to detract from the headway made via its Olympic diplomacy with a nuisance attack.

Still stinging from its inability to walk under its flag, Russia seems like the probable suspect behind the cyber attack, wanting to express its dissatisfaction toward the IOC.  If true, the fact that it could have caused far greater damage and didn’t is testament that Russia wanted to register displeasure, not punish South Korea for the IOC’s decision.

However, what gives pause is the reason why – if reporting stands correct – state actors of the Russian government were needed to conduct a false-flag attack simply to demonstrate discontent with the IOC.  Simply put, a false-flag operation is one in which an attacker tries to make its actions look like the work of another known attacker.  In cyberspace such an endeavor is simple to achieve, especially when the tactics, techniques, and procedures (TTPs) – which often include methods of operation, malware, and command-and-control architecture – are published for global consumption as Indicators of Compromise.  In this instance, the attack blended TTPs and the digital fingerprints of threat actors connected to North Korea, China, and Russia.

Cyber proxies such as non-state hacker groups are perfect agents for states wanting to send a signal to a government without committing their own resources.  There is a level – albeit shallow – of plausible deniability that an aggressor state can claim while still intimating to the victim its tacit involvement in the attack.  Russia has at its disposal a capable cyber criminal underground, as well as nationalistic youth groups that could have achieved a similar effect.  This was evidenced in 2007 when one such group claimed responsibility for the cyber attacks against Estonia over the removal of a Soviet war memorial.

The use of state actors to commit the cyber equivalent of a tantrum raises eyebrows.  According to one source, the Russian state hackers behind this attack were the same ones that have been engaged in cyber attacks against Ukraine.  Making a public statement doesn’t seem the type of operation an elite unit would be called upon to execute.

So why the false flag?  There are a few possibilities.  One, Russia wanted to test using the TTPs of other nations in an operation to gauge how defenders would arrive at their findings.  Two, Russia may have “signaled” to nations like the United States – and to those private sector companies following its alleged activities – that it would be implementing false flags in future operations, essentially making technical indicators and digital and technical analysis for attribution useless.  Three, maybe the cyber attack achieved another objective in addition to expressing anger.  Did another attack, perhaps more surreptitious, occur simultaneously against another target while all eyes were focused on this one?

Russia’s cyber operations (including cyber attacks) have been described as anything from sloppy to among the most advanced in the world.  Perhaps the question that should be asked is why Russia wanted a “false flag” operation to be so easily attributed.

Perhaps the answer is the simplest one: that it was just the easiest path to take.  And in a world where there is no international consensus on state behavior in cyberspace, the landscape favors the attackers until the defenders figure out how to respond to them with enough conviction to alter attacker behavior.  No one looks to have that answer.

This is a guest post written by Emilio Iasiello

With the near-defeat of ISIS’ ground presence, speculation is that the group will rely more on cyberspace to maintain its relevancy.  This is unsurprising, as ISIS has continuously demonstrated its proficiency on the Internet, particularly for propaganda and recruitment campaigns.  The group achieved considerable success in influencing target audiences and, at one time, was credited with being able to disseminate approximately 90,000 messages a day.  Many of the hacking incidents attributed to ISIS or its sympathizers focused on exploiting global news organizations, inserting pro-ISIS messages on websites and Twitter accounts.  Perhaps more impressively, individuals associated with the extremist organization were suspected of hacking the United States Central Command’s Twitter account, posting propaganda videos and threatening messages.

ISIS’ propaganda machine remains a cornerstone of the group’s resilience and survivability, making any attempt to eliminate individual accounts akin to what some have called “whack-a-mole” futility.  In 2017, ISIS supporters used more than 400 separate online platforms to pump out propaganda, despite laudable efforts by social media platforms like Facebook and Twitter to actively search for and suspend suspected terrorist/extremist accounts.  Such hindrances have encouraged the development of technologies to assist in this effort.  The United Kingdom, for example, is leveraging software able to detect 94 percent of ISIS propaganda, scanning millions of video and audio files with a 99 percent accuracy rate.

While these efforts are very promising in reducing ISIS’ and other extremist groups’ presence on global social media platforms, they don’t address the root of the problem – the message itself.  This has been an ongoing problem for governments and one that has continually challenged U.S. counter-messaging strategies.  The lack of success by any government in mitigating the influence of ISIS propaganda has led some to conclude that governments’ tactics of trying to deny ISIS the ability to use cyberspace may not be the key to success.

Indeed, these individuals have proven adept at using advanced technologies to such a degree that it may not be possible to truly mitigate their use of the Internet.  ISIS members and associates have been reported to use the latest and greatest technologies, including anonymity-enabling communications, virtual private networks, encrypted e-mail services, and encrypted messengers, among others.  Short of trying to institute an authoritarian grip on all available technologies (which does not guarantee success), there are too many alternatives available or in development to make denying the use of cyber-related devices a credible course of action for the long term.

That leaves having the right message, one that can compete with the message being spread by ISIS and other extremist groups.  Thus far, nothing has proven effective in curbing recruitment or in stopping lone-wolf actors from committing horrible acts of violence.  In order to understand why propaganda works, it’s necessary to understand its intended audience, the psychological effects of propaganda on the intended target, and the socio-political effects it will have both on the target and on the surrounding environment.  Any counter-messaging strategy must take all of these considerations into account.  More importantly, there can be no “one size fits all” messaging, as any content needs to be tailored to address the unique and diverse backgrounds and cultures of ISIS’ members and followers.  And that may be where previous efforts have fallen short.

There is an opportunity to investigate what causes people from different countries to respond to radical ideology, and to understand what in the message is attractive enough to unite different socio-cultural backgrounds under the banner of an extremist world view.  We must not be satisfied with having put ISIS on the run.  Instead, we should invest this time in interviewing the persons involved to get a better idea of why they committed to extremism, in the hope of preventing another group like ISIS from emerging.

This is a guest post written by Emilio Iasiello