I’m sure you’ve read about the recent cyber attack campaigns against financial institutions, and have probably wondered why and how they have been so successful? The reason is quite clear. The characteristics of cyber attack campaigns have fundamentally changed, but tactics to mitigate them as well as best practices employed by IT security organizations has not.
The fundamental change is the attack length – sounds simplistic, but it really isn’t.
As a matter of fact, if your organization has been targeted in a similar fashion to this year’s worldwide attack campaigns against stock exchanges and financial institutions in the U.S., then you are doomed to fail in protecting your site.
If your IT security department or your security service provider is without a well-trained “Cyber War Room” team to fight these attack campaigns, then your sites will more than likely break under today’s massive attack campaigns.
Evaluating or measuring the risk of each attack campaign involves the following main parameters:
• Attack length – measured in hours and days
• Vectors – number of different attacks, e.g., network based denial of service (DoS), application level DoS, low & slow stealthy application level attack, intrusion attack type etc. Each is considered a different attack vector.
• Source – Who is behind the attack? Professionals, novice attackers, volunteers etc. We define the most professional attacker or hackers as the “inner cycle” source.
The figure below shows some of the significant advancements that attack campaigns have made in only the last two years or so:
Why has a major fundamental change in attack characteristics left IT organizations unprepared?
Because for years, IT security organizations have been well-trained in only two operations:
• Pre- Attack security audit operations that include application vulnerability scanning, penetration tests, security procedures reviews etc.
• Post- Attack Forensics analysis operations that include analysis of security incidents that happened in the past in order to understand the attack (or enemy) and better prepare for the next time.
As there is no question that these are two very important capabilities that IT groups should continue to do, these best practices are only effective in cases where attacks are short-lived (seconds or minutes). The figure below illustrates this:
Both security audits and forensics analysis operations are done under the assumption that at the same time, the network resources are not under a massive attack campaign or any attack campaign. This is a reasonable assumption while attacks are really short live as can be seen above.
But, what happens when the attack length is 20 days incorporating multiple attack vectors that are changing and evolving all the time? Eventually these persistent attacks will always find a weak or blind spot and will penetrate the network. The result will be, for example, days in which the network will not be able to serve the company’s customers (denial of service) or present a very negative customer experience.
What will the IT security group do then? Will they wait until the attack ends to begin the forensics operation? Probably not, as they need to act immediately “under fire.” This means they may experience very tough and unfamiliar constrains they are not prepared to deal with.
The figure below illustrates the new attack conditions and the new capability that a security IT group should support which I call the “Cyber War Room” capability.
The required “Cyber War Room” capability can be defined as follows:
• A team that is capable of reacting 24/7 and during holidays, etc.
• The team must be made up of a set of security experts who are well trained through “Cyber War Games” to work “under-fire.”
• The team should have the capability to resist attacks over long periods for more than a few days. They should be able to smoothly shift responsibilities from one to another in order to maintain their resistant power for a long time.
• The team should be equipped with advanced tools that help its members to analyse the traffic and create new protections in real-time.
• The team must have the knowledge and control over network and application security devices as well the capability to control routers and switches of the network.
• Last but not least, they should have the expertise to develop “counter-attack” operations in order to try and defeat the attackers, or in other words, make them quit. More information about counter attack operations can be read in my previous column.
“War Room” is a term taken from real battlefields. Cyber attack campaigns present similar conditions and therefore must follow the same approach – either by the organization IT or by the security service provider.
“Cyber War Room” capabilities will become a new essential operation that IT should adapt very quickly. I can see how in the near future these “Cyber War Rooms” will need to cooperate between one another or even between different companies, in order to withstand the new breed of cyber attack campaigns.
Suggested Reading: Cyber Intelligence: Identifying the Threat and Understanding the Terrain in Cyberspace