Collateral Damage in Cyberspace
„In cyberspace, no one can hear you scream.“ System administrators have known this for a long time, as have security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. As long as you rely solely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just a euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more.
Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Anti-virus vendors in particular have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons only make sense if they cannot be detected. Given the fact that Stuxnet, Duqu and Flame were discovered long after they had delivered their payload, there was no protection by signature-based security tools. Even if you disregard the advanced functions of the malware for a moment, the infection leaves hundreds or thousands of compromised systems behind. If you want to use these systems again, you will have to clean the infection. The payload and the offensive functions of the malware only increase the damage. There’s the argument that „cyberstrikes“ are very targeted, so there is no collateral damage. Again the reality looks very different. Targets may have links to suppliers, partners, government or non-government departments, maybe even ordinary citizens or local companies. This is easy to see when it comes to DDoS attacks; it is equally true for malicious software or „offensive hacking“.
What happens if you are caught in the middle between two warring factions or near the point(s) of impact? Well, you will be attacked as well, even if the malware merely needs some extra nodes for command and control or some additional resources. And this is important for companies. The Flame malware is a very sophisticated spy tool. This is where „cyberwar“ meets Advanced Persistent Threats (APTs). Gathering high-quality intelligence data is a goal of any military operation, cyber or not. This is the most crucial threat to businesses, and this is where you will be caught in the middle, either on purpose or by accident (coincidences apply where appropriate). No attacker will complain if the malicious probes gather some extra business secrets. Storage is cheap, extracted data will be post-processed, traces of attacks will be erased.
What to do? Apart from the standard recommendations everyone is talking about, you have to review your security measures in the context presented here. It won’t be enough to buy a security gadget, set it up and turn it on. There’s a lot more to do, and not everything has to do with technology. We’re currently talking to trainers in order to present useful courses in defensive security at DeepSec 2012. If you want to get a glimpse of the Big Picture, including APT and other threats, we recommend attending DeepINTEL in September.