Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.
Recently, I found out the hard way that cyberattacks aren’t relegated merely to high-profile businesses nor engaged in by shadowy foreign agents. They can happen right here in your town.
That’s what happened to my teenagers’ school system at a town in Massachusetts when someone engaged in a distributed denial of service (DDoS) attack against the Wi-Fi network. It was so crippling and pervasive that the school system had to bring in cybersecurity experts to resolve the problem.
The consensus seemed to be that the attacker had an agenda to thwart the virtual learning the students were engaged in and apparently force all the kids back to school full time for whatever reason.
This criminal activity did not succeed, fortunately, and was brought to a halt without identifying the perpetrator(s), but it got me thinking about the concept of weaponizing cybersecurity in this manner to generate conflict.
I spoke with Michael Schenck, director of Security Services at Kaytuso, a cybersecurity service provider, about the concept, and he told me about the term “cyberconflict.”
Scott Matteson: What is cyberconflict?
Michael Schenck: [Cyberconflict is] cyberattacks that have a background in international relations or bring about consequences that can escalate to a political and diplomatic level.
Cyberattacks on trust are more worrying than those intended to produce physical effects. Attackers find it easier, and perhaps more effective, to weaken the bonds of military alliance rather than go after fighter jets, or corrupt financial data rather than destroy banks’ computers.
Cyberattacks on trust and integrity have a much lower threshold, are harder to detect and deter, and can cascade through interconnected systems.
Scott Matteson: When does cyberconflict escalate?
Michael Schenck: Cyberconflict is more likely to arise for political, social, and economic reasons, rather than to physically destroy infrastructure. It’s more of a risk during significant political moments, such as voting times/elections.
Impulsive action, confused decision-making, or any crossed signals can trigger unanticipated and unwanted cyberattack escalations.
For example, cyberconflict escalated when the US killed Iran’s Qassem Soleimani in early January. The week following Soleimani’s death, there were around 35 organizations attacked by cyber offensives “specifically traced” to Iran’s state-sponsored hacking groups. Around 17% of those targets were in the US.
Scott Matteson: How does it affect consumers and businesses?
Michael Schenck: Cyberconflict creates greater risk for corporate information and financial information to be stolen, as well as theft of money and disruption of trading stocks. The biggest things companies worry about are the damage to their reputation if this happens and the loss of trust their customers would have in them.
There are a lot of legal consequences businesses can face from this, too (such as fines and regulatory sanctions).
When Iran/US tensions were high, there were genuine concerns that a state-sponsored attack might be mounted against critical infrastructure (energy, transportation, finance) but also that a raft of commercial organizations in the US would see concerted attacks on data and systems, to steal or destroy.
With the elevation of these tensions, businesses and consumers need to prepare for cyber disruptions, suspicious emails, and network delays. This can come in any form of a digital attempt to access private information (from individuals, companies, and government agencies).
In January 2020, Texas Gov. Greg Abbott said state agencies had seen 10,000 attempted attacks from Iran per minute in the span of 48 hours.
Scott Matteson: What should companies be doing differently to protect against cyberconflict?
Michael Schenck: If your company doesn’t already have a CISO, hire a firm that offers virtual CISO (vCISO) services. This is a high-level consultant that can speak to stakeholders about the real risk to your business. They also can advise on where you currently stand on cybersecurity and where you should be. Beyond that, I can’t speak to what companies should be doing differently, as some already may be following a standard of best practices provided by NIST, ISO, GIAC, or the Center for Internet Security.
Some other things I recommend that most companies we’ve worked with don’t have are a security information and event management (SIEM) system or network threat monitoring such as Cisco Talos intelligence-based network threat detection (like the Meraki advanced security license), Cisco Firepower for ASA firewalls, or Palo Alto SourceFire for next-gen firewalls. Larger companies may also be interested in solutions from FireEye.
Another big area that seems to be lacking is effective business continuity planning and response procedures. Just take a look at what’s happening globally right now without a cyber event due to COVID-19. Companies need to ask themselves what would happen if key infrastructure like power or the internet were disrupted. Are your vendors and service providers addressing those concerns as well? CISOs, vCISOs, and cyber teams should constantly be thinking through their plans and response procedures for cyberattacks.
Scott Matteson: Are there any measures that should be taken right after a political, social, or economic incident (e.g. temporarily increase logging detail)?
Michael Schenck: Vigilance should certainly be higher before planned political events (scheduled protests, elections, etc.). The best thing to do is remind everyone to exercise reasonable doubt with what they see online or receive in their email. If you have a network threat detection service, you should verify with your account representative or service provider that they are keeping up with real-time intelligence. The same goes for SIEM appliances or managed detection and response service providers.
Scott Matteson: Who are some of the key players in this space, both from a “good” and “bad” perspective?
Michael Schenck: I previously mentioned some of the key enterprise vendors with solutions that help protect against cyberconflict (Cisco, Palo Alto SourceFire, FireEye, etc.). The “good guys” are also the usual suspects—Western intelligence and security services like the FBI. There are also big IT companies that show a focus on security including Microsoft, ESET, Cylance, Cisco, and FireEye.
As for the “bad guys,” state-sponsored hackers from Russia, Iran, China, Syria, and North Korea are key players. State-sponsored hackers demonstrate the extent to which nation-states continue to leverage cyberattacks as a tool to gain intelligence or influence geopolitics. In 2019, Microsoft notified close to 10,000 people that they had been targeted by state-sponsored hackers. In many of these cases, victims were either targeted or compromised by hackers working for a foreign government.
Freelance hacktivists are also key players in this space from a “bad” perspective. Motivated by civil disobedience, hacktivists seek to spread ideologies and create total anarchy. They typically see themselves as vigilantes who use hacking to enact social justice and policy changes, but they employ the same malicious tools and tactics as typical hackers.
Scott Matteson: What are the most prevalent types of threats and activities?
Michael Schenck: The biggest risk is people. Whether it be intentional or accidental, the insider is the biggest threat because we have to give some trust to our workforce. The threat remains similar to what we’ve seen over the years—emails with malicious attachments or links. At Kaytuso, we’ve actually seen a significant uptick in malware being spread by email via attachment. The hackers writing these viruses are getting better at hiding from scanners. Some of these techniques include not doing anything if the malware believes it’s running in a sandbox—a virtual machine that executes and opens the attachments to see if it identifies anything malicious. This means that there’s greater success in the distribution of malware. With the technology that’s preventing and blocking malware being less than perfect, people are the biggest risk for clicking on that link or opening an attachment.
Scott Matteson: How should governments work together in order to prevent or curtail cyberconflict?
Michael Schenck: That’s the tricky question, especially when talking about international politics and security. In that scope, it is always double-edged. Protection improvements can also make intelligence efforts more difficult, making it harder to protect against tomorrow’s attacks. The best method here would be for more transparency from the government and revealing flaws to security vendors sooner. For example, if Microsoft had been informed about the EternalBlue vulnerability sooner, they would have been able to patch it even earlier and limit the damage from the ransomware attacks in 2017.
Scott Matteson: What are some subjective examples of cyberconflict attacks?
Michael Schenck: We’ve seen some examples over the years including schools and cities being locked out of their systems. There have been reports that Stuxnet and Flame malware were products of Western intelligence. Another example stems from Russia and their ongoing cyberwarfare against the US.
From a commercial business standpoint, hacktivism is a prime example of cyberconflict. I briefly mentioned hacktivism before, but it’s a mix of hacking and activism, where foreign hackers are using the internet to push political agendas or social change. Economic espionage is also very real. Hackers target the theft of critical economic intelligence such as trade secrets and intellectual property in a number of areas (technology, finance, government policy).
Scott Matteson: What was the impact/result?
Michael Schenck: The result of these types of cyberconflict attacks has been increased geopolitical tensions, millions in losses, theft of sensitive intellectual property, and physical damage to industrial equipment.