In an ever-growing virtual environment known as cyberspace, individuals can communicate with one another or search for knowledge to broaden their own horizons. Traversing cyberspace is a new way of life, a way of life for all social classes to experience. Unfortunately, some individuals use cyberspace for their own devious actions, targeting unsuspecting individuals for their own enjoyment or for profit.
Known as cyber-attacks, this coined term can deal massive amounts of damage to individuals or on a larger scale, companies or government establishments. It does not stop there though, when government establishments or military establishments are attacked through cyber methods, it is a whole new kind of attack known as cyberwarfare or cyberterrorism. This is on a grand scale; whole sovereign nations can be affected and weakened by something that is not physically tangible
Emergency Response Team (ERT), actively monitors and mitigates attacks in real-time, identify trends to educate the security community. For actionable intelligence to detect and mitigate threats that plague organization’s infrastructure:
Understand weak points of server-based botnets that represent a new and powerful order in the DDoS environment
They define how to stop sophisticated attack campaigns with an Advanced Persistent Threat (APT) score, which ranks attacks by severity based on attack duration, number of attack vectors, and attack complexity
They find out why encrypted-layer attacks are often detected too late
See how adopting a three-phase (pre, during, post) security approach removes a vulnerable blind spot that attackers exploit to their advantage
Cyberwarfare utilizes techniques of defending and attacking information and computer networks that inhabit cyberspace. It denies an opponent’s ability to do the same, while employing technological instruments of war to attack an opponent’s critical computer systems.
Paralleling this idea of cyberwarfare, cyberterrorism is “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.”
That means the end result of both cyberwarfare and cyberterrorism is the same, to damage critical infrastructures and computer systems linked together within the confines of cyberspace.
Three Basic Factors for Cyber-Attacks
In cyberwarfare we must understand the basics as to why cyber-attacks are launched against a state or an individual. There are three factors that contribute to this reasoning, the fear factor, spectacular factor, and the vulnerability factor.
The most common, fear factor, a cyberterrorist will create fear amongst individuals, groups, or societies. The bombing of a Bali nightclub in 2002 created fear amongst the foreign tourists who frequently visited the venue. Once the bomb went off and casualties ensued, the influx of tourists to Bali significantly reduced due to fear of death.
With spectacular factors, it is the actual damage of the attack, meaning the attacks created direct losses and gained negative publicity. In 1999, a denial of service attack rendered Amazon.com unusable. Amazon experienced losses because of suspended trading and it was publicized worldwide.
Increasingly, U.S. banking institutions are reluctant to acknowledge – much less discuss – the ongoing distributed-denial-of-service attacks against their online services. Perhaps that’s because they’re concerned that consumers will panic or that revealing too much about the attacks could give hacktivists information they could use to enhance their DDoS abilities.
But in recent regulatory statements, the nation’s largest banks are candid about DDoS attacks and their impact. In their annual 10-K earnings reports, filed with the Securities and Exchange Commission, seven of the nation’s top 10 financial services institutions provide new details about the DDoS attacks they suffered in 2012. In its report, Citigroup even acknowledges that DDoS attacks have led to unspecified losses. Citigroup , which filed its 10-K report March 1, notes: “In 2012, Citi and other U.S. financial institutions experienced distributed-denial-of-service attacks which were intended to disrupt consumer online banking services. While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber-incidents.” The bank also points out that these attacks are being waged by powerful adversaries. “Citi’s computer systems, software and networks are subject to ongoing cyber-incidents, such as unauthorized access; loss or destruction of data (including confidential client information); account takeovers; unavailability of service; computer viruses or other malicious code; cyber-attacks; and other events,” Citi states. “Additional challenges are posed by external extremist parties, including foreign state actors, in some circumstances as a means to promote political ends.” When contacted by BankInfoSecurity , Citi and other institutions did not comment further about DDoS attacks or the information in the 10-K reports.
These banks, as well as other U.S. financial institutions, are now in the midst of the third wave of DDoS attacks attributed to the hacktivist group Izz ad-Din al-Qassam Cyber Fighters – a group that has claimed since September that its attacks are being waged to protest a YouTube movie trailer deemed offensive to Muslims. ‘Technically Sophisticated’ In their 10-K reports, Citi, as well as JPMorgan Chase & Co. , Bank of America , Goldman Sachs Group , U.S. Bancorp , HSBC North America and Capital One acknowledge suffering from increased cyber-activity, with some specifically calling out DDoS as an emerging and ongoing threat. HSBC North America, in its 10-K report filed March 4, notes the global impact of DDoS on its customer base. “
During 2012, HSBC was subjected to several ‘denial of service’ attacks on our external facing websites across Latin America, Asia and North America,” the bank states. “One of these attacks affected several geographical regions for a number of hours; there was limited effect from the other attacks with services maintained. We did not experience any loss of data as a result of these attacks.” And U.S. Bank, in its 10-K filed Jan. 15, describes DDoS attacks as “technically sophisticated and well-resourced.”
“The company and several other financial institutions in the United States have recently experienced attacks from technically sophisticated and well-resourced third parties that were intended to disrupt normal business activities by making internet banking systems inaccessible to customers for extended periods,” U.S. Bank reports. “These ‘denial-of-service’ attacks have not breached the company’s data security systems, but require substantial resources to defend and may affect customer satisfaction and behavior.” U.S. Bank reports no specific losses attributed to DDoS, but it states: “Attack attempts on the company’s computer systems are increasing, and the company continues to develop and enhance its controls and processes to protect against these attempts.” Other DDoS Comments Here is what the other institutions reported about DDoS attacks suffered in 2012: Chase: “The firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt consumer online banking services. The firm has also experienced other attempts to breach the security of the firm’s systems and data. These cyber-attacks have not, to date, resulted in any material disruption of the firm’s operations, material harm to the firm’s customers, and have not had a material adverse effect on the firm’s results of operations.” BofA: “Our websites have been subject to a series of distributed denial of service cybersecurity incidents. Although these incidents have not had a material impact on Bank of America, nor have they resulted in unauthorized access to our or our customers’ confidential, proprietary or other information, because of our prominence, we believe that such incidents may continue. Although to date we have not experienced any material losses relating to cyber-attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future.
” CapOne: “Capital One and other U.S. financial services providers were targeted recently on several occasions with distributed denial-of-service attacks from sophisticated third parties. On at least one occasion, these attacks successfully disrupted consumer online banking services for a period of time. If these attacks are successful, or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services online. In addition, a breach or attack affecting one of our third-party service providers or partners could impact us through no fault of our own. Because the methods and techniques employed by perpetrators of fraud and others to attack, disable, degrade or sabotage platforms, systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures. Should a cyber-attack against us succeed on any material scale, market perception of the effectiveness of our security measures could be harmed, and we could face the aforementioned risks. Though we have insurance against some cyber-risks and attacks, it may not be sufficient to offset the impact of a material loss event.”
No Mentions of Attacks Among the top 10, the only institutions that do not specifically reference DDoS in their 10-K reports are Morgan Stanley, Bank of NY Mellon and Wells Fargo , a bank that has recently suffered significant online outages. Wells Fargo spokeswoman Sara Hawkins tells BankInfoSecurity that the bank’s online and mobile-banking channels were inaccessible for portions of the day on April 4, when it saw “an unusually high volume of website and mobile traffic … which we believe is a denial of service attack.” Reporting Protocol Doug Johnson , who oversees risk management policy for the American Bankers Association, says banking institutions are required to report all suspicious cyber-activity either through their filings with the SEC or in the Suspicious Activity Reports to the Financial Crimes Enforcement Network , a bureau of the U.S. Department of the Treasury. All financial institutions, regardless of size, must report SARs to FinCEN, an agency that collects, analyzes and shares financial intelligence. However, only companies with more than $10 million in assets are required to file reports with the SEC. Banking institutions are required to report cyber-attacks in their SEC filings, Johnson says.
“Online banking platforms, obviously, are extremely important to banking retail consumers, and so that would be one of those systems which would be very important to report on a suspicious activity report,” Johnson says. “One thing that is also very important to do is to go and have that conversation with your primary federal regulator, at the field level, to find out what you would do, as an institution, for generalized security breach reporting.” Breach reporting requirements vary from state to state, Johnson adds.
Vulnerability factor exploits how easy an organization or government establishment is vulnerable to cyber-attacks. An organization can easily be vulnerable to a denial of service attack or a government establishment can be defaced on a web page. A computer network attack disrupts the integrity or authenticity of data, usually through malicious code that alters program logic that controls data, leading to errors in output.
Professional Hackers to Cyberterrorists
Professional hackers either working on their own or employed by the government or military service can find computer systems with vulnerabilities lacking the appropriate security software. Once found, they can infect systems with malicious code and then remotely control the system or computer by sending commands to view content or to disrupt other computers. There needs to be a pre-existing system flaw within the computer such as no antivirus protection or faulty system configuration for the viral code to work. Many professional hackers will promote themselves to cyberterrorists where a new set of rules govern their actions. Cyberterrorists have premeditated plans and their attacks are not born of rage. They need to develop their plans step-by-step and acquire the appropriate software to carry out an attack. They usually have political agendas, targeting political structures. Cyber terrorists are hackers with a political motivation, their attacks can impact political structure through this corruption and destruction.
They also target civilians, civilian interests and civilian installations. As previously stated cyberterrorists attack persons or property and cause enough harm to generate fear.
Syntactic Attacks and Semantic Attacks
In detail, there are a number of techniques to utilize in cyber-attacks and a variety of ways to administer them to individuals or establishments on a broader scale. Attacks are broken down into two categories, Syntactic attacks and Semantic attacks. Syntactic attacks are straight forward; it is considered malicious software which includes viruses, worms, and Trojan horses.
Viruses are a self-replicating program that can attach itself to another program or file in order to reproduce. The virus can hide in unlikely locations in the memory of a computer system and attach itself to whatever file it sees fit to execute its code. It can also change its digital footprint each time it reproduces making it even harder to track down in the computer.
Worms do not need another file or program to copy itself; it is a self-sustaining running program. Worms replicate over a network using protocols. The latest incarnation of worms make use of known vulnerabilities in systems to penetrate, execute their code, and replicate to other systems such as the Code Red II worm that infected more than 259 000 systems in less than 14 hours. On a much larger scale, worms can be designed for industrial espionage to monitor and collect server and traffic activities then transmit it back to its creator.
On July 12, 2001, a new worm began propagating across the internet. Although the worm did not yet have a name, it was the first incarnation of what was to become known as the “Code Red” worm . This initial version of the worm is commonly referred to as CRv1. On July 19, another variant of the worm, which shared nearly all its code with the first version of the worm, began to spread even more rapidly than its predecessor a week before. The new variant of the Code Red worm was reported to have infected more than 250,000 systems in just nine hours . This variant of the worm is now commonly referred to as CRv2.
The worm scanned the internet, identified vulnerable systems and infected these systems by installing itself. The rate of scanning grew rapidly because each newly installed worm joined others already in existence. Not only did the worm result in defaced web pages on the systems it infected, but its uncontrolled growth in scanning resulted in a decrease of speed across the internet—a denial of service attack—and led to widespread outages among all types of systems, not just the Microsoft Internet Information Server (IIS) systems it infected directly. On August 4, a new worm exploited the same vulnerability in Microsoft IIS web server as the original Code Red worm . Even though it shared almost no code with the first two versions of the original worm, it was named Code Red II simply because it contained the name in its source code and exploited the same vulnerability in the IIS indexing service. In addition to the original Code Red and the Code Red II worms, there are other possible variants of the worm.
Code Red’s Affect in Both Private Industry and the Government
As a result of the Code Red worm’s rapid spread across the internet, businesses and individuals worldwide experienced disruptions of their internet service. Qwest, the Denver-based telecommunications corporation, which provides DSL services to approximately 360,000 customers throughout the western and midwestern U.S., is being asked to refund fees to customers as a result of service interruptions due to the denial of service caused by the Code Red worm. In addition, the Washington state Attorney General has asked Qwest to pay these customers, some of whom claim the outage cost them thousands of dollars in lost sales. However, Qwest says it has no plans at this time to credit customers who were afflicted by the Code Red worm
Previously released worms have required at least several hours to spread and become known, giving system and network administrators sufficient time to recognize the potential threat and take measures to mitigate the damage. Imagine a worm that could attack—not just in a matter of hours—but in a matter of minutes, as Nicholas C. Weaver from the University of California at Berkeley Computer Science Department suggests in his scenario and analysis entitled “Warhol Worms,” based on Andy Warhol’s statement that everyone will have 15 minutes of fame
A Trojan horse is designed to perform legitimate tasks but it also performs unknown and unwanted activity. It can be the basis of many viruses and worms installing onto the computer as keyboard loggers and backdoor software. In a commercial sense, Trojans can be imbedded in trial versions of software and can gather additional intelligence about the target without the person even knowing it happening. All three of these are likely to attack an individual and establishment through emails, web browsers, chat clients, remote software, and updates.Semantic attack is the modification and dissemination of correct and incorrect information. Information modified could have been done without the use computers even though new opportunities can be found by using them. To set someone into the wrong direction or to cover your tracks, the dissemination of incorrect information can be utilized.There were two such instances between India and Pakistan and Israel and Palestine that involved cyberspace conflicts. India and Pakistan were engaged in a long-term dispute over Kashmir which moved into cyberspace. Pro-Pakistan hackers repeatedly attacked computers in India. The number of attacks has grown yearly: 45 in 1999, 133 in 2000, 275 by the end of August 2001 In the Israel-Palestine conflict cyber attacks were conducted in October 2000 when Israeli teenagers launched DOS attacks on computers owned by Palestinian terrorist organizations Hezbollah and Hamas. Anti-Israel hackers responded by crashing several Israeli web sites by flooding them with bogus traffic.
DDOS- Biggest Cyber Attack In History
Hundreds of thousands of Britons are unsuspecting participants in one of the internet’s biggest cyber-attacks ever – because their broadband router has been subverted.
Spamhaus, which operates a filtering service used to weed out spam emails, has been under attack since 18 March after adding a Dutch hosting organisation called Cyberbunker to its list of unwelcome internet sites. The service has “made plenty of enemies”, said one expert, and the cyber-attack appeared to be retaliation.
A collateral effect of the attack is that internet users accustomed to high-speed connections may have seen those slow down, said James Blessing, a member of the UK Internet Service Providers’ Association (ISPA) council.
“It varies depending on where you are and what site you’re trying to get to,” he said. “Those who are used to it being really quick will notice.” Some people accessing the online streaming site Netflix reported a slowdown.
Spamhaus offers a checking service for companies and organisations, listing internet addresses it thinks generate spam, or which host content linked to spam, such as sites selling pills touted in junk email. Use of the service is optional, but thousands of organisations use it millions of times a day in deciding whether to accept incoming email from the internet.
Cyberbunker offers hosting for any sort of content as long, it says, as it is not child pornography or linked to terrorism. But in mid-March Spamhaus added its internet addresses to its blacklist.
In retaliation, the hosting company and a number of eastern European gangs apparently enlisted hackers who have in turn put together huge “botnets” of computers, and also exploited home and business broadband routers, to try to knock out the Spamhaus system.
“Spamhaus has made plenty of enemies over the years. Spammers aren’t always the most lovable of individuals, and Spamhaus has been threatened, sued and [attacked] regularly,” noted Matthew Prince of Cloudflare, a hosting company that helped the London business survive the attack by diverting the traffic.
Rather than aiming floods of traffic directly at Spamhaus’s servers – a familiar tactic that is easily averted – the hackers exploited the internet’s domain name system (DNS) servers, which accept a human-readable address for a website (such as guardian.co.uk) and spit back a machine-readable one (188.8.131.52). The hackers “spoofed” requests for lookups to the DNS servers so they seemed to come from Spamhaus; the servers responded with huge floods of responses, all aimed back at Spamhaus.
Some of those requests will have been coming from UK users without their knowledge, said Blessing. “If somebody has a badly configured broadband modem or router, anybody in the outside world can use it to redirect traffic and attack the target – in this case, Spamhaus.”
Many routers in the UK provided by ISPs have settings enabled which let them be controlled remotely for servicing. That, together with so-called “open DNS” systems online which are known to be insecure helped the hackers to create a flood of traffic.
“British modems are certainly being used for this,” said Blessing, who said that the London Internet Exchange — which routes traffic in and out of the UK — had been helping to block nuisance traffic aimed at Spamhaus.
The use of the DNS attacks has experts worried. “The No 1 rule of the internet is that it has to work,” Dan Kaminsky, a security researcher who pointed out the inherent vulnerabilities of the DNS years ago, told AP.
“You can’t stop a DNS flood by shutting down those [DNS] servers because those machines have to be open and public by default. The only way to deal with this problem is to find the people doing it and arrest them.”
East vs West: China and United States
Within cyberwarfare, the individual must recognize the state actors involved in committing these cyber-attacks against one another. The two predominant players that will be discussed is the age-old comparison of East versus West, China’s cyber capabilities compared to United States’ capabilities. There are many other state and non-state actors involved in cyberwarfare, such as Russia, Iran, Iraq, and Al Qaeda; since China and the U.S. are leading the foreground in cyberwarfare capabilities, they will be the only two state actors discussed.
China’s People’s Liberation Army (PLA) has developed a strategy called “Integrated Network Electronic Warfare” which guides computer network operations and cyberwarfare tools. This strategy helps link together network warfare tools and electronic warfare weapons against an opponent’s information systems during conflict. They believe the fundamentals for achieving success is about seizing control of an opponent’s information flow and establishing information dominance. The Science of Military and The Science of Campaigns both identify enemy logistics systems networks as the highest priority for cyber-attacks and states that cyberwarfare must mark the start if a campaign, used properly, can enable overall operational success. Focusing on attacking the opponent’s infrastructure to disrupt transmissions and processes of information that dictate decision-making operations, the PLA would secure cyber dominance over their adversary. The predominant techniques that would be utilized during a conflict to gain the upper hand are as follows, the PLA would strike with electronic jammers, electronic deception and suppression techniques to interrupt the transfer processes of information. They would launch virus attacks or hacking techniques to sabotage information processes, all in the hopes of destroying enemy information platforms and facilities. The PLA’s Science of Campaigns noted that one role for cyberwarfare is to create windows of opportunity for other forces to operate without detection or with a lowered risk of counterattack by exploiting the enemy’s periods of “blindness,” “deafness” or “paralysis” created by cyber-attacks. That is one of the main focal points of cyberwarefare, to be able to weaken your enemy to the full extent possible so that your physical offensive will have a higher percentage of success.
The PLA conduct regular training exercises in a variety of environments emphasizing the use of cyberwarfare tactics and techniques in countering such tactics if it is employed against them. Faculty research has been focusing on designs for rootkit usage and detection for their Kylin Operating System which helps to further train these individuals’ cyberwarfare techniques. China perceives cyberwarfare as a deterrent to nuclear weapons, possessing the ability for greater precision, leaving fewer casualties, and allowing for long ranged attacks.
In the West, the United States provides a different “tone of voice” when cyberwarfare is on the tip of everyone’s tongue. The United States provides security plans strictly in the response to cyberwarfare, basically going on the defensive when they are being attacked by devious cyber methods. In the U.S., the responsibility of cybersecurity is divided between the Department of Homeland Security, the Federal Bureau of Investigation, and the Department of Defense. In recent years, a new department was created to specifically tend to cyber threats, this department is known as Cyber Command. Cyber Command is a military subcommand under US Strategic Command and is responsible for dealing with threats to the military cyber infrastructure. Cyber Command’s service elements include Army Forces Cyber Command, the Twenty-fourth Air Force, Fleet Cyber Command and Marine Forces Cyber Command. It ensures that the President can navigate and control information systems and that he also has military options available when defense of the nation needs to be enacted in cyberspace. Individuals at Cyber Command must pay attention to state and non-state actors who are developing cyberwarfare capabilities in conducting cyber espionage and other cyber-attacks against the nation and its allies. Cyber Command seeks to be a deterrence factor to dissuade potential adversaries from attacking the U.S., while being a multi-faceted department in conducting cyber operations of its own.
Three prominent events took place which may have been catalysts in the creation of the idea of Cyber Command. There was a failure of critical infrastructure reported by the CIA where malicious activities against information technology systems disrupted electrical power capabilities overseas. This resulted in multi-city power outages across multiple regions. The second event was the exploitation of global financial services. In November 2008, an international bank had a compromised payment processor that allowed fraudulent transactions to be made at more than 130 automated teller machines in 49 cities within a 30-minute period. The last event was the systemic loss of U.S. economic value when an industry in 2008 estimated $1 trillion in losses of intellectual property to data theft. Even though all these events were internal catastrophes, they were very real in nature, meaning nothing can stop state or non-state actors to do the same thing on an even grander scale. Other initiatives like the Cyber Training Advisory Council were created to improve the quality, efficiency, and sufficiency of training for computer network defense, attack, and exploitation of enemy cyber operations.
On both ends of the spectrum, East and West nations show a “sword and shield” contrast in ideals. The Chinese have a more offensive minded idea for cyberwarfare, trying to get the pre-emptive strike in the early stages of conflict to gain the upper-hand. In the U.S. there are more reactionary measures being taken at creating systems with impenetrable barriers to protect the nation and its civilians from cyber-attacks.
Infrastructures as Targets
Once a cyber-attack has been initiated, there are certain targets that need to be attacked to cripple the opponent. Certain infrastructures as targets have been highlighted as critical infrastructures in time of conflict that can severely cripple a nation. Control systems, energy resources, finance, telecommunications, transportation, and water facilities are seen as critical infrastructure targets during conflict. A new report on the industrial cybersecurity problems, produced by the British Columbia Institute of Technology, and the PA Consulting Group, using data from as far back as 1981, reportedly has found a 10-fold increase in the number of successful cyber-attacks on infrastructure Supervisory Control and Data Acquisition (SCADA) systems since 2000. This was just one example that shows how easy it is to attack a selected control systems infrastructure and that other infrastructures could be subject to countless cyber-attacks if the vulnerability and opportunity presented itself.
Control systems are responsible for activating and monitoring industrial or mechanical controls. Many devices are integrated with computer platforms to control valves and gates to certain physical infrastructures. Control systems are usually designed as remote telemetry devices that link to other physical devices through internet access or modems. Little security can be offered when dealing with these devices, enabling many hackers or cyberterrorists to seek out systematic vulnerabilities. Paul Blomgren, manager of sales engineering at cybersecurity firm explained how his people drove to a remote substation, saw a wireless network antenna and immediately plugged in their wireless LAN cards. They took out their laptops and connected to the system because it wasn’t using passwords. “Within 10 minutes, they had mapped every piece of equipment in the facility,” Blomgren said. “Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle.”This was done by simple civilians working at that company, given there was no password, if a cyberterrorist was able to break in and gain all the information, it would catastrophic.
Energy is seen as the second infrastructure that could be attacked. It is broken down into two categories, electricity and natural gas. Electricity also known as electric grids power cities, regions, and households; it powers machines and other mechanisms used in day-to-day life. Using U.S. as an example, in a conflict cyberterrorists can access data through the Daily Report of System Status that shows power flows throughout the system and can pinpoint the busiest sections of the grid. By shutting those grids down, they can cause mass hysteria, backlog, and confusion; also being able to locate critical areas of operation to further attacks in a more direct method. Cyberterrorists can access instructions on how to connect to the Bonneville Power Administration which helps direct them on how to not fault the system in the process. This is a major advantage that can be utilized when cyber-attacks are being made because foreign attackers with no prior knowledge of the system can attack with the highest accuracy without drawbacks. Cyber-attacks on natural gas installations go much the same way as it would with attacks on electrical grids. Cyberterrorists can shutdown these installations stopping the flow or they can even reroute gas flows to another section that can be occupied by one of their allies. There was a case in Russia with a gas supplier known as Gazprom, they lost control of their central switchboard which routes gas flow, after an inside operator and Trojan horse program bypassed security.
Financial infrastructures could be hit hard by cyber-attacks. There is constant money being exchanged in these institutions and if cyberterrorists were to attack and if transactions were rerouted and large amounts of money stolen, financial industries would collapse and civilians would be without jobs and security. Operations would stall from region to region causing nation-wide economical degradation. In the U.S. alone, the average daily volume of transactions hit $3 trillion and 99% of it is non-cash flow. To be able to disrupt that amount of money for one day or for a period of days can cause lasting damage making investors pull out of funding and erode public confidence.
Cyber-attacking telecommunication infrastructures have straightforward results. Telecommunication integration is becoming common practice, systems such as voice and IP networks are merging. Everything is being run through the internet because the speeds and storage capabilities are endless. Denial-of-service attacks can be administered as previously mentioned, but more complex attacks can be made on BGP routing protocols or DNS infrastructures. It is less likely that an attack would target or compromise the traditional telephony network of SS7 switches, or an attempted attack on physical devices such as microwave stations or satellite facilities. The ability would still be there to shut down those physical facilities to disrupt telephony networks. The whole idea on these cyber-attacks is to cut people off from one another, to disrupt communication, and by doing so, to impede critical information being sent and received. In cyberwarfare, this is a critical way of gaining the upper-hand in a conflict. By controlling the flow of information and communication, a nation can plan more accurate strikes and enact better counter-attack measures on their enemies.
Transportation infrastructure mirrors telecommunication facilities; by impeding transportation for individuals in a city or region, the economy will slightly degrade over time. Successful cyber-attacks can impact scheduling and accessibility, creating a disruption in the economic chain. Carrying methods will be impacted, making it hard for cargo to be sent from one place to another. In January 2003 during the “slammer” virus, Continental Airlines was forced to shut down flights due to computer problems. Cyberterrorists can target railroads by disrupting switches, target flight software to impede airplanes, and target road usage to impede more conventional transportation methods.
Water as an infrastructure could be one of the most critical infrastructures to be attacked. It is seen as one of the greatest security hazards among all of the computer-controlled systems. There is the potential to have massive amounts of water unleashed into an area which could be unprotected causing loss of life and property damage. It is not even water supplies that could be attacked; sewer systems can be compromised too. There was no calculation given to the cost of damages, but the estimated cost to replace critical water systems could be in the hundreds of billions of dollars. Most of these water infrastructures are well developed making it hard for cyber-attacks to cause any significant damage, at most, equipment failure can occur causing power outlets to be disrupted for a short time.
Preparing for the (Inevitable?) DDoS Attack
The current landscape of means, motives, and opportunities to execute distributed denial of service (DDoS) attacks makes any organization a more likely target than you might imagine.
Open-source attack tools are easy to find. Acquiring the capacity to execute a DDoS attack is almost a trivial concern for state-sponsored actors or criminals, who can lease an attack botnet or build their own through a malware distribution campaign. And it isn’t hard to recruit volunteers to coordinate attacks designed to protest pending legislation or social injustice.
Every organization today is a potential target, and it is essential for both technology and business leaders to consider how they would deal with a DDoS attack. Here are four key steps.
You may conclude that a nation-state could not benefit from disrupting your online operations, but could a crime gang decide that your company is a candidate for extortion? Do your products or services make you a potential target for hate or protest groups? Has your business attracted sufficient recent attention to make you a target for groups seeking notoriety?
If the answer is yes, you will need to assess the likelihood of your organization becoming a DDoS target. Guides like this Forrester whitepaper (commissioned by VeriSign) can help you calculate the probability of an attack, service disruption losses, and the costs of shoring your defenses and responding to an attack.
Develop an action plan
Once you have assessed the risks, consider gathering IT and other personnel to plan how to monitor, respond to, recover from, and make public disclosures about a DDoS attack. If you engage in social media, include parties responsible for your messaging. They are best positioned to monitor public opinion. They can help you distinguish between a DDoS attack and a traffic spike resulting from successful or opportune messaging. They are also the logical candidates to prepare (with legal counsel) and deliver any statements you may issue after an attack.
As you formulate an action plan, consider the forms of monitoring that will help you adopt an early response. Consider, too, how you will restore service or data. Determine what aspects of the plan you will take on yourself and what aspects will require aid from external parties.
The IETF paper RFC 4732 is a good place to start familiarizing yourself with DDoS techniques and mitigation approaches. SSAC advisories and global DDoS threat discussion threads are also valuable resources.
Talk to outside experts
If you’ve identified external parties to assist in your response and mitigation efforts, let them know in advance what you’d like them to do if you come under attack. Discuss what intelligence you will share, what you would like them to share, how you will exchange or transfer sensitive information, and what their assistance will cost. Discuss how and when you would contact law enforcement agencies, the press, or customers and what your disclosure process will entail. Exchange emergency and business contact information.
Hope for the best, plan for the worst
DDoS attacks have achieved sustained rates of 65 Gbit/s, so even the best preparations may not prevent a disruption of service. But preparing your defense strategy in advance will shorten your response time during the attack. After the attack, these preparations will help you collect information for a postmortem, so your team (and external parties) can learn from the event and adjust your response.
DDoS mitigation is challenging. There’s no shame in outsourcing. If you invest the time to research DDoS defense only to conclude it’s more than your organization can handle, the time you’ve invested is still worthwhile. It will help you make an informed, calm choice from among the available DDoS mitigation services.
An alternative to an on-premise treatment to DDoS protection is in-the-cloud services. An ISP, network operator, or a third-party provider with large-enough capacity can provide such a service.
Essentially, an in-the-cloud DDoS protection service means that packets destined for an
organization (in this case, the end customer of the service) is first sent through an Internet
scrubbing center, where bad traffic like DDoS packets is dropped and the cleansed traffic is then delivered.
Large attacks are a rare event, but dealing with them requires specialized skills, technology, and bandwidth — yet there is no competitive advantage in maintaining those capabilities in-house if they are available from a service provider. The in-the-cloud DDoS mitigation service admittedly needs a substantial infrastructure, with adequate bandwidth and capacity to deal with traffic from multiple customers. But once the infrastructure is built, the service provider can share the skills and capacity across many clients, without clients having to build out their on-premise capacity. There are several advantages performing DDoS mitigation in the cloud:
• The service provider has a broad view of the Internet traffic across multiple clients and
networks that it can learn from and apply mitigation to. For example, by looking across
multiple clients’ traffic, the service can quickly recognize malicious sources that participate
in DDoS activities. As a result, this type of DDoS detection is much more effective and
timely than any end user organization can do standalone.
• By virtue of sharing the service, the costs should be lower and the service better than a goit- alone effort.
• The end user organization need not invest any on-premise resources, either capital or
operational, to deal with traffic that is not wanted in the first place. The service requires only an ongoing service expense.
• The scrubbing center would typically have core Internet connectivity and therefore has a large capacity to deal with traffic, much larger than a typical enterprise network. This means that it can deal with attacks larger than any single user organization can handle.
• By virtue of being a service, the service provider can be easily swapped out for another if
the client’s needs change.
These attributes of an in-the-cloud DDoS service are a great example of the industry buzz around the concept of cloud computing or cloud services. DDoS mitigation in the cloud is a virtual extension of one’s enterprise infrastructure, which handles a particular networking and security function.