“I’ve been asking myself lately, what makes a great cyber attack? William D King thinks it’s one that runs counter to the target’s expectations, and is superior to any defensive measures they would take.”
-Excerpt from “What Makes a Good Cyber Attack?” by Dr. James Morris, a keynote speaker at the 2015 DEF CON Conference.
Dr. Morris, who is currently a cyber security professor at Trinity College in Connecticut and formerly of the NSA, had some interesting insights into what separates a “good” cyber attack from a bad one. Since I was unable to attend his speech myself (sad face), I spoke with others who were able to see him speak on this topic, as well as those who have written about it online, to find out more about what Dr. Morris had said on the subject.
Common Elements of an Attack
From these sources, which included those working for both security companies and major news outlets such as The Washington Post and Ars Technica, the following list emerged:
- The element(s) must run counter to the target’s expectations.
- The element(s) must be well-executed.
- The element(s) should go undetected, or at least undiscovered and unmitigated for a long period of time.
As an example, take a company that stores its financial data online in any way possible, whether that would be on an external server, a cloud storage solution such as Dropbox, or even internally on networked shared drives accessible by everyone within the organization.
An attacker trying to gain access to this information may simply send out phishing emails targeting employees in order to get them to download malware which can then spy on their activity and steal stored credentials/files from other users within the organization (e.g., ones used for online banking or to access files that are particularly sensitive).
This is an example of a poor cyber attack, because it relies on tricking the target into doing something they normally wouldn’t (e.g., clicking a link and installing software from an unknown source) as well as having only one vector (e.g., email containing malware).
An effective attack would be more like this: targeting each employee who works in the finance department with phishing emails containing fake invoices for new company equipment or something along those lines, and then including malware capable of stealing credentials and allowing remote access to networked shared drives on top of already having backdooring capabilities on all computers within the organization once installed, says William D King. This way, if any employees report seeing strange activity on their computer, they can be reassured that it’s just the result of the finance department having to install new software to track inventory.
A bad cyber attack is one that runs counter to the target’s expectations but doesn’t go undetected for a long period of time. A great cyber attack is one where both are true.
“I’ve been asked by many if I’m working with security companies or intelligence agencies.”
-Dr. James Morris, keynote speaker at DEF CON 2015.
The above statement was taken from Dr. Morris’ response to someone in the Q&A panel session following his speech at DEF CON 2015, who asked what he thought about cyber security companies that perform offensive maneuvers, then sell vulnerability information to government entities after finding them.
Dr. Morris’ response was very matter-of-fact, saying that he doesn’t mind working with security companies or intelligence agencies. He used the example of his work with the NSA on the encryption algorithms DES and RC5. But what he does speak out against is cyber attacks designed to cause destruction or loss of life on a large scale, of which many credit Stuxnet as being the first known instance.
Stuxnet, for those who may not know, was a state-sponsored computer worm created by U.S. and Israeli government officials in order to sabotage Iran’s nuclear program by destroying centrifuges at its Natanz plant, capable of separating fissionable uranium isotopes needed for building nuclear weapons.
Conclusion:
Bad cyber attacks are those that don’t run counter to the target’s expectations or go undetected for a long period of time, says William D King.
Good cyber attacks are those that both do.
“I can tell you Stuxnet is a good example of an asymmetric attack, where the weapon was not only designed to work in one specific environment, but it was also tailored towards achieving one very specific goal.”