Warning & Indicators - Cyber Conflict

From: Ben N. Venzke (bvenzkeat_private)
Date: Wed Sep 12 2001 - 11:10:21 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    The below points deal with the emerging cyber conflict tied to the 11 
    Sept. 2001 terrorist attacks. At this point it is emerging only. I'm 
    keeping my fingers crossed that this does not escalate further, but 
    in case it does, here is what to look for and some points for 
    consideration.
    
    If you see any traffic you believe is related to this, I'm very interested.
    
    
    			- Ben Venzke
    
    
    
    What to Look For/How a Cyber Conflict Develops
    1. Event Occurs
    2. Email traffic among concerned individuals picks up.
    3. Discussion boards and chat rooms light up.
    4. Purpose-built lists and online communities formed to discuss the event.
    5. Intelligence collection and targeting.
    6. Organized groups formed to carry out attacks.
    7. Known tools deployed or slightly modified.
    8. Public and private attack tracks begin.
    9. Purpose-built attack tools released.
    10. Dedicated perception management campaign launched.
    11. More sophisticated attacks that required preparation time launched.
    12. Additional groups and supporters from around the world rally to the cause.
    13. Behind the scenes infrastructure targets and other indirectly 
    connected organizations hit.
    14. Continued evolution of attack tools and tactics.
    
    
    Points for Consideration
    - The potential cyber conflict has the ability to escalate without 
    the support of nation-state actors.
    - Never before have nations had to deal with patriotic populations 
    that have the ability to launch potentially damaging strikes against 
    another country on their own initiative. This new development raises 
    a significant number of issues that will continue to complicate 
    international relations for the near future. What if a targeted 
    country refuses to believe it's a 17-year-old kid and considers an 
    attack an act of state-sponsored Information Warfare? How do you stop 
    patriotic activists in your own country from launching attacks 
    against a foreign country to right a perceived wrong? How does a 
    country under cyber siege from another's citizens, not the 
    government, respond? In the past, the fact that not everyone had an 
    ICBM sitting in their living room or a B-2 bomber parked in their 
    driveway prevented individual citizens from launching their own 
    attacks. These same barriers don't exist in the cyber realm.
    - A certain portion of the attackers will believe passionately in 
    their cause while others will be involved just because it seems like 
    a cool thing to do.
    - Due to the context of these types of conflicts, some hackers and 
    others that consider themselves to be "ethical" find justification 
    for crossing lines they normally wouldn't, consequently enhancing the 
    talent pool available to both sides. An individual might be unwilling 
    to crack a system for criminal profit, but avenging the death of a 
    fellow countryman or launching a counterstrike falls into a different 
    sphere.
    - During periods like this, NOT ALL activity originating from either 
    party and targeting the other necessarily has anything to do with the 
    current tensions.
    - The level of sophistication of the participants on both sides is 
    likely to run the gamut from extremely skilled to knowing how to 
    do no more than surf to a web page and click on a few buttons.
    - Participants will range from organized groups to lone actors.
    - Attackers with other motives (criminal profit, etc.) may try to 
    launch attacks designed to be lost in the background noise generated 
    by current tensions or to direct suspicion to another party.
    - We are going to continue to see more of this type of cyber-based 
    protest/action/conflict in the future when tensions in the physical 
    realm rise.
    
    
    Developments So Far
    - Shortly after the 11 Sept. terrorist attacks, "US supporters" began 
    posting messages on bulletin boards calling for attacks and posting 
    target intelligence. The targets so far are Arab networks and sites 
    specific to Muslim extremist groups.
    
    
    Lessons Learned from the Israeli-Palestinian Cyber Conflict
    - There are two classes of targets. Targets of opportunity can 
    include anything from non-profit organizations and mom-and-pop shops 
    to multinational corporations and government agencies. If systems are 
    vulnerable and picked up in a scan, problems can be expected. The 
    second class of targets is made up of those that are specifically 
    targeted either because they are high-profile, because of the attackers' 
    perception of what they represent, or because of services they provide to 
    another organization.
    - Targets range from web sites, DNS servers, chat rooms, bulletin 
    boards, FTP sites, ISP infrastructure, closed databases and e-commerce 
    servers to a wide range of others.
    - While web page defacements and some other actions are public by 
    their very nature, this does not mean that strikes are restricted to 
    these types of attacks only. During the Israeli-Palestinian Cyber 
    Conflict, groups would launch very public denial of service campaigns 
    and defacements while behind the scenes working with skilled crackers 
    to gain root access to targeted systems. It is important to 
    understand the public actions and how they relate to your operations 
    and then raise your vigilance to deal with the lone actor or silent 
    group that is likely to attempt the more sophisticated attack.
    -- 
    
    ______________________
    IntelCenter
    Voice (703) 370-2962
    Fax (703) 370-1571
    Email - informationat_private
    Web - http://www.intelcenter.com
    PGP Public Key - available upon request
    
    PO Box 22572
    Alexandria, VA 22304-9257
    USA
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.2
    
    iQA/AwUBO5+lGv76H8QHdGcYEQLDFwCghX6FlaZp8QKpL3eCC51neRqcfGQAoPWd
    MRWPMDN91Scm1EwNkI14Q4hh
    =8Pyg
    -----END PGP SIGNATURE-----
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 11:49:55 PDT