The U.S., like many other nations, is highly dependent upon information technology in everything from national security and intelligence activities, to commerce and business, to personal communications and social networking.
The Internet is one of the unifying fabrics driving globalization and political change at an ever-accelerating pace. Information technology (IT) is vital to every major industry and economy in the world. Simply put, these technologies and their associated network communications systems represent the greatest opportunity to enhance our productivity and to spread our system of values. Unfortunately, because today's IT environments change so quickly, these evolving technologies and modes of communication also represent one of our greatest threats. It is therefore not surprising that cyber security has become such an important economic and national security issue.
We are seeing the threat landscape evolve rapidly, with more varied targets and, in many cases, more advanced technologies and tactics than ever before. This expansion in risk threatens to erode trust in the digital commerce, communication and collaboration that we all take for granted today.
Today's attackers clearly understand the interconnections and interdependencies that organizations have in our networked world, and they know how to exploit that interdependence to achieve their goals. In other words, we are seeing more attacks in which the compromise of one organization is leveraged in an attack on another. No organization that embraces the Internet and information technology, whether public or private, is immune to cyber attacks.
Across the range of cyber adversaries it is clear that the preferred method of exploitation centers on people. Social engineering is now the number one avenue of attack, and the human being is the new security perimeter, because attacks that go through a person easily evade traditional perimeter controls such as anti-virus software, firewalls and intrusion detection systems. Security professionals have long understood that IT users will click on links they shouldn't and unwittingly install malware hidden behind simple ruses. Corporate IT departments deploy multiple controls to help deal with this threat. Those controls may work well against generic attacks, but not against sophisticated zero-day exploits. Because there is no way to prevent every person associated with an organization from making mistakes, organizations that want to defend themselves thoroughly need to assume that compromise is probable, if not inevitable.
Understanding the Scope of the Cyber Threat
In the past 15 years we have had an explosion of information: it is being created at an ever-increasing rate and spreading further and faster than ever before.
Along with this growth has come a flood of productivity-enhancing web applications and personal-computing devices. Every one of us is both consuming new technologies, from devices like iPads and Droid-based smartphones to social networks like LinkedIn and Facebook, and trying to deal with their unprecedented entry into our organizations. Are organizations ceding more control of their IT environments to their users? Yes.
The Internet and all of its facets permeate every corner of our organizations and personal lives. Our situation is complicated, and especially challenged, by what can be called "degrees of openness." The number of parties with whom we transact and share information is skyrocketing, and the velocity of those transactions and of that information sharing is increasing. The hyperextension of our enterprises and the wonders of more ubiquitous and simpler online access are introducing new complexities, new vulnerabilities and new opportunities for the darker elements of the Internet. Attackers are exploiting those vulnerabilities and easily outflanking perimeter defenses.
To defend successfully against these attacks it is important to understand the actors better. The attackers can be categorized into three major classes of cyber adversaries: criminals, non-state actors, and nation states. Each has distinct motives and modus operandi, but they may, at times, collaborate when their goals align.
Criminals
One class is the cyber criminal. Whether loosely affiliated or tightly organized, they are out to steal information assets that can be converted to cash. It is typical to see their "platform-based" crimeware and zero-day vulnerabilities auctioned on the black market to the highest bidder. A criminal group can buy a botnet kit for drive-by downloads, a spamming kit for spam runs, bulletproof hosting from an underground service provider, un-attributable domain registration, and so on. As the criminal ecosystem matures, the cost of entry for cyber crime continues to fall.
Non-state Actors
This category of actors is made up of those who have a non-sovereign agenda and who invest disproportionately with respect to any returns they might see. It includes publicity-seeking hackers (so-called "hacktivists") with political agendas. They are the ones who want to send you a very loud message and broadcast it to the media. Whether through Web vulnerabilities, a lack of general security controls, or the failure of the human firewall, these groups will find the holes in an organization's mythical security perimeter. They can be very sophisticated hackers themselves, or they can work with, or encourage, insiders who have access to important information.
This category also includes terrorists. As tools such as Stuxnet become more available and accessible, the possibility of terrorists obtaining malware of this kind is increasing. In the future, their agendas could include combining physical attacks with cyber attacks on critical infrastructure.
Nation States
A third category of attacker is the nation state. Nation states typically are focused on gaining strategic advantage through theft of government secrets and valuable intellectual property; ensuring competitive advantage for their domestic industries; or gaining intelligence on their own citizens, or on those of other nations, whom they believe present a risk to them. They also have the ability to combine physical attacks with cyber attacks on infrastructure.
Nation-sponsored attacks are often the most sophisticated and are carried out with stealth. The attack may start like any other: simple and under the radar, with rudimentary malware and a variety of tools no different from those of the other groups. The real differences in sophistication are the concentration of resources behind the attack and the efficiency with which these adversaries operate after gaining entry. They almost always do a lot of intelligence gathering, sometimes for months, in advance of the attack. Through social media and other means, they learn which end users in corporations or government agencies possess the assets they want. Over time they develop a solid mapping and inventory of the target network and its security infrastructure. Experience tells them where the information they want resides (in critical databases or file shares, for example). They almost always start with client-side attacks, using malware embedded in Flash files or PDF documents and including custom backdoors and rootkits. Advanced threats tend to use malware produced hours or days before the attack, so that traditional anti-virus tools have no signature by which to identify or block it. Once inside, they compromise a directory of users, obtain access to local service accounts, or take over domain administrator accounts.
Finally, they are also difficult to detect because very often they have compromised one company in order to use it in attacking another. Unlike cyber criminals, they want to remain inside an organization's network, so they go quiet, set up backup access paths, and monitor incident response efforts to gauge defender reactions, altering their behavior accordingly.