Should a targeted country strike back at the cyber attackers? by Dancho Danchev

On a regular basis, political sentiments over the use of kinetic/nuclear weapons or offensive cyber warfare capabilities against cyber adversaries reemerge internationally as a desperate response to the threat, largely based on the outdated situational awareness of the person making them.

The situation becomes even worse when these people are either directly participating in the chain of command for a particular country, or have political bargaining power that can undermine the common sense brought in by those in the trenches of cyber operations.

Excluding the political sentiments, attempting to use kinetic force against a physical target believed to be the location of the cyber attacker, as well as launching Denial of Service (DoS) attacks in response, is a very bad idea.

Let’s discuss some of the key trends in the market for offensive cyber warfare tools, as well as two fully realistic scenarios undermining the effectiveness of frontal cyber warfare engagement tactics.

The commercialization of offensive cyber warfare tools

Like in any other market, demand always meets supply. In the case of offensive cyber warfare, the supply is largely driven by a military principle known as “necessity and proportionality”, combined with a particular government’s interest in doing the single most logical thing a targeted country thinks it should do – should it strike back at the cyber attackers, and what kind of tools should it rely on?

In 2004, a risk metrics company started promoting, perhaps for the first time ever, a commercial offensive cyber warfare solution, described as:

“The first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures – effectively fighting fire with fire. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system.”

According to their press release, the product development was undertaken in anticipation of this emerging market segment. Years later, another vendor introduced a mainstream offensive cyber warfare platform, Rsignia’s CyWarfius CyberScope:

“The CyWarfius CyberScope is an offensive capable cyber weapon specifically designed to address the unique requirements of the cyber warrior. With the ability to conduct a surgical offensive strike on a specific target, the CyberScope is the first offensive tool of its kind to provide pseudo-kinetic countermeasures against cyber threats.”

These commercial, off-the-shelf propositions are also a direct response to public statements and comments on the use of kinetic/offensive responses made by U.S. defense officials throughout the years.

With more countries showing interest in the practice, due to the high volume of cyber attacks their infrastructures experience on a daily basis, it’s important to highlight some of the scenarios that have the power to undermine such offensive doctrines.

Compromised legitimate infrastructure acts as a “virtual human shield”

Assuming that a targeted country decides to strike back at the infrastructure used in the attack, the possibility that it may well be striking back at legitimate infrastructure is a fully realistic one, since in 2009, 71 percent of the Web sites with malicious code were legitimate.

Moreover, throughout the entire 2009, cybercriminals once again demonstrated the same “virtual human shield” concept by blending legitimate infrastructure into the malicious mix, with notable examples including the abuse of legitimate services such as Twitter, Google Groups and Facebook as command and control servers, as well as Amazon’s EC2 as a backend.

The problem with striking this infrastructure is that, from a military perspective, it’s a civilian target. The use of “human shields”, in this case a “virtual human shield”, has been a major legal and ethical consideration in every conventional military conflict where such tactics were used.

And even if the direct impact on a third country’s compromised infrastructure is legally considered collateral damage, the existence of this practice lays the foundations for launching false flag cyber operations.

False flag cyber operations impersonating a particular country

Remember the infamous “On the Internet, nobody knows you’re a dog” cartoon? Or the War Games movie?

In the context of cyber warfare, in 2010 nobody knows you’re Burkina Faso online, and yes, even North Korea. In the wake of the Google-China cyber espionage saga, everyone put the spotlight on China due to its internationally recognized cyber espionage doctrine throughout the past couple of years.

However, no attention was brought to the fact that the campaign, including many of the ones that were profiled at a later stage, could have been false flag cyber operations launched by another country, or even an individual or group of individuals, engineering cyber warfare tensions by relying on the negative reputation of the “usual suspects”.

The concept of false flag cyber operations is anything but a new one. Since the early appearance of botnets, the people behind them realized that they could easily hijack a country’s online reputation by using only infected hosts within that country for launching attacks, or anonymize their activities by using such hosts as “stepping stones”, a practice also known as “island hopping”.

In Google-China’s cyber espionage campaign, the smoking gun was a hacked server based in Taiwan, as well as several others based in the U.S. And even though there was no direct connection between the campaign and China’s infrastructure, the fact that, as I’m posting this article, several hundred Chinese government subdomains are compromised and serve client-side exploits to their visitors easily turns them into playgrounds for a foreign intelligence agency, or anyone else wanting to impersonate the country online.

From a CYBERINT (cyber intelligence) perspective, given that enough international cooperation is taking place, the Internet can be a pretty small place for every attacker or cybercriminal in general. However, in terms of attributing the real source of a cyber attack, the evidence obtained may be exactly the evidence a third party wants you to see.

Therefore, launching offensive cyber warfare tactics, or increasing the political pressure against the adversary a particular country has been tricked into believing is responsible for the attacks, is precisely what such a third country may want to achieve.

Cyber warfare tactics undermining the offensive cyber warfare capabilities of the targeted country

Two of the many cyber warfare tactics made possible by the maturation of cybercrime into today’s Crimeware-as-a-Service (CaaS) business model can easily render offensive cyber warfare capabilities, such as counter-strike DDoS attacks, completely obsolete. For instance:

  • Country A (Russia) knows that country B (United States) would DDoS back anyone. It hates country C (China), so it rents bots within country C (China) to DDoS country B (United States). Ultimately, B (United States) DDoS-es C (China) – This tactic demonstrates the problem with publicly acknowledging your ambitions to strike back at cyber attackers, theoretically even nuke them. And although connections to known cybercrime-friendly groups were established for their participation in renting botnets for some of the high-profile cyber attacks (Russia vs Georgia as an example), the people behind these services closely monitor the attribution patterns applied by the community. This proactive monitoring of mitigation strategies helped them embrace the so-called “aggregate-and-forget” botnets, where a certain botnet is uniquely aggregated in order to make it harder, if not virtually impossible, to trace it back to a particular group.
  • Country A (China) wants to undermine the offensive DDoS capabilities of country B (Russia). It DDoS-es from bots located within country B (Russia). If B (Russia) starts DDoS-ing back the cyber attackers, it would ultimately end up DDoS-ing its own infrastructure – One of the most interesting questions that this tactic leaves unanswered is: how is a targeted country going to respond to a large scale denial of service attack which is coming from malware-infected hosts within the targeted country itself? One of the most recent examples of this concept was the “Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites” campaign, which was so successful in terms of the internal traffic generated by the protesters that discussions to stop the DoS attacks, in order to allow the upload of user generated content, started taking place. Basically, the Iranian government was heavily hit by the same tool that it was using to spread its own “version of the story”. Taking it offline in order to prevent the leak of disturbing material to the rest of the world means denying themselves the ability to influence foreign opinion as well.
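As an added illustration of both the “virtual human shield” problem and the self-DDoS scenario above (example code written for this page, not from the original article or any vendor product), the following Python check buckets observed DDoS source addresses against the defender’s own prefixes and a list of hosts already known to be compromised legitimate infrastructure, and reports what a counter-strike would actually hit. All prefixes, addresses and hit counts are constructed sample data.

```python
import ipaddress
from collections import Counter

# All values below are constructed for this example (RFC 5737 documentation ranges).
# Assumed: the defender knows its own prefixes and keeps a list of hosts already
# identified as compromised legitimate infrastructure (hacked sites, abused cloud VMs).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
KNOWN_LEGIT_COMPROMISED = {"192.0.2.10", "192.0.2.11"}

# Constructed flood sample: one entry per observed attacking source, as a DDoS
# sensor might report them after aggregating by source address.
SAMPLE_SOURCES = (
    ["203.0.113.%d" % i for i in range(1, 41)]    # 40 infected hosts in own space
    + ["198.51.100.%d" % i for i in range(1, 21)]  # 20 more in own space
    + ["192.0.2.10"] * 15 + ["192.0.2.11"] * 10    # 25 hits via hacked legitimate hosts
    + ["192.0.2.200"] * 15                         # 15 hits from an unknown external host
)


def classify_sources(sources, own_prefixes, legit_compromised):
    """Bucket each attacking source: own infrastructure, third-party legitimate
    hosts that were compromised, or external hosts with no attribution data."""
    counts = Counter()
    for src in sources:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in own_prefixes):
            counts["own_infrastructure"] += 1
        elif src in legit_compromised:
            counts["compromised_legitimate"] += 1
        else:
            counts["unattributed_external"] += 1
    return counts


def strike_back_assessment(sources, own_prefixes, legit_compromised, threshold=0.5):
    """Return (verdict, shielded_share). The verdict is never 'strike back':
    a high shielded share means a counter-DDoS would hit the defender itself or
    civilian infrastructure; a low share still says nothing about who rented
    the bots, so source addresses alone do not attribute the attack."""
    counts = classify_sources(sources, own_prefixes, legit_compromised)
    total = sum(counts.values())
    shielded = counts["own_infrastructure"] + counts["compromised_legitimate"]
    share = shielded / total if total else 0.0
    verdict = "self_or_civilian_hit" if share >= threshold else "source_is_not_attribution"
    return verdict, share


if __name__ == "__main__":
    print(classify_sources(SAMPLE_SOURCES, OWN_PREFIXES, KNOWN_LEGIT_COMPROMISED))
    print(strike_back_assessment(SAMPLE_SOURCES, OWN_PREFIXES, KNOWN_LEGIT_COMPROMISED))
```

On the constructed sample 85 percent of the flood would be absorbed by the defender’s own hosts and by hacked third-party sites, so the sensible response is upstream filtering and notifying the owners of the infected hosts rather than a counter-strike.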
