First, Dave Aitel’s presentation on Three Cyber War Fallacies explores some of the more common misconceptions about cyber attacks.
If you have anything do do with cyber – anything at all – you simply must read this presentation.
Get yourself a big cup of coffee, close the office door or put a towel over your cubicle and view it.
Aitel has created, quite simply, the best presentation that has been produced to date on the realities of contemporary attacks and defense. It synthesizes the best thinking on the cyber domain, and reaches practical, pragmatic, hype-free and applicable conclusions. Have I mentioned you should read it?
Second, I want to talk about the DHS guidance on Anonymous and the various hacking groups that have hit law enforcement recently. There are news reports after analysis after opinion atop punditry about the attacks themselves – including from us – and I’m not going there.
Where I am going with this can actually take a few random points from Aitel’s presentation as mood-setter:
- Law enforcement is most useful against attackers with financial motives.
- The attacking community is mature, self-organizing and highly motivated.
- Defenders consistently misunderestimate their opponents.
- Defenders have invested all their money in products that don’t work.
So in July, the DHS came out with an alert on Anonymous, and it’s been published on PublicIntelligence.net.
It is, in several places, stupid. I believe it is, overall, at least from the standpoint of law enforcement, misleading.
In it, the authors state (and let it be said that this appears to me and to others to comprise text which has been re-purposed from some earlier intelligence analysis) that
The actors who make up the hacker group “Anonymous” and several likely related offshoots like “LulzSec”, continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures (TTPs) commonly associated with less skilled hackers referred to as “Script Kiddies” … So far, Anonymous has not demonstrated any capability to inflict damage to critical infrastructure, instead choosing to harass and embarrass its targets. However, some members of LulzSec have demonstrated moderately higher levels of skill and creativity, evidenced in attacks using combinations of methods and techniques to target multiple networks. To date, their attacks have largely resulted in the release of sensitive documents and personally identifiable information. These attacks have the potential to result in serious harm, particularly to Law Enforcement and other Federal, State and Local Government personnel who may be targeted as a result.
An uninitiated person reading these words might reasonably conclude that these are a bunch of kids which pose no major threat. From one standpoint – that of a federal government considering nation-state cyber attack against critical infrastructure – this might be a reasonable read (I don’t believe that it is in any way accurate, but I am saying that someone reading this might conclude that in the absence of other information).
From the law enforcement standpoint, this means that these hackers are extremely dangerous and must be taken seriously. What the report points out correctly is that the attacks against law enforcement networks have been relatively unsophisticated, using out-of-the-box exploits, and social engineering (pretexting) tactics that have been, in all fairness, like taking candy from a baby.
Cops have been so monumentally careless about their technology that they have created large and porous attack surfaces, making it easy for attackers.
The reason I say that these scriptkiddies are the more serious threat is that the more mature activist hackers – those launching attacks for example against large corporations for their support of a specific point of view (as we saw with the attacks against firms which cut off funding to the website WikiLeaks, for example) may possess a maturity and ethical compass that precludes them from acting rashly.
Younger members may be more rash, and less disciplined about their targets (that is, selecting easy ones) and about the consequences of their acts (that is, they may release information for reasons less about ethics and activism and more about fun, spite and publicity).
Which means this: don’t mistake a script kiddie for a harmless kid. A kid with a script is potentially as dangerous as a kid with an Uzi.
What do you think? Let us know below.