There will be more attacks like Stuxnet: ArcSight
US is concentrating on boosting SCADA system security says ArcSight CTO Public Sector
There will be more attacks on critical infrastructure, similar to the Stuxnet attack, across the globe, according to Dr Prescott B Winter, CTO Public Sector of security company ArcSight.
"There is a lot of concern in the US about protecting SCADA systems, which is what was attacked in [Stuxnet]. They are not very well protected, and a lot of the companies that build those or use them in their infrastructure are working fairly feverishly now to tighten those up," said Winter.
The most significant thing about the Stuxnet attack and the thing that sets it apart, according to Winter, is that the whole thing came out into the open.
"One would be naïve to assume that is the only attack at that level of sophistication that has ever been tried. There are others like that I suspect, but I think that what is important here is that it had a particular intent and that is what people need to look at," said Winter.
"People have asked me if we are in a cyber-war, I am not sure I can answer that. We have Howard Schmidt in the US who is the President's cyber security advisor who is saying 'no we are not in one' and it is 'a stupid question and concept' and then we have Admiral Mike McConnell who is the director of National Intelligence and before that was the director of NSA saying 'Yes we are in a cyber-war and we are losing'."
According to Winter, one of the open questions about whether the globe is in a cyber war is what the definition of war is. That question in turn brings into focus who the adversary is and which authorities should be brought in to respond to attacks on critical infrastructure, regardless of where it is.
To attribute any sophisticated cyber-attack to any particular entity is almost impossible as it is easy for the culprits to hide inside and behind a mass of servers.
"It is hard to tell who is perpetrating some of these things. With the use of deep insights, governments can sometimes figure out where these things come from, but even then it is not easy to discover the intent behind them. Some may be for intellectual property, but others may have more of a strategic national intent of some kind," said Winter.
What is more critical than discovering who is behind the attacks is concentrating on securing an enterprise and its systems.
"The only way you are going to be able to respond to [attacks like Stuxnet], is to be able to have really deep insight as to what is in your network and what you are doing, who is in your network. If we think about Stuxnet, the bad code actually got into the machine controllers through USB keys; do you allow USB keys in and out of your enterprise? Do you even know when they are being used?" said Winter.
The use of USB keys contaminated with malware was also the cause of the cyber-attack on the Defence Department in Afghanistan in the Fall of 2008.
"It is possible to have every use and instance of USB key use flagged. Do you do that, and if you do it, do you automatically put quarantine on the user and the machine? You can do that too, but the fact of the matter is even with something as well developed as Stuxnet, if you look at the series of events that took place, and you identify each of those as a part of a set of threat vectors, it is all part of being able to see what is happening in your network, see who is doing it, see what is contrary to policy and then figuring out how to stop it, because these attacks take a long time to roll out," said Winter.
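The flagging and quarantine policy Winter describes can be expressed as a small detection rule over host logs. The following Python is an added example, not code from ArcSight or from this article: it parses constructed syslog-style USB messages (modelled on Linux kernel output, hostnames and serial numbers invented here), flags every mass-storage insertion, and marks for quarantine any drive whose serial is not on a hypothetical allowlist of issued devices.

```python
"""Flag removable-storage insertions in syslog-style lines and decide which
hosts to quarantine under a simple allowlist policy (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log; hostnames, ports and serial numbers are invented.
SAMPLE_LOG = """\
Mar 14 09:02:11 plc-eng-01 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar 14 09:02:11 plc-eng-01 kernel: usb 1-2: SerialNumber: 0123ABCD
Mar 14 09:02:12 plc-eng-01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 14 09:02:14 plc-eng-01 systemd-logind[812]: session 7 opened for user jdoe
Mar 14 09:40:03 hmi-02 kernel: usb 2-1: new full-speed USB device number 3 using xhci_hcd
Mar 14 09:40:03 hmi-02 kernel: usb 2-1: SerialNumber: 7777ZZZZ
Mar 14 09:40:04 hmi-02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Mar 14 10:15:30 hist-01 kernel: usb 1-1: new low-speed USB device number 2 using xhci_hcd
Mar 14 10:15:30 hist-01 kernel: usb 1-1: SerialNumber: KBD00042
"""

# Only kernel lines carry USB enumeration details; everything else is noise here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?P<body>.*)$"
)
SERIAL_RE = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)$")
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected$"
)

# Hypothetical allowlist of serial numbers for drives the enterprise issued.
APPROVED_SERIALS = {"0123ABCD"}


@dataclass
class UsbEvent:
    timestamp: str
    host: str
    port: str
    serial: Optional[str] = None
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> List[UsbEvent]:
    """Correlate the per-port kernel lines into one event per (host, port)."""
    events: Dict[Tuple[str, str], UsbEvent] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel line: ignore
        host, body = m["host"], m["body"]
        sm = SERIAL_RE.match(body)
        if sm:
            key = (host, sm["port"])
            ev = events.setdefault(key, UsbEvent(m["ts"], host, sm["port"]))
            ev.serial = sm["serial"]
            continue
        st = STORAGE_RE.match(body)
        if st:
            key = (host, st["port"])
            ev = events.setdefault(key, UsbEvent(m["ts"], host, st["port"]))
            ev.mass_storage = True
    return list(events.values())


def evaluate_policy(events: List[UsbEvent], approved=APPROVED_SERIALS):
    """Flag every mass-storage insertion; quarantine those not on the allowlist.

    A keyboard or other non-storage device (hist-01 above) is never flagged."""
    flagged: List[UsbEvent] = []
    quarantine: List[UsbEvent] = []
    for ev in events:
        if not ev.mass_storage:
            continue
        flagged.append(ev)
        if ev.serial not in approved:
            quarantine.append(ev)
    return flagged, quarantine


if __name__ == "__main__":
    flagged, quarantine = evaluate_policy(parse_usb_events(SAMPLE_LOG))
    for ev in flagged:
        action = "QUARANTINE" if ev in quarantine else "flag"
        print(f"{ev.timestamp} {ev.host} port {ev.port} serial {ev.serial}: {action}")
```

The correlation key is (host, port) because the serial number and the mass-storage class arrive on separate lines; a rule that looked at single lines would either miss the serial or flag keyboards. Whether a quarantine also covers the logged-in user is a policy choice the article leaves open, so the code only reports the decision.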
Stuxnet was not instantaneous; it took months to get all of the necessary components in place before it could actually begin to affect the machinery.
But, as Winter pointed out, even something as sophisticated as Stuxnet does not happen by magic. It happens through real events that are identifiable in the network, and while some of the malware was extremely sophisticated, there were points in the sequence of events at which ordinary insight would have allowed defenders to spot the attack.
However, spotting such cyber-attacks is becoming far more difficult as they become far more sophisticated, according to Winter.
"They [the attacks] are definitely getting cleverer and the interesting thing is that a lot of the sophistication is on the social engineering side. There was a long period of time when the attacks were just generic attacks aimed at anything out there and those are the kinds of attacks we can stop with signatures. What gets harder is the attacks that are designed to look normal, to look like friendly activity until they get inside the networks, that is why these phishing attacks are the attacks of choice today for most cases," said Winter.
These types of high-level phishing attacks allow the attacker to send something into the enterprise and get it past the firewalls and signature-based detectors by making it look friendly. Many of today's attacks use vectors that appear benign on entry but become dangerous once inside the enterprise, according to Winter.
Once a phishing attack like this is inside an enterprise, it is too late and signature recognition and firewalls will not help.
"To identify the particular type of software that has come in, I think it is important to be aware of the software baselines to understand that a particular piece of software has been changed and identify who has changed it and why," said Winter.
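A software baseline of the kind Winter refers to is, at its simplest, a record of cryptographic hashes for the files that make up an installation, checked again later to find what changed. The Python below is an added example, not ArcSight's tooling or anything from the article: it builds a SHA-256 baseline over a directory tree, then reports changed, added and removed files. The directory and its contents are constructed in a temporary folder so the example runs offline.

```python
"""Build a file-hash baseline for a directory and report drift against it
(added example; the sample tree is constructed in a temp directory)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return sorted lists of files whose hash differs, that are new, or that vanished.

    'who changed it and why' cannot come from hashes alone; this result is the
    trigger for looking that up in change records or audit logs."""
    current = build_baseline(root)
    changed = [f for f in baseline if f in current and current[f] != baseline[f]]
    added = [f for f in current if f not in baseline]
    removed = [f for f in baseline if f not in current]
    return {"changed": sorted(changed), "added": sorted(added), "removed": sorted(removed)}


def demo() -> Dict[str, List[str]]:
    """Construct a small install tree, baseline it, then simulate drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ctrl.exe").write_bytes(b"constructed controller binary v1")
        (root / "config.ini").write_text("speed=100\n")
        baseline = build_baseline(root)

        # Simulated drift: a modified binary, an unexpected new library, a deleted config.
        (root / "bin" / "ctrl.exe").write_bytes(b"constructed controller binary v1 + patch")
        (root / "bin" / "loader.dll").write_bytes(b"constructed unexpected library")
        (root / "config.ini").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the comparison would run on a schedule or on file-change events; otherwise an intruder who can alter the software can alter the record of it too.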
ArcSight gave several instances of high-level attacks that have happened in the last six months, such as the attacks on RSA and HBGary, the one on the French Ministry of Finance, the attacks on the Canadian and British governments at very high levels, and the recent attack on Oak Ridge National Laboratory in the US. Looking at all of these attacks, Winter said, he could see gaps in the security systems that should not have been there.
"In most of these cases there are some basic things that in retrospect you realise they were not looking after and so it is a question of identifying who is in your network, what they are doing and knowing what the rules are; what are the security policies in that network and what are the activities of whoever is in your network contrary to policy?" he said.