By Martin Lee, Intelligence Manager at Alert Logic
Cyber war is often in the headlines. The hype centered on state sponsored malware means that the lines defining fact and fiction often become blurred leading to increasing fear bordering on hysteria. However, cyber weapons have a very specific weakness that means that they might be less effective than anticipated in the real world.
The discovery of Stuxnet in 2010 and the subsequent information leaks confirming that the trojan was indeed a state sponsored malware designed to damage the nuclear processing infrastructure of an independent nation showed that cyber weapons were no longer a theoretical issue. Developing such malware takes a lot of resources and skill. There are many stages in the life cycle of the malware that must be completed before any putative cyber weapon can be described as having successfully completed its mission. The target must first be researched to understand the strength of its defenses and any areas of weakness that may exist. A ‘weaponised’ exploit must then be created in order to deliver and install the malware on the target, and covert communications must be established back to the attacker in order to await further instructions, or capture data for exfiltration. The discovery of the exploit or malware during any of these phases means that defenses can be put in place disrupting the attack and preventing the mission from being completed.
Cyber defenses have improved to the point that once an attack has been identified, it can largely be blocked and defeated. Of course identifying an attack is not trivial, and diligent effort has to be undertaken to ensure that adequate detection is put in place so that an attacker cannot evade defenses. However, this does
tend to suggest that cyber weapons will be limited to a single use. Once they cause obvious damage and are discovered they are no longer useful since they can be expected to be detected and blocked from communicating back to their controllers. To be effective, cyber weapons must rely on stealth to remain hidden until the moment when they can be activated.
A similar issue affected the state of the art weaponry of the 1980’s. Cruise missiles stationed in Europe were intended to leave their bases and melt into the countryside where they could be stealthily hidden, safe from enemy action until the orders to launch their nuclear payload were received. However, this doctrine suffered from a major flaw. Protestors followed the cruise missile convoys whenever they left their bases. A network of observers reported the movement of the missiles along highways ensuring that they could never melt unseen into the countryside. This constant observation rendered the stealth required by the nature of weapons impossible to achieve.
Cyber weapons suffer from a similar problem. Although there is no cyber equivalent of the peace protests of the 1980’s, there is nevertheless a co-ordinated network of observers constantly seeking out cyber weapons. For any security researcher, identifying a cyber weapon, or any new sophisticated malware, is a career-defining moment. Adulation and kudos from peers flow to any individual who finds such an attack. This ensures that the most ambitious and skilled security researchers and network analysts are constantly searching for the traces left by cyber weapons. Indeed, venture capital funds are being invested in the development of new detection tools, to improve the discovery of these traces.
By their nature these cyber weapons require stealth, as soon as they are detected they are rendered useless. Yet, the interest that they generate means that they are the constantly being hunted. Similar to the cruise missile, cyber weapons can not be expected to melt into the background for long periods of time and remain undiscovered until they are ready to be activated. Any subtle change in the environment they reside in has the capacity to render them impotent and being high profile and highly sought after, they face an ever-growing risk of discovery.
Paradoxically, the stealth and capabilities of advanced malware means that they are far too interesting and attract far too much attention for their stealthiness to persist. For once, this might mean that fear and hype are actually helping to keep a genuine threat at bay.
visit Alert Logic’s site to see what they do: www.alertlogic.com