Home page logo

Security Incidents mailing list archives

Warning & Indicators - Cyber Conflict
From: "Ben N. Venzke" <bvenzke () tempestco com>
Date: Wed, 12 Sep 2001 14:10:21 -0400

Hash: SHA1

The below points deal with the emerging cyber conflict tied the 11 
Sept. 2001 terrorist attacks. At this point it is emerging only. I'm 
keeping my fingers crossed that this does not escalate further, but 
in case it does, here is what to look for and some points for 

If you see any traffic you believe is related to this, I'm very interested.

                        - Ben Venzke

What to Look For/How a Cyber Conflict Develops
1. Event Occurs
2. Email traffic among concerned individuals picks-up.
3. Discussion boards and chat rooms light up.
4. Purpose-built lists and online communities formed to discuss the event.
5. Intelligence collection and targeting.
6. Organized groups formed to carry out attacks.
7. Known tools deployed or slightly modified.
8. Public and private attack tracks begin.
9. Purpose-built attack tools released.
10. Dedicated perception management campaign launched.
11. More sophisticated attacks that required preparation time launched.
12. Additional groups and supporters from around the world rally to the cause.
13. Behind the scenes infrastructure targets and other indirectly 
connected organizations hit.
14. Continued evolution of attack tools and tactics.

Points for Consideration
- - The potential cyber conflict has the ability to escalate without 
the support of nation-state actors.
- - Never before have nations had to deal with patriotic populations 
that have the ability to launch potentially damaging strikes against 
another country on their own initiative. This new development raises 
a significant number of issues that will continue to complicate 
international relations for the near future. What if a targeted 
country refuses to believe it's a 17-year-old kid and considers an 
attack an act of state-sponsored Information Warfare? How do you stop 
patriotic activists in your own country from launching attacks 
against a foreign country to right a perceived wrong? How does a 
country under cyber siege from another's citizens, not the 
government, respond? In the past, the fact that not everyone had an 
ICBM sitting in their living room or a B-2 bomber parked in their 
driveway prevented individual citizens from launching their own 
attacks. These same barriers don't exist in the cyber realm.
- - A certain portion of the attackers will believe passionately in 
their cause while others will be involved just because it seems like 
a cool thing to do.
- - Due to the context of these types of conflicts, some hackers and 
others that consider themselves to be "ethical" find justification 
for crossing lines they normally wouldn't, consequently enhancing the 
talent pool available to both sides. An individual might be unwilling 
to crack a system for criminal profit but avenging the death of a 
fellow countryman or launching a counterstrike falls into a different 
- - During periods like this, NOT ALL activity originating from either 
party and targeting the other necessarily has anything to do with the 
current tensions.
- - The level of sophistication of the participants on both sides is 
likely to run the gauntlet from extremely skilled to knowing how to 
do no more than surf to a web page and click on a few buttons.
- - Participants will range from organized groups to lone actors.
- - Attackers with other motives (criminal profit, etc.) may try to 
launch attacks designed to be lost in the background noise generated 
by current tensions or direct suspicions to another party.
- - We are going to continue to see more of this type of cyber-based 
protest/action/conflict in the future when tensions in the physical 
realm rise.

Developments So Far
- - Shortly after 11 Sept. terrorist attacks "US supporters" began 
posting messages on bulletin boards calling for attacks and posting 
target intelligence. The targets so far are Arab networks and sites 
specific to Muslim extremist groups.

Lessons Learned from the Israeli-Palestinian Cyber Conflict
- - There are two classes of targets. Targets of opportunity can 
include anything from non-profit organizations and mom-and-pop shops 
to multinational corporations and government agencies. If systems are 
vulnerable and picked up in a scan, problems can be expected. The 
second class of targets are made up of those that are specifically 
targeted either because they are high-profile, the attackers 
perception of what they represent, or services they provide to 
another organization.
- - Targets range from web sites, DNS servers, chat rooms, bulletin 
boards, FTP sites, ISP infrastructure, closed databases, e-commerce 
servers and a wide range of others.
- - While web page defacements and some other actions are public by 
their very nature, this does not mean that strikes are restricted to 
these types of attacks only. During the Israeli-Palestinian Cyber 
Conflict, groups would launch very public denial of service campaigns 
and defacements while behind the scenes working with skilled crackers 
to gain root access to targeted systems. It is important to 
understand the public actions and how they relate to your operations 
and then raise your vigilance to deal with the lone actor or silent 
group that is likely to attempt the more sophisticated attack.
- -- 

Voice (703) 370-2962
Fax (703) 370-1571
Email - information () intelcenter com
Web - http://www.intelcenter.com
PGP Public Key - available upon request

PO Box 22572
Alexandria, VA 22304-9257

Version: PGP 6.5.2


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
  • Warning & Indicators - Cyber Conflict Ben N. Venzke (Sep 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]