mailing list archives
Warning & Indicators - Cyber Conflict
From: "Ben N. Venzke" <bvenzke () tempestco com>
Date: Wed, 12 Sep 2001 14:10:21 -0400
-----BEGIN PGP SIGNED MESSAGE-----
The below points deal with the emerging cyber conflict tied the 11
Sept. 2001 terrorist attacks. At this point it is emerging only. I'm
keeping my fingers crossed that this does not escalate further, but
in case it does, here is what to look for and some points for
If you see any traffic you believe is related to this, I'm very interested.
- Ben Venzke
What to Look For/How a Cyber Conflict Develops
1. Event Occurs
2. Email traffic among concerned individuals picks-up.
3. Discussion boards and chat rooms light up.
4. Purpose-built lists and online communities formed to discuss the event.
5. Intelligence collection and targeting.
6. Organized groups formed to carry out attacks.
7. Known tools deployed or slightly modified.
8. Public and private attack tracks begin.
9. Purpose-built attack tools released.
10. Dedicated perception management campaign launched.
11. More sophisticated attacks that required preparation time launched.
12. Additional groups and supporters from around the world rally to the cause.
13. Behind the scenes infrastructure targets and other indirectly
connected organizations hit.
14. Continued evolution of attack tools and tactics.
Points for Consideration
- - The potential cyber conflict has the ability to escalate without
the support of nation-state actors.
- - Never before have nations had to deal with patriotic populations
that have the ability to launch potentially damaging strikes against
another country on their own initiative. This new development raises
a significant number of issues that will continue to complicate
international relations for the near future. What if a targeted
country refuses to believe it's a 17-year-old kid and considers an
attack an act of state-sponsored Information Warfare? How do you stop
patriotic activists in your own country from launching attacks
against a foreign country to right a perceived wrong? How does a
country under cyber siege from another's citizens, not the
government, respond? In the past, the fact that not everyone had an
ICBM sitting in their living room or a B-2 bomber parked in their
driveway prevented individual citizens from launching their own
attacks. These same barriers don't exist in the cyber realm.
- - A certain portion of the attackers will believe passionately in
their cause while others will be involved just because it seems like
a cool thing to do.
- - Due to the context of these types of conflicts, some hackers and
others that consider themselves to be "ethical" find justification
for crossing lines they normally wouldn't, consequently enhancing the
talent pool available to both sides. An individual might be unwilling
to crack a system for criminal profit but avenging the death of a
fellow countryman or launching a counterstrike falls into a different
- - During periods like this, NOT ALL activity originating from either
party and targeting the other necessarily has anything to do with the
- - The level of sophistication of the participants on both sides is
likely to run the gauntlet from extremely skilled to knowing how to
do no more than surf to a web page and click on a few buttons.
- - Participants will range from organized groups to lone actors.
- - Attackers with other motives (criminal profit, etc.) may try to
launch attacks designed to be lost in the background noise generated
by current tensions or direct suspicions to another party.
- - We are going to continue to see more of this type of cyber-based
protest/action/conflict in the future when tensions in the physical
Developments So Far
- - Shortly after 11 Sept. terrorist attacks "US supporters" began
posting messages on bulletin boards calling for attacks and posting
target intelligence. The targets so far are Arab networks and sites
specific to Muslim extremist groups.
Lessons Learned from the Israeli-Palestinian Cyber Conflict
- - There are two classes of targets. Targets of opportunity can
include anything from non-profit organizations and mom-and-pop shops
to multinational corporations and government agencies. If systems are
vulnerable and picked up in a scan, problems can be expected. The
second class of targets are made up of those that are specifically
targeted either because they are high-profile, the attackers
perception of what they represent, or services they provide to
- - Targets range from web sites, DNS servers, chat rooms, bulletin
boards, FTP sites, ISP infrastructure, closed databases, e-commerce
servers and a wide range of others.
- - While web page defacements and some other actions are public by
their very nature, this does not mean that strikes are restricted to
these types of attacks only. During the Israeli-Palestinian Cyber
Conflict, groups would launch very public denial of service campaigns
and defacements while behind the scenes working with skilled crackers
to gain root access to targeted systems. It is important to
understand the public actions and how they relate to your operations
and then raise your vigilance to deal with the lone actor or silent
group that is likely to attempt the more sophisticated attack.
Voice (703) 370-2962
Fax (703) 370-1571
Email - information () intelcenter com
Web - http://www.intelcenter.com
PGP Public Key - available upon request
PO Box 22572
Alexandria, VA 22304-9257
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
-----END PGP SIGNATURE-----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Warning & Indicators - Cyber Conflict Ben N. Venzke (Sep 12)