Cyber Threat Summit 2012 - Pierluigi Paganini

The rise of cyber weapons and relative impact on cyber space

© All Rights Reserved

Presentation Transcript

  • Security Affairs
    The rise of cyber weapons and relative impact on cyber space
    Dublin – September 20th & 21st 2012
  • Agenda
    • Cyber warfare & cyber weapons
    • Impact on cyberspace
    • A new role for hackers
    • Regulation of cyber weapon use
    • Economic data on the development of cyber capabilities
  • Cyber Warfare – A global concern (1/3)
    • US military strategist John Boyd states: "War comprises acts of physical, biological, psychological, social, cultural and other destruction at all levels, for example, intrapsychic, interpersonal, intergroup, inter-organizational, and international."
    • Cyber warfare refers to politically motivated hacking to conduct sabotage and espionage. U.S. government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption."
    • Cyberspace is considered a new domain of warfare. William J. Lynn, U.S. Deputy Secretary of Defense, states that "as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space."
  • Cyber Warfare – A global concern (2/3)
    • Cyber warfare is combat in cyberspace and includes computers, the Internet and the "sphere of human thought" (the Noosphere, social media).
    • Cyber operations can be:
      – Kinetic: physical destruction.
      – Non-kinetic: attacks against computers, intellectual property, financial systems, and the realm of ideas, opinions, beliefs and feelings.
    • Cyber attacks that result in the physical destruction of critical infrastructure or in large loss of life are considered acts of war or terrorism. Cyber attacks can originate or be triggered from anywhere.
    • Paradoxically, cyber warfare can, and already does, take place during "peacetime", when no conventional conflict is occurring.
  • Cyber Warfare – A global concern (3/3)
    • In 2009, President Barack Obama declared America's digital infrastructure to be a "strategic national asset".
    • In May 2010 the Pentagon created a new U.S. Cyber Command (USCYBERCOM), whose primary mission is to defend American military networks and to conduct full-spectrum military cyberspace operations in order to enable actions in all domains.
    • The US, China, Israel and Russia are the countries that invest most in building cyber warfare capabilities. Today other states, such as North Korea and Iran, are improving their presence in cyberspace.
    • At least 140 countries are developing cyber weapons and the number of cyber warfare operations has dramatically increased. It has been estimated that thousands of attacks are conducted daily against government systems around the world by hostile foreign states … how many of them will be successful?
  • Cyber weapons – the need for a definition
    • Despite the inflationary use of the term "cyber weapon", today there is no formal and legal definition of it.
    • The Department of Defense Dictionary of Military and Associated Terms, 550 pages of definitions for the defense sector, does not contain a specific definition of cyber weapon.
    • Since the discovery of the Stuxnet virus it has become fundamental to qualify the concept of cyber weapon from a legal perspective, in order to evaluate the legal and political responsibility of the aggressor and the real level of the threat posed.
    • International law does not exhaustively define what is meant by cyber weapon.
  • Why has the use of cyber weapons proved a winner? (1/2)
    • Great efficacy – cyber weapons could have a dramatic impact on critical infrastructures.
    • Low noise – the disclosure of such agents is delayed by the nature of the vulnerabilities they exploit. A 0-day vulnerability gives the attacker a real advantage, and the risk that the operation fails is minimal.
    • Escape from the sanctions of the international community – the anonymous nature of the offense makes it possible to sidestep the approval the world community would demand for a military offensive.
    • Reduced costs – the costs of developing and maintaining a cyber weapon are relatively low compared to conventional weapons.
  • Why has the use of cyber weapons proved a winner? (2/2)
    • The preparation phase of a cyber weapon is covert – intelligence research can more easily discover the building of a conventional weapon (e.g. missiles, drones, combat aircraft), whereas the development of a cyber weapon is hard to identify.
    • The use of a cyber weapon is complementary to conventional military strikes:
      – Support for offensive operations by destroying enemy defence infrastructure.
      – Probing the technological capabilities of the enemy by evaluating the ability of an agent to infect enemy systems.
    • A cyber weapon could allow minor states with limited military and economic resources to compete with larger international powers by attacking their critical infrastructures, thanks to an excellent cost-benefit ratio.
  • Which targets can be attacked with cyber weapons?
    The range is very wide; in general a cyber weapon could hit every critical infrastructure and vital system of a country, such as:
    • Industrial control systems; of particular concern are the components that oversee the operation of plants for energy production and the delivery of services of various kinds, such as water utilities.
    • Electric power supply grids.
    • Systems for territory control.
    • Hospitals and government controls.
    • Communications networks.
    • Defence systems.
    • Military air traffic and airspace control systems.
    • Financial and banking systems.
  • Cyber weapon – a definition by inference
    Let's start from the Wikipedia definition of a weapon: "A weapon, arm, or armament is a tool or instrument used in order to inflict damage or harm to living beings—physical or mental—artificial structures, or systems."
    To qualify a weapon from a legal standpoint it is necessary to identify the purpose of its use, the context in which it is used, the subject/object that offends and the target of the attack.
    Italian lawyer Stefano Mele, a cyber warfare expert, in his publication "Cyberweapons – Legal and strategic aspects" states: "A cyber weapon is an appliance, device or any set of computer instructions designed to unlawfully damage a computer or telecommunications system having the nature of critical infrastructure, its information, data or programs contained therein or pertaining thereto, or to facilitate the interruption, total or partial, or alteration of its operation."
  • Cyber weapon – variations on a theme
    • The definition provided is complete and legally valid, but in the opinion of several experts it raises some reflections: in many jurisdictions, arms are defined as all those instruments whose natural destination is offence against the person, so a cyber weapon could be defined as "an appliance, device or any set of computer instructions designed to offend the person through cyberspace".
    • Under this perspective it is possible to distinguish the cases in which a cyber weapon is specifically designed to offend from those in which tools originally designed for other functions are improperly adapted for offensive purposes.
  • Cyber espionage & cyber weapons
    • One of the most debated issues is whether a cyber espionage tool with a modular structure, which opens the malware to offensive use, can be defined as a "cyber weapon".
    • According to the definition provided, a cyber espionage toolkit is not considered a cyber weapon, because it neither offends the person nor causes serious damage to critical infrastructure.
    • The question has been raised by the discovery of malware such as Duqu, Flame and Gauss, which were mainly designed to steal sensitive information but could potentially be used to attack a system simply by loading an appropriate payload.
  • Case Study – Stuxnet (1/2)
    Data reported in the Symantec W32.Stuxnet Dossier, Version 1.4 (February 2011):
    • Stuxnet is a threat targeting a specific industrial control system, likely in Iran, such as a gas pipeline or power plant.
    • The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely outside their specified boundaries.
    • Stuxnet is a large, complex piece of malware with many different components and functionalities, including zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface.
  • Case Study – Stuxnet (2/2)
    • Approximately 60% of infected hosts are in Iran; the concentration of infections in that country likely indicates that it was the initial target and where infections were initially seeded.
    • Stuxnet aims to identify those hosts which have the Siemens Step 7 software installed. [Chart: percentage of infected hosts by country with the Siemens software installed; not reproduced in the transcript.]
    • The use of a variety of propagation techniques has meant that Stuxnet has spread beyond the initial target. Further infections are considered unintentional "collateral damage" caused by the promiscuous initial propagation methodology.
  • Cyber conflict, real damage – Impact on citizens (1/3)
    In many cases a cyber attack could lead to the loss of human lives. Potential targets and possible damage:
    • Electronic national defence systems – by hacking the defence system of a country it is possible to control its conventional weapons; think of the possibility of launching missiles against the state itself or against other nations.
    • Hospitals – the electronic systems present in hospitals and health centres could be exposed to cyber attacks that compromise their functioning, with serious consequences.
    • Control systems of critical facilities – a cyber attack could compromise the management system of a chemical plant or a nuclear site, altering production processes and exposing large areas to the risk of destruction.
  • Cyber conflict, real damage – Impact on citizens (2/3)
    • Water supply – water is an essential resource for the population; an interruption of the supply might leave large areas without water, and the alteration of the control system could be a preparatory step for a subsequent attack such as water poisoning.
    • Fully automated transportation control systems and civil and military air traffic control – all those systems that do not require conductors or drivers, or that give significant assistance in the conduct and control of transportation. Imagine the effect of an attack on train control systems or on an air traffic management system.
    • Electricity grid management systems – these are vital systems of a country; by attacking them it is possible to interrupt the electricity supply, bringing a nation's activities to a complete halt: computers, trains, hospitals and telecommunications services. They are privileged targets for cyber attacks, and their defence is fundamental in every cyber strategy.
  • Cyber conflict, real damage – Impact on citizens (3/3)
    • Banking systems and financial platforms – financial systems are critical assets for a nation, and blocking them could cause serious problems such as the block of the economic activities of the target. Although it cannot cause the direct loss of human lives, a cyber attack could bring about the financial collapse of a nation.
    The scenario is worrying if we consider that global finance today is strictly dependent on the economy of each single state: a cyber attack against one state could cause serious and unpredictable consequences for the entire economic system.
    A cyber attack could cause damage similar to a conventional attack, and the cases shown demonstrate the serious impact on citizens.
    "If your enemy's pacemaker has an IP address" – and such devices already exist – "yeah, I think we can kill him," said Maj. Gen. Steven Smith, head of the Army's Cyber Directorate.
  • Cyber attacks, risks and "collateral damage" (1/2)
    • The fallout of the large-scale use of cyber weapons, and of warfare technology in general, has a great effect on the security and privacy of citizens.
    • Different silent malware have been detected all over the world, stealing data and destroying machines. Malware such as Stuxnet, Flame and Gauss are surely the results of state-sponsored projects, and they infect not only the real final target.
    • One of the most dangerous effects of the use of a cyber weapon is the difficulty of predicting its diffusion in cyberspace; let's remember that cyberspace has no boundaries.
    • Gen. John P. Casciano, a former Air Force director of intelligence, surveillance and reconnaissance, U.S. government, declared: "we will never have 100 percent assurance that a cyber offensive will work as planned".
  • Cyber attacks, risks and "collateral damage" (2/2)
    • Today most governments justify their operations with the consideration that their population has more to fear from adversaries than from the unpredictable behaviour of their own cyber offensive. That is totally incorrect!
    • The "boomerang" side effect – many experts are convinced that an agent developed to attack enemy networks could also infect the systems of the country that created it.
    • Possibility of reverse engineering of the code – foreign governments could detect, isolate and analyse the agents, then design and spread new cyber threats that are difficult to mitigate.
  • Cyber weapons in the wild
    • What could happen if malware designed for a specific target or a specific area becomes uncontrollable?
    • These agents are difficult to discover and could operate silently for years, as in the case of the Gauss malware.
    • Malware that remains undetected for a long period could cause serious damage to the final target and also to other entities in cyberspace.
    • The risk of reverse engineering of the code could arm ill-intentioned specialists:
      – Foreign governments
      – Groups of hacktivists
      – Cyber criminals
      – Terrorists
  • Cyber warfare and citizens' awareness
    • Most people are entirely unfamiliar with the term "cyber warfare" and with the real-world impact of cyber operations.
    • This lack of knowledge is considered a factor that could give opponents an advantage in the ongoing "cyber war".
    • COL Thomas Goss, chief of the command's Strategic Initiatives Group, declared: "While technology plays an important role in the cyberspace domain, it is not technology that will win on the 21st century's cyber battlefields. Time after time, in operations and in exercises, it is the people that will make the difference."
    • The 2012 Army Strategic Planning Guidance calls for the service to continue to recruit, educate, train and retain cyber professionals, building a pipeline for the next generation of cyber professionals.
  • Explosion of the 0-day exploit market – impact on the hacking world (1/2)
    • An essential element of a "cyber weapon" is the exploit for an unknown vulnerability, which raises the discussion about its commercial value.
    • The work of hackers is the subject of great interest: the discovery of an unknown vulnerability in a widespread application may be a business opportunity for the hacker, for the manufacturer of the compromised application and for governments.
    • A fundamental factor in this new market is the "instantaneity" of any transaction involving vulnerability information.
    • Regulation would be desirable in this sector, but the problem is far from simple: introducing controls on the trading of such exploits could divert sales to areas that are difficult to monitor, with dangerous consequences.
  • Explosion of the 0-day exploit market – impact on the hacking world (2/2)
    • The commercialisation of this information should lead us to serious reflection on the position of all governments in the transactions mentioned.
    • Governments are really interested in these hacks because they could use them for their cyber operations, such as cyber espionage or the exploitation of target infrastructures.
    • NSA chief General Keith B. Alexander, during the last edition of the DEF CON hacker conference, asked hackers for help in securing cyberspace.
  • Cyber war era – conflict without rules
    The main factors that expose the population to the risk of cyber attacks are:
    • Large-scale diffusion of computers and communication networks.
    • Unmanaged and vulnerable interconnections between critical systems.
    • Rapid evolution of the technological landscape.
    • Lack of boundaries in cyberspace.
    From a regulatory point of view it is essential to answer the following questions:
    • What is meant by the use of force in cyberspace?
    • When should a cyber attack be considered an armed attack?
    • What are the methods and levels of proportionate response to a cyber attack?
    • Which set of rules should apply to this kind of response?
    • How can the legal liability of the actors involved in cyber operations be established?
    • How can national security needs be balanced with the imperative need to protect the individual freedoms of citizens?
  • Is an International Cyber Regulatory Agency Needed?
    "The cyber domain is just like the real world, and in the real world we have treaties and oversight agencies to monitor adherence to them. It works for nuclear weapons, biological and chemical, so why not cyber?" – Eugene Kaspersky
    • The relative simplicity of developing a cyber weapon and the cyber arms race observed in recent years require a globally recognised regulatory framework.
    • A single agency representing all the states of the world would be desirable, to define a body of cyber rules and to regulate the use of cyber weapons and other cyber tools in cyberspace.
    • There is obvious resistance from governments that, at this critical moment, do not want their cyber war capabilities to be limited.
    • It is difficult to predict how the debate will evolve.
  • The Tallinn Manual on the International Law Applicable to Cyber Warfare
    • "The Tallinn Manual on the International Law Applicable to Cyber Warfare" was written by an independent "International Group of Experts" to examine how existing international law norms apply to this "new" form of warfare.
    • The manual tries to clarify the position of states in cyberspace, defining jurisdiction, control and legal responsibilities: «A State bears international legal responsibility for a cyber operation attributable to it and which constitutes a breach of an international obligation.»
    • It provides the following definition of cyber attack: «A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.»
    • The manual provides detailed specifications on targets, highlighting the duty of care during attacks on dams, dykes and nuclear electrical generating stations and the need to protect children, journalists, and medical and religious personnel.
  • The Tallinn Manual – Means and methods of cyber warfare
    • "Means" of cyber warfare are cyber weapons and their associated cyber systems. Cyber weapons are cyber means of warfare that are by design, use, or intended use capable of causing either injury to, or death of, persons.
    • "Methods" of cyber warfare are the cyber tactics, techniques and procedures by which hostilities are conducted. Example: in a DDoS attack conducted using a botnet, the botnet is the "means" of cyber warfare while the DDoS attack is the "method".
    • It is prohibited to employ means or methods of cyber warfare that are of a nature to cause superfluous injury (suffering that is aggravated without military advantage) or unnecessary suffering.
    • Every time means or methods of cyber warfare are used, a legal review is necessary to determine their technical description, the nature of the targets, the effects on the targets, their precision and the scope of the intended effects.
  • Ongoing projects … in daylight
    • Plan X is a DARPA project for the development of cyber warfare technologies.
    • The Air Force Research Laboratory (AFRL) awarded six firms contracts valued at up to $300 million under a programme called Agile Cyber Technologies (ACT), to provide cyber weapons on demand under a form of contracting known as Indefinite Delivery/Indefinite Quantity (IDIQ).
    • The ministries of defence of the Scandinavian nations aim to create malware and exploits to launch online counter-attacks against threats.
    • Taiwan is investing in new cyber warfare capabilities.
    • The Russian Armed Forces, in "Information Environment: Principles, Rules, and Confidence-Building Measures", announce a national need for the development and regulation of cyber weapons.
    • The Chinese PLA is considered a heavy investor in cyber warfare.
  • Improving cyber capabilities
    • NATO (2012, 58M €): upgrading cyber defence capabilities and enabling the NATO Computer Incident Response Capability (NCIRC) to achieve full operational capability by the end of 2012.
    • DARPA (2013 to 2017, 1.54B $): with a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber offence to meet military needs.
    • UK (2012, 650M £): extra investment to develop deterrents to hostile viruses and hackers.
    • Israel (from 2012, 13M $): expense of more than $13 million in the coming years to develop new technologies for cyber defence.
    • China (budget unknown): estimating actual PLA military expenditure is difficult because of poor accounting transparency and China's still incomplete transition from a command economy. Using 2011 prices and exchange rates, the DoD estimates China's total military-related spending for 2011 at between $120 billion and $180 billion. China's cyber security market will expand remarkably in the coming years, from a valuation of $1.8 billion in 2011 to $50 billion by 2020, a compound annual growth rate (CAGR) of 44.7%.
    • Iran (2012, 1B $): in December Tehran announced an ambitious plan to improve its cyber warfare capabilities, developing new technologies and creating a new team of cyber experts.
  • Costs of a cyber weapon (1/2)
    • It is quite impossible to establish an exact cost for the development of a cyber weapon, which depends on many variables.
    • The famous hacker Charlie Miller proposed some plausible figures in his presentation «How to build a cyber army to attack the U.S.».
    • He hypothesized:
      – 592 people
      – $45.9 million in annual salary (average annual salary $77,534)
      – $3 million in equipment
  • Costs of a cyber weapon (2/2) – The army
    Job role                 Units                                   Cost (USD)
    Vulnerability analysts   10 senior, 10 junior                     2,900,000
    Exploit developers       10 senior, 40 experienced, 20 junior     7,300,000
    Bot collectors           50 senior, 10 junior                     4,150,000
    Bot maintainers          200 senior, 20 junior                   12,900,000
    Operators                50 senior, 10 junior                     5,400,000
    Remote personnel         10 senior, 10 junior                       400,000
    Developers               50 senior, 20 junior                     2,850,000
    Testers                  10 senior, 5 junior                        800,000
    Technical consultants    (headcount not stated)                   2,000,000
    Sys admins               (headcount not stated)                     500,000
    Managers                 52                                       6,200,000
    The rows as listed sum to 45,400,000 USD, slightly below the $45.9 million annual salary figure quoted above, and the itemised headcount is 587 plus the unstated consultants and sys admins, against the 592 people quoted; a handful of positions are therefore not broken out in this table.
  • Underestimating the threat – a dangerous approach
    • The concept of a cyber weapon is too "abstract", and for this reason experts underestimate its hazard.
    • To date, government cyber weapons have affected a few thousand people.
    • All publicly known cyber weapons have far less firepower than is commonly assumed.
    • The principal benefit of cyber weapons may be their use in conjunction with a conventional military offensive; this implies that the pay-off of weaponised instruments of cyber conflict may be far more questionable than generally assumed.
    Synthesizing: cyber war would not actually be war because there is no loss of human lives, and the same thought applies to cyber weapons.
  • Cyber security, hype or reality?
    "We are all connected on a vast global network and whoever controls the network controls the world"
  • About Pierluigi Paganini: Chief Information Security Officer, Security Evangelist, Security Analyst and Freelance Writer. Security expert with over 20 years of experience in the field. Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led me to found the security blog "Security Affairs". Today I am CISO for the Bit4id company, a leading firm in identity management, and I work as a writer with some major publications in the security field such as Cyber War Zone, Infosec Island, The Hacker News, Hakin9, PenTesting Magazine, Audit & Standard Mag. and the Independent of Malta journal. Author of the forthcoming book «The Deep Dark Web».
    M.Eng. Pierluigi Paganini
    Chief Information Security Officer, Bit4Id
    www.bit4id.com
    email: ppa@bit4id.com
    Founder, Security Affairs
    http://securityaffairs.co/wordpress
    email: pierluigi.paganini@securityaffairs.co