Of Sleepers and Warnings
When a security crisis takes place in the physical world some things are certain: who is threatening whom, how, and (most of the time) why. This is not the case for cyber-crises, as the hand pointing the gun can be hidden in the Dark Net and the gun itself may have been planted in the enemy's network years before.
A good example of a hidden cyber-gun is EternalRocks, the computer worm that infects Microsoft Windows machines using a few exploits originally developed by the United States NSA. Once landed on the victim's machine, e.g. via a phishing email, EternalRocks' small infecting module (or carrier) installs Tor, the anonymity network that conceals the origin of Internet traffic. After a random "incubation period", the carrier uses Tor to connect to a remote server and downloads a full Trojan horse that allows the remote attacker to control the victim machine and propagate across the networks it is connected to.
Compared with "civilian" threats like the WannaCry ransomware, which infected 230,000 computers in May 2017, EternalRocks does no immediate harm to its hosts. It just hides on a disk, renaming itself to escape detection, and then stays dormant for months, even for years, until the time comes for a "soft" attack aimed at collecting and stealing information stored on the host, or for a generalized attack to clog the victim's network.
Simple as it is, EternalRocks is the quintessential "sleeper" module. Experience has shown that putting up a cyber-wall once an enemy has installed hundreds of "sleepers" inside your defense perimeter is useless. Human engineers may well spend nights in front of screens showing network traffic, trying to detect the moment when sleepers are activated; but sleeper modules only generate traffic at random intervals, waiting for bursts of network activity to hide their footprints. This makes traditional attack-identification techniques based on traffic patterns ("signatures") useless against sleepers. Artificial Intelligence models like Recurrent Neural Networks can be equipped with long-term memory to find, remember and correlate statistically rare events and zero in on sleepers; but only a few defenders have that type of capability.
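The contrast drawn above, between matching known traffic signatures and correlating statistically rare events, can be made concrete without a neural network. The script below is an added illustration, not code from the original essay and not a model of EternalRocks itself: over a constructed one-day flow log (hostnames ws-01 to ws-04, an intranet server, and the RFC 5737 documentation address 203.0.113.7 standing in for an unknown external endpoint) it marks hours whose connection count is far above the daily median as "bursts", finds destinations that a single host contacts only a handful of times, and reports the pairs whose every rare connection lands inside a burst. A one-off print job during a quiet hour stays unreported; two tiny check-ins timed to coincide with the busy hours do not. The thresholds (twice the median, at most three flows) are assumptions chosen for the sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One outbound connection record: when, from which host, to which destination."""
    ts: datetime
    src: str
    dst: str
    nbytes: int


def build_sample_flows():
    """Constructed flow log for one working day (not real traffic).

    Four workstations talk to an intranet server all day, with traffic bursts
    in the 09:00 and 13:00 hours. One host also makes two tiny connections to a
    single external address, each placed inside a burst: check-ins timed to
    hide among legitimate activity.
    """
    flows = []
    day = datetime(2024, 1, 15, 8, 0)
    hosts = ("ws-01", "ws-02", "ws-03", "ws-04")
    for hour in range(9):                       # 08:00 .. 16:00
        per_host = 30 if hour in (1, 5) else 6  # bursts at 09:00 and 13:00
        for host in hosts:
            for i in range(per_host):
                ts = day + timedelta(hours=hour, minutes=i * (60 // per_host))
                flows.append(Flow(ts, host, "intranet.example", 4096))
    # A benign one-off: a print job during a quiet hour (11:12).
    flows.append(Flow(day + timedelta(hours=3, minutes=12), "ws-02", "printer.example", 2048))
    # Constructed check-ins to a documentation-range address (RFC 5737), inside both bursts.
    flows.append(Flow(day + timedelta(hours=1, minutes=17), "ws-03", "203.0.113.7", 512))
    flows.append(Flow(day + timedelta(hours=5, minutes=41), "ws-03", "203.0.113.7", 640))
    return flows


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def burst_windows(flows, factor=2.0):
    """Hours whose flow count exceeds `factor` times the median hourly count."""
    per_hour = Counter(hour_bucket(f.ts) for f in flows)
    threshold = factor * median(per_hour.values())
    return {h for h, n in per_hour.items() if n > threshold}


def rare_destinations(flows, max_flows=3):
    """Destinations reached by exactly one source host, at most `max_flows` times."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    return {
        dst: fl for dst, fl in by_dst.items()
        if len(fl) <= max_flows and len({f.src for f in fl}) == 1
    }


def find_burst_hidden_destinations(flows, factor=2.0, max_flows=3):
    """Return (src, dst) pairs whose rare connections all fall inside burst hours.

    A rare destination alone is not suspicious (one-off print jobs are rare too);
    the correlation with bursts is what this heuristic keys on.
    """
    bursts = burst_windows(flows, factor)
    hits = []
    for dst, fl in rare_destinations(flows, max_flows).items():
        if all(hour_bucket(f.ts) in bursts for f in fl):
            hits.append((fl[0].src, dst))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in find_burst_hidden_destinations(build_sample_flows()):
        print(f"review {src}: rare destination {dst} contacted only during traffic bursts")
```

On the constructed data the script reports the single pair ws-03 to 203.0.113.7. The point is the shape of the logic rather than the thresholds: a signature has nothing to match on two 600-byte connections, whereas keeping a memory of which destinations are unusual and when they were reached is enough to surface them, which is the capability the paragraph attributes to models with long-term memory.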
There is a moment, though, when sleepers are easy to identify: when they are intentionally "burnt" by their controllers to deliver a retaliation attack. For attackers, depleting their fifth columns to deliver a message may or may not be a good idea, depending on how resourceful the defenders are and how steady their nerves. Only time will tell.