Year 0 Begins ... Nations Prepare ... The Cyberwar Timer Ticks
After years of skirmishes in cyberspace, 2016 looks like the proper start of cyberwar, and we should all be frightened, as a cyber attack could damage a nation as much as a conventional one. In a rather strange announcement, the US has said it will perform a high-impact cyber attack against the Kremlin. This follows accusations that the Kremlin interfered in the 2016 US election:
“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process” reads the statement.
“We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” a senior administration official told AFP.
“The public should not assume that they will necessarily know what actions have been taken or what actions we will take.”
It seems strange to announce an attack, as it takes away the normal secrecy around covert activity. At present there is no definitive proof that the Kremlin actually carried out the hack, and the motives are unclear, but some have said that the Kremlin favours Donald Trump (who has praised Vladimir Putin). If you are interested, I am going to outline my investigation at:
Estonia thinking ahead
Just imagine waking up to find that there had been a massive cyber attack on your country by a large nation state, and that, within hours, all of the major governmental systems had been compromised and the Internet infrastructure had failed. The data used by your government could have been destroyed. So, if your country has been progressive in its adoption of electronic services, the government would have no health care records, no birth certificates, no social care records ... all of it would be gone!
The threat of cyber warfare is real, and it is increasing. Small nations, especially, fear an attack from larger ones, particularly where key critical infrastructure, such as the power network, can be controlled remotely, or in the face of a massive denial-of-service attack.
Previously, in 2007, Estonia was hit by a suspected cyber attack from another nation state, and it has now decided to proactively look at moving copies of its data to the UK for protection. Currently it mirrors its core governmental data in data stores in its own embassies around the world, but this is the first move to formalise the storage of that data outside the country.
The data stored will include information on citizens, such as birth records, along with government documents. For Estonia the UK is seen as a relatively safe place against attack, with a proactive approach to data protection. The 2007 attack took out Estonian infrastructure for several days.
Overall, Estonia has embraced the Internet like few others, and has managed to put most of its government services on-line, including voting, paying taxes and virtually everything else.
A fragile infrastructure?
Many strategists know that the most fragile part of the Internet infrastructure is the energy supply: networks will not survive if they cannot run on back-up power for sustained periods. For a fault this might be a few hours, but a cyber attack may last for many days or weeks. The other area of robustness is the ability to cope with a sustained Distributed Denial of Service (DDoS) attack against the gateway elements of the UK network infrastructure.
While peak attacks are a worry, and have brought down sites like the BBC, a sustained attack can cause many problems as it often involves valid connections being dropped. Verisign, for example, observed a sustained attack lasting over one month and peaking at 125Gbps.
In the Cyber Age our adversaries can come from many directions, including hacktivists and nation states. For serious cyber warfare, the starting point would often be to trip the power stations which supply the data centres hosting the core routing elements of the network. As was seen with the BT outage, this is likely to disrupt the network, as UPSs and back-up generators sometimes do not work as they are meant to. Even with back-up power, most systems are designed to survive on it only for short periods, and will shut themselves down after a few hours.
Sustained attack against a nation?
Apart from tripping the power supplies for the key elements of the core network infrastructure, a likely focus for cyber attackers is a Distributed Denial of Service attack against the main gateways of the country. Here the Verisign Denial of Service Report for 2016 gives some fairly shocking high-level statistics:
- Number of Attacks: 111% increase (year on year).
- Peak Attack: 274 Gbps and 56 million packets per second.
- Average Peak Attack: 19.37Gbps (41% of attacks peaked above 10Gbps).
- Typical type: 64% were UDP floods (21% TCP, and 9% IP fragmentation).
Attack rates have generally increased over the years, along with the bandwidth of links, with a majority of attacks in 2016 running at over 5Gbps, and the number of attacks has increased greatly within 2016.
What is certain is that the speed of attacks has increased over the years, with a large proportion of attacks in 2016 running at over 10Gbps, and over 87% at over 1Gbps. Most of the attacks used reflection, where DNS and NTP servers, which provide core services within the network, are abused to swamp the target network with traffic.
DNS is required for domain name resolution, and without it the Internet just wouldn't work, as we would have no idea of the IP address of a destination server. It is, though, a weak protocol from a security point of view, yet essential for the network to work.
In such an attack, open DNS servers become the reflectors: the attacker sends lookups with a forged (spoofed) source address, so that the servers send their responses, typically many times larger than the query, to the targeted server rather than back to the attacker. The traffic then swamps the victim's network connections, and it is almost impossible to filter it out without bringing down the whole of the network.
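One way to spot the reflection pattern just described in flow records, as an added example (not code from the original article): replies from DNS/NTP service ports arriving at a host that never sent the matching queries, from many distinct servers at once. The flow field layout, the constructed sample flows (RFC 5737 documentation addresses), the thresholds and the assumed request sizes used to estimate amplification are all assumptions for illustration.

```python
"""Added example (not from the original article): flagging a DNS/NTP
reflection flood from UDP flow records.

Constructed sample data and assumed field layout; the addresses are from the
RFC 5737 documentation ranges and the thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list; extend as needed)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Assumed size of the request that provokes a reply, used only to estimate the
# amplification factor (a standard NTP packet is 48 bytes; a short DNS query
# is about 64 bytes on the wire)
REQUEST_BYTES = {"DNS": 64, "NTP": 48}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def make_sample_flows():
    """Constructed flows: a little legitimate traffic plus a reflection flood."""
    flows = [
        # Host 203.0.113.10 asks resolver 198.51.100.5 and gets a normal answer
        Flow("203.0.113.10", 41234, "198.51.100.5", 53, "udp", 62, 1),
        Flow("198.51.100.5", 53, "203.0.113.10", 41234, "udp", 190, 1),
        # Host 203.0.113.20 syncs its clock; NTP uses port 123 on both sides
        Flow("203.0.113.20", 123, "198.51.100.7", 123, "udp", 76, 1),
        Flow("198.51.100.7", 123, "203.0.113.20", 123, "udp", 76, 1),
    ]
    # Flood: 40 open resolvers deliver ~3 KB answers the victim never asked for
    for i in range(40):
        flows.append(Flow(f"192.0.2.{i + 1}", 53, "203.0.113.10", 443, "udp", 5 * 3000, 5))
    # Multi-vector: 8 NTP servers join in with monlist-style replies
    for i in range(8):
        flows.append(Flow(f"192.0.2.{100 + i}", 123, "203.0.113.10", 80, "udp", 20 * 440, 20))
    return flows


def find_reflection_victims(flows, min_reflectors=10):
    """Return {victim_ip: summary} for hosts receiving replies from many
    reflector services they never queried within the same flow set."""
    # (client, server, service port) triples the client really did query
    solicited = {(f.src_ip, f.dst_ip, f.dst_port)
                 for f in flows if f.proto == "udp" and f.dst_port in REFLECTOR_PORTS}

    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0,
                                      "per_service": defaultdict(lambda: [0, 0])})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in solicited:
            continue  # a reply to a query the host actually sent
        v = per_victim[f.dst_ip]
        svc = REFLECTOR_PORTS[f.src_port]
        v["reflectors"].add(f.src_ip)
        v["bytes"] += f.nbytes
        v["packets"] += f.packets
        v["per_service"][svc][0] += f.nbytes
        v["per_service"][svc][1] += f.packets

    report = {}
    for victim, v in per_victim.items():
        if len(v["reflectors"]) < min_reflectors:
            continue
        # mean reply size per packet divided by the assumed request size
        amp = {svc: round((b / p) / REQUEST_BYTES[svc], 1)
               for svc, (b, p) in v["per_service"].items()}
        report[victim] = {
            "reflectors": len(v["reflectors"]),
            "bytes": v["bytes"],
            "packets": v["packets"],
            "services": sorted(v["per_service"]),
            "amplification": amp,
        }
    return report


if __name__ == "__main__":
    for victim, info in find_reflection_victims(make_sample_flows()).items():
        print(victim, info)
```

The solicited set is what keeps the heuristic honest: a resolver answering a query the host really sent is not a reflector, and because NTP uses port 123 on both ends the check works on (client, server, port) triples rather than on source port alone. The amplification figures are only as good as the assumed request sizes, so treat them as a rough indication, not a measurement.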
Finger on the pulse of the Internet
Akamai Technologies delivers content across the Internet and is responsible for around 30% of all Web traffic. They thus have their finger on the pulse of the Internet, with servers all over the world providing fast content delivery. There is a good chance that you're receiving this page via one of Akamai's servers. So if a user in Japan wants to access Facebook, Akamai is likely to serve them the page from a server located in their own country.
So this week Akamai Technologies announced that Distributed Denial of Service attacks are the most worrying threat at present, and that their sophistication increases by the day. They recently monitored a sustained attack of 363Gbps (57 million packets per second) against a media outlet. This is the type of attack which few companies, let alone a nation state, could cope with for a sustained period. The main method is the reflection attack, where valid servers are used to generate large amounts of traffic, and the protocol most often used is DNS.
Gaming companies, such as Sony and Microsoft, and media organisations, such as the BBC, have all recently been hit by outages caused by DDoS. Even Pokemon GO was targeted by a hacking group, which took the game off-line for a considerable time.
Akamai report that the increasing number of botnets has made it difficult to stop DDoS and trace its source. The top sources of DDoS traffic are Vietnam, Brazil and Colombia.
Largest attack
Verisign outline that multi-vector attacks were often used, with a range of protocols involved, aiming to completely exhaust the resources of the network infrastructure. For many companies the capacity of network links has moved up through 1Gbps (Gigabit Ethernet) to 10Gbps (Ten Gigabit) on the core network. New switched networks are now moving up to 40Gbps (40G) and even 100Gbps (100G). While most of the current spend is on 10G networks, the majority of spending will focus on 40G and 100G by 2020.
The largest volumetric attack was a multi-vector attack using UDP, Internet Control Message Protocol (ICMP) and TCP flood traffic, together with DNS and NTP reflection. At its peak it reached 274 Gbps, used UDP ports 53 and 80, and was sustained for over five hours at more than 200 Gbps.
Sustained attacks
While peak attacks are a worry, a sustained attack can cause many problems as it often involves valid connections being dropped. Verisign observed one sustained attack lasting over one month and peaking at 125Gbps. It used multiple methods, such as DNS reflection, fragmented packet attacks, ICMP floods and various TCP floods (SYN flood, connect flood, and so on), along with a Christmas Tree flood (TCP packets with every flag set).
Common targets
Cloud and IT providers, such as Amazon and Azure, are the most exposed, accounting for almost 32% of attacks, with the finance sector involved in 27%. The highest average throughput was targeted at telecommunications providers (38Gbps) and media outlets (32Gbps average). Telecommunications providers are obviously exposed as they carry the traffic flows.
Ability to decimate a country
With our increasing dependence on the Internet, an all-out attack against a country is likely to bring down its critical infrastructure, especially around energy supplies. Without power our data centres would crash, along with the control systems for our transport network. Few transport systems would still work in a large-scale cyber attack: airlines would stop all their operations, and disruption of the traffic light infrastructure would bring deadlock within hours.
Former Secretary of Defense William Cohen sent a cold sweat down many leaders' backs, including industry leaders, when he outlined that a major outage on the power grid would cause large-scale economic and social damage. At the core is the limited ability to run for short periods on UPS (uninterruptible power supply), and then on generators, to keep networked equipment and servers running; a major outage would affect the core infrastructure, which often lacks the robustness of corporate systems. His feeling is that an outage on the grid would cause chaos and civil unrest throughout the country.
Alarm bells have been ringing for a while: Janet Napolitano, former Department of Homeland Security Secretary, has warned of a cyber attack on the power grid, and Dr. Peter Vincent Pry (a former senior CIA analyst) has said that the US is unprepared for an attack on its electrical supply network, and that such an attack could:
take the lives of every nine out of ten Americans in the process.
The damage that a devastating EMP (electromagnetic pulse), such as from a nuclear explosion, can do has long been well known, but many now think that the complex nature of the interconnected components of the network and their control system infrastructure (typically known as SCADA, supervisory control and data acquisition) could be the major risk.
As the world becomes increasingly dependent on the Internet, we have built robustness into the ways that devices connect to each other and the multiple routes that packets can take. But with no electrical power, the core routing functionality will simply be disabled.
In the US, Senator Joe Lieberman (I-CT) introduced a bill named "Protecting Cyberspace as a National Asset Act of 2010", which was seen as the "Kill switch bill", as it would give the President the power to take over parts of the Internet.
How would a country cope with initial phases of a Cyber Attack?
Perhaps the recent attempted coup in Turkey gives a hint of the type of scenario we would see in a cyber attack, where internal control of the network causes a disruption in service provision.
For this, as with many finance companies, countries need to invest in a 24x7 SOC (Security Operations Centre) for critical infrastructure, which monitors the complete network and data infrastructure and can control and manage a potential attack.
In an attack it is likely that the Security Operations Centre would take control of the internal network and limit access to services. Five initial stages could be:
- Stage 1: Take-over. The first thing the network and security engineers will have to do in a cyberwar attack is take control of the traffic, otherwise the country's own citizens will crash the internal infrastructure. The challenge in this phase is to control the internal load while dealing with external pressures. These days many services use Cloud systems, so throttling back external traffic could also disrupt the network.
- Stage 2: Coping with the threat. As Stage 1 happens, security analysts are likely to be analysing the external threats, such as a large-scale Distributed Denial of Service, and trying to understand how to cope with an external (or internal) attack without affecting the internal network. The plans would then have to be carefully intertwined to make sure that any control on the external threat does not affect the internal operation of the infrastructure. A large-scale crash would be almost impossible to cope with, as servers and services are normally interconnected, and the whole infrastructure would take a while to recreate itself. Like it or not, much of the infrastructure still requires a great deal of human intervention.
- Stage 3: Observation and large-scale control. At this stage we will see the Chernobyl Nuclear Power Plant effect, where the most important alarm on the system was swamped by less important ones. Alerts will be coming in on system crashes and problems, so plans must be in place to filter these alerts so that only the most important ones are fed to analysts, who can then try to put plans in place to overcome the problems before the infrastructure collapses. While many have tried to model the complex behaviour of our network infrastructure, it is almost impossible to predict, so security and network analysts will have to cope with the large-scale disruption and decide how to keep the core infrastructure up and running. A key focus of this stage would be to make sure that military, transport, energy, health and law enforcement systems were given the highest priority, along with financial systems (as the shock wave of a disruption to the economic infrastructure of the country could be long lasting).
- Stage 4: Observation and fine control. At this stage we would reach some stability, and lesser alerts could be dealt with. These might relate to services which are less important but which need to be sustained. A key focus would be to protect the financial and commercial interests of the country.
- Stage 5: Coping and restoring. The final stage is likely to be restoring normality and recovering systems which may have been damaged in some way. In a cyber warfare event this could be an extremely costly process, especially if the country has not coped well with the attack.
A failure to cope with the initial attack could make it extremely difficult to take control of the situation and also to recover from it.
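The Stage 3 problem above, the one critical alarm drowned in a storm of lesser ones, is a filtering and ranking problem, and this added example (not code from the original article) shows one way a SOC pipeline can handle it: repeats of the same signature on the same asset are collapsed into one aggregated alert, and what remains is ranked by severity with sector criticality as the tie-breaker, using the priority ordering the stage describes. The alert format, the numeric weights, the window size and the constructed sample alerts are assumptions for illustration.

```python
"""Added example (not from the original article): keeping the one alarm that
matters visible during an alert storm.

The alert format, the sector weights and the sample alerts are assumptions
constructed for illustration; the sector ordering follows Stage 3 above.
"""

# Higher number = served first (assumed weights, ordering as in Stage 3)
SECTOR_PRIORITY = {
    "military": 6, "transport": 5, "energy": 5, "health": 4,
    "law_enforcement": 4, "finance": 4, "retail": 1,
}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def score(alert):
    """Severity dominates; sector criticality orders alerts of equal severity."""
    return SEVERITY[alert["severity"]] * 10 + SECTOR_PRIORITY.get(alert["sector"], 0)


def triage(alerts, analyst_capacity=5, dup_window=60):
    """Collapse repeats of the same signature on the same asset within a
    fixed dup_window-second window into one aggregated alert, then rank.

    Returns the ranked queue handed to analysts, how many aggregated alerts
    are still waiting, and how many raw alerts were absorbed by aggregation.
    """
    buckets = {}
    for a in alerts:
        key = (a["sector"], a["asset"], a["signature"], a["ts"] // dup_window)
        b = buckets.get(key)
        if b is None:
            buckets[key] = {"sector": a["sector"], "asset": a["asset"],
                            "signature": a["signature"], "severity": a["severity"],
                            "first_ts": a["ts"], "count": 1}
        else:
            b["count"] += 1
            if SEVERITY[a["severity"]] > SEVERITY[b["severity"]]:
                b["severity"] = a["severity"]  # keep the worst severity seen
    # Highest score first; among equals the noisiest, then the earliest
    ranked = sorted(buckets.values(),
                    key=lambda b: (-score(b), -b["count"], b["first_ts"]))
    return {
        "queue": ranked[:analyst_capacity],
        "backlog": max(0, len(ranked) - analyst_capacity),
        "suppressed": len(alerts) - len(ranked),
    }


def make_sample_alerts():
    """Constructed storm: 300 identical IDS hits on retail web servers would
    bury a single critical alert from an energy-sector controller."""
    alerts = [{"ts": t, "sector": "retail", "asset": f"web{t % 3}",
               "severity": "medium", "signature": "SYN flood"} for t in range(300)]
    alerts.append({"ts": 150, "sector": "energy", "asset": "rtu-substation-7",
                   "severity": "critical", "signature": "unauthorised Modbus write"})
    for t in (10, 20, 30):
        alerts.append({"ts": t, "sector": "finance", "asset": "payments-gw",
                       "severity": "high", "signature": "auth brute force"})
    return alerts


if __name__ == "__main__":
    result = triage(make_sample_alerts())
    for item in result["queue"]:
        print(score(item), item["sector"], item["asset"], item["signature"],
              f"x{item['count']}")
    print("backlog:", result["backlog"], "suppressed:", result["suppressed"])
```

With the sample storm, the 304 raw alerts collapse to 17 aggregated ones, the substation alert goes to the top of the queue and the finance brute-force attempts come second, ahead of every retail SYN-flood bucket. Aggregation keeps the worst severity seen in a bucket so that a single critical hit is never averaged away by hundreds of medium ones on the same asset.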
The creation of a Cyber Generation in the UK
For Estonia it is a natural move to back up its data in a safe harbour, and the UK is seen as a country with both physical defences, such as fairly independent power supplies, and the electronic defences to cope with a cyber attack. While a DDoS attack will always be The UK has some of the best SOCs in the world, and places like London, Glasgow and Edinburgh now run 24x7 SOCs which monitor attacks against the banking and retail industries. With organisations such as GCHQ and the NCA promoting education at virtually every level, we see the foundations of a country which takes cyber security seriously.
There is also a progressive approach to penetration testing, with GCHQ and the Bank of England pushing forward the CBEST scheme, in which banks are probed for a range of threats. Lloyds, in fact, was one of the first to complete CBEST, showcasing the drive within the industry. Lloyds proactively pushed forward its security infrastructure, moving beyond seeing security as just a compliance and auditing issue. Nation states and governments around the world could thus learn a great deal from the finance sector and how it copes with cyber attacks.
The drive in the UK on cyber security has been good, especially in the protection of our key market sectors, but it requires continual evaluation of the risks involved. Estonia considering the UK as a safe base for its data perhaps showcases that the UK's data infrastructure has now developed to support a resilient home for data. In Edinburgh, for example, we perhaps have more SOCs per head of population than most other cities in the world, as the core industry which needs to be protected is here, and, hopefully, we can provide highly skilled security analysts.
Conclusions
While few countries could cope with a massive DDoS attack without major outages, in the UK the core data protection infrastructure is still strong. The US is one of the few countries that could cope with a large-scale attack, as it has gateways distributed across its coasts; other countries do not have such a privileged infrastructure. Most countries now, hopefully, will be taking the risk of cyber warfare seriously.
I can only see nation states learning from the finance industry in the UK; they need a vast investment in SOCs to protect their country, as the cost could be the loss of their nation. At present, the largest demand for our graduates is coming from SOC and security data analysis, so we have invested in our own training infrastructure, as we see scenario-based training as the future for preparing those who must cope with attacks, and thus with cyber warfare.
The public cloud is certainly no place to store your nation's data, and you need 24x7 operations to guard it. So as countries around the world look for a safe place to protect their data in the face of a cyber attack, few places can match the UK for infrastructure, skills base, natural physical qualities, stability and drive for advancement in cyber security.
For the UK, with its increasing role in cyber security, the nation could become an even stronger place as a possible EU exit looms, and leaders must see the cyber security industry as one of the key economic drivers of the future. One thing it needs is to continue to attract and keep the smartest people in cyber security from around the world, along with building its core educational and research infrastructure. In this way we both create a defensive capability and build economic development.