BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Articles Q&A on the Book Cyber Warfare

Q&A on the Book Cyber Warfare

Key Takeaways

  • Attackers, including nation state level hackers, are moving "downstream"
  • Humans now derive their basis for decision-making off of interactions with digital means that they don't control and often have no means of actual validation of the material on which they base those decisions
  • Just like malware, deepfakes and the manipulation of social media will become standard low technical requirement attack vectors in the near future
  • Security is not about technology, it’s about strategy and realizing the space in which one operates
  • The way to be more secure is not by acquiring more technology, but rather by using the right solutions that meet the adversary where they operate.  Strategy is the key factor, not technology

The book Cyber Warfare by Dr. Chase Cunningham explores how organizations can defend themselves against cyber attacks. It provides examples of actual attacks together with defense techniques, tools, and strategies for cybersecurity.

InfoQ readers can download an extract from Cyber Warfare.

InfoQ interviewed Chase Cunningham about cyber warfare, advanced persistent threats, how attackers gain access to systems, why attackers are moving downstream from large corporations and government to smaller businesses, how social media can be used as a tool of cyber warfare, two-factor authorization, how we can test systems for weak points, and what we can do to detect cyber-warfare attacks as early as possible.

InfoQ: Why did you write this book?

Chase Cunningham: I spent so much time reading and analyzing the market and what I found was that no one had really talked about the hard truths around what has historically made security fail. So I took it upon myself to map out the best historical examples of where those failures came from and educate readers on what can and can't actually make a difference. I also wanted to be honest with readers about the historical examples that are related to cyberwarfare. Most folks think that this is all somehow "new”; it’s not. The medium and the motivations might be "new" or different, but the basics and general concepts have been applicable in warfare since the dawn of conflict.  

InfoQ: For whom is the book intended?

Cunningham: Mainly it’s for cyber security leadership and professionals who are engaged in the strategy and technology decision-making side of things. But I think almost anyone can get something out of the book, as I wrote it to speak to a broad audience. I have readers from all over the world who continually email me saying they got something out of the book. Honestly, mostly I am excited by the general everyday readers who seem to learn something new in the text. I also have quite a few very technical readers who haven't thought about the issues around drone security and autonomous vehicles who say they learned something new thanks to the book.

InfoQ: How would you define cyber warfare?

Cunningham: The use of digital means to impose one entity’s will on another via targeted exploitation operations. Most people think about cybercrime when they actually are talking about cyberwarfare. Cybercrime is basically just using electronic means to steal some other organization’s data or information. Cyberwarfare is when nation states and adversaries conduct coordinated actions using electronic mediums to achieve some sort of outcome. Cyberwarfare is a much "bigger" stage and has a potentially larger impact than cybercrime in my experience.

InfoQ: What are the characteristics of advanced persistent threats?

Cunningham: Mainly that they are patient and willing to work for years, if not decades to gain the upper hand in the digital battlefield. Advanced persistent threats (APT) are the dominant force in cyber warfare but it’s important to remember that this is the only battlefield in history that is always "livefire" and every person or device that touches the world wide web is transitioning through a conflict zone. The most pressing point to think about in reference to an APT is that they have the time, patience, and resources to conduct operations that may take years to come to fruition. Interestingly, most people think that they are active targets for APT operations. In reality most of the time the APT’s of the world, of which the US is one, aren’t interested in the typical business or user. They might use those accesses and resources as part of their bigger operation, but the average user or business is not the end objective for most APT operations. They are after larger targets.

InfoQ: What kind of targets are advanced persistent threats after?

Cunningham: This is a hard question. In truth, like I say in my book, APT’s don’t really "care" about the everyman organizations or the general citizen. They are aimed at national level imperatives and have the time and resources to do so. However, they will use low hanging fruit and easy targets that have communications and connections to the government organizations and bigger enterprises to gain access. So the answer is they are focused on big government and enterprise-level compromises, but they will use smaller organizations and basically anyone that they can get to in order to achieve their objective.

InfoQ: How do attackers gain access to systems, what techniques do they use?

Cunningham: The tactics haven’t really changed in over three decades. Bad passwords, phishing, weak authentication, stuff everyone has known for years. It’s not super amazing hacking that continues to plague organizations, it's bad basics and a lack of acceptance of the power that simple failures have in cyber warfare. Mainly this has continued because security tooling has been hard to implement and has been too impactful for users. If you think about it we have done the user a disservice by making security tooling something that only a security engineer would want to use. The moment a security solution causes a negative experience the first thing a user will do, is think "How do I get around this?" Which negates the benefit of that tool and increases the risk to that enterprise.

InfoQ: You mentioned in the book that attackers are moving downstream, from large corporations and government to smaller businesses. What's the reason for this?

Cunningham: It’s an easier target. More small businesses are now online and have had to connect into those larger entities to do business. So the bad guys follow that same trend because they know they can gain entry into a small firm easier than a large one due to the usual lack of funding and focused security operations.

InfoQ: How can social media be used as a tool of cyber warfare?

Cunningham: We all collectively interface with social media at some point, and influencers are now a dominant point of play in the market. All one has to do is manage to gain access to a powerful influencer and introduce a questionable thread of conversation into the social media stream and the effects can be profound. And with the proliferation and democratization of news as a globally distributed medium and with the right approach, the truth cycle can be manipulated at scale. Right now we are in a perfect scenario for this to take place. There has already been an example of a white supremacist organization exploiting a Twitter account’s password for a prominent member of the Black Lives Matter group and then using that account to spread false information to thousands of followers. Luckily, in that instance they noticed something was wrong and were able to act to counter that activity but it could have resulted in a riot and human loss of life if the wrong tweets were sent to the wrong people in this politically-charged time.

InfoQ: What's your view on two-factor authorization?

Cunningham: Must have, turn it on now! There are plenty of studies that show the efficacy of adding an additional step for authentication. Consider that when the gas stations added in the multi-factor authorization for credit card purchases, where you must add in your pin or zip code to buy gas, they saw a 97 percent reduction in fraud in five days nationally. That one thing is so powerful that it can be the difference between a hack and an end of days exploitation.

InfoQ: How can we test systems for weak points?

Cunningham: I think it’s needed for organizations to use virtual tooling to enable testing and get validation that things are configured optimally. You wouldn't build a bridge without a CAD design; why build an infrastructure with no virtual planning or testing? I mentioned one of the most focused tools for this type of approach in my book, Hyperqube. They have a very innovative way of using virtualization to make this possible. If you accept that this is needed, which it is, then you should consider leveraging a system like this to conduct this type of testing. And for the record, I am not talking about malware sandboxes; I am saying build, design, and test infrastructure for compromises at scale. There is a nuanced difference there.

InfoQ: What can we do to detect cyber-warfare attacks as early as possible?

Cunningham: Be proactive and monitor as much as possible with a focus on usable metrics. Not just analytics, that leads to analysis paralysis. Data should yield outcomes and metrics and anomalies should be able to prompt an action, not just inform one of problems. Personally I think this is where UEBA fits, User Entity Behavior Analytics. Using these types of systems you can see what users are doing and what they are accessing, and look for the normalities.  If you can do that then you can see what they are doing that is anomalous. Remember, it will be the users that get hacked, not a firewall. By observing what they are looking at and how they “act” on the net, you gain insight and can actually use those analytics to intersect a potential issue. 

About the Book Author

Dr. Chase Cunningham focuses on helping senior technology executives with their plans to leverage comprehensive security controls and the use of a variety of standards, frameworks, and tools to enable secure business operations. His work focuses on integrating security into operations; leveraging advanced security solutions; empowering operations through artificial intelligence and machine learning; and planning for future growth within secure systems.

 

Rate this Article

Adoption
Style

BT