Cyber collateral damage a concern for all, says Lancope

All organisations could be affected by cyber attack collateral damage, says network security firm Lancope

Not all organisations are targeted by cyber espionage or destructive cyber attacks sponsored by nation states, but all organisations could be affected by collateral damage, according to network security firm Lancope.

As global governments openly discuss offensive and defensive needs and capabilities, the issue of collateral damage is becoming increasingly important.

A good example of this is when hacktivist groups such as the Syrian Electronic Army (SEA) attack perceived enemies of those they support, said Tom Cross, director of security research at Lancope.

Several prominent Western media organisations were targeted in May by the SEA, which supports the government of Syrian president Bashar al-Assad.

“Organisations need to recognise that hacktivist blowback affects everyone in computer security – it is a reality rather than a hypothetical scenario,” he told Computer Weekly.

But not only are organisations hit by hacktivists the victims of collateral damage, other organisations may be targeted for their intellectual property that is valuable to competitors in other parts of the world.

Organisations need to recognise that hacktivist blowback affects everyone in computer security – it is a reality rather than a hypothetical scenario

Tom Cross, Lancope

This means that targets of sophisticated intrusion malware may not necessarily hold state secrets or be involved in government-related industries such as defence or suppliers of critical national infrastructure.

Sophisticated security threats demand advanced protection

According to Cross, there are differences in the nature of this kind of attacks that challenge the traditional approach that organisations take to protecting their computer networks.

“The traditional approach is fine for dealing with broadly targeted, financially motivated criminal organisations that mostly use known vulnerabilities to accomplish their goals,” he said.

However, Cross said in the context of nation-state activity, much more sophisticated targeted threats are involved because they are based on vulnerabilities that no-one else knows about.

“This means the whole strategy of protecting networks against known threats is not necessarily effective against sophisticated threat actors,” he said.

More on cyber weapons

Cross said this requires a different approach by organisations, which need to build the capability to find bad things going on in their networks that have not been seen before.

This involves focusing on incident response capabilities, he said, including their ability to understand what malware is doing on their network, what systems are affected and how it is communicated.

“It is only from a complete understanding of an incident that organisations can protect themselves from future incursions by attackers whose aim it is to maintain control of the target systems,” said Cross.

Ultimately, the concern in a post-Stuxnet era is that future attacks will be destructive, particularly for organisations that operate something that would be valuable to destroy, such as a power or water plant.

“This means organisations have to consider this as a possibility in their security strategy so that it is not just about protecting against run-of-the-mill malware,” said Cross.

Astonishingly, he said, there is an assumption that systems that run critical infrastructure are not connected to the internet.

“In practice, we find even if there are no direct connections, there are secondary connections that make it possible for malicious software exploits to get into these networks and affect how they operate,” he said.

Cross said the first step is becoming aware that this can happen and then looking at what steps can be taken to prevent it from happening in future.  

Defence strategy must consider collateral damage

Although Stuxnet was designed to limit collateral damage by affecting only particular kinds of control systems, organisations around the world were still infected by Stuxnet.

“I would argue that this is a type of collateral damage as there is a cost associated with that,” said Cross.

Malware writers make mistakes. Such mistakes could result in broader consequences of malware than its authors intend

Tom Cross, Lancope

The reality, he said, is that future malware of this nature could have collateral effects on a variety of different organisations because history has shown that malware writers make mistakes.

“Such mistakes could result in broader consequences of malware than its authors intend, which is something that needs to be considered by all organisations,” said Cross.

Another collateral effect of such kinds of malware is that they expose vulnerabilities that other malicious actors can exploit until a patch is released and all systems are patched, he said.

Pressure from businesses to enable information sharing often leads to networks not being segmented properly so that infections can be easily isolated and contained.

“Also organisations tend to be focus only on perimeter defences, and consequently they do not spend much time thinking about what happens after the perimeter is breached,” said Cross.

Typically, he said, such organisations do not have good visibility of the inside of their network, they do not have good internal segmentation, and they are not monitoring what is going on,” he said.

Cross said organisations need to recognise that sophisticated attackers will get past perimeter defences, and they need to ask themselves what is the next logical step in evolving their defence capability.

“Security professionals need to recognise that collateral damage is a reality that they are going to have to deal with and should therefore take into consideration in their defence strategies,” he said.  

Read more on Hackers and cybercrime prevention