Interested in launching a cyberattack but not sure when to pencil it into your schedule? A new study released Monday might help you decide when an attack is likely to have the greatest impact.
In cyberwarfare, timing is more critical than it might be in conventional warfare, argue Robert Axelrod and Rumen Iliev, University of Michigan professors and developers of a new mathematical model that seeks to “analyze the optimal timing” of your various “cyber resources.”
The reason timing is everything (more than everything?) is twofold: Theoretically, a vulnerability can be exploited only once before the loophole is closed. Bombs are always going to be effective in warfare; Stuxnet, on the other hand, isn’t going to be effective against the Iranians anymore (whether it’s accidentally effective against, say, a Russian nuclear plant, is another story). There’s also the possibility that a vulnerability can be closed before you even launch your attack, making all your coding useless.
So why publish a scientific study that essentially amounts to a guide that could help people who want to launch a cyber attack? Is this the Anarchist's Codebook? The authors suggest in Monday's study, published in Proceedings of the National Academy of Sciences, that the results of their study are “equally relevant to a defender who wants to estimate how high the stakes have to be in order for the offense to exploit an unknown vulnerability.”
So, here’s what you should consider if you’re going to launch a cyber attack (it’s science, people), and what you should look out for if you’re expecting one against your servers.
Stealth: Is your worm sneaky? Is it going to immediately corrupt a computer or make itself obvious? Or is it going to persist for months and months, secretly recording people through their MacBook cameras without turning the little green light on? That’s one of the reasons why Stuxnet was so effective—it steadily sped up Iranian uranium enrichment centrifuges in order to slowly damage—but not immediately destroy—them. It also deleted itself after completing its mission. Tough to catch. If you’ve got a nice and stealthy worm, it’s better to launch it sooner rather than later, because there’s a higher chance of you being able to let it wreak havoc for a while without anyone noticing.
Persistence: Consider how easily the loophole you’re exploiting is plugged. If it can be done in a matter of minutes, you don’t have a very persistent worm. But if it’s going to take a team of programmers months to figure out, your worm can live a long and destructive life. That doesn’t mean that you should go ahead and use a highly persistent worm right away, the authors argue. Instead, you should use a low-persistence attack almost immediately, because “low Persistence implies that the resource has only a small chance of surviving until next time even if you do not use it now.” That means if you own a company, plug up your easy-to-fix holes right away.
Stakes: How mad are you? What are you going to gain from using this attack? Are you likely to gain more if you save it? Israel and the United States launched Stuxnet during the height of Iran-is-trying-to-get-nukes fever, so the stakes were sufficiently high to go for it. Conversely, in response to Stuxnet, Iran launched a series of attacks against Saudi Aramco, a Saudi oil company. The attacks didn’t do much damage, though, and Axelrod and Iliev hypothesize that the attack was launched quickly and sloppily because the Iranian stakes of retaliation were sufficiently high to push out a worm that wasn’t quite ready for primetime.
“Mistakes in the attacking program suggested that the attack was prepared in haste,” they write. “From the point of view of the stakes involved, the Iranians presumably felt that haste was needed to demonstrate to both domestic and international audiences that they were not passive.” So, if you want to retaliate, sometimes it’s worth it just to show the world you can punch back—even if you can’t.
Target: Maybe you don’t want to launch a cyber attack; maybe you just want to sell a zero-day exploit to Microsoft to let them know Internet Explorer is full of holes. Or maybe you want to sell it to someone who has more nefarious thoughts. If that’s the case, do it as soon as you discover the hole. There are supply-and-demand effects at work here, people. The more people get into trying to discover zero-day exploits, the less companies (and cyber attackers) will pay for them. If you're attacking some little-known company or something without many other hackers looking for exploits, feel free to wait longer.
There you have it. You might want to launch your cyberattack the day you've discovered an exploit, but that's not always the smartest route. Consider these few things and you might have some more success, not that that is what we or the authors of this study are at all suggesting that you do.