On February 12, 2013, President Obama issued an executive order intended to improve the cybersecurity of the United States. This is the second of the three strategic imperatives in the President’s executive order:

2) Enable Efficient Information Exchange by Identifying Baseline Data and Systems Requirements for the Federal Government

A secure, functioning, and resilient critical infrastructure requires the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators. This must facilitate the timely exchange of threat and vulnerability information as well as information that allows for the development of a situational awareness capability during incidents. The goal is to enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems.

Greater information sharing within the government and with the private sector can and must be done while respecting privacy and civil liberties. Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee information sharing properly.

This information exchange principle is central to the cybersecurity strategy of the United States:

[Figure: CSIRT coordinated incident management]


The core of the CSIRT process is this cycle:

[Figure: CSIRT process]

D/A stands for a random Department of America. ISAC stands for Information Sharing and Analysis Centers, which are sector-specific.

Information sharing is very useful in defending against threats. When vulnerabilities are discovered, defensive measures can be taken and damage minimized. However, our adversaries have figured out the CSIRT model. As Dr. Frederick Chang, former NSA Director of Research, warns:

… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.

In cyberwarfare our adversaries are not using the same attack on numerous victims over time, which would allow victims to pool their knowledge and defend themselves. In Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt, the New York Times reported on the ineffectiveness of security software in the face of ever-changing attacks. Attackers don’t send the same malware to successive victims; each victim is attacked with unique malware. Attackers don’t pump out fake email from an unchanging domain and wait for the victims to find them; attackers now send email from single-use, throw-away domains. Detection strategies all depend upon the discovery of anomalous behavior, so attackers go to great lengths to cover their tracks and avoid detection. While the CSIRT model is useful, cyberwarfare is more accurately described by this model from Carnegie Mellon University:
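The point above, that a blocklist of known-bad domains cannot keep up with single-use sender domains and that detection has to look for anomalous behavior instead, can be shown on a small mail log. The following script is an added example written for this page, not code from the original post or from Iconix; the log lines, the domain names, the blocklist and the historical baseline are all constructed, and the simplified "from=/to=/subject=" log format is an assumption chosen for readability. It contrasts a signature check (does the sender domain appear on a list?) with a first-seen check (has this organization ever received mail from that domain before?).

```python
"""First-seen sender-domain detection over a constructed mail log.

Added example (not from the original post). A static blocklist only catches
domains that were already reported, so a throw-away domain used for a single
spearphishing run is never on it. Tracking sender-domain novelty against a
baseline of domains the organization has historically received mail from
flags such domains on their first appearance.
"""
from collections import defaultdict
import re

# Constructed: a reputation list as a feed might supply it. Only one domain is known-bad.
KNOWN_BAD_DOMAINS = {"bad-known.example"}

# Constructed mail-log lines in a simplified syslog-like form (assumed format):
# "<timestamp> from=<address> to=<address> subject=<text>"
SAMPLE_LOG = """\
2013-02-13T08:01:12 from=alice@partner.example to=bob@corp.example subject=Q1 figures
2013-02-13T08:05:40 from=news@vendor.example to=bob@corp.example subject=Newsletter
2013-02-13T09:12:03 from=alice@partner.example to=carol@corp.example subject=Re: Q1 figures
2013-02-13T09:30:55 from=hr@corp-example-payroll.example to=bob@corp.example subject=Updated payroll form
2013-02-13T10:02:17 from=admin@bad-known.example to=carol@corp.example subject=Account notice
2013-02-13T10:15:44 from=alice@partner.example to=dave@corp.example subject=Q1 figures v2
2013-02-13T11:48:09 from=it-helpdesk@corp-secure-login.example to=dave@corp.example subject=Password reset required
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject=(?P<subject>.*)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def blocklist_hits(events):
    """Signature approach: only senders whose domain is already listed are flagged."""
    return [e for e in events if sender_domain(e["sender"]) in KNOWN_BAD_DOMAINS]


def first_seen_alerts(events, baseline_domains=frozenset()):
    """Novelty approach: flag the first message from any domain not in the baseline.

    baseline_domains is the set of domains the organization has received mail
    from historically (constructed here; in practice it is built from weeks of
    prior log). Each new domain is reported once, then added to the seen set.
    """
    seen = set(baseline_domains)
    alerts = []
    for e in events:
        d = sender_domain(e["sender"])
        if d not in seen:
            seen.add(d)
            alerts.append({"ts": e["ts"], "domain": d, "rcpt": e["rcpt"], "subject": e["subject"]})
    return alerts


def single_use_domains(events):
    """Domains that appear exactly once in the log: the throw-away pattern the post describes."""
    counts = defaultdict(int)
    for e in events:
        counts[sender_domain(e["sender"])] += 1
    return sorted(d for d, n in counts.items() if n == 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    baseline = {"partner.example", "vendor.example"}  # constructed historical baseline
    print("blocklist hits:", [e["sender"] for e in blocklist_hits(evs)])
    for a in first_seen_alerts(evs, baseline):
        print("first-seen domain:", a)
    print("single-use domains:", single_use_domains(evs))
```

On the constructed log the blocklist catches one message, while the first-seen check against the baseline surfaces all three domains that had never mailed the organization before, including the two that impersonate internal functions. The single-use count alone is not a verdict: the legitimate newsletter domain also appears once, which is why novelty relative to a historical baseline, not rarity by itself, is the useful signal.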

[Figure: Chasing what’s already gone]

The black portion is from Carnegie Mellon University research. We have added the red to show the role of spearphishing. This model starts with the inevitable vulnerabilities that exist in systems. The upper branch from Vulnerability is the attacker’s process. Spearphishing is a common means used to introduce the malware into the targeted system. It is critical to note that the first mover in the attack is the adversary. The adversary attacks, and until that attack is discovered, the adversary is accomplishing its objectives. This timeline from the same Carnegie Mellon University research details the attack phase:

[Figure: Attack timeline]

In the case of the recently discovered Red October campaign, the attack went undetected for five years. Regrettably, as a recent attack on aerospace firms demonstrated, the time between the release of a patch and the completion of deployment can be quite long, leaving unpatched systems vulnerable to known attacks for long periods.

There is a critical asymmetry in the cyberwarfare model: the attackers work in secret, the defenders work in the open. Every time an exploit is discovered, the discoverers publish their findings and a patch is released. The attackers use this information as research to fashion their future attacks.

Having created a software exploit, the attacker needs to install the exploit on the targeted system. Email is used by attackers because email is ideally suited to facilitate infiltration. As this video demonstrates, a person with technical expertise can quickly create and transmit a convincing deceptive email. Spearphishing, the use of deceptive emails to induce victims to compromise their systems, is an important tool in the cyberwarrior’s arsenal. Spearphishing is the installation path of choice. Trend Micro estimates 91% of attacks come by email and, of those, 94% use malicious attachments. Cybersecurity is at great risk from email-based deception.

Iconix has released a new whitepaper, Email – Preventing Deception. In this whitepaper we discuss how spearphishing works, how the email interface is susceptible to manipulation by bad guys, and how the patented Iconix technology prevents deception in email, thereby helping people defend their systems from attacks by other people. You can contact us at 408-727-6342, ext. 3 or use our online form.
