Inside Cyber Warfare - Jeffrey Carr [53]
Since states do not currently use active defenses, any decision to use them will be a controversial change to state practice. Like any proposal that changes the way states do business, it is bound to be met with criticism on a number of fronts. However, there is sound legal authority to use active defenses against states that violate their duty to prevent cyber attacks. States that violate this duty and refuse to change their practices should be held responsible for all further attacks originating from within their borders in accordance with the law of war. At a time when cyber attacks threaten global security and states are scrambling to find ways to improve their cyber defenses, there is no reason to shield sanctuary states from the lawful use of active defenses by victim-states, and every reason to enhance state defenses to cyber attacks by using them.
Chapter 5. The Intelligence Component to Cyber Warfare
There are various models of intelligence collection and analysis that are in use by the professionals employed within the 16 agencies that comprise the US intelligence community (IC). These legacy approaches served the government well while threats were emanating from the physical domain.
The advent of a netcentric world has changed the threat environment dramatically and, as a result, governments and private corporations need to reassess how they collect and analyze intelligence on the emerging threats that will impact them.
The recent and as yet unsourced attacks against US and South Korean government websites that began over the Independence Day weekend in July 2009 are an interesting case in point.
Another is the set of August 2009 DDoS attacks launched against a single Georgian blogger, which knocked Twitter offline and substantially degraded access to Facebook and LiveJournal.
Project Grey Goose (PGG) investigators looked at both incidents, along with established Internet security companies, US-CERT, and the usual collection of government agencies charged with such tasks. This chapter focuses on how PGG research was done and the conclusions that were reached. It also presents the findings of other agencies and proposes some ideas about how and why radically different findings can emerge from the same set of facts.
Finally, this chapter suggests a new approach to conducting cyber intelligence that takes into account the unique problem set associated with cyberspace in general and cyber attacks in particular.
The Korean DDoS Attacks (July 2009)
The first set of information that came into the hands of Project Grey Goose investigators was the technical characteristics of the attacks. This information is typically shared between Internet security firms and is fairly objective and noncontroversial.
The best technical analysis came from the Vietnamese security firm BKIS. Figure 5-1 shows a breakdown of what was known about the attacks after BKIS gained control of two of the command and control (C&C) servers.
Figure 5-1. BKIS diagram of the MyDoom attack program
Thanks to information shared between KR CERT and AP CERT (of which BKIS is a member), BKIS researchers were able to gain access to two of the C&C servers and determined that the botnet was controlled by a total of eight C&C servers. The zombie PCs in this botnet were instructed to log onto a different, randomly chosen server every three minutes.
More importantly, the researchers discovered the existence of yet another server, located in the UK, which acted as a master server by controlling the eight C&C servers. This prompted BKIS to name the UK as the source of the attacks.
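The rotation scheme described above (each bot re-selecting one of a small pool of C&C servers at a fixed three-minute interval) is visible from the victim's own side, without access to any C&C server, as periodic outbound beaconing to a recurring set of destinations. The following is an added example, not code from the book or from BKIS, that flags such hosts in a constructed firewall-style log. The log format (`epoch src dst`), the jitter tolerance, the minimum pool size and the TEST-NET addresses are all assumptions made for the example.

```python
"""Spot hosts that beacon to a rotating pool of C&C servers at a fixed interval.

The July 2009 bots reportedly picked one of eight C&C servers at random
every three minutes. From a single victim network, that appears as one
internal host making outbound connections at ~180 s spacing to a small,
recurring set of external addresses. This script clusters those streams.
"""
from collections import defaultdict
from statistics import median
import random

BEACON_INTERVAL = 180   # seconds, the interval described in the text
JITTER = 10             # tolerated deviation per gap (assumption for this example)
MIN_POOL = 3            # fewer distinct destinations could just be a load balancer


def parse_line(line):
    """Parse 'epoch src dst' (a constructed log format, not a real product's)."""
    ts, src, dst = line.split()
    return int(ts), src, dst


def find_rotating_beacons(lines, interval=BEACON_INTERVAL, jitter=JITTER, min_pool=MIN_POOL):
    """Return {src: {"pool": [...], "median_gap": s}} for sources whose outbound
    connections recur at roughly `interval` seconds across >= min_pool hosts."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_src[src].append((ts, dst))

    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        if len(conns) < 4:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        regular = sum(abs(g - interval) <= jitter for g in gaps)
        pool = {dst for _, dst in conns}
        # Most gaps must match the beacon interval, and the destinations must
        # form a pool rather than a single server, before we call it rotation.
        if regular >= 0.8 * len(gaps) and len(pool) >= min_pool:
            flagged[src] = {"pool": sorted(pool), "median_gap": median(gaps)}
    return flagged


def make_sample_log(seed=1):
    """Constructed sample log: one bot rotating through 8 fictional C&C hosts
    every 3 min (+/- 3 s), and one benign host browsing at irregular intervals."""
    rng = random.Random(seed)
    cc_pool = [f"203.0.113.{i}" for i in range(1, 9)]   # TEST-NET-3, fictional
    lines = []
    t = 1_246_924_800
    for _ in range(80):
        lines.append(f"{t} 10.0.0.5 {rng.choice(cc_pool)}")
        t += BEACON_INTERVAL + rng.randint(-3, 3)
    t = 1_246_924_800
    for _ in range(80):
        lines.append(f"{t} 10.0.0.9 198.51.100.{rng.randint(1, 50)}")
        t += rng.randint(5, 600)
    rng.shuffle(lines)   # logs are rarely sorted per source; the detector sorts
    return lines


if __name__ == "__main__":
    for src, info in find_rotating_beacons(make_sample_log()).items():
        print(f"{src}: median gap {info['median_gap']}s, pool {info['pool']}")
```

The detector only sees the C&C pool that the local bot happened to contact; it says nothing about the master server above the pool, which is exactly why BKIS needed control of C&C servers themselves to find the UK host. A random choice among eight servers also means a short capture may miss some of the eight, so pool size is a lower bound.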
If the South Korean government (ROK) had wished to retaliate against the botnet authors,