Tuesday, November 16, 2010

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures within a comprehensive organizational strategy. Odds are that, up to this point, you have devoted the majority of your time and resources to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change priorities and to shift more of your strategy toward "Active Measures." Why? Stuxnet is ground zero for a new generation of cyber weapons aimed at digital infrastructure. Glenn Kessler of the Washington Post explains:

The Stuxnet computer worm that infiltrated industrial systems in Iran this fall may have been designed specifically to attack the country's nuclear program, potentially crippling centrifuges used to enrich uranium gas, according to new research.

In a blog post late last week, a Stuxnet researcher at Symantec wrote that the software firm had concluded that the worm targeted industrial systems with high frequency "converter drives" from two specific vendors, including one in Iran.

Independently, Langner Communications of Germany, a systems security firm, also announced over the weekend that another part of the worm's attack code was configured in a way to target a control system for steam turbines used in power plants, such as those installed at the Bushehr nuclear power plant in Iran. Langner also confirmed that the worm appeared to attack key components of centrifuges.

Ivanka Barzashka, a research associate at the Federation of American Scientists, said the Symantec findings "if true, are very significant."


The attribution game continues, with several suspects for who actually developed, tested and deployed Stuxnet. That question matters less than the realization that sitting back and waiting for the next variant or hybrid cyber weapon to hit your critical infrastructure assets is the passive mode. The most advanced organizations are now taking the proactive stance: not only detecting changes in their environment closer to real time, but starting to hunt down the attackers.

There is a decision point at which you realize that the passive mode will neither buy you time nor redirect your attackers toward other, more vulnerable targets. Your organization will continue to operate with the goal of serving its clients, members or customers, while a "SpecOps" team of internal experts monitors, measures and exercises tactics to legally neutralize the threat in front of them.

Commercial and non-governmental entities are building the means and the capabilities to deter, detect and document who is attacking their digital systems and where those attackers can be found. This intelligence is being shared among private-sector organizations to establish fingerprints, modus operandi and the other evidence required to hunt the attackers down effectively. The next challenge will be how to package it and make sure the proper authorities are notified in a timely manner.

There is no longer a single solution broad enough or deep enough to be distributed across the whole spectrum of companies and organizations. The answers will be specific, customized to the unique environment and infrastructure of a particular enterprise. For that specification to be developed internally and delivered to the right people, you must have the internal mechanisms in place to know in real time what is changing, and how fast it is changing, relative to the normal state.

Does your view extend beyond your own perimeter? Are you looking for the anomalies over the horizon that could affect your network soon? It is one thing to watch for changes at your own perimeter; what about intelligence on the providers and ISPs on the other side of the planet? Do you know where your packets are going and how they are being routed? Just ask the people at Renesys:

Afghans headed to the polls today for parliamentary elections in a tense but hopeful atmosphere. If the Internet has a role to play this year in helping Afghanistan develop a peaceful civil society, it will probably turn on two key developments: cheap GPRS Internet delivered over mobile phones, and strong relationships with neighboring states to provide Internet transit.

In today's follow-up to last week's blog, we present the evidence we see in the global Internet routing tables for a strengthening technical relationship between the Tehran and Kabul governments. In Afghanistan, as in Iraq, Iran now sees an opportunity to export influence by exporting its technological infrastructure.
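
The two questions posed above, "what is changing, and how fast, relative to the normal state" and "do you know how your packets are being routed", come together in the kind of routing-table observation Renesys built its analysis on. The script below is an added example written for this page; it is not Renesys's code or anything from the original post. It learns a baseline (origin AS and the transit ASNs normally seen in front of it) for each prefix from a set of routing-table observations, then flags later observations that deviate: an origin change, an unexpected transit AS in the path, a more-specific prefix appearing under a foreign origin, and path churn above a rate. The prefixes (RFC 5737) and ASNs (RFC 5398 documentation range) are constructed sample data, the "timestamp|prefix|as_path" record format is an assumption rather than any collector's real export, and the churn window and threshold are assumed tuning values. In practice the observations would come from your own BGP sessions or a public route collector.

```python
"""Baseline-vs-observed BGP path checker (added example, constructed data)."""
from collections import defaultdict, deque
from ipaddress import ip_network

CHURN_WINDOW = 60     # seconds; assumed tuning value, not from the post
CHURN_THRESHOLD = 3   # path changes within the window before we alert

# Constructed sample data. Format "timestamp|prefix|as_path" is an assumption.
BASELINE_RECORDS = """\
0|203.0.113.0/24|64500 64501 64496
0|203.0.113.0/24|64502 64501 64496
0|198.51.100.0/24|64500 64503 64497
"""

OBSERVED_RECORDS = """\
100|203.0.113.0/24|64500 64501 64496
110|203.0.113.0/24|64500 64510 64496
120|203.0.113.128/25|64502 64511
130|198.51.100.0/24|64500 64503 64498
131|198.51.100.0/24|64500 64503 64497
132|198.51.100.0/24|64500 64503 64498
133|198.51.100.0/24|64500 64503 64497
"""


def parse_records(text):
    """Yield (timestamp, network, as_path) from 'ts|prefix|as path' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, prefix, path = line.split("|")
        yield int(ts), ip_network(prefix), [int(asn) for asn in path.split()]


def build_baseline(records):
    """Per prefix: the origin ASNs seen and the transit ASNs seen before them."""
    baseline = {}
    for _, net, path in records:
        entry = baseline.setdefault(net, {"origins": set(), "transit": set()})
        entry["origins"].add(path[-1])
        entry["transit"].update(path[:-1])
    return baseline


def covering_prefix(net, baseline):
    """Most specific baseline prefix that strictly covers net, or None."""
    covers = [b for b in baseline
              if b.version == net.version and b != net and net.subnet_of(b)]
    return max(covers, key=lambda b: b.prefixlen, default=None)


def check_routes(baseline, records):
    """Return (ts, kind, prefix, detail) alerts for deviations from baseline."""
    alerts = []
    last_path = {}                     # prefix -> last AS path seen
    change_times = defaultdict(deque)  # prefix -> timestamps of path changes
    for ts, net, path in records:
        origin, transit = path[-1], set(path[:-1])
        if net in baseline:
            ref = baseline[net]
            if origin not in ref["origins"]:          # possible hijack
                alerts.append((ts, "origin_change", str(net), origin))
            elif transit - ref["transit"]:            # unexpected transit/leak
                alerts.append((ts, "unexpected_transit", str(net),
                               sorted(transit - ref["transit"])))
        else:
            cover = covering_prefix(net, baseline)
            if cover is None:                         # never seen, just note it
                alerts.append((ts, "unknown_prefix", str(net), origin))
            elif origin not in baseline[cover]["origins"]:  # sub-prefix hijack
                alerts.append((ts, "more_specific_foreign_origin", str(net), origin))
            elif transit - baseline[cover]["transit"]:
                alerts.append((ts, "unexpected_transit", str(net),
                               sorted(transit - baseline[cover]["transit"])))
        # Rate of change: how fast the path for this prefix is flapping.
        if net in last_path and path != last_path[net]:
            times = change_times[net]
            times.append(ts)
            while times and times[0] < ts - CHURN_WINDOW:
                times.popleft()
            if len(times) >= CHURN_THRESHOLD:
                alerts.append((ts, "churn", str(net), len(times)))
        last_path[net] = path
    return alerts


def run_example():
    """Learn the baseline from the first set, then check the second."""
    baseline = build_baseline(parse_records(BASELINE_RECORDS))
    return check_routes(baseline, parse_records(OBSERVED_RECORDS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Against the sample data this flags the new transit AS 64510 at t=110, the /25 announced under origin 64511 at t=120, the two origin changes on 198.51.100.0/24, and the churn once that prefix has flapped three times inside the window. The baseline is only as good as the observation period it was learned from, so in practice it should be reviewed by someone who knows which providers are legitimately in the path before alerts are acted on.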


In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit" is alive and thriving. A proactive, intelligence-led investigation doesn't begin with a phone call from someone who says "My system is down" or "What does this blue screen mean?" It doesn't start when your VP of Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will remain the aspiration of many, yet be possessed by only a few.