Black Hat 2007: Lessons of the Estonian attacks

By Bill Brenner, Senior News Writer
26 Jul 2007 | SearchSecurity.com


Cooperation between private groups and public agencies is essential in defending against cyberattacks, according to one security researcher. Gadi Evron, a security evangelist with Beyond Security, will present a case study at the Black Hat Briefings in Las Vegas, outlining some of the lessons learned from the recent coordinated cyberattacks against government and private computer networks in the Baltic nation of Estonia. He will also talk about who may be behind the onslaught and what went right on the part of the Estonians. In this Q&A, he offers a preview of his presentation.

What is the main message you'll want to get across to Black Hat attendees regarding the Estonian cyberattacks?
Gadi Evron: There hasn't been a lot of information about what happened in Estonia, but there has been a lot of commotion and discussion. Once I discuss what actually happened and how Estonia's CERT (Computer Emergency Response Team) responded to the incident, I'd like to try and address the strategic lessons learned. What worked for the defense and for the attackers? I'll discuss the impact and what could be replicated on the part of future attackers and defenders. This has been called the first Internet war. I'm not sure if that's true or an exaggeration, but I'd like to present the details as a case study with the different lessons we can take from it.

Originally there was talk that this was a coordinated effort by the Russians to attack Estonia over some controversy that erupted when Estonia decided to move a Soviet-era WW II memorial. But since then investigators have said it's more likely this was carried out by smaller, independent groups. What is your gut feeling?
Evron: The Internet was built for plausible deniability. We'll never be able to prove through technological means alone who the attacker is. This is one of the basics of information warfare. Although the attacks themselves came from Russian-speaking individuals, the way the attack was orchestrated and the way it changed and adapted to defenses suggests there was some sort of organization behind it. Whether it was a seriously planned operation or some sort of ad hoc coordination between attackers, we may never know for sure. But indications are this was more than ad hoc.

What were some of those indications?
Evron: The attackers kept adapting. They kept getting new information on how to attack and respond to defenses. There were tools used that made us believe there was some work done on this attack that was specific to Estonia.

If you are an IT security officer responsible for defending a private or government network, what are the lessons to be learned from this attack?
Evron: I'd say look at this as a country. We have to realize that the civilian infrastructure for business and private industry is as important if not more so for Internet engagement as what the military and other critical infrastructure like energy, transportation and air traffic [are managing]. What really worked in Estonia was how the CERT and [private entities] cooperated. They openly shared information and did not compete on security. Such coordination in Estonia was easier because it's a small country with only about a million people and the CERT knows everybody.

So this was good cooperation between the private sector and government?
Evron: I would say between the private businesses themselves, between those in the private sector. They shared information instead of competing on security and chose CERT as the main coordinator. Because they did incident response well and coordinated well they gained the upper hand.

I recently asked Howard Schmidt about the role of government vs. the private sector in dealing with cybersecurity and he told me the private sector has a bigger role to play, since the private sector controls a lot of the infrastructure. Do you share that view?
Evron: We all have a role. We are all connected. But while coordination in the private sector was important in the Estonia attacks, CERT was the leader. It is very difficult to coordinate in real time with several hundred or thousands of ISPs. Coordination and cooperation with a centralized incident response [organization] was critical.


All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy