
Black Hat 2007: Lessons of the Estonian attacks

Cooperation between private groups and public agencies is essential in defending against cyberattacks, according to one security researcher. Gadi Evron, a security evangelist with Beyond Security, will present a case study at the Black Hat Briefings in Las Vegas outlining some of the lessons learned from the recent coordinated cyberattacks against government and private computer networks in the Baltic nation of Estonia. He will also talk about who may be behind the onslaught and what the Estonians got right. In this Q&A, he offers a preview of his presentation.

What is the main message you'll want to get across to Black Hat attendees regarding the Estonian cyberattacks?
There hasn't been a lot of information about what happened in Estonia, but there has been a lot of commotion and discussion. Once I discuss what actually happened and how Estonia's CERT (Computer Emergency Response Team) responded to the incident, I'd like to try and address the strategic lessons learned. What worked for the defense and for the attackers? I'll discuss the impact and what could be replicated on the part of future attackers and defenders. This has been called the first Internet war. I'm not sure if that's true or an exaggeration, but I'd like to present the details as a case study with the different lessons we can take from it.

Originally there was talk that this was a coordinated effort by the Russians to attack Estonia over some controversy that erupted when Estonia decided to move a Soviet-era WW II memorial. But since then investigators have said it's more likely this was carried out by smaller, independent groups. What is your gut feeling?
The Internet was built for plausible deniability. We'll never be able to prove through technological means alone who the attacker is. This is one of the basics of information warfare. Although the attacks themselves came from Russian-speaking individuals, the way the attack was orchestrated and the way it changed and adapted to defenses suggests there was some sort of organization behind it. Whether it was a seriously planned operation or some sort of ad hoc coordination between attackers, we may never know for sure. But indications are this was more than ad hoc.

What were some of those indications?
The attackers kept adapting. They kept getting new information on how to attack and respond to defenses. There were tools used that made us believe some of the work done on this attack was specific to Estonia.

If you are an IT security officer responsible for defending a private or government network, what are the lessons to be learned from this attack?
I'd say look at this as a country. We have to realize that the civilian infrastructure for business and private industry is as important, if not more so, for Internet engagement as what the military and other critical infrastructure like energy, transportation and air traffic [are managing]. What really worked in Estonia was how the CERT and [private entities] cooperated. They openly shared information and did not compete on security. Such coordination in Estonia was easier because it's a small country with only about a million people and the CERT knows everybody.

So this was good cooperation between the private sector and government?
I would say between the private businesses themselves, between those in the private sector. They shared information instead of competing on security and chose CERT as the main coordinator. Because they did incident response well and coordinated well, they gained the upper hand.

I recently asked Howard Schmidt about the role of government vs. the private sector in dealing with cybersecurity.
We all have a role. We are all connected. But while coordination in the private sector was important in the Estonia attacks, CERT was the leader. It is very difficult to coordinate in real time with several hundred or thousands of ISPs. Coordination and cooperation with a centralized incident response [organization] was critical.
