Every morning in Africa, a gazelle wakes up. It knows it must run faster than the fastest lion or it will be killed. Every morning a lion wakes up. It knows it must outrun the slowest gazelle or it will starve to death. In the African savanna, it doesn't matter whether you are a lion or a gazelle—when the sun comes up, you better start running.
- African Proverb
Military historians teach us that one of the key factors in the technological advancement of the human race is the military funding of science. It is a known fact that many of the technologies and products we use in our daily life originated from military projects and developments. Canned food, for example, was developed for the French army during the Napoleonic Wars. GPS, developed by the US Department of Defense, was authorized for civilian use by President Reagan. The Internet and the Onion Routing made their first steps in DARPA-funded labs. Many inventions from the fronts of four dimensions of warfare—land, air, sea, space—found their way to the private sector, affecting our lives.
In the last couple of years, the world was given a few glimpses behind the scenes of the fifth dimension of warfare: cyber.
According to a June 1 New York Times article, Stuxnet, a cyberweapon discovered in 2010 by a Belarusian antivirus company, was created for sabotage purposes. About a year later, another computer worm named Duqu was discovered. According to Symantec, Duqu was designed to gather intelligence from industrial infrastructure and systems manufacturers. It was created by the authors of Stuxnet or by authors who had access to the Stuxnet source code. The New York Times article, describing an intelligence operation called “Olympic Games,” was published only four days after the discovery of Flame (aka Flamer or sKyWIper), now considered the most complicated and sophisticated computer worm the world has ever seen.
Unlike Stuxnet, which aims to sabotage, Flame is an espionage tool, with abilities to exploit most of the hardware of the infected computers—taking screenshots, gathering information on network traffic from Wi-Fi and other network devices, recording keystrokes, using microphones as bugging devices, connecting to nearby Bluetooth devices and stealing information, downloading from storage devices and many other capabilities that have not yet been fully analyzed.
Security researchers agree that the complexity and the sophistication level of Stuxnet, Duqu and Flame indicate that they could only have been developed by government-supported entities.
When powerful cyberweapons such as these worms leave the state-level battlefield boundaries, they present new challenges to the information-security industry and to the private sector. It will not be long before global crime organizations invest in developing new malware, employing the same amount of resource as governments do. The risk maps of every major private sector organization—be they financial institutions, energy companies, pharmaceutical manufacturers or military contractors—are about to change dramatically in the near future. It is up to us, IT auditors and information-security experts, to think ahead and lead the way in responding to this new environment. We have to adjust our way of thinking and analyzing security and adapt quickly, embracing new methodologies.
In the face of sophisticated cyberweapons, the existing monitoring-and-signature-based detection-and-prevention systems are not sufficient. Information security will have to transform to the next phase—proactivity.
Staying vulnerable while waiting for a security patch from your software vendor is an anachronistic method that won’t survive this new world. The private sector will have to find creative ways to defend itself against this new level of threat, originated in the "special ops" world. Developing tools capable of dealing with zero-day exploitation is a necessary step, but it cannot stand on its own. Going after the malicious attackers before they are able to commit attacks is the desired approach, just as intelligence organizations are tracking the activities of terrorist cells, trying to stop them before they take action.
Cyberintelligence in the private sector is about applying counter-intelligence methods, both defensive and offensive, in order to protect organizations. While in the last decade the emphasis was on the defensive approach, we now see more and more information-security companies offering their services in gathering information on specific threats against organizations.
In a recent publication under the code name "#OPEatTheRich," there appeared a list of some of the largest luxury-goods companies in the world. The publication encouraged its readers to cause as much damage as they could to these companies, including getting their customer data, intellectual property, and emails, and performing DDoS attacks. Recognizing these kinds of threats in their early stages will provide crucial preparation time for organizations.
But why stop there?
Applying offensive counter-intelligence methodologies from the HUMINT (Human Intelligence) and SIGINT (Signal Intelligence) disciplines against specific threats enables organizations to subvert hostile attacks. Going after the attackers, infiltrating their ranks and sabotaging their resources, is the missing part of the information-security approach for the private sector.
It is time to stop running from the lion. It is time to equip the gazelle.
CEO, Security Compliance
ISACA Israeli Chapter Member
Continue the conversation…engage with your peers in the Cybersecurity section in ISACA’s Knowledge Center.
We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post. To view all blog posts, please click on the ISACA Now link in the blue box on the left.