While preventing ransomware attacks and data theft tend to be top priorities for corporate IT security teams, awareness is increasing of the growing threats posed by cyber warfare.
Cyber warfare attacks are designed to weaken, disrupt, or destroy the infrastructure of their victims. They tend to be mounted by nation states, state-sponsored groups, and so-called ‘hacktivists’.
Such attacks have been evident for more than a decade, and their sophistication and potential impact have been constantly increasing. High-profile examples include the Stuxnet worm that appeared back in 2010, attacks designed to influence the US election in 2016, and ongoing attacks against Ukraine designed to cripple vital infrastructure such as power grids.
According to the Australian Cyber Security Centre, the agency received 67,500 cybercrime reports in the 2020-2021 financial year, up 13% on the previous year and equating to one report every eight minutes. In order to combat the situation, Cyber Security Minister Clare O’Neil has announced the establishment of a 100-strong standing cybercrime operation targeting hackers, led by federal police and the Australian Signals Directorate.
At the same time, to stay up to date with new and emerging cyber warfare techniques and threats, security teams need to make use of a range of information sources. These include everything from mainstream news websites to industry groups, the dark web, and even competitors. When it comes to battling against cyber warfare attacks, it is best to put aside traditional rivalries and share any data that is available.
Like other types of security threats, cyber warfare relies on the distribution of malware. If this code is successfully introduced into a target’s IT infrastructure, the potential for damage or disruption is significant.
Reverse engineering the threat
When a security team identifies suspicious malware, the first step is to observe how it behaves and its intended goals. Once this is understood, closer attention can be placed on understanding the mechanics of the code and the ways in which vital infrastructure can be protected.
Teams should also take advantage of threat reports regularly issued by IT security vendors. These reports will explain the risk being posed by the cyber warfare incident and the techniques being used.
The reports will also provide details of the likely indicators of compromise (IOCs) so that security teams will know what they should be monitoring for. IOCs can be added to an organisation’s security monitoring platform to provide additional oversight of the infrastructure.
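Vendor reports usually publish IOCs in a defanged form (hxxp, [.]) that will never match live telemetry verbatim. The following Python script, added here as an example rather than taken from the article, normalises such a list and checks it against log lines; every indicator value and log entry in it is a constructed placeholder.

```python
import re

# Constructed IOC block in the defanged style used in vendor threat reports.
# Every value is a made-up placeholder for illustration, not a real indicator.
REPORT_IOCS = """
hxxp://update-check[.]example-malicious[.]test/stage2
203[.]0[.]113[.]42
sha256: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

# Constructed log lines: a DNS query log, two proxy logs and an EDR file event.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z dns client=10.0.0.7 query=update-check.example-malicious.test type=A",
    "2024-05-01T10:02:12Z proxy src=10.0.0.7 dst=203.0.113.42:443 method=CONNECT",
    "2024-05-01T10:03:40Z proxy src=10.0.0.9 dst=203.0.113.421:80 method=GET",  # must NOT match
    "2024-05-01T10:05:02Z edr host=ws17 file=C:\\Users\\a\\stage2.dll "
    "sha256=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0",
]

_HASH_RE = re.compile(r"^[0-9a-f]{64}$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(value: str) -> str:
    """Undo report defanging (hxxp, [.], [:]) so values can match live logs."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_iocs(report: str) -> dict[str, str]:
    """Return {indicator_value: type}; URL indicators are reduced to their hostname."""
    iocs: dict[str, str] = {}
    for raw in report.strip().splitlines():
        value = refang(raw.strip().lower())
        if value.startswith("sha256:"):
            value = value.split(":", 1)[1].strip()
        if value.startswith(("http://", "https://")):
            iocs[value.split("/")[2].split(":")[0]] = "domain"  # hostname only
        elif _HASH_RE.match(value):
            iocs[value] = "sha256"
        elif _IPV4_RE.match(value):
            iocs[value] = "ipv4"
        else:
            iocs[value] = "domain"
    return iocs


def match_logs(iocs: dict[str, str], lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, ioc_type, value) for each log line containing an IOC.
    Boundary lookarounds stop 203.0.113.42 matching inside 203.0.113.421;
    lowercasing handles hashes that EDR tools emit in upper case."""
    patterns = {v: re.compile(r"(?<![\w.])" + re.escape(v) + r"(?![\w.])") for v in iocs}
    hits = []
    for no, line in enumerate(lines, start=1):
        text = line.lower()
        hits.extend((no, iocs[v], v) for v, pat in patterns.items() if pat.search(text))
    return hits


if __name__ == "__main__":
    for hit in match_logs(parse_iocs(REPORT_IOCS), SAMPLE_LOGS):
        print("IOC hit on line %d (%s): %s" % hit)
```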
US executive order boosts attention
Here in Australia, the Cyberwarfare Operations branch of Cyber and Electronic Warfare Division within the Department of Defence “undertakes the research and development of new and novel concepts, technologies and techniques in order to enable autonomous, resilient and effective cyber capabilities with an operational edge in the face of ubiquitous encryption, untrustworthy ICT and a highly dynamic and sophisticated threat environment.”*
In the US, the significant threats posed by cyber warfare attacks were highlighted recently when US President Joe Biden issued an Executive Order. The fact that he deemed it necessary to issue such an order emphasises the clear dangers that countries around the world are facing.
The Order highlights the fact that these threats cannot be countered just through government action. It is also important that potential victims take proactive steps to harden their security measures.
There are six key recommendations contained in the Order that organisations around the world should be acting on. They are:
- Sharing information: Mechanisms should be put in place to allow the rapid sharing of threat information between organisations of all sizes. One option is to join a threat sharing group that can disseminate data as soon as it becomes available.
- Improving government cybersecurity: Governments at all levels need to take the steps necessary to improve their own levels of IT security. This could involve following a zero-trust strategy or taking advantage of secure cloud services.
- Enhancing software supply-chain security: Organisations also need to evaluate their existing software supply chains and identify any potential weaknesses.
- Developing standardised government IT security playbooks: This will ensure that, should a cyber warfare attack occur, security teams will know the steps that should be taken in response. Each playbook should be regularly reviewed and updated.
- Boosting vulnerability detection capabilities: Both public and private-sector organisations need to have the ability to detect and identify threats. There is a wide range of tools on the market that can help to achieve this.
- Improving investigative and remediation capabilities: Automating these tasks can significantly improve the security posture of an organisation. Security teams should consider deploying tools that collect event logs and can scan for suspicious traffic.
In Australia, the government has recently legislated positive cybersecurity obligations for businesses deemed ‘critical infrastructure’, across 11 industries. The obligations require over 2,000 businesses to develop a risk management program to address cyber security. In addition, recent high-profile cyber breaches have also led to increased penalties for businesses that do not sufficiently protect customer data.
By undertaking the key recommendations contained within the US Executive Order and recommendations from the Australian Government, organisations can be much better placed to respond to a cyber warfare incident should one occur. Past incidents have shown the massive destruction and disruption that such attacks can cause and so taking preventative steps is invaluable.