17 Apr 2017

Guarding against the rise in terrorist cyber skills


Cyber crime adds a powerful new weapon to the terrorists’ arsenal and it’s only a matter of time before they deploy it, argues cyber security expert Israel Barak, talking to defence writer Peter Jackson.

Israel Barak was there at the birth of the cyber attack and went on to see it grow and develop into a global threat.

Cyber crime adds a powerful weapon to the terrorists’ arsenal and it’s only a matter of time before they deploy it says cyber security expert Israel Barak.

Israel Barak

He started his career in cyber security some 20 years ago with the Israel Defence Forces where he served for about 12 years and where he founded and led the IDF’s Red Team unit.

This team focused on cyber offence to test various targets such as IP (internet protocol) enterprise networks, critical infrastructure and weapons systems. He then went on to work for the Israeli Government where he spent a couple of years doing similar work in the fields of intelligence and counter intelligence.

He subsequently left to build a private consulting firm specialising in cyber crime with a particular focus on Eastern Europe, Russia and China. Later he integrated that operation with Citigroup and he is now Chief Information Security Officer with Cybereason.

He says: “I’ve had my share of time looking at offensive, defensive and counter intelligence related cyber from different angles, both as it relates to nation state actors and terrorist groups as well as advanced cyber crime actors.’’

Cybereason is based in Boston with an R&D office in Tel Aviv and regional offices in London and Tokyo, and it has nearly 300 staff who focus on detecting and responding to advanced threats in networks. Its clients number large companies across a number of sectors, including defence contractors such as Lockheed Martin as well as players in the finance, health care and manufacturing sectors.

He explains: “Basically, we collect information from the network and try to identify those abnormal patterns that are indicative of what we refer to as a cyber operation. Usually these type of activities may take days, weeks or months in which the attacker carries out a significant set of activities.’’

Cybereason looks for behavourial indicators of certain stages of a cyber operation which enables them to build a ‘storyline’ of what happened.

An area of growing international concern in the cyber sphere is the terrorist threat.

“It’s an interesting ecosystem,’’ says Barak. “Traditionally terrorist organisations were considered to be low tech with very basic skills in relation to cyber and IT in general. But as those organisations grow and especially as they assume a semi-military structure and discipline, such as ISIS or Al Qaeda, they meet a growing need in their IT and cyber skills for multiple reasons.’’

These he summarises as: a need to streamline their internal operations with a more sophisticated infrastructure; a desire to make better use of online resources for propaganda and recruitment; and the need to maintain their own operational security.

Barak argues that this presents defence contractors with opportunities to develop and maintain cyber intelligence collection and lawful interception systems, particularly for gaining access to suspected devices and networks and also for the analysis of captured data.

Hitherto, none of these developments on the part of terrorists has constituted a specific cyber threat; but that, he believes, is about to change.

“As those organisations become more established they also look to expand their arsenal of asymmetric weapons and tactics that allow an organisation to inflict significant damage on its adversaries which is potentially far beyond what it can inflict in conventional military confrontation.’’

Using cyber, terrorists will select targets which will enable them to inflict significant physical or moral damage – this will include critical infrastructure such as energy production or communications.

“The assumption is that terror organisations are going to be able to cross that bar into launching cyber operations in the very short term,’’ says Barak.

He believes that the most significant resource that most terror organisations currently lack to carry out cyber operations is sufficiently skilled individuals, but – again – that is changing.

He explains: “Initially setting up a cyber operation entails just a couple of individuals with computers; and if those individuals know what they are doing, then over a relatively short amount of time they can establish a pretty high-impact cyber operation. So, I think that this shortage in their talent pool is something we can expect to change in the near future. We are seeing a global trend of significant proliferation of talent and knowhow from nation state actors into the private sector.’’

There are also a growing number of operators in the fields of cyber crime and industrial espionage who are developing their TTPs (Tool Techniques and Procedures) in operational security to a high level.

“There’s still a gap between a talented individual joining a cyber crime or industrial espionage group which, in most cases, is driven by personal gain; and joining a terrorist group which, in most cases, is driven, at least in part, by ideology,’’ says Barak.

“But those boundaries become greyer and greyer every day, especially as it relates to working for, or being recruited by, some of the more well-established terror groups.’’

There has also been a growing trend for radicalisation to lead people into sympathising with the goals of certain terror organisations. Furthermore, argues Barak, as nation states scale up their own cyber operations and train individuals to carry them out we can expect to see an accelerated proliferation of skilled operators.

Recruiting such individuals gets a terrorist group a long way down the road to mounting a cyber attack.

“It often doesn’t take a lot to create a high-impact cyber operation,’’ argues Barak. “Even among asymmetric weapons, it’s something that doesn’t require a lot of resources. If you have the right individual with a computer they can create the next generation of APT (Advanced Persistent Threat) [a network attack in which an unauthorised person gains access to a network and stays there undetected for a long period].”

Barak points out that is doesn’t need to be the same individual who gains access to a network as the one who pushes the button – or clicks the mouse – to launch the attack.

In the face of this growing threat he argues that nation states must concentrate more on protecting critical infrastructure, which he describes as the ‘soft underbelly’’ of any technologically developed society. This, he believes, is a significant area where defence contractors can contribute.

“Nation states invest heavily in protecting their classified networks and weapon systems; but, as it relates to critical infrastructure, it’s often done by private organisations. What we are seeing is that government regulation and guidance on it are partial and lacking in the majority of nation states while in other nation states they are almost non-existent.’’

Cybereason offers a defence against cyber attacks on an operational network of a facility. According to Barak, most organisations will have established security operations and networks but they find it hard to integrate an ability to detect and respond to such abnormalities. Cybereason’s software will collect data from devices supporting the OT (operational technology) network and analyse it on an ongoing basis to monitor for abnormalities that could indicate an attack.

“It puts most of them at a significant risk because essentially they are always protecting the perimeter from external access, but we all know how creative attackers can get in gaining access to a network – it can be as simple as plugging a USB drive into a machine. There are a wide array of creative ways to get past perimeter defence. And, in most OT networks, once you’re in, the security operations centre has limited to no visibility into what’s happening there.

“If you don’t have an ability to detect things that are happening inside your network and respond, then you can expect to be breached pretty easily. The first time the organisation is going to meet the attacker is when they’re causing the actual damage and not before that, which gives them slim to no opportunity to respond.’’

Recent events demonstrate a growing global cyber threat to which terrorism adds a new dimension – and it is one to which the whole defence industry must respond.

Barak concludes: “That’s a very interesting area that provides an opportunity for defence contractors and for critical infrastructure organisations to improve on.’’



If you would like to join our community and read more articles like this then please click here


The post Guarding against the rise in terrorist cyber skills appeared first on Defence Online.