James Hayes
SPONSORED FEATURE When military historians come to chronicle the first 15 months of the Russian invasion of Ukraine, they won't find any shortage of battlefront bulletins to inform their accounts.
From smartphone video grabs to satellite camera surveillance, almost every devastating engagement between the combatants has given actions both on and behind the frontlines high visibility across digitalised media.
Yet the Russo-Ukrainian conflict is also being fought on another, less evident frontline – that of cyber warfare. And while verifiable information about skirmishes and assaults across digital frontiers are proving largely impossible to verify, as hostilities enter their second year their effects are starting to resound ominously across global digital ecosystems.
The war has been described as the first to deploy significant – if largely immeasurable – levels of cyber operations by the belligerent parties. Despite the disparity in state size and military might, it's a contest in which both sides appear almost equally matched in terms of human and cyber resources; neither side, it seems, has established cyber dominance – yet.
As the hostilities commenced, Moscow seemed to take the first-strike advantage by launching what might have been 'the world's largest-ever salvo of destructive cyber attacks' against multiple Ukrainian networks, according to the Carnegie Endowment for International Peace.
"Russia notably disrupted the Viasat satellite communications network just before its armed forces crossed the border, which is thought to have slowed Ukraine's defence of Kyiv," says Jon Bateman, Senior Fellow at the CEIP, "but no subsequent Russian cyber attack has had visible effects of comparable military significance, and the pace of attacks plummeted after just a few weeks of war."
Ukraine, for its part, has benefited from a very resilient digital ecosystem, years of prior cybersecurity investments, and a surge of cyber support from some of the world's most capable tech vendors and states.
Recruiting people power
A further factor in the seesaw of offensive actions is that cyber warfare is increasingly being conducted outside of centralised military or government efforts, reports Marcus Fowler, SVP, Strategic Engagements and Threats at Darktrace and CEO of Darktrace Federal.
"Without direct government supervision, thousands of private individuals and organisations in Ukraine are [involved] in the cyber-fightback against Russia," Fowler says. As of July 2022, "The head of Ukraine's State Service of Special Communications & Information Protection has spoken of a group of some 270,000 volunteers who are self-coordinating their efforts, and who can decide, plan and execute strikes on the Russian cyber infrastructure without the Ukraine government getting involved."
Russia has also mobilised its 'citizen hackers' in defence of its systems and in support of offensive actions against Ukraine and (probably) Ukraine's allies. The extent to which these civilian groups are working with, or being co-ordinated by, Russia's state agencies is not openly disclosed. But the suspicion by some observers is that collusion involves individuals who might have ranked as cyber-criminals in pre-war times – or at least part-time malefactors.
Whether they are patriotically volunteering their services, or expecting to be rewarded by the Russian authorities in some way, is a further matter for speculation, of course.
According to a study by Insikt Group (Recorded Future's threat research division), Russia's continued reliance on leveraging proxy groups to achieve its objectives in Ukraine, while keeping up plausible deniability, has further highlighted links between Russia's intelligence services and non-state actors, 'as evidenced by Russia's direct, indirect and tacit relationships with cybercriminal and hacktivist groups targeting western interests'.
When cyber-criminals go to war
The difficulty of distinguishing between 'official' nation-state attacks, hacktivists and vigilantes raises perilous issues, Darktrace's Fowler argues. It makes it possible, for instance, for nation-states to conduct devastating attacks against critical national infrastructure from behind a 'front' of proxy criminal organisations. "Ties between nation-states and shady agencies may be suspected, but accusations are rarely confirmed." says Fowler.
A further concern for all globally connected entities has to be that state-guided belligerent hacktivists are acquiring higher-level knowhow that may later be re-directed offensively against other targets of choice located anywhere in the world.
The so-called 'vigilante' approach to cyber geopolitics is also on the rise, further complicating cyber attribution and security strategies, according to Fowler: "Hack attacks by pro-Russia groups such as Killnet, though limited in their operational impact, have succeeded in gaining global headlines in light of the Russo-Ukraine conflict, leading to concerns that these citizen-led operations could become more destructive, or that states could use these groups as another deniable proxy."
Claims that 'Russia' launched third-party attacks can be misleading, Fowler warns, and stoke "an already complicated political fire".
What's the point of attribution
Due to the Internet's innate facility for identity masking, cyber-attack attribution is rarely assured and hardly ever confirmable. Even when state agencies have good evidence of both the identity and motive behind a destructive cyber action, named states almost never admit authorship of a given incident.
It's an issue that since the outbreak of the Russo-Ukraine hostilities has loomed large in the cyber risk insurance market, where pay-outs for cyber damages claims are often contingent on attribution of the source of the attack.
Further, many policies exclude coverage of cyber damages if they're the result of acts of war. The question of attribution occurs regularly when Russia is suspected of being directly behind attacks that may or may not be motivated by its Ukrainian war aims.
Cyber attribution has traditionally been based on indicators of compromise (IOCs) discovered during post-event forensic analysis. Insurance analysts now tend to rely on TTPs (tactics, techniques and procedures) built on behavioural models, along with clues like the language indicators in the compiled code and file modification time zone.
Cyber attribution and deciphering the extent of state-level tasking is difficult, with blurred lines between state-aligned-, state-involved- and state-directed incidents, says Fowler, thus increasing the risk of misattribution and escalation across fronts.
Action not prediction
Amid this dense cyber fog of war, knowing thy cyber enemy has become much trickier, Fowler argues. But it remains critical that at-risk organisations stay aware of the heightened realities of cyber risk, and place less emphasis on a 'blocking the Bogeyman' model of cyber security and defence.
"As it gets harder to positively identify cyber opponents, we see organisations moving away from the headline threats and toward ensuring operational stability and resilience based on a bespoke understanding of their unique risk profile." says Fowler.
Defenders are realising the need to "pivot away from concentrating on trends and predictions", Fowler maintains, and shift focus to understanding the "landscapes and 'normal' patterns" of their digital environments – and of those their businesses operate within.
With this approach enterprises can harden attack paths, have visibility of their extended digital attack surfaces, detect the smallest deviations from 'normal' operations, and disrupt attackers before damage is done.
"At Darktrace the belief is in the power of self-learning AI to understand 'normal' as an organisation's most redoubtable defensive posture, and 'enforcing normal' rather than trying to predict attackers' probable actions," explains Fowler. "Trying to work out what known threats are most likely to do against you is becoming unfeasibly difficult. The number of possibilities has become infinite. Crunching through threat intelligence slows time to action."
Fowler adds: "Don't misunderstand me. I'm not discounting the innate value of high-quality threat intelligence – it brings context and prioritisation, and enhances risk awareness. But it should not be the critical line where an organisation's cyber defence sits. By definition it is historical, what has happened in the past, whereas Darktrace's self-learning AI-based tools are focused on detecting malicious activity as it is happening."
Touched by war – eventually
Meanwhile, the wider impacts of the Ukrainian situation continue to reverberate through the global digital infrastructure, touching businesses and supply chains that might suppose themselves far removed, geo-politically, from the nearfield percussions of the armed conflict.
"Even where a company does not have direct involvementwith the war they are thinking about how it might affect them – or their strategic partners – from a cyber security perspective somewhere along the line," says Fowler. "More and more, Darktrace is having conversations about how we can further leverage customer partnerships to lower their exposure to possible cyber risks connected to events in Ukraine. Very often these focus on stepping up our customers' operational sensitivity to remote threats."
At the same time, the general level of 'as usual' cyber hazards such as malware and ransomware, continues to proliferate, and has not been reduced or degraded by the Russo-Ukrainian disruption.
Fowler adds: "We are seeing that businesses want to be more 'aggressive' around their security response capability – how they 'enforce normal', and how they can most effectively disrupt attackers that target them. They have become more open to operating Darktrace's AI tools in fully autonomous mode, for example."
Which of course in many ways accurately chimes with the dynamics of cyber-warfare. "When we speak of clashes between 'cyber superpowers', it is defensive superiority rather than offensive capability that determines which side gains winning advantage."
No comments:
Post a Comment