The recent attack on computer networks at broadcasting organisations and banks in South Korea has brought cyber war into the limelight.
While the cause of the attacks remains unknown, South Korean authorities say they "do not rule out the possibility of North Korea being involved." CBR rounds up expert opinions on the issue.
Ross Brewer, vice president and managing director for international markets at LogRhythm
"South Korea is one of the world’s most technically aware societies and is often described as ‘The World’s Most Wired’ country. As such, it is especially critical for its organisations to have a deep understanding of their own IT systems in order to ensure that its networks are not only adequately protected, but should they be attacked – which seems inevitable in today’s era of cyber attacks – that any potential damage is effectively minimised in real time and evidence of the attack is correctly monitored.
"The cause of yesterday’s network problems is still unclear, but it managed to infiltrate systems to the point of ‘crippling’ them – indicating that these organisations didn’t have the visibility required to effectively monitor IT systems and identify and remediate any anomalous IT network behaviour in real time. Organisations need to be continually monitoring all of the log data generated by all of their IT assets in real time – which is where evidence of all IT network activity lies – to detect and respond to suspicious or unauthorised behaviour the instant it takes place. Not only does this log data help firms identify hacks before any lasting damage can be done, it also provides vital forensic evidence about how and why these attacks happened in the first place.
"The other serious issue is that there remains an enormous amount of uncertainty surrounding the origins of the attack. Without confirmation of the source of cyber attacks, inaccurate finger-pointing can and often does occur – and given the current diplomatic tensions between South and North Korea, this can lead to unwanted military involvement. As such, further forensic analysis of the breach is required – but this cannot be achieved with traditional point security solutions, such as anti-virus or firewall tools.
"A holistic IT security strategy focusing on the continuous monitoring of IT networks provides the network visibility and intelligent insight needed for such deep forensic analysis. Only with this deep level of network visibility can organisations ensure cyber attacks are effectively mitigated and accurately attributed to the correct perpetrators."
Wieland Alge, VP and EMEA General Manager at Barracuda Networks
"Investigations into suspected cyber-attacks on broadcasters and banks in South Korea reflect the realisation that cyber attacks are becoming more and more frequent. The gangs behind them are improving their exploitation tactics greatly, whether to display pop-up advertisements, install spyware to spy on users’ Web browsing habits or insert Trojans.
"Any critical infrastructures are in constant danger of being targeted too. Private and publicly owned businesses alike need to have a clear and immediate understanding of the threat situation in order to develop countermeasures to protect themselves from falling prey to the same kind of attack.
"In order to help address this, precautions must be taken at all levels to prevent the crime happening in the first place. A good place to start is by ensuring effective perimeter defences such as firewalls and strong security policies are in place to start with. Cybercriminals are stepping up their game and so should we."
Jarno Limnell, director of cyber security at Stonesoft
"If North Korean agencies are responsible, this is the latest step in an escalation of cyber-attacks made across the Korean peninsula in recent months. Only last week, North Korea accused the US of using cyber capabilities to disable its internet services.
"The choice of targets is telling of the trend that the chief candidates for attack are increasingly likely to be global financial markets and critical infrastructure systems, which if taken down have the power to cripple a nation. In today’s digitally interconnected world there is huge potential for unpredictable side effects and collateral damage from aggressive actions. As such, fighting fire with fire is a dangerous tactic.
"The influence of cyber capabilities is becoming more apparent in politics as a forceful method of driving through political objectives. However, in some circumstances, awareness of strength can work to prevent conflict between nation-states by raising the threshold to conduct an attack. The defense policy of many countries is based on the assumption that if you’re able to expose strong enough military capability, the likelihood of being attacked decreases. Testing the cyber capabilities of other nations, and the use of offensive techniques are as such an increasingly recognised part of strategic influence and combat."
Ron Gula, CEO of Tenable Network Security
"A few years ago we were hearing scary stories about how North Korea had a large investment in offensive cyber war, and how they’d be able to cause profound damage when they finally struck. However, ‘paralysis at major banks and media organisations’ is hardly the kind of devastating strike we were warned about.
"It’s worth considering that any organisation which chooses to look at its security logs can see attacks from North Korea, along with Russia and China. They can also see attacks from the UK, the US and Israel and, if they wanted to, can find attacks from IP addresses geographically located within 10 miles of Downing Street, the NSA, or the Kremlin.
"Because these types of attacks are so pervasive, any time a real-world physical escalation occurs, such as North Korea threatening to launch a nuclear attack, these normally ignored network attacks get undue significance and hit the headlines.
"Attribution on the Internet is extremely difficult. Government agencies and organised crime have the resources to operate hacking activities in many different countries. Any organisation with a worldwide presence that is compromised can be leveraged to launch attacks from a given country. And any country that is on the Internet is likely to have computers which are vulnerable and already part of a botnet.
"Organisations need to be vigilant to search for indicators of compromise on their networks, but they should not make any type of strategy decision based on where the immediate attacks are coming from based on ‘geo IP’ lookups. Instead, they should figure out what their attack surface is, what sort of damage (or denial of service) is occurring and if any data has been stolen.
"Of course, in the case of North Korea, we may expect a Y2K-style scenario, in which we could argue that it wasn’t so devastating because we warned everyone five years ago, and they fixed it. This may have been the case for Y2K, but it’s unlikely to be the case for this particular cyberwar."