Information Warfare: When Intrusion Detection Isn’t Enough

September 11, 2001… that date will be engraved upon the memories of most Americans for many years to come. That is the date when terrorists brought their battle to U.S. soil. One week later, the Internet came under attack by the Nimda worm. Many claimed this was an act of Information Warfare. This was not the first “attack” on the Internet, and it certainly won’t be the last, but was this an act of Info War? I don’t believe it was. Let’s compare the tragic events of the 11th with the Nimda worm to see if we can draw some conclusions about Information Warfare.

On September 11th, without warning, 4 commercial jets were hijacked. Contrary to the historic profile of such events, no negotiations took place. Instead the aircraft were flown into prominent U.S. landmarks. Both World Trade Center towers were completely destroyed, and the Pentagon suffered major damage as a result of this attack.

On or about September 18th, the first signs of the Nimda worm began to surface. This worm used several methods to propagate around the Internet. It was again targeted at computers running various Microsoft products (Internet Information Server and Outlook). It rapidly moved throughout the Internet, compromising thousands of computer systems around the world. So, was it Info War? In a word… No!

This was just another Internet worm. It used well-known vulnerabilities just like previous worms, Trojans, and malicious software. It was not targeted against prominent U.S. targets. It did not specifically target any of the U.S. critical infrastructures. Instead, it indiscriminately scoured the Internet for vulnerable computers, infected them, and moved on. This is not what we can expect in the event of a true Information War.

So what is Information Warfare? There have been many definitions of Information Warfare offered. My favorite definition comes from Dr. John Alger, at a seminar on Information Warfare (I found this reference here).

Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary’s information, information-based processes, information systems, and computer-based networks while protecting one’s own.

Now that we have a definition, we can think about the form these attacks might take. How will we know if and when we’ve been targeted by an Info War attack? Let’s see what lessons, if any, we can learn from the events of September 11th.

The airline hijackings and subsequent attacks against the World Trade Center and the Pentagon buildings were almost a complete surprise. It turns out the Intelligence community was aware of a threat of “unprecedented attacks” against the U.S., but they didn’t have the specifics. It also quickly became clear that these attacks were very well planned out. Preparations had been ongoing for at least 12-18 months. Terrorists had established a presence in the community, and had even taken flying lessons. Even now we don’t know the extent of their plans, or how long they’ve been setting this up.

I suggest that we will get hit with Info War attacks in a very similar manner. We already know the threat, in vague terms. There will be “offensive use of information and information systems to deny, exploit, corrupt, or destroy” our information, information-based processes, information systems, and computer-based networks. More simply put, we’ll be the target of crippling viruses and worms. Our infrastructure will be infiltrated with the goal of manipulating, corrupting or destroying our data and systems. We’ll also be denied access to our systems and infrastructure by some form of “denial of service” attacks. Hmmm… sound familiar?

We’ve been experiencing all these forms of attacks for quite some time, but this is NOT Information Warfare in its true sense. I believe that when the real attacks arrive, we won’t even know we’ve been hit. Not at first, anyway. I believe that targets of Info War and cyber-terrorism have been identified, and possibly infiltrated. This infiltration may be physical, such as people working under cover at power plants, telecommunications centers and the like, or it may be electronic. There may already be Trojans, viruses and malicious code in our most critical networks and systems, lying dormant for now and awaiting an electronic trigger to wreak havoc.

The reality is that if we are going to experience an Info War attack it will probably not be noticed by conventional defensive measures. Our current security defenses are designed around various specific countermeasures:

  • Block unused ports or services
  • Filter traffic going to allowed ports and services
  • Search the remaining traffic for known attack strings
  • Use anti-virus programs to search for malicious software

This is not intended to be an all-inclusive list, but it gives a very high-level overview of common defensive measures. These standard measures may be ineffective against Information Warfare. Let’s look at each measure listed above and discuss its weakness.

  • Blocking unused ports and services is the foundation of most hardening procedures. If you don’t need the service, disable it so you don’t have the additional overhead of maintaining it. Let’s face it… we all have enough work to do without adding more, unnecessary work. This is a sound concept, but the converse of this rule is to allow access to used ports and services. One of the most common services used on the Internet is http, or Web access. This is also the most attacked and exploited service. This fact should be clear in everyone’s memory after the recent Code Red and Nimda attacks.
  • Since we have to allow some traffic over our network (we created the networks to allow some traffic), how do we protect ourselves from allowed traffic? One method is to use content filtering to try to stop attacks from entering our network. This method is good for information traveling in the clear, or unencrypted. The shortcoming is that any form of encrypted traffic cannot be monitored for content. This includes such common protocols as https, ssh, and VPN traffic. Again, most attacks in recent history have been web based, and they will still work against a server running https. There have also been some recent attacks against ssh that demonstrate this problem as well.
  • Another method of stopping attacks against our network is to use an Intrusion Detection System (IDS) to search for signatures of known attacks. There are many shortcomings to this method. First, this only defends us against known attacks. New attacks will not be detected by conventional IDS. Next, these systems generate a huge number of false positives. They search for a string or sequence of characters or data. If this string is contained in innocuous traffic, the IDS will still trigger an alarm. This requires someone to investigate the cause. Too many false alarms, and you have a worthless system that will be largely ignored. An attacker may take advantage of this weakness and flood the network with a huge volume of attacks in an attempt to overload the monitoring system. At this point, it would be much easier to sneak a true attack through the flood of false alerts.
  • Anti-virus software has become more prominent as the quantity, maliciousness, and speed of propagation of malicious code has increased. Anti-virus software now detects most Trojans, viruses, worms, and many hacking tools that are available on the Internet. This is a powerful security tool that should be installed on every computer in existence. But this too has its weaknesses. Like an IDS, anti-virus software is only truly effective against known attacks. New attacks usually slip right by, unless it’s a close variant of an older virus. The signature database must be regularly updated, and during high-profile events, such as the Anna Kournikova virus/worm, some anti-virus sites can be so overwhelmed that it would be impossible to download the updates.

As you can see, each type of security measure has its weakness. The combination leaves an opening in our defenses that cannot be closed if we are to maintain any sort of functionality. That’s why most security experts recommend that security be applied in layers.

A well-planned and orchestrated Info War attack would take advantage of this combination of vulnerabilities. Specific entities would be targeted. Reconnaissance would be complete, documenting the critical systems in the target infrastructure. Operating system versions, and hosted applications and services, would be identified. A deployment method would be developed. The actual attack could rely on a couple of different scenarios. The most trivial method would be to wait for new vulnerabilities in the targeted systems. With all plans in place, the new attack could be quickly utilized to gain access to the systems. If the attack were carried out quickly enough, the relevant patch might not yet be available. Signatures for the IDS or anti-virus software might not have been developed or distributed. Another, more discreet scenario is also possible. Once the target systems have been profiled, a new exploit could be developed to slip by all defenses. If it were exploited in a limited manner, the exploit might never become known. Where does this leave our defenses?

There is a little-explored area of security defense known as anomaly detection that, once fully developed, could provide a much-needed extra layer of protection. Anomaly detection systems look for behavior that deviates from normal system use. It would generally involve an initial baseline of normal system traffic behavior. Once the profile has been established, any traffic not matching this profile would be flagged for analysis. This would be especially useful in the previously mentioned scenario because an Info War attack is likely to result in some new stream of traffic. If a system is compromised with the purpose of gaining access to the internal network, the resulting network profile would change. To avoid notice, the compromise would have to make use of existing traffic patterns, such as establishing a tunnel via http. But even then the difference might be inbound traffic on port 80 to a system that has not historically provided this service.
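To make the contrast between the signature-based IDS described earlier and the service-baseline anomaly detection described here concrete, the following is an added example, not code from the original article. It runs two detectors over the same constructed flow records: a string matcher with a hypothetical two-entry signature table (the strings and the "normal" baseline are invented for illustration and are not taken from any real ruleset or capture), and a baseline detector that only asks whether a host has ever served a given port and protocol before. The benign request containing a signature substring produces the false positive the article warns about, the encrypted flow is invisible to the signature matcher, and the inbound port-80 flow to the mail server is caught only by the baseline comparison.

```python
"""Added example: signature matching vs. service-baseline anomaly detection.

Flow records, hosts and signature strings below are all constructed for
illustration; they are not from a real IDS ruleset or a real capture.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow (constructed schema, not a real log format)."""
    src: str
    dst: str
    dport: int
    proto: str
    payload: str  # first readable bytes; "<encrypted>" when unreadable


# Constructed learning period: what the segment looked like during "normal" use.
BASELINE = [
    Flow("10.0.0.5", "10.0.1.10", 80, "tcp", "GET /index.html HTTP/1.0"),
    Flow("10.0.0.6", "10.0.1.10", 80, "tcp", "GET /news.html HTTP/1.0"),
    Flow("10.0.0.5", "10.0.1.10", 443, "tcp", "<encrypted>"),
    Flow("10.0.0.5", "10.0.1.20", 25, "tcp", "HELO ws5.example.test"),
    Flow("10.0.0.7", "10.0.1.20", 25, "tcp", "HELO ws7.example.test"),
    Flow("10.0.0.7", "10.0.1.30", 53, "udp", "A? www.example.test"),
]

# Constructed observation window to be judged against that baseline.
OBSERVED = [
    # ordinary web request to the web server: neither detector should fire
    Flow("10.0.0.8", "10.0.1.10", 80, "tcp", "GET /index.html HTTP/1.0"),
    # benign request whose URL happens to contain a signature substring
    Flow("10.0.0.8", "10.0.1.10", 80, "tcp", "GET /docs/cmd.exe-faq.html HTTP/1.0"),
    # inbound HTTP to the mail server, which never served HTTP in the baseline
    Flow("192.0.2.44", "10.0.1.20", 80, "tcp", "POST / HTTP/1.0"),
    # encrypted traffic to a known service: the signature matcher is blind here
    Flow("10.0.0.8", "10.0.1.10", 443, "tcp", "<encrypted>"),
]

# Hypothetical signature table: substring -> human-readable name.
SIGNATURES = {
    "cmd.exe": "IIS command-execution attempt",
    "default.ida": "Code Red style .ida overflow",
}


def signature_alerts(flows, signatures=SIGNATURES):
    """Classic IDS behaviour: alert whenever a known string appears in a payload.

    Returns (flow, signature_name) pairs. It fires on the benign
    "cmd.exe-faq.html" request and sees nothing in encrypted or novel flows.
    """
    alerts = []
    for flow in flows:
        for needle, name in signatures.items():
            if needle in flow.payload:
                alerts.append((flow, name))
    return alerts


def build_baseline(flows):
    """Profile normal use as a count of (dst, dport, proto) services observed."""
    return Counter((f.dst, f.dport, f.proto) for f in flows)


def anomaly_alerts(flows, baseline):
    """Flag any flow to a host/port/protocol triple absent from the baseline.

    The simplest possible anomaly detector: it ignores payload entirely, so
    encryption cannot hide a new service appearing on a host, but it has no
    opinion about content sent to services already in the profile.
    """
    alerts = []
    for flow in flows:
        key = (flow.dst, flow.dport, flow.proto)
        if key not in baseline:
            reason = f"new service {flow.dst}:{flow.dport}/{flow.proto} (not in baseline)"
            alerts.append((flow, reason))
    return alerts


def compare(observed=OBSERVED, baseline_flows=BASELINE):
    """Run both detectors over the window and return (signature, anomaly) alert lists."""
    baseline = build_baseline(baseline_flows)
    return signature_alerts(observed), anomaly_alerts(observed, baseline)


if __name__ == "__main__":
    sig, anom = compare()
    print("signature alerts:")
    for flow, name in sig:
        print(f"  {flow.src} -> {flow.dst}:{flow.dport}  {name}  [{flow.payload}]")
    print("anomaly alerts:")
    for flow, reason in anom:
        print(f"  {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run as a script it prints one signature alert (the false positive on the FAQ page) and one anomaly alert (port 80 on the mail server). The baseline key is deliberately coarse; a production profile would also learn typical volumes, client populations and time-of-day patterns, which is exactly where the extra false alerts and analyst effort the next paragraph mentions come from.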

Developing an anomaly detection system, or ADS, is a very complex venture. It is likely to be more prone to false alerts than current intrusion detection methods. It would likely require more vigilance, more interaction, and a higher level of technical knowledge and experience to manage effectively. But it’s a method that will hopefully be explored in the near future. With all its potential shortcomings, it would nonetheless provide another layer of security monitoring, and one more defensive tool that might help us in the event of a true Information War.