Our digital networked environment is increasingly vulnerable to cyber attack, a phenomenon which is perhaps more accurately defined as “the takeover of an organisation via its IT system”. Protecting your organisation against cyber attack is no longer just a story line from science fiction. High Flyer talked to Airbus Defence and Space Cyber Security experts to understand both the nature of the threat and what is being done to mitigate it.
Perhaps the following sounds far-fetched. “Cyber terrorists could derail passenger trains loaded with lethal chemicals, contaminate the water supply in major cities or shut down the power grid across large parts of the country.” Until recently, scenarios such as these were more likely to be found among the many threats faced by Jack Bauer in the popular TV series “24”. However, the quotation comes from former US Secretary of Defense Leon Panetta, speaking in 2012.
Cyber attack is not just about sabotage either. As NSA whistle-blower Edward Snowden revealed in 2013, cyber espionage is (and will remain) a fundamental element in the so-called war on terror and in international power games. Jonathan Evans, Director General of the British security service MI5, made the following statement in 2012:
“The extent of what is going on is astonishing. One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations.”
The main feature that distinguishes attackers is their motivation, which can be analysed according to the classic MICE scheme: Money, Ideology, Compromise, Ego. Whatever their ultimate goal may be, they are very well informed about their target (for instance through social networks), extremely organised, and occasionally even commissioned and financed by a state. Furthermore, they look for highly targeted information.
The most sophisticated of these groups design specific tools for their own purposes and continue to develop them during an attack. One example of this is PlugX, which Airbus Defence and Space experts saw emerge in 2013. The majority of attacker teams still use tools that are well known in cyber circles but are, unfortunately, still effective. They are therefore perfectly aware of how to get round standard security equipment, and they also use classic IT administration tools so that their activity looks legitimate at first sight. It may take these attackers a long time to infiltrate your network, but this matters little to them: a single fruitful attempt will suffice to achieve their aims.
And the frequency with which organisations are subjected to cyber attack is increasing. The US Department of Defense recorded a number of incursions in 2012/2013, including the extraction of classified information concerning weapons systems such as the F-35 Joint Strike Fighter and the Aegis Ballistic Missile Defense System. Critical infrastructure such as the Carmel Tunnel in Haifa, Israel, was subjected to attack in September 2013: hackers crippled the tunnel’s camera surveillance system, which led to eight hours of traffic chaos.
One statistic makes it clear why it is important to be able to nip cyber attacks in the bud. Airbus Defence and Space’s own research revealed that on average, advanced attackers are on a network for 371 days before being detected. It is therefore critical that an attacker be discovered as early as possible in order to prevent them reaching the core of an organization’s IT system.
The impact of such attacks is enormous. The damage incurred ranges from the loss of control of critical national infrastructure, compromised national security and disruption of IT systems to a loss of data and financial loss. At the very least, it results in the worst possible PR and loss of trust from customers and partners.
With this in mind Airbus Defence and Space established Cyber Defence Centres (CDCs) that connect observation, network monitoring, detection, response and investigation team services in real time.
Longstanding cyber security measures include such items as anti-virus programmes on workstations, intrusion detection equipment and firewalls. They have so far been broadly sufficient against the majority of threats; the problem is now three-fold. Firstly, cyber criminals, government-sponsored cyber experts and so-called “hacktivists” are becoming more and more sophisticated, so security measures require constant updating. Secondly, the security monitoring undertaken by so-called Security Operations Centres (SOCs) is unable to analyse the impact of an attack or advise on a remedial plan, with the result that new attacks remain undetected. The third problem is the combination of the first two, namely that detection and analysis are not combined.
The members of the Cyber Defence Centre team operate mainly in Europe, spread between Germany, France and the UK, but also work in the Middle East and the USA. The CDC team is dedicated to supporting two kinds of customers: defence and government on the one hand, and critical infrastructure and industry on the other. More specifically, the CDC combines a number of services which, working in unison, are able to combat cyber attacks: a full-time observation service that analyses the most recent threats and vulnerabilities; a monitoring service, which the observation service supplies with the tools needed to detect new attacks as soon as they are identified; and investigative capabilities to classify alerts, analyse their potential impact and determine appropriate action. In short, the CDC utilises a three-pronged defence strategy:
- Awareness and anticipation
- Detection and investigation
- Understanding and making decisions
Awareness and anticipation is all about keeping hackers on the radar screen and monitoring what is being published in the academic world or on discussion forums. Tests are then run on the basis of this research, with the aim of producing two different outputs. The first is a signature, which enables Airbus Defence and Space to track a new attack in customers’ IT systems. The second is a set of countermeasures, known as detection rules, which enable security equipment to be updated to block the attack as quickly as possible.
Detection and investigation of a cyber attack needs to happen equally quickly. Airbus Defence and Space’s CyberSecurity unit created a tool called Keelback® that combines signature tracking with behaviour detection to reveal the presence of attackers.
Keelback is fitted to the IT workstations and to the internet exit point. It has three components: the first detects “unusual” behaviour, the second combats it and the third investigates it in order to identify the source. Each incident is reported to the central processing centre, which compares it against the signatures stored in the system.
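To make the two detection approaches described above concrete, the following is an added example and not Keelback code or any Airbus product. It runs two kinds of rule over a handful of constructed proxy and endpoint log lines: signature rules that exact-match published indicators (a domain and a User-Agent string, both invented here), and a behaviour rule that needs no indicator at all, flagging a workstation that drives legitimate administration tools (wmic, psexec) at several hosts within a short window, the “classic IT administration tools” pattern mentioned earlier. The log format, host names, thresholds and indicators are all assumptions made for the illustration.

```python
"""Toy detection pipeline: signature (IOC) rules plus one behaviour rule, run over
constructed proxy and endpoint log lines. Example code added to this article; it is
not Keelback or any other Airbus product, and every indicator, host and log line
below is invented for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real). One event per line:
#   timestamp,source,host,user,detail
SAMPLE_LOGS = r"""
1700000000,proxy,ws-017,alice,GET http://cdn.example-static.net/a.js UA=Mozilla/5.0
1700000030,proxy,ws-017,alice,POST http://update-check.invalid/api UA=Mozilla/4.0 (compatible; MSIE 6.0)
1700000060,endpoint,ws-017,alice,process=wmic.exe args=/node:srv-01 process call create
1700000090,endpoint,ws-017,alice,process=wmic.exe args=/node:srv-02 process call create
1700000120,endpoint,ws-017,alice,process=wmic.exe args=/node:srv-03 process call create
1700000150,endpoint,ws-017,alice,process=psexec.exe args=\\srv-04 cmd.exe
1700000200,endpoint,ws-042,bob,process=wmic.exe args=/node:srv-09 process call create
1700000260,proxy,ws-042,bob,GET http://intranet.corp.example/home UA=Mozilla/5.0
"""

# Signature rules of the kind a threat-watch team publishes after analysing a
# campaign. Hypothetical values, not indicators of any real malware family.
SIGNATURES = [
    ("domain", "update-check.invalid", "known command-and-control domain"),
    ("user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)", "hard-coded User-Agent of a known RAT"),
]

# Behaviour rule: legitimate admin tools driven at many hosts in a short window.
ADMIN_TOOLS = {"wmic.exe", "psexec.exe"}
FANOUT_THRESHOLD = 3   # distinct remote hosts
FANOUT_WINDOW = 300    # seconds


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse(line):
    ts, source, host, user, detail = line.split(",", 4)
    return {"ts": int(ts), "source": source, "host": host, "user": user, "detail": detail}


def extract_fields(ev):
    """Pull the fields that rules are written against out of the free-text detail."""
    d, fields = ev["detail"], {}
    if m := re.search(r"https?://([^/\s]+)", d):
        fields["domain"] = m.group(1)
    if m := re.search(r"UA=(.*)$", d):
        fields["user_agent"] = m.group(1)
    if m := re.search(r"process=(\S+)", d):
        fields["process"] = m.group(1).lower()
    if m := re.search(r"(?:/node:|\\\\)([\w-]+)", d):   # wmic /node:X or psexec \\X
        fields["remote_host"] = m.group(1)
    return fields


def match_signatures(ev):
    """Exact-match each event against the stored indicators."""
    fields = extract_fields(ev)
    return [Alert("signature:" + name, ev["host"], f"{desc}: {value}")
            for name, value, desc in SIGNATURES if fields.get(name) == value]


def detect_admin_tool_fanout(events):
    """Flag a workstation that drives admin tools at FANOUT_THRESHOLD or more
    distinct hosts within FANOUT_WINDOW seconds. No indicator is needed: the
    binaries are legitimate, the pattern is not."""
    per_host = defaultdict(list)  # workstation -> [(ts, remote_host)]
    for ev in events:
        f = extract_fields(ev)
        if f.get("process") in ADMIN_TOOLS and "remote_host" in f:
            per_host[ev["host"]].append((ev["ts"], f["remote_host"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {r for t, r in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append(Alert("behaviour:admin_tool_fanout", host,
                                    f"{len(targets)} hosts within {FANOUT_WINDOW}s: {sorted(targets)}"))
                break  # one alert per workstation is enough for the analyst
    return alerts


def run(log_text):
    events = [parse(line) for line in log_text.strip().splitlines()]
    alerts = [a for ev in events for a in match_signatures(ev)]
    alerts.extend(detect_admin_tool_fanout(events))
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample data the two signature rules fire on the single beacon to the listed domain, while the behaviour rule fires on ws-017 alone: four distinct targets in 90 seconds, even though the last hop used psexec rather than wmic. The second workstation, which touched one host with the same tool, produces nothing, which is the point of thresholding on fan-out rather than on the tool name.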
The final part of the process is understanding and making decisions. The Cymerius® tool is central to this, as it enables teams responding to an attack to follow their actions in real time. Cymerius® synchronises tasks at the CDC. It relieves the operator of a number of tedious tasks, such as collecting all the logs required for investigating an incident after it has been detected, so that he or she can concentrate on analysis and classification. Knowing both the threats and the criticality of each customer’s assets allows informed decisions to be made, so that attacks in progress can be visualised and contained as rapidly as possible.