In the last post, we discussed the real and imminent threat of cyber warfare, based on anecdotal and now direct statements at the nation-state level that it could happen at any time*. According to the US authorities, it is believed to be imminent based on “evolving evidence.”

Now, we don’t know what this evidence being cited is, but perhaps we can explore what a test plan for a large-scale cyber attack might look like. The unprecedented factor, in this case, would likely be the scale, not the methods, which have all been seen before. Indeed, an attack where the attacker hopes to leave a mark and owns the attribution would have to be practiced and well-executed at the nation-state level. As some recent reporting has pointed out, there has been increased intrusion activity against large organizations. Intrusion attempts happen all the time, but now they seem to have been kicked up a notch.

So what types of attacks are the most likely at this point? With supply chain issues revolving around oil and gasoline, an attack on oil and gas pipelines could be devastating. The recent Colonial Pipeline attack in the USA is a good indicator that this is possible, and that the outcome can be immediately impactful. In Europe, the energy sector is already under stress, and a cyberattack on the production side could have significant effects.

Other supply chains, such as pharmaceuticals and food supplies, could see a very immediate impact. Then, of course, there are the financial networks and the entire payment industry. The truth is that the list of potential targets is endless, and many of the organizations on that list can be exposed through fairly easily obtained information about known vulnerabilities.

A wise attacker will likely proceed in stages. The first stage explores how vulnerable systems are and then plans a way to hit as many as possible on the first strike. The SolarWinds incident is a great example of this. Suppose the SolarWinds attack had been implemented two years later: it would now be dormant, waiting for the go-ahead signal. It would be an undetected and widespread platform for conducting a large-scale cyber attack, and without the need to avoid attribution it could be leveraged more effectively than what was seen in 2020. Unfortunately, it is feasible that something like that already exists.

The next stage would likely be a follow-up attack on the reconnaissance and recovery systems and the communications networks the victims rely on to cope with the first attack. The goal, of course, is to hit hard enough that the attacker(s) can get the victims to surrender, or at least to stop doing whatever is annoying the attacker.

This is theoretical, but as a security professional, I know that there is not much difference between a whitehat and blackhat security expert … except the color of the hat and the moral ground they stand on.

There is certainly time to act before the “inevitable” happens, but whether it is enough time remains to be seen. Will the potential victims make the right choice to act quickly, or will they adopt a wait-and-see attitude?

This question always haunts me.


* https://www.politico.com/news/2022/03/21/biden-russia-cyberattacks-00018942