Complex and Blended Threats: Weaponizing the Cyber World

4 February 2019

by Omar Tisza

With January already in the rearview mirror–and the proliferation of complex and blended threatsgrabbing the attention of more and more security practitioners like high beams on a semi-truck–we have curated poignant examples of threats, attacks, and vulnerabilities that operate in both cyberspace and the physical realm. These modes of attack are the next frontier of security and resilience within our critical infrastructure and beyond, as more smart technology moves into our homes and the small shop around the corner. Gradually, the threat landscape is forcing security-conscious stakeholders to bring Information Technology (IT) and Operational Technology (OT) into the same set of risk management foundations in order to seriously account for complex and blended threats. This conditions our critical infrastructure to adequately prepare for, mitigate against, and respond to threats and vulnerabilities that often harm critical infrastructure and have the potential to inflict wide-spread damage into our web-enabled, interconnected, and device-centric existence.

Following is a simple refresher of complex and blended threats definitions:

We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Complex threats are two or more separate attacks aimed at the same general or specific target(s) or objective(s). A key distinction of blended threats is the crossover component– one attack, with crossover effects; a threat that originates in one domain and that has impacts across to another domain. More detailed definitions can be found here.

Creating Incentives for Security Against Blended and Complex Threats

Threat Post: “Newsmaker Interview: Bruce Schneier on Physical Cyber Threats.” 02 Jan 2019 by Stephen Pritchard,@s_pritchard. This interview with Bruce Schneier about his new book Click Here to Kill Everybodycontinues to sound the alarm and disseminate insight on “what citizens and society can do about the increased risks from physically capable, and dangerous, computing devices.” Schneier is concerned with the intersection of the integration of computers into vital goods and services, the level of risk this integration brings about, and the window of opportunity for criminals to wring money and information (through espionage) out of vulnerable organizations who are key stakeholders within critical infrastructure. He also remarks that “There is a market failure: we are not incentivizing good security,” which may be solved by creating circumstances “where the cost of insecurity is greater than the cost of security.” In his analysis of complex and blended threats, Schneier believes that the government needs to act on providing cybersecurity guidance on the computing aspect of industry and the market must begin rewarding good security.

From Data Protection to Operational and Physical Security

Security Week: “Attacks Against Critical Infrastructure Poise to Reshape Cyber Landscape.” 02 Jan 2019 by Justin Fier @nerdtux. “Warfare has already moved to the cyberspace, and it is now time for the organizations charged with protecting our physical infrastructure to take action and fight back.” As cybersecurity matures, so do the threats and the techniques used to inflict damage on our critical infrastructure. We are experiencing a shift from data-targeted cyberattacks to operations-targeted cyberattacks, which “now involve sabotaging and disrupting the technology systems that support manufacturing, energy generation, and transportation” for malicious ends. This will enable threat actors to hold essential operations hostage–in contrast to traditional data-targeted attacks. Cybersecurity and potential vulnerabilities have already expanded from the cyber to include the physical and it’s only a matter of time until the public and private sector face an existential threat that originates in the blended and complex realm.

DOJ cracks down on DDoS-for-Hire Services

Flashpoint: “Collective Intelligence Podcast.” 07 Jan 2019 by Flashpoint @FlashpointIntel. “The pre-Christmas takedown of 15 domains associated with DDoS-for-hire services announced by the U.S. Department of Justice could signal a turning point in the fight against those selling booters and stressers in illicit [hacker] communities.” DDoS as a Service (DDoSaaS) or DDoS-for-hire enables individuals who are not hackers to take down online services, through techniques described as boosting and stressing, in critical industry for a relatively small price. The consequences of this can halt every day services such as public transportation and banking, but it can also damage infrastructure and resources that rely on a web connection for sustenance. This was the case in provincial Canada, where 911 services were brought down, and a chicken farm lost thousands of chickens because it used a management system that was connected to the internet. The DDoSaaS provider who led this attack was later arrested. DDoSaaS providers “claim that they’re not responsible for the actions of their customers; they just build the tools,” but it is clear that their products have the potential to carry out damaging incidents that fall within the scope of blended and complex threats.

Blended and Complex Threats Predictions in ICS Cybersecurity

Security Week: “Predicting the Year Ahead in ICS Cybersecurity.” 08 Jan 2019 by Galina Antova @GalinaAntova. In terms of predictions for Industrial Control Systems (ICS) cybersecurity, there are a few that stand out according to Galina Antova, Co-Founder of Claroty– industrial control networks cybersecurity provider. First, the electric grid will (hopefully) not go out as a result of cyber-incidents and/or hacking. Second, “more organizations than ever before will consolidate responsibility for both IT and OT security” in 2019 as both IT and OT continue to amass shared risk. Third, “on a less optimistic note, ransomware will shift from data to operations.” Traditionally, ransomware sought “to hold data at risk with the hope of extorting a payment in return for the promise of decryption.” The evolution of this attack will hold operations, instead of data, hostage which may more easily force an internet-dependent manufacturer to pay the ransom to prevent cybercriminals from disrupting indispensable business activities. Fourth, “Legislation and regulation will play catch-up” bringing government to the table to legislate on this issue and find a sustainable solution.

Beware of Hackers and Cranes

Forbes: “Exclusive: Hackers Take Control Of Giant Construction Cranes.” 15 Jan 2019 by Thomas Brewster @iblametom. Two Italian hackers and cybersecurity researchers, Federico Maggi and Marco Balduzzi thought they could not possibly hack into construction equipment in real world scenarios but “[t]hey cajoled their way into 14 locations where they were allowed [by a construction site manager] to hack into devices that not only controlled cranes but excavators, scrapers and other large machinery. In every case, their prepared attack code worked.” Using a small hatchback as their energy source, their remotely powered laptops successfully manipulated the equipment and vehicles by intercepting, not the equipment itself, but the communications between them. “It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real.”

Global internet disruptions in Venezuela, the Caribbean, and Africa

Oracle: “Last Month in Internet Intelligence: December 2018.” 16 Jan 2019 by David Belson @dbelson. “Closing out 2018, in December the Oracle Internet Intelligence team observed Internet disruptions in countries around the world due to power outages, government direction, technical faults, and possible issues relating to satellite connectivity.” This marks December as a slightly unusual month for internet disruptions as the common root causes tend to be physical weather incidents, “concerns over cheating on exams,” and DDoS. Places such as Venezuela, the Caribbean, and multiple African states experienced internet disruptions due to physical and cyber issues. “[P]ower issues in Venezuela disrupted Internet connectivity in the country during December” which are “similar to issues seen in July, August, and October”–Venezuela, fraught by internal unrest, seems to have recurring internet disruptions. Even though the Oracle Intelligence Team almost exclusively focuses on internet outages, they noted that “nationwide mobile Internet access was finally activated across Cuba,” which may introduce an unprecedented set of cybersecurity risks into the country as “ETECSA [Cuba’s national telecommunications company] reminds users that while security is a shared responsibility, it is mainly the responsibility of the users.”

While complex and blended threats continue to produce significant examples and incidents around the globe, the continual weaponization of the cyber world will keep raising eyebrows and sounding alarms. Even though data and privacy concerns, such as the recent Apple Facetime vulnerability, will continue to increase awareness and ultimately drive competent and effective cybersecurity, complex and blended threats will open our eyes to the countless critical infrastructure vulnerabilities that can be exploited to threaten our cyber and physical security.

Every day, security professionals work towards minimizing risk and making our goods and services safe and robust. There is a lot riding on the quality of our cyber posture within critical infrastructure: our devices, industrial control systems, even our cars. At their core, however, complex and blended threats have the potential to impact quality of life throughout every corner of the world. With internet connectivity in the mix, a computer is no longer just a super calculator, but a potential threat to human life and the vital services upon which life depends; for as long as there is internet there will be risk.

Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H­ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.

Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.