Friday, September 7, 2007

CyberWar is, uhh... what is it?

Oh, yeah, it's just like all other hacking, except it's gov-to-gov.

Richard Stiennon wonders in his Wednesday blog post if the PLA hackers that pwned Ministry of Defense e-mail systems wanted to get caught. His theory goes, government-quality hackers should be so good that they are undetectable unless they intend to disrupt systems. Since neither thing happened in this case, Richard suggests that maybe China meant to get caught in order to send a message.

Personally, I think there's a simpler explanation. It goes back to a conversation that I had with Richard Bejtlich about the detectability of breaches. The "Titan Rain" attacks have been going on for the better part of three years (as far as we know). And there were bound to be good hacks that were still detected. Especially since this story made Time Magazine in 2005, we should assume that all of the Allied Forces' three-letter branches have been on the lookout for Chinese hackers.

When security folks talk about defending against network attacks, we often hear (and some of us often say), "We have to get it right every time; the bad guys only have to get it right once." But as soon as the attack starts, that equation flips when it comes to hackers avoiding detection, especially if you're going to stay on a system for an extended period of time in order to gather intel. The number of chances that formal security detection mechanisms will catch you increases exponentially with time. Not to mention curious admins, auditors, and plain old dumb luck.

Bottom line is that the best hackers in the world can penetrate nearly any system, and can cover their tracks well. But eventually they'll get caught, whether they mean to or not. And that's what happened to the Chinese hackers in this case. Oops.


Doug said...

That Time article is disturbing. Agreed they will get caught eventually, but is that true only if they come back repeatedly? What about a highly skilled hacker whose mission is to grab data and never come back? I suppose it boils down to the motive of the hacker; the curious ones will keep coming back, but the criminals might not. Of course this means there is a hole somewhere that shouldn't have been open in the first place and detection fails.

PaulM said...

All things being equal, a single intrusion is less likely to be detected than a prolonged presence. Beyond that, it's all situational.