The links between cyber-warfare and terrorism are well-established. Terrorist organizations such as ISIS have been attacking targets they perceive as unfriendly nearly since their inception.
Now, researchers at Cytegic report that they have discovered a link between terrorist attacks, such as the deadly attacks on the Brussels airport and metro system on March 22, and cyber-terror activities immediately before and after those attacks.
According to the activity graphs in its March 23 report on the link between the terrorist attacks in Paris last November and the related cyber-terrorist activity, cyber-attacks increase dramatically shortly after the attacks took place.
Those attacks were aimed in large part against government and media activities on the Internet, and took the form of denial-of-service (DoS) attacks, defacements, phishing attacks including email social engineering and malware injection. Financial service organizations and critical infrastructure were also high on the target list, but not as high as the first two.
Perhaps most surprising of all, there appears to be a reduction in activity immediately preceding the terrorist attacks in both Paris and Brussels. This “quiet period” isn’t a cessation of all cyber-terrorist activity, but rather a reduction in intensity. Some attackers seem to continue at their normal level, while others, who are identified by Cytegic as being cyber-terrorists, show a significant decrease until the attacks take place.
It’s worth noting that cyber-attackers are comprised of several types. There are the attackers that are directly sponsored by the terrorist organizations; there are sympathizers and activists that may be inspired by the terrorists, but don’t work directly for them; and then there are cyber-attackers who are unrelated to terrorist organizations.
After a terrorist attack, the cyber-attack activity picks up markedly. Within a day or so after an attack the cyber-terrorists ratchet up their activity, but so do government-sponsored attackers who are fighting the terrorists, and independent groups such as Anonymous, which have begun fighting the terrorists on their own.
The activity both by and against the terrorist organizations continues for a period of about three weeks, according to the Cytegic study, after which it returns to whatever passes as normal these days.
Cytegic CEO and co-founder Shay Zandani told eWEEK that his researchers gather their information from public sources plus a number of sources on the Dark Web. The data that they gather is processed by what Zandani calls a thesaurus engine to reveal the specific patterns in the attacks. The engine analyzes key words in the data to determine how the attacks are taking place and who is carrying out the attack.
“We think that if one can isolate specific geopolitical data and industry sectors for specific information, one can identify a pattern of behavior,” Zandani said. By discerning a pattern of behavior, he said it’s possible to proactively protect against the attacks.
Researchers Claim Correlation Between Terror Attacks, Cyber Activity
When compared against the attack methods, he said it would be possible to determine what steps to take following a major terrorist attack.
Zandani said that organizations can work with their ISPs to prepare for an expected distributed-denial-of-service attack, and to take steps to prevent defacement of their Web presence. He also suggests that this would be a good time to reinforce training on how to combat phishing and other social engineering attacks.
Organizations should also harden their security incident management rules and prepare their security operations center in advance of the expected increase in activity.
Anti-ISIS activities carried out by military and intelligence services and by Anonymous will also have some limited effect on other organizations, but mostly because of potential network congestion if they launch a DoS attack against ISIS or an affiliated group.
Unfortunately, the level of cyber-attack activity immediately before and after a terrorist attack can tell you only so much. The reduction just before an attack does not appear to be location-specific, so predicting a terrorist attack on the basis of such activity is unlikely. In addition, Zandani said that there are similar patterns before and after other major activities, such as the NFL Super Bowl held in February and perhaps before and after major elections.
Perhaps the best lesson that can come out of the preparation for a cyber-attack is that it will demonstrate whether your organization is actually prepared to effectively manage such an event. “It shows where you need to invest more resources,” Zandani said.
He also noted that companies can use the changes in cyber-activity to fine tune their security alerts and responses since they know that there may be a predictable increase for a three-week period after an attack.
Right now most of the change in activity seems to be focused on Europe because that’s where the increase in ISIS-sponsored terrorist attacks is taking place. But Zandani said that such activity is a good reason to start beefing up your defenses wherever your organization operates. For example, he noted that investing in improved logging systems would provide better alerts when a cyber-attack does take place.
While there’s nothing most organizations can do in response to the terror attacks if they weren’t directly affected, there’s a lot they can do to prevent or mitigate the cyber-attacks that may follow.
The day or two gap between the terror attack and when the related cyber-campaign starts ramping up is enough for most organizations to make sure their defenses are in place.
As tragic as those terrorist attacks may be, there’s no need to sit still for a crippling follow-up cyber-attack if you can prevent it by taking advantage of the warning that the attacks provide.