Are communities missing cyber attacks?
The number of attacks on states, communities and critical infrastructures has steadily grown over the last decade. Communities are now paying more attention because of the resulting impacts: the shutdown of systems and networks, the loss of data, and the cost to the community of recovering from the attacks. An important question that communities are now asking is "are we catching all of the attacks, or are we missing some?"
Research conducted at The University of Texas at San Antonio (UTSA) led to some surprising results to these questions. To obtain a better understanding of attacks directed at communities, researchers at UTSA created a phony or “honey” community. The honey community consisted of a website for a fictitious community supposedly close to the UTSA campus.
The website was patterned after other websites from small communities within Texas. It included organizations from five different sectors that a typical small community would include. Once it was developed, it was connected to the Internet for about two weeks and data was gathered on the attacks that were observed. In the short period of time it was connected, more than 3,000 actual attacks occurred on the community in which entities attempted to gain unauthorized access to systems within one or more of the sectors. Two years later, the experiment was repeated a second time with similar results. The analysis of the data gathered led to some surprising results.
The data showed that of the 3,060 attacks identified, 1,430 (46.7%) were an attack on a single sector, 151 (4.9%) were an attack on two sectors, and 52 (1.7%) occurred on three sectors. While these numbers were expected at some level, it was eye-opening to discover that 1,402 (45.8%) attacks occurred against multiple sectors. These attacks WOULD NOT HAVE BEEN NOTICED BY ANY SINGLE SECTOR!
The attacks would have gone unnoticed because most organizations identify a threshold for alerts. No alert will be generated if monitored activity falls below the threshold. An example of this might be failed login attempts.
A single failed login attempt on an account will not generate an alert. In today's environment, with longer passwords and pass phrases, it is not uncommon for a user to make a mistake when typing their password. If, however, a failed login occurred for a given userid/password combination on one system, then seconds later a similar failed attempt occurred on another system, followed by a third and fourth, that pattern indicates something more nefarious than a user mistyping their password. It was this type of activity that was observed and resulted in the 1,402 attacks on multiple sectors.
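The threshold gap described above, as an added example that is not part of the original article or of the UTSA study: a small correlation routine over constructed log lines (the sector names, hosts and userids are invented) shows that a per-sector threshold of three failures raises nothing, while pooling the same failures across sectors flags the userid being tried in several sectors within one minute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not data from the UTSA study):
# "<timestamp> <sector> <host> <userid> <result>"
SAMPLE_LOGS = """\
2024-03-01T10:00:01 water  pump-ctl   admin  FAIL
2024-03-01T10:00:04 power  scada-gw   admin  FAIL
2024-03-01T10:00:07 health ehr-portal admin  FAIL
2024-03-01T10:00:09 gov    city-mail  admin  FAIL
2024-03-01T10:05:00 water  pump-ctl   jsmith FAIL
2024-03-01T10:05:20 water  pump-ctl   jsmith OK
"""

def parse_logs(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, sector, host, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "sector": sector,
                       "host": host, "user": user, "result": result})
    return events

def per_sector_alerts(events, threshold=3):
    """What each sector sees on its own: count its own failures per userid."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[(e["sector"], e["user"])] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)

def community_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """Pooled view: the same userid failing in >= threshold distinct sectors
    within one window, however few failures each sector saw by itself."""
    fails_by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_user[e["user"]].append(e)
    alerts = []
    for user, fails in fails_by_user.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            sectors = {f["sector"] for f in fails[i:]
                       if f["ts"] - first["ts"] <= window}
            if len(sectors) >= threshold:
                alerts.append((user, tuple(sorted(sectors))))
                break  # one alert per userid is enough
    return alerts
```

With the sample above, `per_sector_alerts` returns an empty list and `community_alerts` returns the single pooled alert for `admin`; the same pattern on real logs is what an ISAO-style shared feed makes visible.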
The implication of this should be obvious. Almost half (45.8%) of the attacks that occurred would have gone unnoticed – unless sectors were cooperating and sharing information between them. This is not to say that this sharing of information and the analysis that would detect these attacks is easy. It is a challenge, but the research points to the need for communities (and the sectors within communities) to participate in a robust information sharing program. This is the purpose of an Information Sharing and Analysis Organization (ISAO) and is one of the reasons that the Texas ISAO was created.