U.S. cyberwar against ISIS could use methods and tactics criminals use against enterprises

Attacks could support traditional military operations or open up a new front

Cyberwar against ISIS could bring into play tools and tactics that corporate security pros face every day, only this time they will be used as part of a larger objective than criminal profit.

The goals of the offensive are to disrupt communications within ISIS and between the group and potential recruits, according to a story in the New York Times.

To meet those goals, U.S. Cyber Command could use such means as DDoS and man-in-the-middle attacks, banking Trojans and even ransomware-type attacks that irreversibly encrypt machines (but skip the ransom), experts say.


Cyber operations would support traditional military tactics and carry out missions traditional military forces cannot, they say.

Knocking out communications ahead of ground attacks is standard military protocol and it used to be done using air attacks against communication centers, says James Barnett, a retired U.S. admiral who heads the cybersecurity practice at Washington law firm Venable LLP.

“That’s just part of the preparation of the battlefield,” he says. Now it is possible to accomplish the same goal with cyberattacks against command and control centers, he says.

ISIS has assets with which it buys armaments and pays troops, and it tries to sell oil to raise cash. Using cyberattacks to disrupt money transfers can deny the group some of its military resources, he says.

Cyber weapons could be embedded in command and control networks to gather intelligence or take them down. “Are we that good yet?” he says. “I don’t know.”

ISIS also holds territory that includes cities and towns, so attacks could be made against the control systems that run water and power supplies, he says.

The point of employing any kind of military weapon – physical or virtual – is to have an impact against the enemy, says Oren Falkowitz, a former NSA analyst who worked in Cyber Command, so cyber tactics will be carefully considered.

Attacks could conceivably include malware that infects machines and encrypts them, rendering them useless. But the effect of that wouldn’t be severe enough, he says. “The U.S. government isn’t in the business of just ruining people’s machines,” he says.

Rather, cyber warfare would be executed in concert with other offensive operations on land, at sea and in the air, he says, helping to achieve an overall victory. Done in isolation, DoS attacks and corrupting individual machines are “ankle-biting tactics” that are merely annoying, but they could be part of a larger scheme.


In any war, all weapons have to be brought to bear, but they need to be matched to specific objectives, he says. For instance, cyber methods are already used by intelligence organizations to gather information, and the military could use them as well, but likely for different purposes, such as determining where to direct physical attacks. The objective is to gather enough intelligence to have an impact on the enemy, not just to own a vast amount of data about the enemy, he says.


Of course, Cyber Command has the resources to go far beyond what cybercriminal groups are capable of, which opens the possibility of more complex, multi-layered attacks, says Ed Cabrera, vice president of cybersecurity strategy for Trend Micro.

As an example of this type of sophisticated attack, carried out by unknown actors, he points to the attack on a Ukrainian power grid last year. The attack started with phishing, then incorporated BlackEnergy3, an updated version of a crimeware toolkit that has been around for years. In this case it was embedded in macros in a Word document.

Once inside, the attackers moved laterally through the power company's business network and stole credentials that gave them access to the grid-control network.

But the attack had more layers:

  • Installing rewritten firmware that blocked all but manual attempts to restore power
  • Disabling backup power supply so the operations center couldn’t function
  • DoS attacks against customer-service phones to stop calls reporting outages
  • Use of KillDisk to prevent computers needed by grid operators from booting

Cabrera says he has no knowledge of what cyber weapons the U.S. has in its arsenal, but given that this type of layered attack can be fashioned from known exploit tools, it’s conceivable that Cyber Command could create similarly sophisticated attacks using newly devised methods. “They’re only limited by their imaginations,” he says.

For example, says Barnett, the 2009 Stuxnet attack against the Iranian nuclear program was created specifically to damage centrifuges used to refine nuclear material by attacking a specific type of industrial control gear. Stuxnet was a weapon that did physical damage to a specific target, and employed custom-made tools.

So far, ISIS hasn’t shown itself to be much of a cyber threat, Barnett says. ISIS has made threats to use cyberwar but its efforts have amounted to cyber vandalism. He’s certain the group will come up with more sophisticated attacks, but hasn’t seen evidence that the group can take down an electric grid using cyberattacks, for instance.

It is new for U.S. officials to talk openly about actually engaging in cyberwar, and that public commentary could be political, meant to assure U.S. citizens and allies that the U.S. is taking on ISIS every way it can. Or it may be meant to get in the heads of ISIS leaders, to make them wonder whether their communications can be trusted or whether their data has been corrupted. “They may be toying with them a little bit,” Barnett says.

Regardless, no one should have doubted that cyber tactics were being used, he says. “Cyber offense is critical to any type of military operation,” he says. “It’s inconceivable that we would not use it. It’s conventional now. It’s fully integrated now.”
