From Russia with Malice? The REAL Issue Behind the Illinois 'Attack'

Wednesday, November 30, 2011

John Linkous

39728eff8ac87a48cfb050f0df29ceaa

Three weeks ago a pump at a water treatment facility in Illinois was damaged by a malicious attack launched by an attacker using a computer based in Russia. 

Or maybe it wasn’t. 

Perhaps the pump was destroyed, but the attacker wasn’t based in Russia.  Maybe nothing happened at all… in fact, the DHS is now denying that a hack even occurred; yet the FBI has, according to reports, launched an investigation.

If we’re honest, there is no consensus on what did, or did not, happen in Illinois – not whether the attack (if indeed an attack took place) was based in Russia, or any other country. 

The purpose of this post is not to speculate one way or another.  The confusion is, however, something that we in the security industry should be very, VERY, concerned about. 

It’s an all too familiar story; something doesn’t feel right, but confirming whether indeed something has happened, if it is something you should be concerned about, what the vector of the potential attack might be, and what you can do to mitigate the damage it could do is very difficult to pinpoint. 

It’s not that the majority of organizations don’t have the tools they need to answer these questions, it’s simply that they don’t have the means to make sense of the multitude reports in order to differentiate the positives from the false positives and the double negatives – and do it quickly.

This problem is only going to get more complex as the role that information networks play in everyday business life. Protecting sensitive corporate and customer data from those that wish to do harm, or use it for their own competitive advantage is increasingly going to be a key battle ground. 

If it takes you three weeks to determine whether or not you’ve been breached you’ll have lost the battle without ever knowing you were under attack.This is why we firmly believe that a new approach to information security is required. 

We proclaimed the death of SIEM as an effective way to protect large corporate information networks a few months ago, and everything we see strengthens our position. 

SIEM is still a valuable tool for collecting log and event based data, but situational awareness gives you the ability to collect ALL network data in it’s native format, correlate it in real time (20 seconds, rather than 20 days) and provides a clear picture of what has happened via a single pane of glass.

Situational Awareness means you can take immediate action to repel or take action to minimize the impact of an attack.

Possibly Related Articles:
10985
Network->General
Information Security
Attack SIEM breach IDS/IPS Situational Awareness ICS-CERT Water Control Systems
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.