Hello everybody. Lots of music today, we'll manage. We have about a couple more seconds before we start. And there we go. Hey everybody. Hey. Good morning. I gave this talk once... Okay, shut up. Thank you.

This is DEF CON, so basically, as serious as I want to be, and as important as this subject is to me personally, and I really want to present it correctly, this is still DEF CON. Which means: I gave this talk two days ago at, yeah, at Black Hat, and I was somewhat serious. But as this is DEF CON, and I also have somewhat less time, I'm going to try and structure the way I swear, so that arbitrary swearing doesn't take away too much time. I'm sorry, it's just gonna have to be this way. So for DEF CON I'm going to be the unprofessional person that I am and say a lot of fuck, shit, ass, and swear words in Russian, as preferable, but my accent isn't that good for Russian, so I'm gonna try.

So, name of the talk. It pretty much spells out what it is: Estonia, information warfare and lessons learned, or the first internet war. Now, you guys want to go sit in the back where the cool people sit?
No, you seriously look cool to me, and most cool people sit in the back, always. You said it over earlier. Yes, I know, but it's not a joke, I mean that. I don't repeat every good joke I have, because I don't have that many. I'm just being honest. So shut the fuck up. Thank you, no.

Now, Estonia, information warfare. Information warfare, plain and simple, is warfare with information. We're gonna disregard most of it, well, as far as it is considered today, and just concentrate on the internet, networks, computers, and attacks related to this. Not on psychological warfare or the press, the media, or anything else that may have anything to do with Iraq or current politics.

Lessons learned: that part is actually going to be limited for this talk, but it's what's really interesting me. I'm gonna have to talk like this in the next room.

So the first part of this presentation is going to be what actually happened in Estonia. Put a little bit of chronology into the situation: who did what, when and where, of course from my limited perspective, and I'm going to elaborate exactly what that perspective entails. And then go to something that is more interesting to me, but maybe not to you, which is what we can learn from this, and some of the strategies we can deduce to use with information warfare from this particular case study. Now, I don't have a lot of time for the second part, so let's hope I get there real quickly. And for the first part, it is technological, but not very. And that is because I figured, for this talk, where we aim at getting to, I don't want to show you yet another... fucking, there we go... packet capture of a DDoS attack. Are you with me with that?
So, important note, and I'm going to go through this quickly, because again we don't have much time, but it is important. The Estonian CERT, the professionals who worked for Estonian ISPs, the banks, all these organizations, they deserve a ton of credit. I had absolutely... well, that's not 100% correct, but almost 100% correct... IAPS. What happened over there: I was there as a foot soldier for almost a week, and I was put in charge of writing the post-mortem for the Estonian attack, recommendations for the future, etc. So all credit whatsoever goes to them. But still, I wrote this presentation, and although Hillar's name, the CERT manager at Estonia, is there with me, it's because of respect. He did not see, nor did he review, this presentation. My name goes to me; all credit goes to them.

Who am I? My name is Gadi. Yo, wake up, I know it's late, and the party is already... it's around 10 o'clock. But okay, shut the fuck up number 2. Thank you. I'm not going to be nice to you people. Yeah. So my name is Gadi, I work for a company called Beyond Security, a vulnerability assessment vendor in Israel, and this is basically what we will be talking about. So... second time it gets me again, I'm sorry. Sorry, it's very late.

So this thing in Estonia happens, right, and it happens for the first week. And I used to run the CERT for the Israeli government, and I managed security operations for the Israeli government ISP, and I figured, hey, you know, these things happen. Whenever there is some sort of political tension or military tension, after that, always, there are some guys, some group of people, no matter who, who go online and say "those fuckers" and immediately proceed to coordinate a little bit. Number 3. There will not be a number 4. Do I sound like a teacher or not? Except for the swear words.

So two weeks pass, right, and I know the Estonian CERT manager from all these global internet security operations going on, and I sent him an email saying, yo Hillar, do you guys need any help? And of course we worked together before that and all the regular stuff. And he says, when do I pick you up from the airport? So that was pretty much it.

So at first, when I heard about Estonia, I said, hey, you know, it's a small Eastern European third world country or something, right? I don't know where it is. So I immediately thought about the Dilbert cartoon with Elbonia, some third world country in Eastern Europe. Their main export is mud, and their main underground is babies with beards, or pictures of, I'm not sure, so you can adopt them and send a lot of money to the Elbonians. And I said, okay, let's go. And apparently I was very, very, very wrong.

One: it is a small country in Eastern Europe. Not related to Eastern Europe. It's .EE, and it has about 1.3 million people living there. It's the northmost (I got some comments on this) of the three Baltic states, which pretty much makes it Nordic. I mean, they're still Baltic and everything, but I went to Estonia, I got an email from F-Secure, an hour and a half later on a shuttle I'm in Helsinki drinking beer, microbrewery beer, pretty interesting stuff. It has a flat tax for everything, really interesting, and there is no tax on beer, which is... or alcohol in general. And yes, there are a lot of blonde girls over there. I'm sorry, but that was unbelievable.

But more to the point: after the Soviet Union failed, they started building their infrastructure, and they did it to... shut up. Seriously, do I need to separate you?
You go to the corner. So after the fall of the Soviet Union... guys, seriously. Seriously, please. I know where you live. I can sit on you. To the motherland! Yes, blyat. So after the fall of the Soviet Union they started building their infrastructure from scratch. They didn't have anything, so they used the most advanced technology they had, which is of course the internet. So they have, for example, around 1998, I don't know, acceptance of online banking. For some of us... really, all these people check their account status online. Seriously. They transfer a little bit of money, that's cool, but no: stop people in the streets (and I'm using absolute terms here, it's not absolute): when have you last been to the bank? Last evening? Ten years ago. It's unbelievable. Complete acceptance.

They have ID cards, which for some of you in the States will give the shivers, and they have them with PKI chips, which is really interesting. And because of this they have actually held two elections, one of them for the parliament, from home. Meaning they actually voted for their government from home, using their internet connection, using their ID cards. But it's cool, down to earth, I mean they're so internet... Guys, seriously, this is not going to work, I don't have a lot of time. Thank you.

So even in elementary school, grammar school, parents can go to the website every evening, get comments from the teachers, see what classes their children have tomorrow, prepare their bags, etc. It's an online society, for real.

So the attacks start. But before that... no, guys, seriously. Dye. "Dye" is "death" in English. So unless you want me to personally come down there and pull your ears away from your head, I'm being my... the way they describe me online right now. So please stop. Thank you.

So everybody knew the 9th of May is coming, which is the day Soviet Russia won over the Germans. There's a lot of political stuff going around. So the Estonian ASO, which is the government's ISP (just imagine that in the States for a second: the government taking away all the work from the ISPs and putting all government sites behind one ISP, that's going to work), so they're the government ISP. They speak, they talk: we're going to expect some trouble to happen, so let's do something extra.

And as you remember, earlier when I first spoke of Estonia I was a little bit surprised, and things progressed and I learned about their technology. They're not stupid people. They have a very interesting culture, which is important for this talk. Again, very important. And speaking of this, ID cards with PKI chips and their online elections: they have a very open environment over there, and this is very important again. A friend of mine heard a talk about their implementation of PKI and their ID cards and all of that, and the guy goes on stage and lectures, and he speaks about their failures. He does not speak about their challenges, milestones. He does talk about how they implemented it; he talks about their failures. They're a very open society. They are in fact a full disclosure society, meaning full disclosure comes first, then we keep things secret if we have to. Let's solve the problem. It's a very different mindset than what you would expect.

So they talked a little bit and said, yeah, we can expect some trouble. Let's prepare some very strong web server, put it on some highly defended network, and let's talk to some sensitive websites and tell them: prepare a plain text version of your website, just in case. It sounds reasonable to me. They all spoke... I'm always finding it funny: raise online awareness. We need to raise something from green to red for online people, or we raise awareness status or alertness status, something like that. What are they going to do with that? Put somebody extra on the night shift so they can play poker, look at the same screens? Never got that. So they got a little bit better at this, and then stuff started. This is DEF CON, so let me put my arbitrary shit: Saturday, 27th of April. Was it Friday?
27th of April, the attacks start. Now this is very interesting: the attacks started at roughly... roughly exactly the same time as the riots in the streets of Tallinn happened. Now we didn't really speak much about what happened in the streets, what the political situation that caused this online aftermath was, and I don't really want to go into the Russian standpoint or the Estonian standpoint, because I see it as beside the point for DEF CON. Let's just say, on the Estonian side, Russia basically conquered Estonia for a long, long time. Then the Germans, the Nazis, came in as saviors, they drove the Russians out, and then the Soviet Union came in and kicked the rest, which was pretty cool. With the Russians on the other hand: 20, 30 million Soviet soldiers died during the Second World War, and justifiably the ex-Soviet states are very, very sensitive about this. And this goes on and on, and both sides of the argument... whenever I tried to pick sides I always got a little bit to see how complicated the situation is. And coming from Israel, I didn't really pick any sides, and honestly I had a lot on my mind already, but it was interesting to see the culture.

So let's get started real quickly through the timeline. Really, really quickly through the timeline. Saturday, attacks begin. Now, on the 27th of April at 2 a.m.
People start saying, hey, what's going on here? Let's call Hillar from the CERT. They're really good people. Guys, cut it out. Last time, I mean it. No, I will not be one of these guys that say "last time" and then say "last time" again for three times. I've already been that gay. No offense to any gay people; in Israel we have a different word for that. For four times now. So once again, one more time and you're out, if I have to take you out myself. Thank you. No, I said shut up. Hey.

So they call Hillar from the CERT on Saturday. He was on his way back from a conference in Dublin, and they say, look, Hillar, we have a problem here. We have a lot of attacks, more than we expected. What can we do about this? Well, you know, servers are really kind of crumbling. And they decide to move the attacked websites, the currently attacked websites, to the secure web server that they put up, and that was that. Call ended.

The next day there is another phone update at 6 a.m. Hillar has already landed, and there are new targets now under attack, and the new well-defended server is under severe stress. This is the point to mention that this defended server was actually behind an OpenBSD firewall, and that one machine is the only machine that survived unscathed throughout the whole incident. If you have any OpenBSD fans in the crowd. One.

Now, on Saturday at 6 p.m. there was a staff meeting. People actually got together at the ASO, the government ISP office, and they started discussing all the different types of attacks happening. Again, nothing too special, we've seen it all before, but still it's really big. They said, hold on, stop, what's going on here? And the interesting thing is, because this was so big, they weren't able to collect correct metrics on this. So the attack actually resulted in 100 to 1000 times (this is a guess) the normal amount of traffic. They proceeded with basic incident response, much like anyone would do, and that was that.

So they are still not sleeping. They have another staff meeting. The attacks are up, a lot more often, more successful. They have a realisation coming that this is not regular. They came to the words "cyber riot". I don't like the words; I don't like cyber-something-anything. But there were riots in the street, and they have seen all these things that we are going to talk about in a second happening on the Russian websites, blogosphere, blogs, forums, whatever: that all these people, the population itself, really didn't like what was going on in Estonia and were fired up about it. So they called it cyber riot, and we will discuss that a little bit more in a couple of minutes.

Now, all these Russian-speaking, or Russian-language, websites, forums, blogs started really discussing what was going on. But it was really quick. It happened like that. And suddenly... We have seen memes, we have seen epidemics, societies, blogs; within hours certain information is everywhere, a link, whatever else. This was much faster. We can't say for sure, beyond a shadow of a doubt, that this was something which was organised or anything else, but somebody took the time to go to all these blogs, to go to all these forums, tell them: look guys, this is what's going on, let's do something about it. And usually when these attacks happen, all the difference between cyber riot or terrorism or whatever else you want to call it, usually the defacements or DDoS: this was not just one group who attacked. It was a whole lot of people who got pissed. And the one phrase that kept repeating itself was "fucking Estonian fascists", or Nazis, or whatever else you want to choose. Any Russian who would like to explain to you why, they're welcome to do so.

Now these guys, the Estonians in the meeting, quickly reached the decision that, well, being in emergency mode, or in red mode or in black mode, if any of you know the color theory for shooting, is not scalable. They have had a couple of days, three days of confusion, and they got through it. Now it's time to make this routine, to make the incident response more maintainable. So they decided: tomorrow the weekend ends. It was really luck that it all happened during the weekend. We need to start getting our act together. They sent people home, and the next morning they came there at 6 a.m. This is what they found.

Basically, this is from an Estonian newspaper, and you can see the geek, or not geek, on the left (yes, I'm actually interpreting the picture), with his aunt, or mother, or grandma behind him, really not understanding his online game, firing his Kalashnikov, I mean, sorry, AK-47 for you Americans, and, well, that's the wall behind him, basically through the screen, as you can see. So the guys in Estonia really like this picture, the representation of what happened over there, and I think it's pretty neat. If you want the actual... this is not going to be in the presentation because I don't currently, right now, have the URL to attribute it to, so I just put it here for now.

The blogosphere. If you look for this (this is actually Latin rather than Russian, but if you look for this online) you will find a ton of websites talking to people and telling them, basically: guys, you are sci-fi fans on a sci-fi forum (sorry, SF for any of you fanatics, and I'm a sci-fi fanatic, by the way), any of you are free to right now go and fight this. Look at what Estonia has done to the monument and all the graves under that. Let's set the politics and why it happened aside for a second, and here is how you do it: you open a command... run... whatever window, you enter CMD, you click enter, and you do ping, and then you click enter, and then you write ping, and then you write ping. Now this sounds very silly to some of us here, but hey, that simple action of being able to do something got people fired up.

Anybody here can read Russian? Dimitri, are you around maybe? No Dimitri around? Okay, who can read Russian here? You, raise your hand. No? Can you try and read that for us please, for a second? Translate it if you can, please. Can you try, please, if you can? No?
Okay. Basically this tells people about what happened, and if they want to take some action they can, and it explains to them how to open the console window and click enter after all the ping commands. And it's pretty straightforward, as you can see. But still, this is not very complicated. It gets people fired up, no more than that. So let's try and automate it a little bit. This is just a simple batch script, a batch file that lets people do this automatically. Most of the targets were government; this was political to a level, of course. But there were other tools as well, DDoS tools, whatever you want, it could be downloaded. And as people got fired up on this and got excited about this, other people started taking note.

So before everybody starts jumping out and asking, hey, hey, hey, who's behind this? Who did this? Did the Russians do it? I can right now say, from the blogosphere perspective only, that either this was a really... the first self-learning, self-adjusting attack I have personally ever seen, or, to a level, this was planned, or more to the point, organized. Now there were actually, much like the instructions that came on the Russian-language blogosphere, periodic updates telling people, hey, these are the DNS servers, this is the tool you need to use tomorrow, and use this script instead, etc. This responded directly to what the defenders in Estonia were doing. Now, who did this? That's a question we'll have to try and answer later. I'm guessing these guys. But...

So another thing of interest that happened was ad hoc intelligence. Many Estonians who spoke Russian went on these blogs and forums, and in ad hoc fashion, through their social networks, their social wealth, they started passing this information around, and it all drained directly to the Estonian CERT somehow. This was not organized. So the Estonian CERT could actually pick up the phone and say, you know what?
Tomorrow is DNS day. Prepare your servers. Which was pretty nice.

Here you see another tool. This is taken from the F-Secure blog, about the specific DDoS attacker for Estonia. And let's just look a little bit at the numbers. Somebody told me I have a miscalculation here somewhere; I'm not sure where it is. So the ASO, which is only the government's ISP over there, and only for the first day or two: they have a 10 megabit line, and they had a 4 megapackets per second attack. Now a packet can mean anything from a few bytes to a few kilobytes, or more, so these are not exact numbers, of course, and again, metrics were a problem. So from a 4 megapackets per second attack of ICMP echo (there are different attacks here) the attack became 1.2 megapackets per second, which is interesting. That was just the initial filtering. The Cisco Guard was actually sitting around there, waiting for a demo. They got all the dust out of it, connected it, and it got down from 1.2 megapackets per second to 150 kilopackets per second, which was pretty neat. They configured the Cisco Guard a little bit further and they got down to 3 kilopackets per second. Now, looking at the traffic itself, it was around (again, none of these numbers are complete, this is a work in progress): you can see 3 megapackets per second of ICMP echo in general attack traffic, 1 megapacket per second of SYN flood traffic, etc., not really clear on that, 150 kilopackets per second of other attack traffic, and this is not final, of course, only 3 kilopackets per second (fuck off) of legitimate traffic. So this is pretty neat, in my opinion.

Now, we can compare these attacks in many cases to other attacks we've seen, and honestly this is nothing. Why are we even talking about this? You know, we have seen the root servers, DNS root servers, under attack. We've seen many large ISPs under attack, and I don't know, I mean this 4 megapackets per second is big, it's significant, but it's not that. So one, it was pretty sizable; again, 4 megapackets per second is not bad. And it was just right for Estonia. The resources were used correctly. This is very important. But to be honest, even if this wasn't... even if this was completely insignificant traffic-wise, what we can judge it by is actually the significance of its impact. If one guy walked by with a stone, it would cause this impact. As far as I'm concerned it's exactly the same. I don't care.

Now, the scale of all the different attacks that were actually happening as this was going on: this was not just ping commands. We are going to see a little bit more right now. That was really impressive, that I have not seen in a while, and not on that scale, ever. Ever is a strong word. So there are a few attacks of interest. There was, for example, a spam attack, or an email attack, against the Estonian parliament, and this, I believe (again, not exact times), resulted in about two days of downtime. Now, this was during the weekend, I think; sorry, I can't verify that right now. But two days of downtime for the Estonian parliament email systems, in a country that's internet-based to that far a level, that's critical. There were a few other attacks. For example, two routers crashed. There were many other routers out there that suffered some crashes and stuff like that, but the main attacks that actually happened: one router was actually misconfigured; it allowed connections to go directly to it, so that router was taken out. The second one, the router just couldn't handle the traffic. Seriously, one hundred times, a thousand times more. How much do you leave behind over your current needs of maximum use? Not one thousand times over, right? Not even ten times over, in most cases.

Now we can look at this graph, for example, and this is from MRTG, created in Perl, and you can see two spikes on the left side. Now, we have seen this with other botnet attacks; this is not special to Estonia. But we believe these are measurement attacks. You can't be sure, but basically what happens sometimes is that you see some sort of concentrated attack. It goes on for two minutes, five minutes, or something like that, and then at some point it disappears. Well, not some point: two minutes after that it disappears. Between an hour after that to three weeks after that, a huge attack follows. This time it wasn't that long, but that's pretty interesting, to see a little bit of organization of botnets.

Where did these botnets come from, by the way? To be honest, the botnet attacks were quite regular. Now, there are so many different forms and attacks happening, but there were no bots, or nearly no bots (measuring was kind of problematic), attacking from within Estonia. Or, if it's your organization, from within your organization. We can know that there are bots everywhere. Why did the botnets exclude the bots from within Estonia in this attack? That's not directly clear, but it's very interesting, and I would like to discuss it a little bit later on, because this did happen.

This graph is pretty interesting. There was a comment, this I believe also was on the F-Secure blog, but I can't find it, and I'm sure I saw it somewhere else as well. A comment was made by someone on one of these forums saying, you know, I created a PayPal account, I created a fund to hire a botnet to Estonia, please donate money. Which is pretty cool. On the same thread somebody else said, hey buddy, I'll donate two of my botnets. This is the important thing. This is about firing up the population. Yes, some of the population cannot do much, but a lot of these people are capable. Some of these people actually know security, or have a botnet ready for spam, or whatever else you want to do, especially when it comes to Russia. And again, this is my usual disclaimer when I say this: I honestly have nothing against Russia or Russians. A fifth of Israel is Russian. My ex-girlfriend is Russian. But yes, it was Russians. They were attacked. And Russia has a lot of cybercrime going on. No, no kidding. So in this graph above you can actually see one of the attacks disappearing at some point, exactly at 3 a.m. Estonian time, which is midnight GMT.
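The measurement-attack pattern just described (a short burst, then a much larger flood anywhere from an hour to weeks later) can be flagged from ordinary per-minute traffic counters. This is an added defender-side example, not code from the talk or from the Estonian responders: the traffic samples are constructed, and the baseline, multiplier and duration thresholds are assumptions.

```python
"""Detect short 'measurement' bursts that precede a sustained flood.

Added example, not from the talk: flags short, high-rate probe bursts in
per-minute traffic samples and pairs each with a later sustained flood.
The samples below are constructed; all thresholds are assumptions.
"""
from datetime import datetime, timedelta


def build_samples():
    """Constructed per-minute samples: (timestamp, packets per second).

    Baseline ~1 kpps, a 2-minute probe at 03:00, another at 09:10, then a
    45-minute flood from 12:00. Purely illustrative, not Estonian data.
    """
    start = datetime(2007, 4, 28, 0, 0)
    samples = []
    for minute in range(24 * 60):
        ts = start + timedelta(minutes=minute)
        pps = 1000.0
        if 180 <= minute < 182:       # 03:00-03:01, short probe
            pps = 60000.0
        elif 550 <= minute < 552:     # 09:10-09:11, short probe
            pps = 45000.0
        elif 720 <= minute < 765:     # 12:00-12:44, sustained flood
            pps = 400000.0
        samples.append((ts, pps))
    return samples


def find_runs(samples, threshold):
    """Contiguous runs of samples at or above threshold: (start, end, peak)."""
    runs, cur = [], None
    for ts, pps in samples:
        if pps >= threshold:
            if cur is None:
                cur = [ts, ts, pps]
            else:
                cur[1] = ts
                cur[2] = max(cur[2], pps)
        elif cur is not None:
            runs.append(tuple(cur))
            cur = None
    if cur is not None:
        runs.append(tuple(cur))
    return runs


def classify_runs(samples, baseline_pps, factor=20.0,
                  max_probe_minutes=5, min_flood_minutes=30):
    """Split elevated runs into short probes and long floods.

    factor: how many times baseline a sample must reach to count as attack
    traffic (assumption). Runs between the two length limits are ignored.
    """
    probes, floods = [], []
    for start, end, peak in find_runs(samples, baseline_pps * factor):
        minutes = int((end - start).total_seconds() // 60) + 1
        if minutes <= max_probe_minutes:
            probes.append((start, end, peak))
        elif minutes >= min_flood_minutes:
            floods.append((start, end, peak))
    return probes, floods


def correlate(probes, floods, min_gap=timedelta(hours=1),
              max_gap=timedelta(weeks=3)):
    """Pair each probe with the first flood starting 1h..3w after it,
    the window the talk gives for a follow-on attack."""
    pairs = []
    for probe in probes:
        for flood in floods:
            gap = flood[0] - probe[0]
            if min_gap <= gap <= max_gap:
                pairs.append((probe[0], flood[0]))
                break
    return pairs


def analyze(samples=None, baseline_pps=1000.0):
    """Run the whole pipeline; returns probes, floods and probe->flood pairs."""
    if samples is None:
        samples = build_samples()
    probes, floods = classify_runs(samples, baseline_pps)
    return {"probes": probes, "floods": floods,
            "pairs": correlate(probes, floods)}


if __name__ == "__main__":
    result = analyze()
    for probe_start, flood_start in result["pairs"]:
        print(f"probe at {probe_start:%H:%M} precedes flood at {flood_start:%H:%M}")
```

On real MRTG or flow data the baseline should come from a quiet reference period rather than a constant, and a probe with no matching flood is still worth an alert, since the follow-on attack may not have arrived yet.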
This is why I believe this particular attack was indeed a hired botnet attack.

Now there are some special botnets around. We've seen this before as well, but this is not often used unless you have a real nasty target you just want to take out. And these happen every few months, usually. Somebody builds specific botnets using samples from a new code base that anti-viruses, and nobody else, have basically seen before. These do not propagate. They do not really infect. They are bigger. And these, honestly, are just there. They do not connect to a command and control server; they do not try and get orders; it's hard-coded inside. So what we believe happens usually, and we've seen this actually in action, is that a current botnet, with a current pool of victims, gets this sample dropped on these machines. If you look at these machines, regularly you find that botnet sample there, probably a few others as well. You can correlate that. So this was a special attack. Raised our eyebrows a little bit.

Incident response. Let's talk a little bit about what the Estonians actually did to combat all this. So, basic stuff: what are the sources of the attacks, of the attackers for that matter? Who is attacking us, where are they from? And targets currently under attack: we want to take care of that, we want to secure these servers. Now, if we are actually dealing with botnets, can we find the command and control servers, the CNC server, or the C2 server if you're from the military, and take it out, or do something else to it? Which... you guys are scaring me. Okay. So, thank you. Woo. Let's move on.

If you can see the command and control server... this is one issue about Estonia, if you think about it. If you can detect the bot on the network, or know where it comes from, you can try and sniff it out, or just this: Estonia is a very small country, as we discussed. Everybody knows everybody. They can raise the phone and say, hey buddy, you have this bot on your network. Or, more likely, step outside into the street, walk 2 meters and go into the second building, and you find the botnet and you look at it, the server it connects to. So this is very interesting: whether it was OPSEC (do not use bots inside of Estonia), whether it was a fluke (hey, things happen, although I don't believe in this), or whether this was an actual attack plan, no bots were found in Estonia.

The internet is international infrastructure. It's not national infrastructure. It's your computer, your computer, my computer, and a computer for somebody in Korea and somebody in Nigeria. All these computers impact everybody's security. So to respond to this Estonia incident, you have to do quite a bit. Now, the main goal of the first responders, of course, was: one, bring the systems back online, if not keep them online. Try identifying... I mean, you cannot anymore respond by identifying attacks. You start by identifying their impact. Meaning, hey, the light is off over there, what happened? Don't identify the packet going there. You can't do that anymore. It's gone. This is very big, for me anyway.

Now, on the 28th there were two decisions made on mitigation approaches. Now again, don't concentrate on the sources but rather on the targets first, which means also the impact, what happens. Then they said, you know, we can't really do technical analysis anymore. Do it only when it has a direct and a clear effect on mitigation. We're in mitigation mode. Now again, Estonia is in a very unique situation. Everyone knows everyone, or, more to the point, everyone can get in a car and drag people out of bed. And when you drink, you have to get out of bed, and it's very painful, and it's a culture issue. I went to Estonia, I left a few days later, and don't remember anything that happened there. So, kind of like DEF CON, you know.

Being small, they are very concentrated online. They could actually do things like blocking incoming connections to their banks or other websites at some point. This is not usually the best response. One network I was at actually blocked... you can never know everything, but actually blocked Germany off. It's not useful in any way. This is not really a long-term solution, but I blocked the networks that were disturbing me and then worked behind the scenes to get the network back. Those of us who work on networks can pretty much see this. And they don't necessarily have to block. They can decide, for example, that only within the internet exchange of Estonia can connections be made to the banks, for example. Not everything has to be a negative technology.

Now, Estonia's luck is really the CERT. There are a lot of people that did a lot of work, the professionals with the ISPs, the banks. But honestly, the CERT took these people and made this into a response. Estonia, as advanced as Estonia is, and we discussed that, they are not ready. They were not ready, I'm sorry, for this attack. Yes, there have been attacks before, but still, they were pretty much virgins in online attacks. They have not seen this scale before. Sorry: we have seen attacks, we have seen large attacks, but in the entire country, with such an impact (and we will discuss the impact in a second), it has not quite been seen before. Bye-bye. Long live the motherland. Blyat.

So the CERT, basically, is there to respond to incidents, right? Now I can actually smile. The CERT is there to respond to incidents, and as such, of course, it manages incident response. It does a lot; it coordinates people. And in a small country they can actually, again, raise the phone, or go over to people and get things done. That's pretty cool. But this particular case was better. Hillar is a great guy, and he can kick your ass. Sorry, this is DEF CON, I'll say a lot of "ass". He can kick your ass if you want to do what you need to. Hey buddy, where are you?
But if it doesn't work, I'll kick your ass. Basically the CERT there is really cool people. There are only two people, really. Really, really. And they've done an amazing job. The luck of this was: the first attacks were against the government, where it was also concentrated, and most of these websites were hosted at ASO, which has an uplink to Elion, which is the main Estonian ISP. So most of the incident response was done by the CERT, ASO (the government's ISP) and Elion. Then the attack spread, but most of the other servers under attack were also at Elion. So everybody got together, and the CERT ran some Jabber server, or IRC server, I don't remember exactly what, to get all the chat going, and it basically, by consensus, and by effect of being there, got to be the leader. They, yes, they are the body that's supposed to respond to this, but they are somewhat civilians, and they just made it happen.

So what saved Estonia is the incident response. We cannot always... I mean, we have to admit to ourselves, as an industry: yes, we want bad things not to happen. Yes, we want to try and prevent them. But whether by malice or by mistake, and there is a very important quote on that that I won't make right now, because I can never remember it, shit will hit the fan, and we will all... and we are all judged by how we respond to it. For them, oh my god, I want them working anywhere that bad shit happens, any day. Seriously.

So, global incident response. Again, it's the internet, and they are... just two people and the other professionals in Estonia. What are they going to do? So they escalated, much like you call an ISP, second-level escalation. They saw the sources of attack. They asked four CERTs from Europe: can you help us out?
So these CERTs sent out abuse reports, raised the phone and called people from Germany, Finland and Slovenia, and they got in touch with the internet security operations community. Yes, Hillar was directly in touch as well, but these people really helped. It is a global village, sorry for the term. So incident response on a global scale was critical. We can't ignore the fact the internet is global. Well, we can try and say that internet governance works and that .xxx and .net get a lot of money, but that's not really what scares me these days. So let's discuss Estonia's, what I call, predicament of e-success. And this is pretty much known: the more technological the country is, the more reliant on technology it becomes, and therefore it's more vulnerable. More technology, more vulnerabilities. And it's the same about basically usage and reliance on the internet. So most of the banking clients in Estonia haven't been into real banking for how long, ten years? Not all of them, most of them. And during the downtime of a couple of large banks, the downtime over there, people could not buy groceries. They couldn't buy what Hillar calls milk, bread and gas. Everything goes online. If the online transactions are no longer... if the internet is down, this is down. Now of course there are all the non-client transactions. This is really big. We need to actually make the move and understand that progress is good, but what of resilience and fallback? Consider e-banking or online banking. It's great progress, and I'm not talking about fraud right now. But if there were four branches before and there is one now, because all these expensive clients now use the web channel, which is cheap, and that's great, what about fallback if something happens? Now I'm not saying that banks, for example, should be regulated further, or stuff that's not credit or client or money related. But consider, this is critical infrastructure, and we'll discuss that in a second, and I'm not sure whether they like regulation or not. Forget
regulation. If the bank is under such an attack, where will they go for help? They can do their own incident response, but this is beyond that. Estonia is really a window into where we might be. We are all reliant on the internet at some level. I'm not sure Israel is reliant enough to die if somebody attacks it on the internet. No. About the US, I really have no idea. Maybe some recession, maybe more. Estonia is all the way out there, to where we are heading. This is a window to the future and we have an opportunity, but I hate the term window of opportunity. Let's use it as storytelling for the evening, you know, at night. We need to think about this when we make progress happen. Let's progress, because we don't have a lot of time. Critical infrastructure actually proves to be the private and business sector, not the transportation and energy systems, not SCADA systems. Yes, this is critical infrastructure: the military infrastructure, the civil infrastructure, energy, transportation. But it's not what was attacked, it's not what will be immediately attacked. It's always first that, then the business sector or whatever, and then everything else. But seriously, we need to put this first, at least consider it in more serious terms. We can't tell the private sector what to do, at least I don't want to, but my opinion is this is critical infrastructure, and it proved to be critical infrastructure in Estonia. You know what, it was ISPs, which is pretty obvious; the banks, which may not be as obvious; and media websites, the press. Let's not talk about manipulation or hacking, just the idea of all the media websites, most of them, being down. Silenced on the radio, very bad. Radio station. Now, another critical infrastructure which presented itself is actually you and me, every single one of us. What we can't even handle in cyber crime in everyday life, with every user and their grandma having viruses and malware and everything else on their computer. Not good. So these users have become critical infrastructure.
Consider attacking from outside of Estonia and inside of Estonia. This is pretty amazing. Some of us know about the critical infrastructure. Some of us know about the civil, sorry, the private or the business infrastructure. This, just some of us maybe consider sometimes, but we don't know how to handle that. On the high-level front: information warfare is usually on a very high degree of "this is national security strategy, this is general war strategy." Information warfare can be used as fighting, it does not need to be war, as part of the overall fighting procedure or war procedure. Then we have some spots going around, but all the way down we drop, with some theory and some actual action, all the way down to packets: this computer attacks that computer. We may have some planning, we may have some logistics backing that up, but this is missing. Estonia is amazing because it provides us with actual case studies. Let's go through them if we have time. Who was behind the attacks? Doesn't everybody want to know? The KGB. Okay, not. But it sounds good. So first of all: ad hoc, loose coupling of people coming together and doing some stuff to get things going, or was this a planned assault? I don't believe it was Russia. Well, that's my opinion. There was organization, there was planning. But hey, so blogosphere, meme, epidemic. The internet is perfect for plausible deniability. Consider there were botnet attacks from compromised machines, spoofed attacks. What are you going to do?
So, information warfare: you may know who your opponents, your rivals are. You may know your enemies, but you most likely, from technological sources alone, will not know who your attacker is. So there are quite a few indications, there are four, honestly, that this incident was organized and planned, again, to a level. It started virtually at the same time as the incident in Tallinn streets. The Russian blogosphere basically was updated periodically, responding to the defenders. Virtually no bots attacked from within Estonia, although that changed later on. So, OPSEC fuck-up when they attacked later on. About this being planned, I don't know, but it's about sources. Interesting. Now, the Russians are coming. Not. This could be a coincidence, each of these alone, but honestly every single one of them, the indication alone, shows some organization. Again, I don't know on what level. So ad hoc, fully planned assault, I don't know, I won't know. Was it the Russians, in fact? Yes, it was the Russians. Was it Russia? Opinion ebbs of fragging loosely not. And you can read the tone of how the Russian politicians spoke, and the Estonian politicians said a few things, which you can see the tone is pretty much "yeah, that's cool, but no, we don't watch, we are not doing that." But I can tell you more than that. So I tried to come up with a term for discussing... You know, botnets have been out there for a while, but how do you describe a soldier who may be working for you and for your enemy? A traitor, friendly fire, I don't know. So I came to this thing called biological warfare, an example here, which is: let's trade prisoners, and let's infect them with biological warfare, germs, whatever. So I came across this fifth column concept, which different Wikipedias in different languages, Hebrew and English, actually define differently. But it's attributed originally to Leon Trotsky, or Lev Trotsky, who spoke about this and used this, but it's really attributed in history to a general in the Spanish Civil War who was asked, okay, so how big is your
army? "But my fifth column is inside Madrid." So whether this was some sort of covert action inside of Madrid, or the people of Madrid themselves, I don't want to go into politics. Some people have been calling this, talking about Iraq and Vietnam, unrelated politics. People have been abusing this term. These people can actually be shooting at you and shooting at the enemy at the same time. They're owned. Owned computers. So we have botnets. Another interesting example is from Japan. We have Winny. Winny is basically a P2P application in Japanese, and I don't want to say every, but every computer in Japan has it on. There are vulnerabilities in it. The author was arrested, he was released. I don't know if you ever want to patch that, but it's pretty scary that one application, which has been used before to steal information from computers that had sensitive information on them... And Winny, that scares me. I don't know what application nobody doubted it on every computer. Not every, but yeah. So Martin van Creveld came up and said, today, pretty much straightforward, but it won't always be countries we fight. Might be organizations, I'm saying. I'm not Martin, but this is populations we are fighting. Now, the attack strategy, and we'll go through this really, really quickly because we don't have time. So cyberterrorism versus internet riot. It's mob control. Consider, if you're one person, or maybe 20 people in a mob, going a little bit to the right, it will follow you. If you say "down with that statue," that statue will go down. What about the internet, with blogs, with comments, all that stuff going, sorry, that kind of shit going around? It's really interesting. So online mob, online control. This is taking psychological warfare or intelligence warfare and putting it under offensive. It's pretty damn cool. It will get attention in the future. So attackers from the world and within Estonia, respectively, pretty interesting. Attacking the business and private infrastructure, as we mentioned, and the routing
infrastructure, which amazingly comes last. So, the defense's goal was simple: maintain regular service and stability of the country's internet. That's cool, but Clausewitz on defense basically said something of the sort of: defense is more powerful than attack, because the more that engagement goes on, the stronger the defense becomes and the more organized, and the more logistical soldiers and organizations and stuff like that people need to leave behind. I'm not really interpreting Clausewitz for any of you now, so Clausewitz scholars or whatever you call yourselves, please don't kill me. But this is not necessarily true for online. Yes, I tried to come up with an answer to the question of: is information warfare the same as warfare? And in many cases there are things we can study and learn, and we can look at information warfare as fighting. Yes, it can support, it can be a tool with regular warfare, but it's not analogous to warfare in the way that aerial warfare is analogous, in a way, to marine warfare, and there are differences. It's a completely different, in my opinion right now, it may change, form of warfare, and Clausewitz is, in my opinion right now, wrong. Although, whatever is the main thing that runs this warfare thing online, the niches can really become the main thing. Everything changes all the time. So, defender strategy. You already heard some of it. It must be told through the story and I will try to do it in one minute. So, crowd control. Consider, in the streets of Tallinn, they actually closed the people in. They said, you know what guys, here are the people, let's close them in, let's try and contain the incident. This is incident response, which is basic, not what we invented in computer security: respond to the incident, contain it. Better forces will come on later, we don't have to discuss that. But culture specific: these are Russians. Russians are great people but they love the liquor. It was a liquor area, they all went on at 5 am. In Paris, I don't remember if this is true, but some of the strategies are,
for example... Okay, 30 seconds. Okay, let's move through this real quickly. There is the broken windows theory, which I really wanted to talk to you about. Intelligence, deception, border control, cultural importance. And, which is from the Bible, which means "in cunning and tricks you will wage war." And I don't have time to talk about all this strategy and the political implications, I'm sorry. Political awareness: why this is the first internet war, because the politicians knew about it, talked about it, and it's their war. This on the left is Hillar. That's Ivar on the right. I'm Gadi, and thank you very much. We don't have time for questions.