Determining the motives for cyberattacks can be tricky

Agencies responding to real-time coordinated cyberattacks must focus not only on eliminating the immediate threat, but on identifying the attackers' motives, a former Defense Department official said during a cybersecurity exercise on Tuesday.

Typically, a widespread attack on computer networks and systems involves a number of seemingly unrelated incidents, and connecting the dots is essential for recognizing potential threats and identifying vulnerabilities, said retired Lt. Gen. Harry D. Raduege Jr., chairman of the Deloitte Center for Cyber Innovation. Deloitte LLP hosted the drill in Arlington, Va.

"The goal is to identify, isolate and mitigate the risk," Raduege said. "Where we'd like to be eventually is not just reacting to threats, but predicting them, based upon incidents that have happened before."

In the staged scenario, an international emergency relief organization's operations center detected three separate incidents of concern: a computer network intrusion traced back to a phishing e-mail that tricked an employee into clicking on a link to provide a hacker with access; a shipping vessel's apparent diversion from its original path, according to real-time sensor feeds; and an employee's unauthorized entry into a secure area of the facility.

"When you're on the ground responding to individual threats, you don't always know that some of these things may be linked," said Stacey Camp, senior manager of Deloitte's technology systems integration practice. By using collaborative tools such as wikis and instant messaging, officials can share information faster to increase situational awareness, she added.

Deeper analysis of the scenario in the drill revealed that the phishing attack gave a terrorist group the data necessary to identify a shipping vessel carrying telecommunications equipment needed to support its operations. The terrorist group passed the information acquired from the network to an employee planted inside the relief organization, who then entered the secure area of the building to alter the coordinates of the ship's destination to the terrorist group's location.

Cutting off all access to the area of the network that had been compromised immediately after a threat is detected might mitigate subsequent dangers, Raduege noted, but it also limits the ability to identify the perpetrators' motives and all parties responsible.

"If you allow [attackers] to persist, and put them in a honey pot of sorts ... you can establish their MO, if you will, and see a pattern that can eventually be used to cut off the operation at the source," Raduege said, comparing the strategy to flying and fixing a plane at the same time.

"In my years in the Defense Department, we were always trying to find out who was attacking who, but it was usually harder to figure out intent," he added.