Governments, military forces and critical national infrastructure organisations typically deal with some of the most sophisticated cyber threats in use today. These threats continue to grow in sophistication and automation, with attackers ranging from highly skilled and motivated organisations (including nation states) and individuals to less skilled attackers using hacking toolkits and frameworks purchased online.
One of these threats is the blended threat (also known as a blended attack), a software exploit that combines attacks against different vulnerabilities. For example, many worms, trojan horses and computer viruses exploit multiple techniques to attack and propagate. A blended threat is a kind of computer threat that combines worms, trojans, viruses and other kinds of malware.
The attack described by the author in the paper "I Love You Led to Denial of Service" exploited e-mail servers, host machines and network infrastructures in what may be described as a blended attack. The attack included a virus that infected an e-mail client, gained access to the client's address book, then mailed copies of the virus to all the entries in the address book.
Some recipients of the first wave of mass mailings opened the messages, which infected the e-mail clients on the recipients' host computers and started the cycle again, producing mass mailings from each infected client. The messages made their way to the mail servers, which also became infected. The bulk of generated e-mail resulted in a Distributed Denial of Service (DDoS) attack, which seriously degraded the performance of the corporate network.
This blended attack took advantage of multiple attack vectors to cause the mayhem. The initial attack vector was a social-engineering attack that enticed a recipient to open the message. The second attack vector took advantage of a flaw in the e-mail client software, which permitted the virus to gain entry to the address book and generate mass mailings. The final attack vector was a deficiency in the network infrastructure, which was not able to counter the effects of the mass mailings. The global cost to remediate the I Love You infection was estimated by Cume (2000) at $10 million, as stated earlier.
In more recent years, cyberattacks such as the Stuxnet and Triton/Trisis malware, and the 2017 ransomware outbreaks such as WannaCry, have demonstrated an increased ability to impact physical systems. In recognition of this, and of the threats that potential physical hazards pose to cyber systems, the term blended threat has also been defined as a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.
Symantec further elaborated on the idea of blended threats in a blog post, noting, “As the malware begins to become contained, a natural disaster hits the region. As people in need of help flood into medical centers, researchers discover additional concerns inside the malware’s code. This type of attack is known as a ‘blended threat’ – a natural, accidental, or purposeful combination of a physical with a cyber incident.”
Until now, we have largely dealt with physical attacks and cyberattacks as different and discrete, but in the near-term future, a cyberattack will be used in conjunction with a physical attack to increase the damage and delay or eliminate timely response. A threatcasting report (threatcasting is a practice of collaboratively predicting the future, similar to the Delphi method) highlighted an anticipated attack using blended cyber and physical resources that would devastate and/or kill around 2 million people, projecting ahead to the population of Manhattan.
Participating in the forecasting process for this report were a large number of folks from the Army Cyber Institute, U.S. Army Cyber Protection Brigade, Carnegie Mellon University, U.S. Military Academy, USAA, Citigroup, New York Police Department, and the author of X-Men. Science fiction authors participate in efforts like this because they are better at setting possible future scenarios for the study group to consider.
The National Health Information Sharing and Analysis Center (NH-ISAC) will use many such threat scenarios in its 2018 Blended Threats Exercise Series, being held this summer and fall in different locations around the country. This six-event series will bring together cyber security leaders from the healthcare industry to work through different scenarios and to learn how to handle a blended threat, understanding its complexity and impact potential.
These scenarios were developed based on a threat-informed, risk-based understanding of the current and emerging threat environment with considerations to recent incidents, such as major ransomware outbreaks.
Blended Threats Exercise Series
The 2018 Blended Threats Exercise Series will include six exercises focused on blended threats (both cyber and physical). These exercises will take place at six geographically diverse locations around the domestic United States and will last approximately six hours each.
Exercise participants should be risk management, emergency management and security personnel, and anyone who works with incident response.
The objective of the exercise is to provide a forum for NH-ISAC members and potential members to use a blended threat (cyber and physical) security scenario to prompt discussion, identify gaps between cyber and physical preparedness, and share approaches from leaders in the community to help inform organizational security preparedness. It also provides participants an opportunity to interact with one another and discuss issues, concerns, best practices and other salient points to help inform organizational security preparedness.
“These exercises will stress participants to consider threat-informed, emerging security challenges that organizations should be proactively preparing for,” said Denise Anderson, President, NH-ISAC. “Considering blended threats and the need to coordinate with multiple parts of the organization, these workshops should allow for candid, respectful insights, ideas and challenges from participants, to help all involved further develop their security programs and preparedness.”