December 21, 2008

White powder letters sent to state governors: dry run or distraction?

The Dallas office of the FBI reports that letters containing a suspicious white powder have been sent to the offices of 40 US state governors as well as several overseas US embassies. Initial field tests indicate that no biological agent is present in the powder, so at least it does not appear to be a repeat of the anthrax used in the 2001 attacks against media outlets and the US Congress (field tests are preliminary; laboratory confirmation is what settles it).

My question is: dry run, distraction, or neither? Was this a dry run preparing for a forthcoming attack? Maybe the purpose is to distract, pulling government resources toward this ruse so that other nefarious work can occur undetected? Or neither: maybe it is just someone looking for 15 minutes of fame?

For the security and IT professionals out there, hopefully this incident reminds you to always look for the motive(s), to think about your detection systems, and to consider how you handle post-incident follow-ups.

Motives of Your Attackers
You might consider conducting a review of the possible motives of your attackers, working through the scenarios and outcomes, and then determining whether your countermeasures are sufficient. If you have a team (in other words, there is more than one of you) this is a good candidate for a brainstorming session in a conference room or at an offsite location. And let's not forget to determine what information (i.e. intelligence) your attacker can obtain about your organization without actually attacking it; this should be part of any counterintelligence program.

Detection Capabilities
Are you able to detect attack dry runs or rehearsals against your computing and physical systems? Can you detect your adversary profiling your systems? Consider how they would perform this activity and compare it against the detection systems you have in place. I guarantee you'll find gaps that will cause you to consider additional options.

Incident Followups
One such follow-up might be to increase monitoring of your systems across the board, not just the systems involved. As mentioned earlier, you might also consider your counterintelligence program (or build one if you don't have one already). Also, as part of the incident investigation process you should look at any strange or abnormal behaviour of related systems leading up to or around the time of the incident under investigation. This is normal practice in physical security incidents but is sometimes forgotten during computer-related incidents.
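To make the two points above concrete for the computing side, here is an added example (my own illustration, not code from the original post or any product it mentions) that does both jobs over a small firewall log: it flags reconnaissance-style probing, and once an incident is declared it pulls the pre-incident history of the related hosts so earlier rehearsals against them are not overlooked. The log format, the addresses and the thresholds are all constructed for the example and are not taken from the page.

```python
"""Added example: spot reconnaissance in a firewall log and, after an
incident, look back at what touched the related hosts beforehand.
The log format, addresses and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp src dst dport action".
# 203.0.113.7 sweeps several ports on two hosts on Dec 19 (the rehearsal),
# then comes back two days later and connects to services it found open.
SAMPLE_LOG = """\
2008-12-19T02:11:03 203.0.113.7 10.0.0.5 22 DENY
2008-12-19T02:11:04 203.0.113.7 10.0.0.5 23 DENY
2008-12-19T02:11:05 203.0.113.7 10.0.0.5 80 ALLOW
2008-12-19T02:11:06 203.0.113.7 10.0.0.5 443 ALLOW
2008-12-19T02:11:07 203.0.113.7 10.0.0.5 3389 DENY
2008-12-19T02:11:08 203.0.113.7 10.0.0.6 22 DENY
2008-12-19T02:11:09 203.0.113.7 10.0.0.6 445 DENY
2008-12-19T09:30:00 198.51.100.4 10.0.0.5 443 ALLOW
2008-12-20T14:00:00 198.51.100.4 10.0.0.5 443 ALLOW
2008-12-21T03:02:00 203.0.113.7 10.0.0.5 443 ALLOW
2008-12-21T03:02:30 203.0.113.7 10.0.0.6 445 ALLOW
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "action": action})
    return events


def find_recon(events, window=timedelta(minutes=5), min_targets=5):
    """Return {src: set of (dst, dport)} for every source that touched at
    least min_targets distinct host:port pairs inside one sliding window.
    Profiling looks like breadth rather than depth (many distinct targets
    from one source in a short span), so the check counts distinct targets
    and deliberately ignores whether each probe was allowed or denied:
    a denied probe still tells the attacker something."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                hits.setdefault(src, set()).update(targets)
    return hits


def pre_incident_history(events, incident_ts, related_hosts,
                         lookback=timedelta(days=3)):
    """Widen the investigation: return every event touching the related
    hosts (as source or destination) in the lookback window before the
    incident, plus the sorted list of sources seen. This is the 'what
    happened around these systems beforehand' step of the follow-up."""
    incident = datetime.fromisoformat(incident_ts)
    lo = incident - lookback
    related = [e for e in events
               if lo <= e["ts"] < incident
               and (e["dst"] in related_hosts or e["src"] in related_hosts)]
    return related, sorted({e["src"] for e in related})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, targets in find_recon(evs).items():
        print(f"recon from {src}: {len(targets)} distinct targets")
    # Incident declared at the Dec 21 connection; look back at both hosts.
    history, sources = pre_incident_history(
        evs, "2008-12-21T03:02:00", {"10.0.0.5", "10.0.0.6"})
    print(f"{len(history)} prior events from {sources}")
```

In the sample the sweep on Dec 19 is what a dry run looks like in a log: a single source, seven distinct host:port pairs inside a few seconds, most of them denied. A rule that only alerts on successful connections would miss it entirely, and an investigation of the Dec 21 connection that only examines that day would never link the two.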

Let's hope that there are no future real attacks relating to this latest incident and that the good people at the FBI find the culprit of this latest scare.

As for your environment, take a moment or two (or three) and consider your capabilities and where to improve them.
