Estonia 2007 Cyberattakcs

Transcription

1 Estonia 2007 Cyberattakcs 2010

2 Agenda Background April 2007 What is cyberattack Estonia as an information society Cyberattacks Protection measures used Lessons learned What are we doing - measures

3 Background 1939 Soviet military bases were placed on the territory of Estonian Republic 1940 Estonian government was replaced 1940 Estonia joined (was forced to) Soviet Union Nazi occupation 1944 Soviet army entered Estonia Second period of Soviet occupation started 1991 Estonia restored it's independance

4 Background For 46 years of occupation the population structure changed Descendants of citizens of Estonia Descendants of Soviet peoples Understanding of 1944 is different One occupation changed to another Liberation from nazi occupation

5 Backround

6 Background The Bronze Soldier was considered to be: The monument for occupants The monument for liberators of Tallinn

7 Background The Bronze Soldier as identity symbol

8 April 2007 Problems with the Bronze soldier: Both sides had extremists The statue was located in the very center of the town There had been conflicts already Real danger of violent clashes The Estonian government decided to move the monument to cemetery

9 April 2007 To defend the Bronze Soldier the night guard was organized

10 April 2007

11 April 2007

12 April 2007 Monument in cemetery

13 Cyberattack Types: Dos DDos Defacing Spamming Breaking IT infrastructure components DNS Routers

14 DoS

15 DDoS

16 Botnet

17 Botnet Computer networks owned by criminals: Overtaken by use of viruses Located all aver the world (18M computers in conficker botnet) Used for illegal purposes Rented for illegal use

18 Routers, DNS

19 Estonia as an information society State to citizen services eesti.ee Law and enforcement services Identification Permits, permissions, documents Economic services Banks (98% of transactions), insurance Medical services E-health, health insurance Recipes All of them are based on public key infrastructure (ID-card)

20 Estonia as an information society Citizens are dependent on IT services Law and enforcement relies on IT services State procedures rely on IT services

21 Attack phases Emotional phase - 27 th to 29 th of April Main attack Wave 1-1 st of May Wave 2-9 th to 11 th of May Wave 3-15 th of May Wave 4-18 th of May

22 Attack targets Internet infrastructure servers and equipment Government and political targets Private sector services Personal and random targets Critical infrastructure objects (transport, energy) were not targeted

23 Emotional phase Mainly DoS and defacing

24 Emotional phase 1 ISP down

25 Emotional phase

26 Emotional phase

27 Emotional phase

28 Emotional phase

29 Emotional phase

30 Main attack 4 th to 10 th of May

31 Main attack

32 Main attack Botnets were used DDoS was used Proxies, to hide the origin, were used Geography of attackers includes 178 countries DNS and routers were attacked Temporary disruptions Government servers were attacked

33 Technical countermeasures Phase I Phase II bandwith was increased (several times over normal) Incoming traffic was reduced IP address ranges were blacklisted Soft- and firmware were patched Attack patterns were used for filtering Some servers were configured to lightweight mode, i.e. static content

34 Organisational measures informal national crisis committee was formed (ISPs, telcos, banks, intelligence, police, CERT) Network organizational structure (no single point) Real time communication Border control Zoning Readiness for lights out Connections to intelligence Calm down Estonian hackers

35 Organisational measures corrections Keep population informed and calm No lights out At any costs keep running Milk, bread and gasoline Newsfeed to people

36 What helped us cert.fi Realtime communication Media attention Political attention NATO call for 'urgent work' against cyberwarfare Merkel's calls to our prime minister and to mr. Putin

37 Lessons learned Laws are inadequate concerning cyberworld Some need additions Some need to be done Critical ICT infrastructure needs to be defined Plans for emergency actions need to be prepared beforehand Cooperation and communication between public and private sector cyberdefense experts should be maintained

38 Measures Widening the scope of criminal law Adopting Cyber Security Strategy Defining critical IT infrastructure Emergancy law Including defense plan for extensive cyberattacks Developing virtual situation room, lead by CERT Cyberdefense Guard Staff training on e-voting Cooperation with US National Guard Cybersecurity Unit

39 Golden Soldier

40 Danke.