
Mitigating Botnet Information Security Risks through EA and the ITSA - Part 3 of 4

posted Apr 1, 2015, 1:52 PM by Christopher Furton   [ updated Dec 13, 2015, 10:36 AM ]

Written by: Christopher Furton
Mitigating Botnet Information Security Risks through Enterprise Architecture (EA) and the Information Technology Security Architecture (ITSA)

Part 3 of 4


Part III – Case Study: Georgia


In August 2008, the Republic of Georgia declared a state of war with Russia after Russian military forces crossed into South Ossetia (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008). Although a physical war followed, the cyber attacks that preceded it are of particular interest. This short case study reviews the steps Russian hackers took to launch a pre-emptive strike against Georgia and the actions Georgia took to mitigate those cyber attacks.

During the cyber attacks, two methods were used to degrade Georgia's internal communications and its ability to keep the international community informed about the war: defacement of government websites, and coordinated Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. First, the defacement of Georgian websites served as psychological warfare, publishing images that compared the sitting President to 20th-century dictators. This was accomplished by Russian threat actors posting, in public forums, lists of known SQL injection vulnerabilities together with exploit tools, and encouraging anti-Georgian hackers to take action (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008).

Second, Denial of Service attacks were launched against private and public sector websites, including news and banking sites. These attacks were highly coordinated, with average attack traffic of 211.66 Mbps and a peak of 814.33 Mbps. “The major DDoS attacks observed were all globally sourced, suggesting a botnet (or multiple botnets) behind them” (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008, p. 12). The Shadowserver Foundation identified at least six different command and control servers involved in the attack, including DDoS-for-hire and DDoS-for-extortion services. One of the botnets identified relied on a tool commonly used by Russian botmasters, and its domains were registered with apparently bogus registration data. Some research also points to possible involvement of the Russian Business Network (RBN) cyber criminal syndicate; however, the RBN is not believed to have carried out the attacks directly (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008).

In response to these cyber attacks, the Republic of Georgia implemented simple yet highly effective countermeasures. First, some of the websites under attack changed their Internet Protocol (IP) addresses in an effort to thwart the attacks, while others changed their hostnames. Second, several news outlets moved their services to blogspot.com and other public blogging platforms. Most notably, the Georgian Ministry of Defense and the President relocated their websites entirely to Tulip Systems, Inc., located in Atlanta, Georgia, USA. The Ministry of Foreign Affairs likewise moved its website to an Estonian server to escape the denial of service attacks (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008).

Georgia's ‘maneuver’ response to the Distributed Denial of Service attacks offers a relatively simple solution that fits well within the Information Technology Security Architecture. Through holistic planning, organizations can achieve results similar to Georgia's by combining effective governance with sound business continuity planning. Botnet activity in the form of DDoS attacks can disable an organization's ability to carry out its business processes. Alternative network routes and redundant sites (such as hot or warm sites) give an organization the option of essentially moving out of the way during an attack. Two details decide whether such a move works in practice: the DNS records for the affected hostnames must carry short time-to-live (TTL) values set before the incident, because resolvers that cached a long-lived answer will keep sending users to the old address until that TTL expires; and re-pointing a hostname only sheds bots that keep attacking the original IP address, since bots that re-resolve the name will follow it, so the alternate site must have the capacity, or the upstream filtering, to absorb the traffic. It is unknown whether Georgia's reactions to the cyber attacks were pre-planned; nevertheless, this relatively small country was able to show resilience against information warfare. Most importantly, this case study gives a real-life example of how a holistic approach to information security and botnet defense, including business continuity planning, can reduce the impact of a cyber attack.
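The ‘maneuver’ response described above can be reduced to a small, pre-planned control loop: lower DNS TTLs ahead of time, watch the primary site's inbound traffic and reachability, and re-point the hostname at a redundant site once an attack is confirmed. The following Python example is added here to illustrate that loop; it is not code from the case study or from any of the organizations named in it. The hostname, addresses, baseline figure, thresholds and monitoring samples are all constructed for the illustration (the two largest samples are loosely modelled on the 211.66 Mbps average and 814.33 Mbps peak quoted earlier), and the DNS zone is simulated in memory rather than updated through a real provider API.

```python
# Added example: a minimal DNS-based "maneuver" failover controller.
# All names, addresses, baselines and traffic samples below are constructed
# assumptions for illustration, not data from the 2008 Georgia case study.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DnsRecord:
    """The hostname clients resolve, and where it currently points (simulated zone)."""
    name: str
    target: str
    ttl: int  # seconds a resolver may cache the answer


@dataclass
class Site:
    name: str
    address: str


def lower_ttl_in_advance(record: DnsRecord, new_ttl: int) -> DnsRecord:
    """Step 0 of any DNS failover plan: shorten the TTL *before* an incident.
    A change made while resolvers still hold a long-TTL answer is invisible to
    them until that answer expires, so the old TTL bounds the cutover delay."""
    record.ttl = new_ttl
    return record


def worst_case_cutover_seconds(ttl_at_time_of_change: int) -> int:
    """A resolver that cached the old answer just before the change keeps serving
    it for the full TTL that was in force at that moment. Lowering the TTL after
    the attack has started does not shorten the wait for those resolvers."""
    return ttl_at_time_of_change


@dataclass
class FailoverController:
    record: DnsRecord
    primary: Site
    fallback: Site
    baseline_mbps: float          # normal inbound traffic for the primary (assumed)
    attack_factor: float = 3.0    # traffic >= factor x baseline counts as volumetric
    confirm_samples: int = 3      # consecutive bad samples before moving (avoids flapping)
    events: List[str] = field(default_factory=list)
    _bad_streak: int = 0

    def observe(self, t: int, mbps: float, primary_reachable: bool) -> str:
        """Feed one monitoring sample; return the address the record points at afterwards."""
        volumetric = mbps >= self.attack_factor * self.baseline_mbps
        self._bad_streak = self._bad_streak + 1 if (volumetric or not primary_reachable) else 0
        if (self._bad_streak >= self.confirm_samples
                and self.record.target == self.primary.address):
            self.record.target = self.fallback.address
            self.events.append(
                f"t={t}s: {mbps:.2f} Mbps vs baseline {self.baseline_mbps} Mbps; "
                f"moved {self.record.name} -> {self.fallback.name} ({self.fallback.address}); "
                f"resolvers converge within {worst_case_cutover_seconds(self.record.ttl)}s")
        return self.record.target


def run_scenario(ttl_before_attack: int) -> Tuple[str, int, List[str]]:
    """Replay constructed samples and return (final target, index of the sample
    that triggered the move or -1, event log)."""
    record = DnsRecord(name="www.example.gov.ge", target="198.51.100.10", ttl=86400)
    lower_ttl_in_advance(record, ttl_before_attack)  # done in calm times, not mid-attack
    ctl = FailoverController(
        record=record,
        primary=Site("in-country primary", "198.51.100.10"),
        fallback=Site("out-of-country warm site", "203.0.113.20"),
        baseline_mbps=40.0,
    )
    # Constructed samples (seconds, Mbps, primary reachable): two normal readings,
    # then a ramp loosely modelled on the quoted 211.66 Mbps average and 814.33 Mbps peak.
    samples = [(0, 38.0, True), (60, 41.5, True), (120, 211.66, True),
               (180, 640.0, False), (240, 814.33, False), (300, 790.0, False)]
    moved_at = -1
    for idx, (t, mbps, up) in enumerate(samples):
        before = ctl.record.target
        if ctl.observe(t, mbps, up) != before:
            moved_at = idx
    return ctl.record.target, moved_at, ctl.events


if __name__ == "__main__":
    target, moved_at, events = run_scenario(ttl_before_attack=300)
    for e in events:
        print(e)
    print(f"record now points at {target} (switched on sample {moved_at})")
```

With the TTL lowered to 300 seconds beforehand, the move completes for all resolvers within five minutes of the third confirming sample; had the record kept its original 86400-second TTL, `worst_case_cutover_seconds` shows the same change could take up to a day to reach every client, which is the planning point the case study illustrates.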


About the Author

Christopher Furton is an Information Technology Professional with over 12 years in the industry. He attended The University of Michigan, earning a B.S. in Computer Science, and recently completed an M.S. in Information Management from Syracuse University. His career includes managing small to medium-size IT infrastructures, service desks, and IT operations. Over the years, Christopher has specialized in Cyber Security while working within the Department of Defense and the United States Marine Corps. His research topics include vulnerability management, cyber security governance, privacy, and cyber risk management. He holds active IT certifications including the CISSP, CEH, ITIL Foundations, Security+CE and Network+CE.

Additional information available on Christopher Furton's website at