Don’t Sleep Deep on Christmas Eve

For reasons that should be obvious, the staccato of gunfire is usually an unexpected interruption of the calm tunes of Silent Night, Holy Night or Kol Nidre, especially in areas that are hot for attacks or counterattacks. Timing is crucial in launching a successful surprise attack; the choice of time is as important as the choice of weapons and tactics. This is why most military attacks are carried out at night; the posture of the target by day is certainly different from the posture by night, and such nocturnal attacks give little time to marshal whatever forces there be.

Holidays have been a choice time for surprise attacks in warfare, from the Battle of Trenton in 1776 to the Tet Offensive of 1968 and the Yom Kippur war of 1973. Again the reason for this is obvious—the overall security posture of an army on a national holiday is quite different from its posture on other days. The mental conditioning of a people on a religious holiday is very different from other days. When you’re getting dressed for church on Christmas morning, the last thing on your mind is a bomb falling from the sky; the aroma from the kitchen, the lights on the tree and the Christmas tunes playing at the background makes it almost impossible for your mind to accommodate any thought that isn’t blissful. The invading army knows this, and so they haven’t spent the days leading up to Christmas shopping; they’ve spent it fine tuning their plans for a Christmas morning strike.

Attackers in cyberwarfare seem to have bought into this as well, choosing holiday seasons as prime time to launch surprise attacks, especially against companies and businesses. On Christmas Eve, everyone is out of office, the Chief Information Security Officer of your company is out of the country with his family, every member of your Incident Response Team is scattered around the globe, and the last thing they are expecting is a call from work. Apparently, if anything goes wrong, your response time wouldn’t be optimal. The attackers know this, and they choose it as the best time to launch their attack.

Now, there are two general means by which attackers launch a holiday attack. The first is to spend sufficient time prior to the holiday planning the attack, deploying the various methods we’ve seen in this book, yet without launching an offensive. They check for vulnerabilities, gather open source intelligence, look for watering holes, and do all they can to fine tune the plan. Then on the eve, or the day, of the holiday they launch the offensive, the goal being to move in, act fast and take over your infrastructure before you can be alerted that you’re under attack and appropriately respond to it.

The second is to spend sufficient time prior to the holiday seeking to gain access into your network and place what is called a Logic Bomb in it. A logic bomb is a ticking time bomb that is placed unnoticed in your network and detonates at a set time, or when a preconfigured condition is met. Like a regular time bomb, it does absolutely nothing destructive until it explodes, and this often makes it hard to detect; your network could function as normal, there might be no unusual processes running, your computers might work with no noticeable drop in performance, everything could be just fine…until Christmas day. Again, this logic bomb could be dropped in your network by several methods—a mercenary within the organization could work with the attackers to drop the bomb, a casual insider could click a link, or any other means could be used by the attacker to get it in. However, whether they choose to drop a ticking time bomb that detonates on Christmas morning, or they choose to move in with their tanks on Christmas Eve, the fact remains that it will be a Christmas to remember, and not for the food and hearty conversations around the table, but for the crack of gunfire in cyberspace that changed everything in an instance.

Marching Orders

1. Realize that there is no holiday in cyberwarfare, and the adversary is not as preoccupied with the turkey as you are, so it’s best to keep one eye on the oven and the other on the screen.
2. Don’t set out-of-office responders on your email during big holidays. Attackers could gather open source intelligence on people working at an organization and shoot them emails to see what comes back. You don’t have to announce your absence to the world, it doesn’t stop them from sending you mails anyway.
3. If you head an organization, set up a Holiday Offensive Team (HOT) that will actively monitor and protect your cyber infrastructure on holidays.
4. For days leading up to big holidays let the alarm ring over and over in the ears of everyone; no one should be ignorant of the possibility of a holiday attack, rather they should anticipate and plan for it.
5. As an organization, strengthen your technical security controls—intrusion detection, intrusion prevention, remote monitoring systems and the likes—even more at holidays. You could reduce account privileges or even deactivate certain accounts during such holidays.
6. As usual, sound the battle cry to those around you—“Heighten your guard on holidays. ‘Merry Christmas’ is indeed a wish.”