“A cyber attack is not a spontaneous occurrence, but rather an event that has been prepared a long time ahead”
Targeted attacks aimed at the IT infrastructure of public institutions, companies or even entire nation states are frequently classified as “advanced persistent threats” by the scientific community. These attacks make use of a variety of techniques, including methods of social engineering, and they are prepared stealthy and a long time in advance. IT security expert Stefan Rass is working on a set of support tools, which are designed to simplify the selection of safety measures.
“A Trojan is usually smuggled into a computer as an attachment to an e-mail”, Stefan Rass explains. Then, for a long period, nothing happens. Weeks or even months later, when the effects of a cyber attack become apparent, most people won’t associate the events with the e-mail. Everything you need to carry out an IT infrastructure attack can be purchased from the Darknet: “The supply chain works very smoothly there. It means that anybody can become an attacker; it’s not necessary to have a lot of technical knowledge.” Meanwhile, cyber attacks are also becoming more frequent in the military sphere: Some of the publicised attacks upon large-scale infrastructure organisations such as the electricity grid in the Ukraine have since been attributed to military hacker groups.
Consequently, it is becoming increasingly important for public institutions and companies to improve their risk management. Incidents such as the recent events increase the general awareness about the issue, “however, as a general fact, IT security does not tend to bring a direct return on investment. Sometimes, it results in making things slower and more complicated. Security investments do not produce profits, but rather they avoid losses.”
The IT security team that Stefan Rass is part of currently works on models designed to simplify the decision-making process for institutions of this kind. In order to answer questions such as “Which technical units are at risk”, “Which security measures should be integrated?” or “How likely is an attack?”, a computer-aided method should develop a decision recommendation. Statistical data serve as a basis, while the method itself is based on game theory.