
Estonia – lessons learnt in terms of detection and response capabilities

January 18th, 2008

Threats against infrastructure may result in attacks that lead to a disruption of service. Be ready by using a holistic approach, which means
building robustness into your system, preparing an adequate response, profiling attacks, raising awareness and educating users / network operators, etc.
We explain this in more detail below.

7 lessons learnt from the Estonian attacks

In the above posting we pointed out some of the issues that can be learned from the Estonian attacks that resulted in a near breakdown of some communication networks in that country. Below we list some of the lessons that people involved with this crisis have put forward to some of their colleagues in other jurisdictions. And before we forget when reading the list below:

Not every lesson is a conclusion

LESSONS LEARNED by insiders fighting the attacks on the ground

Below we list a few lessons that one can learn from the Estonia attacks.

  • Incident response is the most important part of an online defense strategy
  • Bad things of an endless variety will happen; how one responds is far more important
  • CERT organizations are critical and necessary, but what’s needed is what they do rather than the name
  • A CERT without clients who share information and speak about challenges openly is nothing but a bureaucracy
  • A CERT helps communicate locally and globally
  • Since the Internet is global, your security can be dependent on a personal computer across the world
  • It isn’t practical to survive without outside help. This road goes both ways
  • Response or counter measures must be communicated with and worked out in coordination with parties responsible for business infrastructure
  • Regulation may be unwarranted and not wanted, but when Estonia happens again businesses will look to the government for help
  • Have contingency plans to maintain the Internet within the country / survive without the outside Internet
  • Estonia blocked connections to the local banks from the world. TIX helped make that happen
  • Redefine critical infrastructure to include the private and business infrastructures – first
  • Consider the personal computers around the world and their impact on your infrastructure. This infrastructure is the same one as used by cyber-crime
  • Facilitate law enforcement cooperation globally
  • Global law enforcement cooperation currently is at a stand-still, slow to the point of in many cases being unusable
  • The technical and operational people are already sharing information, cooperating and mitigating global incidents
  • Those experts responded to the request for help put out by Estonia as DDoS brute force attacks hurt the Internet
  • Find your local Internet security operations community, and bridge the gap between technology and policy


Thanks to Gadi Evron and Hillar Aarelaid for pointing out some of this info; omissions and mistakes are my own.




Some people claim that Estonia has been trying to convince Nato Member States to establish a center of excellence in the country regarding cyber-defense. Unfortunately, Member States were not convinced that having Nato establish such a center would be a great idea. Curiously enough, shortly thereafter the attack happened.

Some have raised concerns that the two could possibly be related. This is especially the case, since the attack was subsequently used to support the idea of starting a Nato center of excellence on cyber-defense in Estonia. But the issue remains:

1 – What is the added value of such a center of excellence funded and operated by Nato?

2 – How will Nato Member States benefit from this effort, since Nato’s critical operations run on separate networks – not connected to the Internet?

3 – If the center produces knowledge – how much access to such information will civil society and its representatives get to determine what and how they might benefit for better protecting critical communication networks (e.g., electricity and financial institutions)?

Until these questions are answered properly and specifically (meaning how exactly will civil society get what?), such a center is unlikely to add value. Most importantly, defining the objective of such a center and its benefits to Member States cannot be left until the center has operated for a period of time. That would be bad management by objectives.

But you be the judge.


