1. Computer attacks - a definition
In general terms an attack is a "maliciously" intended act against a system.
Let's analyze this definition a bit further:
- "maliciously" intended
- This tells us something about the goals: they are generally hostile. It sets the non-malicious acts (accidents, user errors: threats all the same) aside, but these should not be neglected in a complete security approach.
- act
- This highlights the difference between an attack and an incident. An attack is a single step of an intrusion process, whereas an incident is a group of related attacks, visible from a higher level.
- system
- Target systems can be anything: software, protocols, algorithms, data structures, physical components, etc., even non-electronic systems. Another aspect is how the target is chosen: it can be picked specifically or at random.
This leads us to one classification approach for computer attacks, based on the attacker's motives.
1.1. Attackers' motives
- Fun Goals: enjoyment, reputation (CV, prestige), ... Attackers: Script-kiddies, Hackers
- Grudge Goals: revenge (vandalism), ... Attackers: Script-kiddies, Crackers
- Terrorist Goals: terror, political/religious issues, .... Attackers: Script-kiddies, Crackers, Mafia, Vandals
- Financial Goals: Money, clients (spying), Attackers: Crackers, Companies
- Business Goals: market shares, reputation (image), ... Attackers: Companies, Corporations
- Government & Military Goals: political, national security, economy, ... Attackers: Governments (NSA, DST, BND, ...), Military
NSA eavesdropping paper
2. Taxonomy: an essay
Developing a taxonomy for computer and network attacks is neither a straightforward nor an easy task. Attacks can be classified in many different ways, mostly depending on the environment one works in.
Scientifically speaking, a taxonomy is an approximation of reality that is used to gain greater understanding of a field of study. As such a taxonomy should have classification categories with the following characteristics:
- mutually exclusive - classifying in one category excludes all others because categories do not overlap,
- exhaustive - taken together, the categories include all possibilities,
- unambiguous - clear and precise so that classification is not uncertain, regardless of who is classifying,
- repeatable - repeated applications result in the same classification, regardless of who is classifying,
- accepted - logical and intuitive so that they could become generally approved,
- useful - can be used to gain insight into the field of inquiry.
2.1. Process based
This taxonomic approach leads to a process-based classification of computer attacks in 4 categories, according to what happens to an asset of the system:
- Interruption An asset of the system is destroyed or becomes unavailable or unusable.
- Interception An unauthorized party gains access to an asset.
- Modification An unauthorized party not only gains access to, but tampers with an asset.
- Fabrication An unauthorized party inserts counterfeit objects into the system.
2.2. "means, ways, ends"
From an operational viewpoint, an attacker attempts to reach or "link" to ultimate objectives or motivations. This link is established through an operational sequence of "means, ways, and ends" that connects attackers to objectives. The "means, ways, and ends" is a common paradigm in military strategies that defines objectives (ends), identifies courses of action to achieve them (ways), and provides the resources to support each course of action (means).
For the computer security field it is appropriate to use different, more descriptive, terms like "tools, access, and results".
Attackers => Tools => Access => Results => Objectives
"means"
The approach taken here puts the tools in the following categories:
- User Command The attacker enters commands at a command line or graphical user interface.
- Script or Program Scripts and programs initiated at the user interface to exploit vulnerabilities.
- Autonomous Agent The attacker initiates a program, or program fragment, which operates independently from the user to exploit vulnerabilities.
- Toolkit The attacker uses a software package which contains scripts, programs, or autonomous agents that exploit vulnerabilities.
- Distributed Tool The attacker distributes tools to multiple hosts, which are then coordinated to perform an attack on the target host simultaneously after some time delay.
- Data tap The electromagnetic radiation from a cable carrying network traffic, or from a host computer, is "listened" to by a device external to the network or computer.
"ways"
The central elements of the connection between attackers and their objectives (the access) are:
- unauthorized access,
- or unauthorized use.
The resources on an ICT system can be seen as:
- processes,
- files,
- and data in transit.
In order to reach (get access to) these resources, an attacker must take advantage of vulnerabilities. A vulnerability can be of three types:
- design vulnerability,
- implementation vulnerability,
- configuration vulnerability.
"ends"
Between obtaining access and the attacker's objectives we conceptualize the results of the attack, which are categorized as follows:
- Corruption of Information Any unauthorized alteration of files stored on a host computer or data in transit across a network.
- Disclosure of Information The dissemination of information to anyone who is not authorized to access that information.
- Theft of Service The unauthorized use of computer or network services without degrading the service to other users.
- Denial-of-service The intentional degradation or blocking of computer or network resources.
2.3. The complete taxonomy
Putting this in a more current perspective, with modern terms, we get:
- Goals
- The prime goal, which motivates the act. It can vary considerably, e.g. stealing money or data, damaging a reputation, etc. The goals are mostly the same as in the physical world.
- Subgoals
- Needed to reach the above prime goal. The subgoals range from getting elevated privileges on a target machine to controlling whole networks. These are the more technical (electronic-world specific) goals on the way to the prime goal.
- Activities
- The actions needed to reach one or more of the subgoals, like getting login credentials, flooding a network, etc. This can be seen as the actual "crack".
- Events
- The results of the above activities (suspended service, halted program, granted access, etc.) are called events.
- Consequences
- These are the direct business results of the events: a computer being unavailable for business transactions, or balance sheets showing biased figures.
- Impacts
- The impact is the business effect, the very prime damage which was intended. Examples are loss of revenue or a tarnished reputation.
3. Featured attacks
Based on vulnerabilities from the major software engineering phases:
- Architecture/design
- Implementation
- Operation
3.1. Architecture/design level
- Man-in-the-middle attack A man-in-the-middle (MITM) attack is performed when an attacker intercepts a communication between two or more parties and masquerades as one of them towards the other(s), whether or not the transmitted data is modified (if it is only read, the attack is a form of eavesdropping).
- Session hijacking/killing TCP/IP has a weakness: segments are not authenticated, so an attacker who can observe or guess the addresses, ports and sequence numbers of an already established session can take it over ("hijack" it) by injecting his own packets. By sending a forged TCP reset (RST) packet the session can, for instance, be killed prematurely.
- Spoofing Spoofing is a method to assume someone else's "identity" (like its IP address, DNS name, MAC address through forged ARP replies, etc.) on a network.
- Race condition The race condition attack is a complex one. From the computer's (OS, hardware) point of view, the execution of an application is done in discrete steps. If a sequence of steps is not atomic (typically a check followed by a use of the checked resource), an attacker has a brief window of time in which he can change the state the check relied on, so that the application then operates on something other than what it checked.
- Replay attack A replay attack can be performed if the attacker has the opportunity to record an entire transaction between, say, a client and a server. The attacker can then "replay" part of the conversation later for his malicious intents, for instance to re-authenticate with the captured credentials.
- Sniffer attack A "sniffer" is a program that silently records all network traffic on a LAN; this method is often used to get usernames and/or passwords transmitted in the clear over the network.
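The race condition above in practice, as an added example that is not part of the original text: the classic check-then-use (time-of-check/time-of-use) race on the file system, written in C for a POSIX system. The vulnerable version checks access to a path and then opens it, leaving a window in which the path can be swapped; the hardened version opens once with O_NOFOLLOW and validates the descriptor it got. The demo does not try to win a real race: it simulates the attacker's move by planting a symlink before the open. The temporary directory under /tmp and the file names are assumptions of the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern (TOCTOU): check with access(), then open().
   The two steps are not atomic, so a local attacker who controls the
   directory can replace `path` by a symlink to a protected file between
   them; a privileged program then opens the protected file instead. */
int open_vulnerable(const char *path)
{
    if (access(path, R_OK) != 0)        /* time of check */
        return -1;
    /* race window: attacker swaps `path` for a symlink here */
    return open(path, O_RDONLY);        /* time of use: follows the symlink */
}

/* Hardened: no separate check. Open once with O_NOFOLLOW, so a symlink
   planted in the window is rejected (ELOOP on Linux), then validate the
   object actually opened via fstat() on the descriptor, not stat() on the path. */
int open_hardened(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demo (constructed scenario): create a "secret" file in a fresh temp dir,
   plant a symlink to it under the name the program expects, then open the
   symlink with both versions. Outputs: whether each open succeeded and the
   hardened open's errno. Returns 0 on success, -1 if the setup failed. */
int run_toctou_demo(int *vuln_opened, int *hard_opened, int *hard_errno)
{
    char dir[] = "/tmp/toctou-XXXXXX";           /* assumed writable */
    if (mkdtemp(dir) == NULL)
        return -1;
    char secret[256], link[256];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/user_file", dir);

    int fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "top secret\n", 11) != 11) { close(fd); return -1; }
    close(fd);
    if (symlink(secret, link) != 0)               /* the attacker's swap */
        return -1;

    fd = open_vulnerable(link);
    *vuln_opened = (fd >= 0);
    if (fd >= 0) close(fd);

    errno = 0;
    fd = open_hardened(link);
    *hard_opened = (fd >= 0);
    *hard_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    unlink(link); unlink(secret); rmdir(dir);
    return 0;
}

int main(void)
{
    int vuln = 0, hard = 0, herr = 0;
    if (run_toctou_demo(&vuln, &hard, &herr) != 0) {
        perror("setup");
        return 1;
    }
    printf("vulnerable open followed the symlink: %s\n", vuln ? "yes" : "no");
    printf("hardened open followed the symlink:   %s (%s)\n",
           hard ? "yes" : "no", hard ? "-" : strerror(herr));
    return 0;
}
```

The point of the hardened version is that there is nothing left to race: the decision is taken on the descriptor that was actually obtained, and a symlink that appears in the window turns into an error instead of a silent redirection. In a real privileged program the same idea extends to directory traversal (openat() relative to a descriptor held open) rather than re-resolving full paths.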
3.2. Implementation level
- Buffer overflow This is one of the most common attacks, because many programming languages (C and C++ in particular) do not check array bounds for the programmer. An overflow occurs when more data is written into a fixed-size buffer than it can hold, without adequate bounds checking being done; the excess overwrites whatever lies next to the buffer in memory (other variables, return addresses).
- Back door Back doors, in the sense of application development, are when a rogue programmer manages to write special code into the application during its creation, for instance allowing access control to be bypassed later on via a "magic" account.
- Parsing error Programs that don't properly check input from users, for example, are vulnerable to parsing error attacks, which try to pass security-compromising content.
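An added example (not the page's own code) for the buffer overflow and the missing input check from this list, in C. A constructed record holds a fixed-size name buffer directly followed by a privilege flag, so the overflow stays inside the record and can be observed safely. The vulnerable copy has no bounds check and a 17-byte input overwrites the flag; the hardened version validates the length before copying, which is the input check the "parsing error" item asks for. The struct layout, the 16-byte buffer and the payload are assumptions of the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed-size name buffer followed by a privilege flag.
   On every common C ABI the flag lies directly after the 16 name bytes. */
struct session {
    char name[16];
    int  is_admin;
};

/* Constructed payload: 16 bytes fill the buffer, the 17th lands in is_admin. */
const char OVERFLOW_PAYLOAD[] = "AAAAAAAAAAAAAAAA\x01";

/* Vulnerable: copies the attacker-controlled string with no bounds check.
   Anything beyond 16 bytes runs past `name` into `is_admin`.
   (The volatile pointer only stops an optimizing compiler from discarding
   the out-of-bounds stores; a plain strcpy() behaves the same way.) */
void set_name_vulnerable(struct session *s, const char *input)
{
    volatile char *dst = s->name;
    while (*input != '\0')
        *dst++ = *input++;
    *dst = '\0';
}

/* Hardened: measure the input against the buffer first and reject anything
   that does not fit together with its terminator. */
int set_name_hardened(struct session *s, const char *input)
{
    size_t n = strnlen(input, sizeof s->name);
    if (n >= sizeof s->name)          /* no room for the terminator */
        return -1;
    memcpy(s->name, input, n);
    s->name[n] = '\0';
    return 0;
}

/* Value of the privilege flag after the vulnerable copy. For the payload
   above it becomes non-zero (1 on little-endian hosts) although nothing
   ever assigned it; for a short name it stays 0. */
int admin_flag_after_vulnerable(const char *input)
{
    struct session s = { .name = "", .is_admin = 0 };
    set_name_vulnerable(&s, input);
    return *(volatile int *)&s.is_admin;
}

/* Same for the hardened copy; *rc receives its return value. */
int admin_flag_after_hardened(const char *input, int *rc)
{
    struct session s = { .name = "", .is_admin = 0 };
    *rc = set_name_hardened(&s, input);
    return s.is_admin;
}

int main(void)
{
    int rc = 0;
    printf("vulnerable, payload : is_admin = %d\n",
           admin_flag_after_vulnerable(OVERFLOW_PAYLOAD));
    printf("vulnerable, \"alice\": is_admin = %d\n",
           admin_flag_after_vulnerable("alice"));
    printf("hardened, payload   : is_admin = %d, rc = %d\n",
           admin_flag_after_hardened(OVERFLOW_PAYLOAD, &rc), rc);
    return 0;
}
```

The record layout makes the consequence visible without crashing anything; with a stack buffer the same excess bytes reach the saved return address instead, which is how an overflow turns into code execution. The fix is not a different copy function but the explicit comparison against sizeof the destination before any byte is written.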
3.3. Operation level
- Denial-of-service attack Systems (applications, hosts or even networks) can be rendered unusable by floods of service requests or high-frequency input streams, so that legitimate users are denied the service. These attacks can be very large-scale and come from many different sources; in this case we talk about a distributed denial-of-service (DDoS) attack.
- Default account attack Many applications, especially operating systems, ship with default accounts that have insecure or no passwords. This is of course a potential risk, as attackers can easily gain legitimate-looking access to such systems.
- Password cracking Standard cracking programs give attackers the possibility to guess passwords; so-called weak passwords (short ones, dictionary words) can be obtained this way in a few seconds.
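An added example (not from the page) for the flood described under denial-of-service, together with the standard per-source mitigation, in C. A token bucket per client address gives each source a fixed sustained rate plus a small burst allowance; a flood from one address is dropped once its bucket is empty, while a request from another address is still served and the flooding address recovers once it slows down. Time is passed in as explicit millisecond timestamps so the run is deterministic; the capacity, refill rate and the client addresses are assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-source token bucket: `tokens` refills at RATE tokens per second up to
   CAPACITY; each request costs one token. Timestamps are milliseconds from a
   monotonic clock supplied by the caller (assumption: never goes backwards). */
#define MAX_SOURCES 64
#define CAPACITY    10.0   /* burst allowance, assumed */
#define RATE        5.0    /* sustained requests per second, assumed */

struct bucket {
    char     source[16];   /* client address, dotted IPv4 in this demo */
    double   tokens;
    uint64_t last_ms;
    int      used;
};

static struct bucket table[MAX_SOURCES];

static struct bucket *lookup(const char *source, uint64_t now_ms)
{
    for (int i = 0; i < MAX_SOURCES; i++)
        if (table[i].used && strcmp(table[i].source, source) == 0)
            return &table[i];
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!table[i].used) {
            table[i].used = 1;
            snprintf(table[i].source, sizeof table[i].source, "%s", source);
            table[i].tokens = CAPACITY;   /* a new source starts with a full bucket */
            table[i].last_ms = now_ms;
            return &table[i];
        }
    }
    return NULL;   /* table full: fail closed rather than let everything through */
}

/* Returns 1 if the request from `source` at `now_ms` is served, 0 if it is
   dropped because that source has exhausted its rate. */
int allow_request(const char *source, uint64_t now_ms)
{
    struct bucket *b = lookup(source, now_ms);
    if (b == NULL)
        return 0;
    double elapsed_s = (double)(now_ms - b->last_ms) / 1000.0;
    b->tokens += elapsed_s * RATE;
    if (b->tokens > CAPACITY)
        b->tokens = CAPACITY;
    b->last_ms = now_ms;
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

void reset_limiter(void) { memset(table, 0, sizeof table); }

/* Constructed flood: `n` requests from one source, 1 ms apart, starting at
   t0_ms. Returns how many were served. */
int simulate_flood(const char *source, uint64_t t0_ms, int n)
{
    int served = 0;
    for (int i = 0; i < n; i++)
        served += allow_request(source, t0_ms + (uint64_t)i);
    return served;
}

int main(void)
{
    reset_limiter();
    int flood_ok = simulate_flood("203.0.113.7", 0, 1000);   /* attacker, 1 s of flood */
    int legit_ok = allow_request("198.51.100.2", 500);       /* another client meanwhile */
    int later_ok = allow_request("203.0.113.7", 10000);      /* attacker after backing off */
    printf("flood: %d of 1000 requests served\n", flood_ok);
    printf("other client during the flood: %s\n", legit_ok ? "served" : "dropped");
    printf("flooding source 9 s later: %s\n", later_ok ? "served" : "dropped");
    return 0;
}
```

Over one second the flooding source gets its 10-token burst plus about 5 refilled tokens, so roughly 14 of its 1000 requests are served and the rest are dropped at almost no cost. This bounds what one source can do; it does not help against a distributed flood whose sources each stay under the limit, which is why DDoS defence moves upstream (to the network edge or the provider) rather than into the application.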