As networks grow more complex, securing and managing endpoints, applications and confidential information has become more challenging than ever before. Last year alone saw a dizzying array of security incidents and breaches, including those at Symantec, Sony, Fox News, and others. Security is becoming more and more essential to business operations, but traditional defenses aren't working to the degree that companies require. Meeting the new security service levels starts with understanding each type of threat, so that a unified security program can be built around them.
While every attack is unique in its origin, execution, and range, defending against cyber attacks today can be abstracted down to three of the classic five W’s: Who, How/What and Why. The other two W’s, Where and When, are constant for network defense: your network, 24/7/365.
This blog post will introduce the elements of these categories, then present a deep dive on the Who category.
Who: There are three main categories of attackers. Broadly speaking, there are Script Kiddies, Insiders, and Juggernauts. Script Kiddies are eager but lacking in knowledge. Insiders are people or software already inside the network. Juggernauts are skilled and dedicated to causing damage.
What: The three main categories of attack are Denial of Service (DoS), Vulnerabilities, and Weaknesses. DoS prevents delivery of a service. Vulnerabilities are problems in pre-built software. Weaknesses are problems that are specific to individual sites and services.
Why: There are three main reasons why attackers attack: “Lulz,” Profit, and Ideology. Lulz is recreational hacking, “for laughs.” Profit is making money from an attack. Finally, Ideology is an attack driven by a belief or sense of morality.
Who are the Major Players in Network Security Threats and What Do They Do?
- The Script Kiddie
The stereotypical Script Kiddie is relatively inexperienced (hence “kiddie” or “child”) and reliant on a set of step-by-step instructions (hence “script”). The Script Kiddie was historically motivated by Lulz, and relatively safe to ignore thanks to a reasonably provisioned firewall and good patch management.
However, recent cyber-activism trends have recruited Script Kiddies, using ideology as motive, to act as opt-in botnet members for large DoS attacks.
Modern Script Kiddies also have access to sophisticated attack tools like Metasploit, which have become increasingly powerful and easy to use, re-emphasizing Vulnerabilities as an exploit path. The newest rule to follow in security is HD Moore's Law: "Casual Attacker power grows at the rate of Metasploit." In short, it says that yesterday's defense may not block a Script Kiddie tomorrow: the moment a working exploit module ships, the skill needed to use it drops to almost nothing.
While Script Kiddies may be able to mount strong attacks, they lack skill and finesse. A Script Kiddie probe of your network will likely be "full of sound and fury, signifying nothing" – sweeping ports and firing canned exploits that set off IDS alerts without necessarily penetrating anything. Even if a Script Kiddie does gain access to a sensitive system, it's more likely that they will vandalize than steal. The response to a successful attack shouldn't take much more than a restore from backup, quickly followed by patching the vulnerability or closing the exposed port. The one check worth doing before declaring victory is confirming that the backup predates the compromise and that the same hole isn't still open, or the restored system will simply be hit again.
- The Insider
The Insider is simply any vector of attack from within the network. The “spy novel” version of an insider is an industrial spy, or simply a disgruntled employee. The fear is that either of these two is motivated by either profit or ideology, with the goal of hurting the company through stealing secrets or otherwise causing mayhem. The location of the Insider – inside the borders of the network – forces network security to be built in-depth, creating borders and establishing controls between users and data.
The problem with the "spy novel" mentality is that most Insiders are not people, but software. The reason that BYOD is a cause for concern is that its potential threats fall into the Insider category: a personally owned device that is already on the network carries whatever it picked up elsewhere past the perimeter. Viruses and worms also leverage a location in the network, usually relying on vulnerabilities to spread. While viruses were originally motivated by Lulz, they have evolved into carriers for profit and ideology. The Conficker worm in 2008 added the infected machine to a botnet that sent spam (profit motive). In 2010, Stuxnet targeted industrial control systems in Iran (ideology motive). More recently, Flame has been categorized as a "cyber weapon," ironically like something out of a spy novel.
Despite the apparent intent of Flame (ideology?), its payload of exfiltrating data from the network classifies it as an insider threat. A defense which would prevent an employee from stealing intellectual property would also be in a position to detect and potentially block the outbound communication of a toolkit like Flame.
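The two detection ideas above, the noisy Script Kiddie probe that "sets off IDS alerts" and the egress control that would catch an Insider (human or Flame-like toolkit) pushing data out of the network, can both be built on the same flow data. The following is an added example, not code from the original post or from WildPackets: it runs two simple detectors over constructed NetFlow-style records. The record format (`epoch src dst dport proto bytes`), the 10.0.0.0/8 internal range, the sample addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Two flow-based detections: an inbound port sweep and an outbound volume anomaly.

Added example built on constructed records, not real traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "inside the network" (assumption for the example).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records: "epoch src dst dport proto bytes".
# Lines 1-12: one external host touching twelve ports on one internal host in ~5 s (a noisy probe).
# Lines 13-16: a workstation's ordinary HTTPS traffic to a destination it uses every day.
# Lines 17-19: the same workstation pushing ~120 MB to a destination it has never talked to.
SAMPLE_FLOWS = """\
1000 203.0.113.5 10.0.0.20 21 tcp 60
1000 203.0.113.5 10.0.0.20 22 tcp 60
1001 203.0.113.5 10.0.0.20 23 tcp 60
1001 203.0.113.5 10.0.0.20 25 tcp 60
1002 203.0.113.5 10.0.0.20 53 tcp 60
1002 203.0.113.5 10.0.0.20 80 tcp 60
1003 203.0.113.5 10.0.0.20 110 tcp 60
1003 203.0.113.5 10.0.0.20 135 tcp 60
1004 203.0.113.5 10.0.0.20 139 tcp 60
1004 203.0.113.5 10.0.0.20 443 tcp 60
1005 203.0.113.5 10.0.0.20 445 tcp 60
1005 203.0.113.5 10.0.0.20 3389 tcp 60
1100 10.0.0.42 198.51.100.10 443 tcp 48000
1110 10.0.0.42 198.51.100.10 443 tcp 52000
1120 10.0.0.42 198.51.100.10 443 tcp 39000
1130 10.0.0.42 198.51.100.10 443 tcp 61000
1200 10.0.0.42 192.0.2.77 443 tcp 40000000
1210 10.0.0.42 192.0.2.77 443 tcp 38000000
1220 10.0.0.42 192.0.2.77 443 tcp 42000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def detect_port_scans(flows, window=60, min_ports=10):
    """Alert when one external source touches >= min_ports distinct ports on one
    internal host within any `window`-second span. This is the Script Kiddie signature:
    loud, indiscriminate, and visible long before anything is actually compromised."""
    touched = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for f in flows:
        if f["src"] in INTERNAL or f["dst"] not in INTERNAL:
            continue  # only inbound, external -> internal
        touched[(f["src"], f["dst"])].append((f["ts"], f["dport"]))
    alerts = []
    for (src, dst), events in touched.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"type": "port_scan", "src": str(src), "dst": str(dst), "ports": best})
    return alerts


def build_baseline(flows):
    """External destinations each internal host has historically talked to."""
    seen = defaultdict(set)
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            seen[f["src"]].add(f["dst"])
    return seen


def detect_exfiltration(flows, baseline_dsts, min_bytes=50_000_000):
    """Alert when an internal host sends >= min_bytes to an external destination that is
    absent from its baseline. The check is indifferent to whether the sender is a
    disgruntled employee or malware, which is the point made in the text."""
    volume = defaultdict(int)  # (src, dst) -> total bytes out
    for f in flows:
        if f["src"] not in INTERNAL or f["dst"] in INTERNAL:
            continue  # only outbound, internal -> external
        volume[(f["src"], f["dst"])] += f["bytes"]
    alerts = []
    for (src, dst), total in volume.items():
        if total >= min_bytes and dst not in baseline_dsts.get(src, set()):
            alerts.append({"type": "exfiltration", "src": str(src), "dst": str(dst), "bytes": total})
    return alerts


def run(text=SAMPLE_FLOWS, baseline_cutoff=1150):
    """Learn the baseline from flows before the cutoff, then detect on the rest."""
    flows = parse_flows(text)
    baseline = build_baseline([f for f in flows if f["ts"] < baseline_cutoff])
    recent = [f for f in flows if f["ts"] >= baseline_cutoff]
    return detect_port_scans(flows) + detect_exfiltration(recent, baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as a script it prints one `port_scan` alert for 203.0.113.5 (12 ports) and one `exfiltration` alert for 10.0.0.42 sending 120,000,000 bytes to 192.0.2.77. The baseline split is the important design choice: a destination-novelty check only works if the "known good" set is learned from a period believed to be clean, otherwise the exfiltration channel simply becomes part of normal.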
- The Juggernaut
The Juggernaut attacker is both skilled and motivated. Their motive is usually either profit (e.g. organized crime) or ideology (e.g. Anonymous, “cyber-war”). As an example, although the hacker group “LulzSec” claimed to be motivated by Lulz, their statements imply that they were driven by the ideology of exposing the weakness of current best-practice security. Either way, Juggernauts are willing to spend a significant amount of time to accomplish their goals.
This category of attacker will likely use a variety of techniques to infiltrate the network systematically, using each successfully breached system as a jump point to start the next attack. Most of these attacks will focus on extracting information, usually either intellectual property such as source code or product designs, or customer information such as credit card or social security numbers. Defense against this type of attack should start with assuming that, if it occurs, it will be successful, and planning ahead of time for damage control based on what information will be exposed.
Once damage control is in place, greater defense in depth should be deployed in layers from the location of critical information. Proper planning often calls for a penetration test, in which the company commissions an actual attack as a test of their defenses. It’s not always sufficient to create plans based on network architecture or other design or documentation, as production networks have a tendency to drift from their originally deployed state. Although a penetration test won’t find every vulnerability, it is a low-risk way to learn to defend.
Many companies choose to believe that they are not big or important enough to draw the attention of a Juggernaut attack, and therefore choose not to prepare response plans. Preparing a response plan is an uncomfortable exercise, requiring consideration of painful alternatives. While the probability for most companies of a Juggernaut breach is indeed low, the impact will likely be severe. The exercise of creating a response plan will familiarize the company employees with the likely decisions to be made, speeding recovery and reducing costs.
Understanding who the attackers are will hopefully help you evaluate your current network security posture and defenses, with an emphasis on uncovering any invalid assumptions. In a world where even casual attackers have access to sophisticated tools, there’s a strong value in frequent re-assessment of your security policy.
The next blog post in this series will dive further into exploring the How and the Why of Security Threats – the types of attacks, and what drives the people who use them.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.