Over the last few posts, I’ve dissected the major security threats that are happening on your network today. The first piece dissected the “Who,” mainly how you classify these perpetrators based on a set of characteristics that they share. The next post took a look at the “How”: how hackers enter your network and what you can do to help safeguard it. For the final piece of this series we will look at the “Why.”
Where is your Attack Level?
While there are lots of sociological theories and studies on why people vandalize and steal, this post will focus on the most common motives currently driving hackers to penetrate your network:
1. “Lulz”
2. Profit
3. Ideology
Lulz is attacking “for the laughs,” for recreational purposes, or for bragging rights. It is the motivation most commonly associated with chaos, and it can potentially be dissuaded simply by maintaining better-than-average defenses. Lulz-motivated attackers are likely opportunistic. If they find a vulnerability on a site, they’ll exploit it, but they won’t invest a lot of time searching for weaknesses. Expect a Lulz-motivated attacker to deface a web site, randomly erase data, or steal and publish internal documents. Keep in mind that recent advances in security scanning tools greatly reduce the time it takes to make a quick vulnerability assessment against a site.
Remember HD Moore's Law – attack tools are easy to get, quickly updated, and getting better all the time, so you should spend at least as much time assessing your own security as the kind of attacker you want to keep out would.

Profit is about making money. What differentiates profit-driven attackers is their rational behavior, based on a business model. Profit as a motive has driven the development of industrial-strength attacks, plus the evolution of viruses from mere nuisance to botnet recruiter or attack tool. Developing these tools requires up-front investment, with long-term return. Profit is a strong enough motivator that it’s driven the establishment of a new model of security research companies, aided in part by some security-minded product vendors who are offering cash rewards for reports of vulnerabilities. It’s unclear whether these companies are attracting people who would otherwise use their skills for crime, but the partnership of vendors and researchers helps speed the discovery – and the resolution – of potential security problems. At least one security research company has followed the profit motive into a gray area.
Vupen Security, based in France, finds vulnerabilities and sells information about them to its clients. According to a profile of the company in the April 9 issue of Forbes, they claim to sell only to government agencies from NATO countries – but they are a visible example of the growing economic infrastructure of information insecurity.

In most networks, the most common profit-driven attack is just a virus with a payload that performs specific actions, such as joining a botnet (to send spam or act as an agent in a DoS attack), extracting credit card numbers from files on the PC, or even creating a simple VPN the attacker can use to enter the network.
A recently discovered worm infected machines running the design program AutoCAD and sent the design documents to servers in China. (Note that China is a popular location for attackers to use as a network relay, so there is no guarantee that the attackers were actually in China.)

The next level up is automated scanning to discover networks and services with exploitable vulnerabilities. A profit motive means that an attacker wants to perform the least amount of work for the largest payoff. Good patch management, plus audits of firewall policy and Internet-facing applications, will reduce the chance of being chosen for a casual random attack.
The riskiest type of profit-driven attacker is one that has chosen a specific target for some reason. This is the category of industrial espionage. If the potential reward is high, then the attacker may decide that it makes business sense to invest time and expertise. The 2009 film Duplicity portrayed corporate espionage in the high-stakes world of shampoo. The choice of setting serves as a reminder that every industry has information that a rival would find worth stealing. Even at this level of dedication, automation can make the job easier.
The practice of “spear-phishing” entails sending emails to company employees, using phishing techniques either to spread a virus or to fool employees into revealing their passwords. Spear-phishing was the initial technique used in the RSA breach of early 2011. Once one user got infected, the attacker was able to enter the network and progressively attack deeper. One additional aspect of profit-driven attackers is that they will take advantage of an opportunity for as long as it lasts. After Nortel entered bankruptcy, it was revealed that the company had been seriously breached as early as 2000. Attackers reportedly had access to everything – design documents, source code, business plans, everything. In the end, the breach outlasted the company.
The most dangerous type of motive is ideology. This is the belief that there is a compelling moral reason to attack a specific target. The nature of ideology as a motivator can make it seem as chaotic as Lulz and as targeted as a dedicated profit motive, but irrationally persistent even in the face of a strong defense. Ideology is a broad category, tied together by a sense that the victim deserves to be attacked. A small example occurred when a disgruntled employee remotely erased payroll information after being fired. A much larger example occurred when the group Anonymous launched large-scale DoS attacks as protest and vigilante punishment against the US Government. In another example of a small but effective attack, “ComodoHacker,” who released a manifesto listing revenge against the Dutch government as a motive, breached both the Comodo and DigiNotar certificate authorities.

Ideology isn’t confined to the “bad guys.” The largest examples of ideology come when nation-states infiltrate targets across international borders in the name of national security, as when Stuxnet and Flame targeted nuclear research in Iran. In each of these examples, the sense of moral superiority specifically overwhelms the rational decision-making process. When this zealous belief combines with technical skill, the results are going to be trouble for the business.
Hopefully this primer has provided a framework to begin planning a unified defense against the different types of attack. The threat landscape is changing thanks to the rise of a populist movement coupled with the commoditization of attack tools, along with the technological expansion of organized crime. Understanding the methods and motives will lead to better choices when prioritizing resources for defense.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course