© Raymond Pompon 2016

Raymond Pompon, IT Security Risk Control Management, 10.1007/978-1-4842-2140-2_5

5. Risk Analysis: Adversarial Risk

Raymond Pompon

(1) Seattle, Washington, USA

Cybersecurity is perhaps the most challenging intellectual profession on the planet both because of the rate of change and because your failure is the intentional work product of sentient opponents.

—Dan Geer, CISO In-Q-Tel

Intentional attacks against IT systems from motivated malicious attackers are the heart of the challenge in IT security. Malicious attackers work around your controls, actively hide from detection, and zero in on highly valuable systems and data. This chapter explores how you can analyze and predict adversarial attacks.

A Hospital under Attack

In the fall of 2004, twenty-year-old Christopher Maxwell of Vacaville, California, came up with a great moneymaking scheme. Already a skilled programmer, he wrote a devious little network worm. The malware used two Microsoft Windows vulnerabilities—LSASS and RPC/DCOM—to break into a Windows computer and install his remote control tools. The program would silently scan for other machines to attack and join them to his fleet of already infected machines (called a botnet). Once an infected machine was up and running, it would stealthily surf to a few web sites that Maxwell ran and then click the banner ads. Since Maxwell was getting paid per click for these ads, all those thousands of captured machines would create the illusion of popularity for his site. It was a grand idea; however, not a very original one. This was what cyber-criminals were doing at that time. Maxwell figured most Internet advertising was a shell game anyway, so who cared? Besides, since the victim machine would only be out a few computing cycles and a tiny bit of bandwidth, what was the real harm? He made nearly a hundred grand this way. Easy money.

In early January of 2005, at a large medical facility in Seattle, the entire network suddenly seized up in the middle of the morning. Something was burning through Northwest Hospital’s computing systems, jamming all network traffic with scanning sweeps looking for new targets. Diagnostic and lab services couldn’t update patient records. The intensive care unit’s terminals went dead. Even the automatic operating-room doors locked down. Anything on the network was either shut down or turned into a shrieking beacon of network noise. IT staff disconnected a machine, cleaned out the malware, and got it functional. As soon as they put it back on the wire, it became reinfected. Northwest Hospital was in a tough spot. It seems that Maxwell’s worm had a bug; the malware was probing too quickly for fresh victims and saturating the network.

Because of the magnitude of the damage, Northwest Hospital called the FBI for help. The FBI cyber-crime unit put their best people on the case. Within a year, Christopher Maxwell was wearing handcuffs. During his interrogation, Maxwell was horrified to learn that his worm had crashed a hospital’s network. He never intended to commit a crime of that magnitude. The judge sentenced him to 37 months in prison.

Adversarial Risk

When most people talk about hacking and computer security, scenarios like Northwest Hospital are what they have in mind. Some “hacker” unleashes a computer worm that wreaks all kind of damage, both on the network and in the real world. These are some of the kinds of incidents that security professionals need to understand and prevent. We can understand them better by modeling the attacker and the attack.

Building a risk model for a human-based attack against technology is challenging. Adversarial tactics change frequently based on rapid shifts in technology, new monetization schemes, and innovative new attack methods. Consider how much the state of IT risk changed on April 7, 2014, when Heartbleed was announced. Suddenly network devices, including network security devices that were once considered secure, were perceived to be at a much higher state of risk due to a change in the likelihood of compromise. Risk levels changed rapidly for many government agencies on June 5, 2013, when Edward Snowden leaked the National Security Agency’s (NSA) operational secrets. In both cases, the consensus of perceived risk around the security of encryption and insider access changed forever. You are likely to update your adversarial risk model more frequently than your natural and operational risk models.

Overview of Attacker Types

To model adversarial risk, you need to look at how an adversary would attack your systems, keeping in mind their goals, capabilities, and methods. To make things easier, let’s break adversaries into four basic types:

  • Cyber-criminals: Crooks external to your organization who hack for monetary gain.

  • Insiders: Disgruntled, reckless, or crooked users within your organization. They have varying motivations.

  • Hacktivists: Political hackers who often seek to expose wrongdoing by exposing protected data.

  • Cyber-militants: Professional experts in hacking doing espionage or sabotage on behalf of their country or cause.

Cyber-Criminals

There is a vast ecosystem of parasites in the cyber-criminal world. You have young entrepreneurs like Maxwell, sweeping the Internet indiscriminately looking for opportunistic victims. In recent years, these opportunistic criminals have organized and professionalized, resulting in more specializations and more sophisticated scams. Just like old-fashioned criminals, the cyber-crooks have organized into gangs with global reach. Within that group, there are also the “jewel thieves” of the Internet: highly skilled cyber-criminals who target high-value targets and often make off with millions of dollars in stolen data.

Insiders

The concept of malicious insiders covers a wide gamut. The most famous are the disillusioned system administrators who see themselves as the hero in their own story, like Edward Snowden or Chelsea Manning. Sometimes insiders are agents of an outside criminal conspiracy, abusing their position of trust to enable a crime. Sometimes they are opportunists who steal what is in front of them. Some are angry and seek revenge against a perceived wrong. Another class of insider is the careless or reckless individual: people with poor judgement who do dangerous things at work, like downloading pornography or pirating movies, which can result in expensive lawsuits. They are also the people who accidentally release private data on the Internet through carelessness or ignorance. Whatever the case, the impact of their acts is often extreme because of their direct access to systems and valued assets.

Hacktivist

Political hackers run the spectrum, from vicious pranksters like Anonymous to the cyber-activists who feel they are hacking to promote the social agenda of their collective group. In most of these cases, the political hacker attacks by releasing loads of private material on the Internet. Sometimes insiders are politically motivated, as stated earlier. One case worth knowing about is Aaron Swartz, a brilliant engineer who had a history of liberating records that he thought should be public goods from closed systems. He did this with the Pacer court documents, the Library of Congress bibliographic dataset, and JSTOR. JSTOR is a repository of academic journal articles, which Swartz downloaded onto a laptop hidden in a closet at MIT. He was arrested and charged as a cyber-criminal. He faced a possible 35-year prison term. Contrast that with the 37 months given to Maxwell, who crippled a hospital for his own financial gain. Unfortunately, Swartz committed suicide under the weight of the prosecution. It was a tragedy for all involved, as his technical and intellectual contributions helped shape the Internet. The point is that hacktivist motivations can be hard to discern in advance, and they are not like those of ordinary cyber-criminals.

Cyber-Militants

Beyond hacktivism, these are well-trained, well-funded security experts used by nation states, corporations, or large non-government organizations (like ISIS). They may infiltrate networks to spy or cripple critical infrastructure. Sometimes they hack to spread disinformation or propaganda. Some are hired mercenaries being well paid by a variety of masters. They are mostly known by their capability and their actions, which are in a different class than an ordinary hacktivist or cyber-criminal.

Understanding Attacker Capability

Like IT professionals, attackers come in many levels of capability, from the script kiddie, who is only as good as the tools he barely understands, to the seasoned professional who codes her own exploits and rootkits. You need to assess how likely it is that an attacker can smash through your defenses and how likely a particular type of attacker is to come after your organization. There are many factors that go into this, but let’s look at four big ones: technical capability, trickery capability, timing, and techniques.

Technical Capability

Since we’re talking about IT security, the attacker’s IT skills and tools are a major factor. At the lowest end, we have the aforementioned script kiddie. They aren’t necessarily young kids, but simply technical novices. Their capability begins and ends at the user interface for the tool they are using. They don’t necessarily understand what is going on under the hood, but they do know just enough to be dangerous.

Technical capability also refers to an attacker’s ability to evade or break through IT security controls. An unskilled attacker could be stymied by antivirus software, while a skilled attacker may know how to rewrite and pack their malware such that it is undetectable.

The Bare-Minimum Threat

Many security professionals use a measure of the minimum threat level that IT security systems must withstand. Security thought leader Alex Hutton referred to this as the Mendoza Line for Security¹, taking a reference from baseball. The Mendoza line in baseball refers to Mario Mendoza, whose name came to mark the minimum batting average acceptable in major league play. For Alex, the Mendoza Line for Security is the capability of a point-and-click penetration testing system, like the Metasploit Framework. If a tool like Metasploit can penetrate your Internet perimeter, then any script kiddie that comes along will crack you wide open. It’s the bare-minimum threat capability.

Advanced Threats

At the highest end of the spectrum are the seasoned professionals. There are indeed hackers out there who understand technology and attack techniques so well that they can find flaws in nearly any system, given enough time. During the investigation of Operation Flyhook², one of the lead forensic experts remarked that the Russian suspects were some of the best Windows integrators he’d ever seen. It is a telling quote about the capability of some hackers. Many of them have an understanding of a software system on par with or exceeding the original designers of that system. In addition, attackers view that system with a hostile eye, looking for any weakness to exploit. Given the complexity of most systems, you can see how they can chisel their way in.

Attack the Available Power-ups

Advanced attackers often create their own tools for finding or exploiting vulnerabilities. Some of them give or sell these tools to others, providing a pathway for the lesser skilled to follow. Exploit timelines usually go from discovery, to a proof-of-concept tool (usually a script), to a point-and-click tool, and finally to a fully capable module in a penetration-testing framework. Whereas an advanced attack requires time and skill, once a tool is available, the attack falls to the Mendoza Line for Security. This is how a nearly impossible hack yesterday can become a commonplace attack tomorrow.

Trickery Capability

In addition to their technical capability, attackers cheat. They build complicated deceptions and weave a chain of lies to ensnare victims. Some attackers go to great lengths to impersonate your company and staff, constructing very genuine-looking e-mails or web sites. Some generically masquerade as authority figures, like the FBI or the IRS, and blast out waves of phony e-mail notifications soliciting credit cards or login credentials.

A few are particularly devious and target an industry or organization with a watering hole attack. This is where an attacker researches their target organization to find out which web sites their users visit frequently, like a popular industry blog or an affiliate site. The attacker breaches that affiliate system, which usually has weaker security than the target organization. On the site, the attacker plants web-borne malware or a phishing capture page, in hopes that their target visits it and becomes infected. A popular technique is to put up an enticing video that requires users to install a plug-in that is booby-trapped with malware.

Social engineering is a con game facilitated by technology. The following are some of the facets of a con that are useful in understanding social engineering:

  • Ring of familiarity: The attacker uses social proof (presents business card, carries a clipboard, has an official logo on a web site) to establish authority.

  • Urgency: The attacker uses time pressure (“Act now or pay a fine!”) to distract the victim into not thinking clearly.

  • Incentive: The attacker offers something for you to win or lose: “Pay this fine or be charged interest!” or “Claim your annual bonus!”

  • Story: Some of the best cons involve stories that engage the victim’s interest in some way.

To reemphasize the power of trickery, nearly all large breaches involve some kind of social engineering. Some hackers say they achieve 100% success with phishing campaigns against sizeable organizations.

Time

The amount of time an attacker spends attacking you is another deciding factor as to whether you suffer an impact or not. Usually this factor is directly related to the technical skills and motivation of the attacker. A script kiddie is doing the network equivalent of walking down a street of cars looking for unlocked doors. As soon as he spots one, he’ll pop the door and snatch whatever he can carry off in a hurry. The window of risk is short. Some attackers set off massive Internet-wide scans for vulnerabilities and then return a day or so later to the identified vulnerable machines.

A more sophisticated attacker spends days or weeks researching her target, probing and testing until just the right opportunity arrives. Once in, she may spend more weeks and months sneaking around the network until she finds her final target. The Stuxnet malware attack against Iranian centrifuges involved waiting months for a worm to reach its target. The more-organized hacking groups perform time-consuming and project-intensive attacks; for example, mass phishing campaigns use management tools to assist in keeping track of victims and their status.

Techniques

There are many permutations of how an attacker can combine their technical ability, deception, and available time. Many of the techniques are available only to attackers with the right amount of time or technical ability.

Proximity of Attacker

One aspect of attack technique is the contact method of attack. Most attackers attempt only network attacks, coming in only over the Internet. Some attackers come sideways over the Internet but via third parties or business partner connections, having broken in there first. Other attackers may come from the neighborhood, jumping on wireless connections to get into the network from the inside (infamous hacker Albert Gonzalez broke into TJX retailers from its wireless connections using a laptop in the store’s parking lots). Dumpster-diving attackers rifle through an organization’s trash, hoping to find some useful secrets. One attack technique is to leave USB drives loaded with malware lying around nearby so that unsuspecting users will pick them up and use them inside.

Some attackers physically come into your organization, either by burglary or by social engineering. Once inside your building, they can plant malware, connect key-logging devices, hide spy cams, install their own wireless taps onto your network, or just walk out with hard drives or backup tapes.

Cornucopia of Techniques

Table 5-1 lists a number of attack techniques with their respective attributes. Regarding the time and skill needed, a well-funded attacker can easily purchase the necessary expertise to supplement their own lack of time or skills. Also, you should be aware that these characteristics can quickly vary as new tools are made available.

Table 5-1. Attack Techniques (each row gives the technique, the time needed, and the skill needed)

  • Able to create malware that evades antivirus. Time needed: not much; tools available. Skill needed: low; tools available.

  • Able to evade standard intrusion detection tools. Time needed: some time needed to test tools. Skill needed: some skill needed.

  • Uses chained exploits in attack. Time needed: some time to ensure exploits all work correctly in the target’s environment. Skill needed: moderate skill; some tools available.

  • Finds new vulnerabilities (zero-day) and develops attack. Time needed: weeks/months to find an exploit. Skill needed: high skills needed; these skills can be specialized in web apps, operating systems, or a particular type of application/platform.

  • Uses wireless man-in-the-middle attacks. Time needed: minutes, assuming Wi-Fi clients are available to attack. Skill needed: not much; tools available.

  • Performs brute-force password guessing attack. Time needed: hours/weeks/years, depending on strength of authentication. Skill needed: low skills needed.

  • Able to perform decryption attacks on broken algorithms. Time needed: minutes to days, depending on algorithm and traffic captured. Skill needed: low.

  • Able to perform decryption attacks on unbroken algorithms. Time needed: minutes to years, depending on algorithm and traffic captured. Skill needed: highly specialized skills needed.

  • Use of social engineering in conjunction with attack. Time needed: minutes to days, depending on research needed in attack. Skill needed: medium skills needed.

  • Use of physical penetration in conjunction with attack. Time needed: minutes to days, depending on research needed in attack. Skill needed: medium skills needed.

  • Intelligence gathering pre-attack. Time needed: hours to weeks, depending on depth of research desired. Skill needed: low/medium skills needed; some tools available.

  • Use of watering hole web sites to lure victims. Time needed: days or weeks to find and penetrate the watering hole. Skill needed: medium to high skills needed.

  • Use of covert or side channels to facilitate hidden communication with compromised hosts. Time needed: hours or days, depending on rootkit. Skill needed: low; tools available.

Understanding Attacker Incentives

Beyond technical capability, the other major attacker attribute is their motivation. There is definitely some truth to compensating for skills with sheer determination. Depending on the incentive, some attackers can be very dangerous threats. Based on that, you should consider what things your organization has or does that could motivate an attack. You can get an idea about this from reviewing your asset analysis. Let’s break that down a bit.

Monetary Incentives

When looking at monetary incentives, sometimes the value is straightforward. If your organization is storing payment cards or involved in banking, then you are a big juicy target for attackers. If you are doing e-commerce for any kind of good that criminals can easily resell on the black market, like electronics or media, then you are a valuable target. The incongruity of this situation is that your data may be worth more to criminals than to the organization itself. For example, for those working in the financial services industry, you can run systems holding personal financial details that are worth hundreds of millions of dollars to identity thieves. However, customers may only be paying a tiny fraction of that to process that same data. This can lead to strange situations, where attackers may have better financial support in stealing the data than you are given to protect it. Always consider the value of your assets to adversaries. To quote the CISO of the University of Washington, Kirk Bailey, “Data is a cash crop.”

Account data is also easily monetized. Things like bank logins and PayPal accounts are obvious valuables worth stealing, but data thieves also harvest many other types of accounts. The accounts can be used to ring up fraudulent charges to fake sellers, launch spam at other victims, or do click-fraud. Table 5-2 lists a sample of commonly stolen accounts.

Table 5-2. Commonly Stolen Accounts

Uber, eBay, Netflix, Mobile phone, Xbox, Google Voice, Facebook, E-mail, Spotify, Minecraft, Amazon, Twitter, World of Warcraft, FedEx/UPS, iTunes

Some of these accounts may only be worth a few cents on the black market, but with the power of automation comes high-volume turnover. A good piece of malware can infect about one million computers worldwide. Small amounts of money can easily add up to a big payoff, all with very little work needed. It’s safe to assume that if an account has a password, then it’s worth stealing by someone.

Monetization Schemes

Beyond stealing data, there are many other ways that attackers can monetize a hacked computer. Like a good hunter, no scrap of the animal goes to waste. Let’s look at the Northwest Hospital case again. The secondary monetization scheme that Maxwell used was pay-per-install fraud. Many independent software manufacturers provide free applications with embedded pop-up advertising. They also pay marketing companies to entice people to download and install this software to increase their popularity. These software companies pay marketing companies from the revenue of the software’s pop-up ads. Criminals like Maxwell use their malware to directly install adware onto a victim’s computer, thus generating quick revenue without having to do any marketing. You still see this scheme in use in some mobile malware. The important lesson is that fraudsters find ways to subvert legitimate business models all the time. To see where the trends in hacking are going, you need to follow the monetization schemes. Here are some of the more popular ones over the years:

  • Click jack/ad fraud: Use your machine to click banner ads.

  • Pay-per-install: Install ad-supported software on your machine.

  • Crypto ransom: Pay us to decrypt your data that we locked up.

  • Fake AV fraud: Trick you into paying for antivirus software you don’t need.

  • Spam relay: Use your machine to relay spam.

  • ID theft: Use stolen credentials for impersonation fraud.

  • Carding: Use stolen payment cards.

  • Bitcoin mining: Use your machine to mine (calculate) bitcoins.

  • Botnet for denial-of-service: Use your machine (and thousands of others) to bombard someone else’s site with network traffic for ransom.

  • Malware delivery: Use your server to host malware to infect other machines.

  • Phishing platform: Use your server to host a fake phishing site to trick others.

  • Fake ad/SEO injection: Inject banner ads or content onto your site to deliver or help deliver malware.

  • C&C server: Use your server as a command and control server for other hacked machines (botnet).

  • File repository: Use your server to store/sell/serve illegal materials (child porn, pirated media).

  • Stealing and using/reselling organizational secrets: Such as pricing guidelines, proprietary models, contracts, internal security or audit reports, regulatory findings, information on acquisitions/mergers/divestitures.

It’s worth mentioning that the audits covered by this book are addressing specific types of monetary-incentivized IT risks. The risks that an SSAE 16 SOC 1 covers are unreliable or misleading financial reporting because of fraud, misuse, corruption, and loss of financial transaction records. PCI DSS primarily addresses the risk of confidentiality breaches of payment card numbers for use in fraud, with some lesser emphasis on protecting integrity and availability.

Political Incentives

Politically motivated hacking can come from amateurs and professionals alike. Amateurs are also sometimes enticed with patriotism based on nationalism and sense of duty. Sometimes amateur gray-hat hackers rise up and decide to act, like the Anonymous group. Professional political attackers are often very dangerous, as they are usually well-funded and well-trained cyber-warriors.

Political hacking can take the form of espionage with covert attacks into messaging systems and financial records to build dossiers on enemies and affiliates like spies, whistle-blowers, unfriendly journalists, and double agents. They can also be looking to gather intelligence for future attacks or steal military secrets. Their attacks can disrupt marketing systems to slow recruitment or to inject their own propaganda. Sometimes political attacks are direct, with attempts to disrupt weapon and industrial systems causing infrastructure damage and financial loss. Sometimes political attacking means implanting malware that lies in wait to disrupt a system when a trigger is depressed. Many political attacks take the form of denial-of-service flooding attacks as a protest against a particular cause.

Targets for political/nation-state espionage and sabotage:

  • Media and journalists

  • Universities

  • Health organizations

  • Military agencies and related industries (aerospace)

  • Police departments

  • Energy utilities and companies

  • Critical infrastructure (water, sewer, communication)

  • Financial institutions

  • Large industrial companies

Personal Incentives

Some motivations for hacking appear completely irrational. Instead of asking why someone would do that, consider that people may have different priorities. Some people throw up their hands and don’t try to understand these motivations. As John Maynard Keynes said, “The market can remain irrational longer than you can remain solvent.” So don’t discount personal incentives that appear to provide no apparent benefit to the attacker. Let’s look at the detail on motivations seen in these kinds of attacks. Be aware that attackers may have a blend of these reasons.

Counting Coup

Some hackers hack for the sheer joy of hacking. They are breaking in “because it’s there.” Others may be trying to win prestige and fame for being the first to pull off an impossible hack. The organization that boasts of the “unhackable” system is daring a certain community of attackers to come after them. This kind of hacking usually results in humiliation for the hacked system, as web sites are defaced and secrets are leaked. Counting coup refers to how Plains Indians used to win prestige for bravery by merely touching an enemy in battle, but not injuring them. Some hackers do this with systems.

Ideology

This is like political hacking, but often with a vaguer cause—and often with an even vaguer objective. Their focus is to throw a spotlight on wrongdoing. They see themselves as whistleblowers righting an injustice. Ideological hackers often work alone. Snowden and Manning are good examples of ideological insiders.

Duress

Some insiders are pressured into committing cyber-crimes. Some are doing it to support an addiction. These kinds of attacks are hard to spot because the attacker often doesn’t appear to have a motive. I have seen cases where sysadmins end up hacking their own systems in order to cover up mistakes that they made. Fear of being fired actually led them to doing something that really did get them fired. Often there is something going on in their personal lives that is compelling them into action.

Ego

The classic disgruntled sysadmin is a known threat to many security professionals. These kinds of insiders are the most dangerous because they have deep technical knowledge as well as an intimate knowledge of the environment that they’re compromising. They can feel affronted from being passed over for promotion or from simply having their ideas ignored. They can seek revenge in a variety of ways, from simple destruction to complex blackmail or leakage attacks. Some egotistical attackers feel that they are above the rules because of their superior technical knowledge, and they act accordingly.

Deviant Motivations

Perhaps the most inexplicable are the socially deviant motivated attackers. There have been more than a few cases where one user (usually a man) is hacking the network to stalk or harass another user (usually a woman). There are also attackers breaking into laptop cameras to facilitate their voyeuristic needs. Some of the worst cases are when seemingly normal users are discovered to have large caches of child pornography on their work computers. Despite the awkwardness and distastefulness of these kinds of incidents, they should be considered in a risk assessment.

Common Attack Techniques

Another way to model attacks is to look at the attack techniques. A few attack methods are useful to understand when determining the risk to your organization.

Kill Chain

One of the common attack models for this is the “kill chain” analysis. Originally developed for analyzing military physical attacks (a.k.a. actual warfare), Lockheed Martin adapted the model for IT security. The kill chain refers to each of the stages an attacker must succeed in doing in order to achieve security impact. The idea is that if a defender can break any link in that chain, they can block the attack.

There are seven links in the kill chain model:

  • Reconnaissance: The attacker scans the network for vulnerabilities and/or researches the organization for weaknesses.

  • Weaponization: The attacker develops an exploit or attack technique based on the reconnaissance.

  • Delivery: The attacker delivers the exploit and breaches the organization’s defenses.

  • Exploitation: The attacker succeeds in capturing a machine or machines within the organization.

  • Install: The attacker installs a rootkit that allows him to retain control of the captured machines over time.

  • Command and control: The attacker uses that remote control to act upon the network as if she were a normal user.

  • Actions on objective: The attacker now goes after his final objective.

The final stage, action on objective, is sometimes called a pivot. It can involve restarting the kill chain internally as the attacker goes after the final objective. For example, the first attack gives the attacker access to a sysadmin’s workstation. Now the attacker will move laterally through the network to find the database server holding all the payment card numbers and break into that.

Note

Check out the Lockheed Martin white paper “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” (http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf).

Stealing Authentication

One useful technique for attackers is to impersonate users. With a user’s authentication credentials, they can appear to be legitimate and generate no suspicious hacking traffic that can set off intrusion detection systems. Any audit logs of actions appear as that user. As far as the system is concerned, nothing is amiss. Some organizations do have user-behavior anomaly detectors, but they are still rare and hard to tune. What exactly do I mean by stealing authentication? There are several ways this happens:

  • Guessing: Some users choose poor passwords, and usernames are easy to derive: organizational naming conventions, or names harvested from social media sites, turn into usernames with little effort. Some organizations never change their default accounts. So guessing or brute-forcing (trying many combinations) passwords is occasionally successful.

  • Phishing or social engineering: Simply trick the user into handing over the username and password. The attacker can send a fake e-mail that leads to a fake login page, pop up a browser window with a login box, or just telephone the user and pretend to be the help desk. If the attacker is physically on site, the password may be on a note under the keyboard.

  • Sniffing: If a system sends passwords across the network unencrypted, an attacker with access to the local wire (or wireless network) can copy them with a network sniffer.

  • Man-in-the-middle: This is a more sophisticated attack that also requires access to the network the victim is using. The attacker inserts himself into the authentication transaction: when the server asks for the password, the attacker intercepts the request and issues his own request to the user, then copies the user's answer and relays it to the server. This relay works not only for passwords but for other forms of authentication, such as one-time tokens and biometrics, because the attacker needs only the response, not the secret behind it. In that case, the attacker sends the victim an error message and uses the freshly captured response to log in before it expires.

  • Local theft: Most systems make you log in once and then don't prompt you again for every action. What is happening is that once you have authenticated to a server, your machine is given some kind of ticket that is valid for a period of time. The ticket is stored in your computer's memory and is presented in place of your credentials every time you perform an action on the remote system. In a Windows domain this is a Kerberos ticket; on the web it is a session cookie. An attacker with malware on the machine, or direct access to it, can simply copy the ticket out of memory and reuse it, which is why this is also called pass-the-ticket or session hijacking.

Modeling for this kind of attack means assuming that an attacker will steal a user's authentication. Given that, how would the attacker use it on your system? What would that look like in your logs, and what damage could they do? The answers drive later decisions about controls that detect and contain this technique.
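The detection question in that paragraph, worked as an added example that is not from the book: a minimal behavior detector run over constructed login records. It flags three of the patterns the list above produces, a valid credential used from a second source address shortly after the first (credential or session theft), a successful login outside the user's working hours, and a success that follows a burst of failures (guessing). The log format, the thresholds and the sample records are all assumptions made for illustration.

```python
"""Toy stolen-credential detector over constructed login records.

Added example, not from the book. The log format, the thresholds and
the sample records are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line:
# "timestamp user source_ip result"
SAMPLE_LOG = """\
2016-03-01T08:55:10 alice 10.1.4.22 success
2016-03-01T09:02:41 alice 10.1.4.22 success
2016-03-01T09:05:03 alice 203.0.113.9 success
2016-03-01T03:14:00 bob 10.1.7.31 success
2016-03-01T10:00:01 carol 10.1.9.5 failure
2016-03-01T10:00:02 carol 10.1.9.5 failure
2016-03-01T10:00:03 carol 10.1.9.5 failure
2016-03-01T10:00:04 carol 10.1.9.5 failure
2016-03-01T10:00:05 carol 10.1.9.5 failure
2016-03-01T10:00:09 carol 10.1.9.5 success
2016-03-01T11:20:00 dave 10.1.2.8 success
"""


def parse(log_text):
    """Turn the text log into (time, user, ip, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def detect(events, window=timedelta(minutes=30), work_hours=(7, 20), burst=5):
    """Return (user, rule, detail) alerts for the three patterns."""
    alerts = []
    last_ip = {}                 # user -> (time, ip) of the last successful login
    fails = defaultdict(list)    # user -> times of failures since the last success
    for ts, user, ip, result in events:
        if result != "success":
            fails[user].append(ts)
            continue
        # Rule 1: the same credential used from two addresses inside the window.
        if user in last_ip:
            prev_ts, prev_ip = last_ip[user]
            if prev_ip != ip and ts - prev_ts <= window:
                alerts.append((user, "two-sources",
                               f"{prev_ip} then {ip} within {ts - prev_ts}"))
        last_ip[user] = (ts, ip)
        # Rule 2: a successful login outside the assumed working hours.
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            alerts.append((user, "off-hours", ts.isoformat()))
        # Rule 3: success right after a burst of failures on the same account.
        recent = [f for f in fails[user] if ts - f <= window]
        if len(recent) >= burst:
            alerts.append((user, "burst-then-success",
                           f"{len(recent)} failures in window"))
        fails[user].clear()
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each rule is cheap, and each has an obvious evasion: rule 1 misses an attacker who comes from the same subnet, rule 2 misses daytime use, and rule 3 misses an attacker who tries a few common passwords against many accounts instead of many against one. That is the tuning problem the paragraph mentions, and it is why the modeling question ("what would it look like?") has to be answered per system.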

Exfiltration

Once an attacker is in your network, what are they going to do? If they intend to steal data, they need to find it and copy it back out. This is called exfiltration. It is not always an easy problem for the attacker, because the data can be large. Some organizations run data leak prevention that watches for large transfers of certain file types, so attackers need a way to disguise or conceal the data. A common technique is to send it out as encrypted web traffic to a web server under the attacker's control. Others compress and encrypt the data and then send it out in small chunks hidden inside traffic that is normally allowed, such as DNS queries or ICMP echo (ping) packets. Different organizations leave different channels open (or closed) for exfiltration, which can squeeze an attacker's options. This, too, belongs in the risk model of an attack.
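The DNS channel from that paragraph, as an added example that is not from the book, with both ends shown: the attacker side chunks a compressed, encoded document into DNS query names, the receiver reassembles them, and a simple defender-side check picks out zones that receive an unusual number of long, high-entropy subdomains. The attacker domain, the stand-in "stolen" file, the benign traffic and the thresholds are all constructed for illustration, and nothing is sent on the network.

```python
"""DNS-tunnel exfiltration: what the queries look like, and a simple detector.

Added example, not from the book. The attacker domain, the sample "stolen"
document, the benign traffic and the detector thresholds are constructed
for illustration; nothing is sent on the network.
"""
import base64
import math
import zlib
from collections import defaultdict

ATTACKER_DOMAIN = "cdn-metrics.example"   # hypothetical; .example is a reserved TLD

# Constructed stand-in for a stolen customer file.
STOLEN_DOC = "".join(
    f"4111-1111-1111-{i:04d},Customer {i},2016-{i % 12 + 1:02d}\n" for i in range(300)
).encode()


def to_queries(data, domain, chunk=30):
    """Attacker side: compress, base32-encode and split into DNS query names.

    DNS labels are limited to 63 bytes and whole names to 253, so tunnels
    chunk the payload; a sequence number lets the receiver reassemble it.
    """
    encoded = base64.b32encode(zlib.compress(data)).decode().rstrip("=").lower()
    return [f"{seq}.{encoded[i:i + chunk]}.{domain}"
            for seq, i in enumerate(range(0, len(encoded), chunk))]


def from_queries(names, domain):
    """Receiver side (the attacker's authoritative name server for the zone)."""
    parts = {}
    for name in names:
        seq, payload = name[: -(len(domain) + 1)].split(".")
        parts[int(seq)] = payload
    encoded = "".join(parts[k] for k in sorted(parts))
    encoded += "=" * (-len(encoded) % 8)          # restore base32 padding
    return zlib.decompress(base64.b32decode(encoded, casefold=True))


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_zones(query_names, min_queries=20, min_label=25, min_entropy=3.0):
    """Defender side: zones that receive many long, high-entropy subdomains.

    Thresholds are assumptions; tune them against your own resolver logs.
    """
    stats = defaultdict(lambda: [0, 0])   # zone -> [all queries, odd-looking queries]
    for name in query_names:
        labels = name.lower().split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        sub = "".join(labels[:-2])
        stats[zone][0] += 1
        if len(sub) >= min_label and entropy(sub) >= min_entropy:
            stats[zone][1] += 1
    return sorted(z for z, (n, odd) in stats.items()
                  if n >= min_queries and odd >= min_queries)


# Constructed benign traffic: plenty of queries, but short, low-entropy names.
BENIGN_QUERIES = (["www.example.com"] * 200 + ["mail.example.com"] * 50
                  + ["cdn.static.example.net"] * 40)


def demo():
    tunnel = to_queries(STOLEN_DOC, ATTACKER_DOMAIN)
    return {
        "queries": len(tunnel),
        "roundtrip_ok": from_queries(tunnel, ATTACKER_DOMAIN) == STOLEN_DOC,
        "flagged": suspicious_zones(BENIGN_QUERIES + tunnel),
    }


if __name__ == "__main__":
    print(demo())
```

The detector keys on volume, label length and entropy, which is what most DNS-tunnel signatures reduce to. An attacker who slows the tunnel down, shortens the labels or spreads queries over several zones drops under these thresholds, which is exactly the "squeeze the attacker's options" trade-off the paragraph describes: the tighter the limits on outbound DNS (egress only through an internal resolver, logging, rate limits per zone), the less data fits through.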

Building the Adversarial Risk Model

Now that we have examined a wide range of adversarial models, let’s build a risk model and populate it with data.

A good risk model that is formal but still practical, and that incorporates many of the elements I've been presenting, is factor analysis of information risk (FAIR). It is an open standard and widely available. It supports both quantitative and qualitative analysis and is relatively easy to use. FAIR's likelihood component is called loss event frequency, which is made up of threat event frequency and vulnerability. Threat event frequency has two factors: contact frequency, how often a threat comes into contact with an asset, and probability of action, how likely the threat is to attack the asset once it is in contact. Vulnerability is the probability that a threat event turns into a loss event, and it comes from comparing threat capability with control strength (FAIR calls this resistance strength). Impact is defined in FAIR as probable loss magnitude.

FAIR also breaks impact down into more detailed subfactors. For the purposes of this example, let's collapse those into a single measure. I also use the same terminology I referred to earlier for this model, for simplicity's sake. FAIR uses frequency in its risk modeling: frequency refers to the count of observable events, which is ideal for quantitative analysis with past data driving your calculations. For this example I am going to stick with likelihood, since we are still doing qualitative analysis and likelihood refers to the future probability of an event.

Remember, your risk model needs to fit your organization and in some cases, your organization’s way of expressing things. Although some audits prefer to stick to the book definition of a formal risk model, you can still modify things as needed. You just need to be clear and consistent in how you do your risk assessment. Remember, the process should be repeatable by someone else.

Note

More information about factor analysis of information risk (FAIR) is at the FAIR Institute ( www.fairinstitute.org ).

Qualitative Example

Tables 5-3, 5-4, and 5-5 walk through an example of some risks for a typical organization.

Table 5-3. Sample Qualitative Risk Table: Part 1, Vulnerability

Columns: Risk Scenario; Control Resistance; Threat Capability; Likelihood of Vulnerability

Malware infection on a desktop PC
  Control resistance: Moderate (AV resists 75% of all attacks)
  Threat capability: Strong (lots of new malware out there)
  Likelihood of vulnerability: Moderate (subfactors moderate and strong)

Insider steals source code
  Control resistance: Weak (no controls for insiders)
  Threat capability: Moderate (all internal users have read access; only two sysadmins have full access)
  Likelihood of vulnerability: Moderate (subfactors weak and moderate)

Office intruder steals a laptop with data
  Control resistance: Moderate (door entrance is partially staffed)
  Threat capability: Moderate (it doesn't take much beyond daring to steal a laptop)
  Likelihood of vulnerability: Moderate (both subfactors moderate)

Denial-of-service attack against web site
  Control resistance: Weak (no controls beyond a basic firewall)
  Threat capability: Strong (a distributed DoS attack would overwhelm us)
  Likelihood of vulnerability: Moderately high (subfactors weak and strong)

Table 5-4. Sample Qualitative Risk Table: Part 2, Threat

Columns: Risk Scenario; Contact Likelihood; Attack Likelihood; Likelihood of Threat

Malware infection on a desktop PC
  Contact likelihood: High (malware is always coming in)
  Attack likelihood: Very high (lots of web-based and e-mail malware)
  Likelihood of threat: High (both subfactors high)

Insider steals source code
  Contact likelihood: High (internal users are in constant contact with the source)
  Attack likelihood: Very low (low chance of a malicious insider; small user base)
  Likelihood of threat: Unlikely (very low chance despite high contact)

Office intruder steals a laptop with data
  Contact likelihood: Moderate (some crooks working downtown)
  Attack likelihood: High (if a crook gets in, there are a lot of nice laptops to steal)
  Likelihood of threat: Likely (subfactors moderate and high)

Denial-of-service attack against web site
  Contact likelihood: Low (we mostly fly under the radar)
  Attack likelihood: Low (our site is pretty boring and static)
  Likelihood of threat: Unlikely (both subfactors low)

Table 5-5. Sample Qualitative Risk Table: Part 3, Risk

Columns: Risk Scenario; Likelihood of Vulnerability (from Table 5-3); Likelihood of Threat (from Table 5-4); Likelihood; Impact

Malware infection on a desktop PC
  Likelihood of vulnerability: Moderate (subfactors moderate and strong)
  Likelihood of threat: High (both subfactors high)
  Likelihood: Likely
  Impact: Significant (could slow productivity for days)

Insider steals source code from CVS
  Likelihood of vulnerability: Moderate (subfactors weak and moderate)
  Likelihood of threat: Unlikely (very low chance despite high contact)
  Likelihood: Moderately unlikely
  Impact: Highly significant (our source code is key to our business)

Office intruder steals a laptop with data
  Likelihood of vulnerability: Moderate (both subfactors moderate)
  Likelihood of threat: Likely (subfactors moderate and high)
  Likelihood: Moderately likely
  Impact: Significant (laptops cost money and could have data on them)

Denial-of-service attack against web site
  Likelihood of vulnerability: Moderately high (subfactors weak and strong)
  Likelihood of threat: Unlikely (both subfactors low)
  Likelihood: Moderately unlikely
  Impact: Insignificant (we don't care if our web site is offline for a bit)

Quantitative Example

With some work, you can convert these qualitative measures to quantitative calculations of frequency based on real-world data. Some of the data can come from your asset analysis, some from vulnerability scanning, and some from industry reports. Tables 5-6, 5-7, and 5-8 look at the malware threat, but narrow the threat contact vector for simplicity. We’re just going to look at browser-borne infection via web drive-by.

Table 5-6. Sample Quantitative Risk Table: Part 1, Vulnerability

Columns: Risk; Control Resistance; Threat Capability; Likelihood of Vulnerability

Malware infection on a desktop PC via web
  Control resistance: our antivirus has been rated 85% effective (so it misses 15%)
  Threat capability: 75% of company browsers are fully patched and hardened (so 25% are not)
  Likelihood of vulnerability: roughly 40%. Adding the two miss rates, 0.15 + 0.25 = 0.40, is the quick estimate, but it double-counts the cases where both controls miss. If either control missing is enough to let the malware in, the figure is 1 − (0.85 × 0.75) ≈ 36%; if both controls have to fail before a machine is infected, it drops to 0.15 × 0.25 ≈ 4%. Which of those applies depends on how the two controls actually overlap on your desktops

Table 5-7. Sample Quantitative Risk Table: Part 2, Threat

Columns: Risk; Contact Frequency; Attack Frequency; Frequency of Threat

Malware infection on a desktop PC via web
  Contact frequency: 500 users surfing approximately 40 sites per day (20,000 site visits per day)
  Attack frequency: 1 in 1,000 web sites serve malware, per industry reports
  Frequency of threat: 20 web malware hits per day

Table 5-8. Sample Quantitative Risk Table: Part 3, Risk

Columns: Risk; Frequency of Threat (from Table 5-7); Likelihood of Vulnerability (from Table 5-6); Likelihood (loss event frequency); Impact

Malware infection on a desktop PC via web
  Frequency of threat: 20 hits per day
  Likelihood of vulnerability: 40%
  Likelihood: about 8 infections per day across the organization (20 × 0.40), or roughly 1.6% per user per day (40 × 1/1,000 × 0.40); with the 4% vulnerability figure it falls to under one infection per day
  Impact: $600 per infection in IT cleanup costs and lost productivity
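The arithmetic in Tables 5-6 through 5-8, worked as an added example that is not from the book, so that the combination rule is explicit and the numbers can be swapped for your own. It uses the page's figures (500 users, 40 sites per day, 1 in 1,000 sites malicious, 85% effective antivirus, 75% patched browsers, $600 per infection) and adds two things the tables do not show: the difference between "either control misses" and "both controls must fail" when computing vulnerability, and a small Monte Carlo run with triangular ranges in place of point estimates, which is how FAIR analyses are normally carried out. The 250 workdays per year, the combination rules and the ranges are my assumptions.

```python
"""FAIR-style loss event frequency using the numbers from Tables 5-6 to 5-8.

Added example, not from the book. The combination rules, the 250 workdays
per year and the Monte Carlo ranges are assumptions made for illustration.
"""
import random

WORKDAYS_PER_YEAR = 250   # assumption


def threat_event_frequency(users, sites_per_user_per_day, malicious_site_rate):
    """Contact frequency x probability of action: 500 x 40 x 1/1000 = 20 per day."""
    return users * sites_per_user_per_day * malicious_site_rate


def vulnerability(av_effectiveness, patched_fraction, both_must_fail=True):
    """Probability that a threat event becomes a loss event.

    both_must_fail=True:  infection needs the AV to miss AND the browser unpatched.
    both_must_fail=False: either control missing is enough (the table's 40% is a
    rounding of this figure). Simply adding the two miss rates, 0.15 + 0.25,
    double-counts the cases where both miss.
    """
    av_miss = 1 - av_effectiveness
    unpatched = 1 - patched_fraction
    if both_must_fail:
        return av_miss * unpatched
    return 1 - (1 - av_miss) * (1 - unpatched)


def loss_event_frequency(tef, vuln):
    return tef * vuln


def annualized_loss(lef_per_day, loss_per_event, workdays=WORKDAYS_PER_YEAR):
    return lef_per_day * workdays * loss_per_event


def page_example(both_must_fail=False):
    """The point estimate from the tables, under either combination rule."""
    tef = threat_event_frequency(500, 40, 1 / 1000)
    vuln = vulnerability(0.85, 0.75, both_must_fail)
    lef = loss_event_frequency(tef, vuln)
    return {
        "tef_per_day": tef,
        "vulnerability": vuln,
        "lef_per_day": lef,
        "per_user_per_day": lef / 500,
        "ale": annualized_loss(lef, 600),
    }


def simulate(runs=10000, seed=1):
    """Monte Carlo with assumed triangular (low, high, mode) ranges for each input."""
    rng = random.Random(seed)
    ales = []
    for _ in range(runs):
        sites = rng.triangular(20, 60, 40)
        rate = rng.triangular(1 / 5000, 1 / 500, 1 / 1000)
        av = rng.triangular(0.70, 0.95, 0.85)
        patched = rng.triangular(0.60, 0.90, 0.75)
        cost = rng.triangular(300, 2000, 600)
        tef = threat_event_frequency(500, sites, rate)
        ales.append(annualized_loss(tef * vulnerability(av, patched), cost))
    ales.sort()
    return {"p10": ales[runs // 10], "median": ales[runs // 2], "p90": ales[9 * runs // 10]}


if __name__ == "__main__":
    for rule in (False, True):
        print("both controls must fail" if rule else "either control missing", page_example(rule))
    print("annualized loss, both-must-fail model:", simulate())
```

The two point estimates differ by an order of magnitude (about 7 infections a day against under 1), and the Monte Carlo spread is wider still, which is the practical lesson: the model structure and the input ranges matter more than the decimal places, so record both in the assessment so that someone else can repeat it.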

In this example, I made up numbers roughly based on industry data; however, much of that data—and more—is out there. Here are some external resources for data:

These are just simple examples, but they should show you that it isn't that hard to do a decent risk analysis. There are entire books, classes, certifications, and user organizations focused on calculating and presenting IT risk results. At some point in your IT security journey, it might be helpful to check them out.
