While a network security attack will typically operate in the three phases (before, during, and after) discussed in the last blog post, the successful attacker will coordinate actions across all three phases to maximize the likelihood of success. The “before” phase will consist of multiple scans of the target to find those scanning approaches that produce the most information about the target. This phase may span months, but attackers are patient. Small actions, each of which goes undetected on its own, can be used to build up the attack profile.
The attack scenario will incorporate the results of those scans. The attack is launched – or not. The infection technology can be well obscured by, for example, “sleeping” for a long period of time after access has been gained, until an action by a user (e.g. some mouse clicks) or an external event activates the attack. This characteristic can be effective in preventing detection of the threat even in instrumented “sandbox environments”. Even encryption is not a panacea – certificate compromise is common, and many attacks take place over VPNs created by the attacker once a certificate has been compromised.
Probing continues to see how the target defends itself against the initial attack, and the strategy may be modified to sustain the attack. At some point, if the attacker succeeds in maintaining a connection to the target, the attacker’s goal will be realized.
At this point the attacker may take steps to conceal the nature of the attack. This concealment can include removal of the threat, or modification of the threat into a different form that preserves some aspect of the breach for subsequent attacks while protecting the threat from detection by post-attack analysis.
The above is a highly generalized view of the attack profile. Far more complexity is found in the real world. For example, looking at a set of specific attacks and threats such as Point of Sale, Web Apps, Malicious Insiders, Physical Theft, Crimeware, Card Skimmers, Denial of Service, and Cyber-espionage, each has its own attack profile. Additionally, each of these threats typically targets a different vertical market (e.g. retail, energy, public sector, financial, manufacturing, health, and travel). The range of variation between threat types and the attack surface within each vertical market increases the difficulty of finding an off-the-shelf solution for the vertical seeking protection. That said, the perennial advice, slightly modified, still holds: “an ounce of prevention is worth a pound of cure”.
There are also behavioral and systemic weaknesses that do not fit neatly into the simple three-phase model. In the next post we will look at more sophisticated attack strategies and some of the high-level failings that fall outside the point approaches used in the three-phase model.