As explained in the cyber-attack model, a cyber-attack occurs when an attacker exploits a vulnerability in an asset in order to carry out a malicious activity (the threat). Having built a basic understanding of cyberspace in the cyberspace chapter, we can now look at how cyber-attacks actually take place.
The attacker takes advantage of a vulnerability in the environment by running “exploit code”, which performs the attack automatically and eventually executes a “payload”, the component that carries out the threat itself.
The attacker’s goal is to cause damage to the victim (governments, companies, the military or the public): with access to assets such as computers, phones, passwords and networks, they can steal money, blackmail, or even cause physical damage.
Types of Attackers / Hackers
- Black-hat – “violates computer security for little reason beyond maliciousness or for personal gain.” – Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company. p. 258. ISBN 1-59345-303-5.
- White-hat – breaks security for non-malicious reasons and with authorization, such as testing the security of their own systems
- Gray-hat – a hacker or security expert who may sometimes violate laws or typical ethical standards, but without the malicious intent typical of a black hat
- Script kiddie – an unskilled attacker who breaks into computer systems using automated tools written by others, usually without understanding how they work
- Hacktivist – uses technology to publicize a social, ideological, religious or political message
Attack classification based on the “AVOIDIT” taxonomy (Attack Vector, Operational Impact, Defense, Informational Impact, Target):
- Attack Vector – the path by which the attacker reaches the target, i.e. the chain of one or more vulnerabilities that is exploited
- Operational Impact – the effect the attack has on the target’s operations (the threat that is realized)
- Informational Impact – the effect the attack has on the target’s information
Common attack vectors:
- Misconfiguration – the attacker exploits a misconfigured asset (default credentials, an exposed service, overly permissive access rules) to carry out the attack
- Cryptanalysis – the attacker tries to break a cryptographic mechanism in order to gain access to encrypted information
Types of cryptanalysis attacks, classified by the information available to the attacker:
- Ciphertext-only – the attacker has access only to the encrypted data
- Known-plaintext – the attacker has samples of ciphertext together with the corresponding plaintext
- Chosen-plaintext / chosen-ciphertext – the attacker can obtain the ciphertext for plaintext of their choosing (or the other way around)
Other cryptanalytic techniques:
- Brute force – the naive attack of trying every possible key (or password) until one decrypts the data
- Rainbow table – recover passwords from unsalted hashes using a precomputed table of hash chains; a per-password salt makes the precomputation useless
- Side-channel – break the implementation rather than the algorithm, using physical information leaked by the mechanism such as timing, power consumption, sound, etc.
- MiTM (Man-in-the-Middle) – the attacker sits between two parties and impersonates each one to the other, forwarding every message so that both believe they are talking directly; this lets the attacker read and alter the conversation, and it defeats any key exchange that does not authenticate the endpoints
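The following is an added example, not part of the original notes, showing the time/memory trade-off behind the brute force and rainbow table entries above. It builds a small rainbow table (chains of hash/reduce steps, storing only chain ends) over a constructed toy password space of three lowercase letters, inverts an unsalted SHA-256 hash with it, and shows that the same table cannot invert a salted hash. The password space, chain length, number of chains and the reduction function are all assumptions chosen so the example runs in seconds; real tables use the same structure over far larger spaces.

```python
import hashlib
import string
from typing import Dict, Optional

# Constructed toy password space: 3 lowercase letters (26**3 = 17,576 values).
# The chain/reduction structure is the one real rainbow tables use; only the
# space and the chain parameters are shrunk so the example runs in seconds.
ALPHABET = string.ascii_lowercase
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 20      # hashes per chain (assumed parameter)
N_CHAINS = 1200     # chains in the table (assumed parameter)


def unsalted_hash(password: str) -> str:
    """What a naive system stores: a plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user random salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, SPACE) to a password of the toy space."""
    out = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def reduce_hash(digest: str, position: int) -> str:
    """Reduction function R_i: maps a hash back into the password space.
    Mixing in the chain position is what distinguishes a rainbow table from
    Hellman's original time/memory trade-off and limits chain merges."""
    return index_to_password((int(digest[:16], 16) + position) % SPACE)


def password_at(start: str, k: int) -> str:
    """The password in column k of the chain that begins at `start`."""
    p = start
    for pos in range(k):
        p = reduce_hash(unsalted_hash(p), pos)
    return p


def build_table() -> Dict[str, str]:
    """Precompute the chains once; only (chain end -> chain start) is stored."""
    table = {}
    for i in range(N_CHAINS):
        start = index_to_password((i * 7919) % SPACE)  # deterministic, spread-out starts
        table[password_at(start, CHAIN_LEN)] = start
    return table


def lookup(table: Dict[str, str], target: str) -> Optional[str]:
    """Invert `target`: for each possible column, walk to the chain end and,
    if that end is stored, regenerate the chain to find the preimage."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_hash(target, col)
        for pos in range(col + 1, CHAIN_LEN):
            p = reduce_hash(unsalted_hash(p), pos)
        start = table.get(p)
        if start is None:
            continue
        p = start                      # candidate chain: regenerate and verify
        for pos in range(CHAIN_LEN):
            h = unsalted_hash(p)
            if h == target:
                return p
            p = reduce_hash(h, pos)
    return None


def brute_force(target: str) -> Optional[str]:
    """The naive alternative: hash every candidate, nothing is precomputed or reused."""
    for n in range(SPACE):
        candidate = index_to_password(n)
        if unsalted_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    table = build_table()
    victim = password_at(next(iter(table.values())), 7)
    print("table lookup:", lookup(table, unsalted_hash(victim)), "expected", victim)
    print("salted lookup:", lookup(table, salted_hash(victim, b"\x9a" * 16)))
    print("brute force:", brute_force(unsalted_hash("cat")))
```

Building the table costs N_CHAINS × CHAIN_LEN hashes once, and each later lookup costs at most about CHAIN_LEN²/2 reductions plus a few chain regenerations, whereas brute force costs up to SPACE hashes for every single target. The salted lookup returns None because every hash in the table was computed over the password alone; this is why password storage uses a random per-user salt (and a slow hash), not because SHA-256 itself is broken.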
- Network attacks – the attacker exploits weaknesses in the network to gain access to the target’s traffic, for information gathering or to mount a MITM attack
- Passive – the attacker has access to the network (for example a shared segment or a mirrored port) and silently collects and analyses the traffic without sending anything
- Active – spoofing/poisoning attacks: many protocols have no authentication, so the attacker can send protocol messages on behalf of another host or user and impersonate it. Vulnerable protocols: ARP, DNS, IP, SMTP, etc.
- Buffer overflow – a program writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory. Writing outside the bounds of an allocated block can corrupt data, crash the program, or lead to execution of attacker-controlled code. In the classic stack-based exploit, the attacker sends more data than the program’s fixed-size stack buffer can hold; the excess overwrites the rest of the stack frame, including the saved return address. The attacker chooses the data so that the return address points at code they supplied, and when the function returns, control is transferred there.
- Code injection – exploiting a vulnerability in which attacker-supplied data is processed as code or commands because it is not validated or kept separate from the instructions it is embedded in
- SQL injection – a code injection technique against data-driven applications in which SQL fragments are inserted into an input field and become part of the statement the database executes
- Cross-site scripting (XSS) – enables attackers to inject client-side scripts into web pages viewed by other users, so the script runs in the victims’ browsers with the victims’ session
- Social engineering – the attacker psychologically manipulates people into performing actions or divulging confidential information. Phishing, fraudulently obtaining private information by posing as a trusted party, is the most common technique.
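The following added example (not from the original notes) illustrates the SQL injection and XSS entries side by side: a login query built by string concatenation next to the parameterized version, and an HTML fragment rendered with and without output encoding. The in-memory SQLite table, the user rows and the function names are constructed for the example.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> List[Tuple[int, str]]:
    # BAD: user input is concatenated into the statement text, so the input
    # can change the structure of the query the database executes.
    query = (f"SELECT id, name FROM users WHERE name = '{username}' "
             f"AND password = '{password}' ORDER BY id")
    return con.execute(query).fetchall()


def login_safe(con: sqlite3.Connection, username: str, password: str) -> List[Tuple[int, str]]:
    # GOOD: placeholders; the values travel separately from the statement
    # and are never parsed as SQL, whatever characters they contain.
    query = "SELECT id, name FROM users WHERE name = ? AND password = ? ORDER BY id"
    return con.execute(query, (username, password)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    # BAD: untrusted text dropped into HTML unchanged (stored/reflected XSS).
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    # GOOD: entity-encode for the HTML text context the value is inserted into.
    return f'<div class="comment">{html.escape(comment)}</div>'


if __name__ == "__main__":
    con = make_db()
    # Tautology in the password field: returns every user.
    print(login_vulnerable(con, "alice", "' OR '1'='1"))
    # Comment sequence in the username field: the password check is removed.
    print(login_vulnerable(con, "bob' --", "wrong"))
    # Same inputs against the parameterized query: no rows.
    print(login_safe(con, "alice", "' OR '1'='1"), login_safe(con, "bob' --", "wrong"))
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

Both fixes follow the same principle: keep data and code separate. The parameterized query hands the values to the database outside the statement text, and `html.escape` turns the characters that would start a tag or attribute into entities so the browser treats the comment as text. Escaping is context-dependent; a value placed inside a JavaScript block or a URL needs the encoding for that context, not HTML entities.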
The threat and impact of the attack on the system
- Privilege escalation – the attacker gains elevated access to resources that are normally protected from the application or user they started as
- DoS (Denial of Service) – the attacker makes a machine or network resource unavailable to its intended users
- Malware (malicious software) – any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising. Malware often uses a rootkit, which conceals it from detection by modifying the host operating system. Some malware contacts C&C (command and control) servers to receive commands and to exfiltrate data. Some malware is wrapped in a packer that compresses or encrypts the original code so that it is unreadable until it is unpacked at run time.
- Virus – a self-replicating program that attaches itself to another program or file in order to reproduce.
- Worm – unlike a virus, a worm does not need another file or program to copy itself; it is a self-contained running program that replicates over the network using network protocols.
- Trojan horse – a program that appears to perform a legitimate task but also performs hidden, unwanted activity.
- Botnet – a network of compromised computers that coordinate their actions according to instructions from a C&C server.
- Backdoor – once a system has been compromised, one or more backdoors may be installed to allow access in the future without exploiting the vulnerability again.
- Distort – the attack harms the system’s integrity by modifying files or data
- Disrupt – the attack harms the system’s availability by overloading or disabling it
- Disclosure – the attack harms the system’s confidentiality by gaining access to confidential information