Visibility Guide

Typical Attack

By observing the many instances of intruder attack (and using the testimony of attackers themselves), security experts have been able to compile a modus operandi of intruder behavior, as well as an understanding of the different types of attack and subsequent damage.


[Figure 1]



Intruder Behavior

From the initial intrusion to the final exit, the key categories of attacker behavior can be organized into the following sequence.

Reconnaissance. Before an attack begins or a system is compromised, a potential intruder scopes out potential targets. The cyberspace equivalent of a burglar casing the neighborhood, reconnaissance consists of using networking and programming techniques to determine the location of a company on the Internet, whether through dial-up links or other electronic addresses. By "pinging" networks to find the addresses of perimeter devices, an intruder can effectively map the electronic boundaries and access points of the corporate IS structure.

Perimeter Exploitation. This is the point of intrusion, equivalent to the "breaking and entering" stage of a burglary. The intruder, having located a target and defined its access points, proceeds to enter through weak points in the perimeter or on services that are typically allowed into networks, such as e-mail and Web messages. The usual points of vulnerability are modem connections to hosts, weak administrative passwords for external devices, back doors, misconfigured firewalls, and exploitable Web hosts with links inside the network.

Camping Out. Once admission into the network is gained, the next step is creating a safe, undetected spot within the perimeter for camping out, in order to hide, study the surroundings, and plan the attack. Attackers usually compromise an easy-to-exploit host which allows them to gain root (supervisor) access.

Internal Reconnaissance. Once a camp has been set up, the outsider is now an insider, with all the time in the world to root around the network and identify the spoils. Of course, if the attacker is an insider to begin with (for example, a disgruntled employee), the attacker starts with this advantage, and proceeds to locate the assets to be stolen or damaged in the assault's main event.

Main Event. This is where the real damage is done. Typical main events include grabbing software code, pirating financial assets, accessing confidential information, destroying data or hardware, and planting hidden programs of destruction (Trojan Horses) for future activation. (See next section entitled Types of Attacks.)


[Figure 2]



Covering Tracks. Once the main event is completed, the intruder must find a way of getting out without getting caught. A smooth exit depends on disabling, removing or replacing log information that would otherwise identify a security breach.
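As an added illustration of the defender's answer to this last step (this is example code written for this edit, not part of the original guide and not Network General code): a hash-chained log in which every record commits to the digest of the record before it, so that an entry that is removed, altered or reordered breaks every link after it. The record layout, the GENESIS anchor and the sample events are constructed values of this example's own.

```python
import hashlib
import json
from copy import deepcopy

# Hypothetical fixed anchor for the first record (this example's own convention).
GENESIS = "0" * 64

# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "1997-06-01T02:14:00", "user": "jdoe", "event": "login from 203.0.113.7"},
    {"ts": "1997-06-01T02:15:10", "user": "jdoe", "event": "su to root"},
    {"ts": "1997-06-01T02:16:42", "user": "root", "event": "read payroll database"},
    {"ts": "1997-06-01T02:30:05", "user": "root", "event": "logout"},
]


def _digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous record's hash plus a canonical encoding of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_record(chain: list, entry: dict) -> dict:
    """Append an entry, linking it to the hash of the record that precedes it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Walk the chain from GENESIS. Returns (True, len(chain)) when every link holds,
    otherwise (False, index) where index is the first record whose link is broken."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev_hash:
            return False, i
        if _digest(prev_hash, record["entry"]) != record["hash"]:
            return False, i
        prev_hash = record["hash"]
    return True, len(chain)


def verify_with_head(chain: list, expected_head: str) -> bool:
    """Chain check plus a comparison against a head hash stored off-host: this is what
    catches an intruder who simply truncates the tail of the log."""
    ok, _ = verify_chain(chain)
    head = chain[-1]["hash"] if chain else GENESIS
    return ok and head == expected_head


def build_sample_log() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


def simulate_deletion(chain: list, idx: int) -> tuple:
    """Intruder removes one record; report what the verifier sees."""
    tampered = deepcopy(chain)
    del tampered[idx]
    return verify_chain(tampered)


def simulate_alteration(chain: list, idx: int, field: str, value: str) -> tuple:
    """Intruder edits a field of one record without recomputing hashes."""
    tampered = deepcopy(chain)
    tampered[idx]["entry"][field] = value
    return verify_chain(tampered)


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("record 2 deleted:", simulate_deletion(log, 2))
    print("record 1 altered:", simulate_alteration(log, 1, "user", "nobody"))
    print("tail truncated, chain only:", simulate_deletion(log, 3))
    print("tail truncated, with head:", verify_with_head(log[:3], log[-1]["hash"]))
```

Two caveats the example makes visible: deleting the last record leaves the remaining chain self-consistent, so the latest head hash has to be recorded somewhere the intruder cannot write (a remote log host or write-once media) for truncation to be noticed; and an intruder with write access to the whole file could recompute every link, which is why the off-host head comparison, not the chain alone, is the real control.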



Types of Attacks

Attacks can be defined by the different ways that goods or services are taken or damaged. Following is a description of the typical categories of attack, how they occur, and what their costs are.

Joyriding. This is the commandeering of computing resources, phone service, or Internet Service Provider connections which allow the intruder to exploit these services without paying for them. One of the most popular joyrides is gaining free access to the phone system (called "phreaking," for PHone fREAKING) for unlimited travel on the world's data communications networks. While typically non-destructive, joyriding can be a costly ride at the expense of the customer or service provider.

Vandalism. Vandal attacks include damage to systems and files as well as denial of service to legitimate users. Common vandal acts include data destruction and Web page creation, alteration, or misdirection.

Vandals need not be inside the network to inflict damage. Destructive viruses can be piggybacked onto files destined for the inside. Denial of Service (DoS) attacks can also be launched externally; by flooding a network device with lots of frames or doctored frames, a vandal can cause a shutdown of service to legitimate users. Internet Service Providers have been the primary victims of these DoS attacks.
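The reconnaissance behaviour described under Intruder Behavior (pinging perimeter addresses to map the network) and the frame flood described here can both be caught by the same rate-based detection over perimeter logs. The following is an added example written for this edit, not from the original guide or any Network General product: it parses a constructed firewall log format of this example's own design, flags a source that probes many distinct hosts within a time window, and flags a destination that receives more frames than a threshold within one second. Addresses are from the documentation ranges and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (this example's own): "<ISO timestamp> <proto> <src> -> <dst> <info>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (.*)$")


def _constructed_log() -> str:
    """Build sample log lines: a little benign traffic, one ping sweep, one SYN flood."""
    lines = [
        "1997-06-01T02:13:50 TCP 198.51.100.4 -> 192.0.2.10 SYN dport=25",
        "1997-06-01T02:13:55 TCP 198.51.100.9 -> 192.0.2.10 SYN dport=80",
    ]
    # Sweep: one source, eight distinct hosts, one per second.
    for i in range(1, 9):
        lines.append(f"1997-06-01T02:14:{i:02d} ICMP 203.0.113.7 -> 192.0.2.{i} echo-request")
    # Flood: thirty frames at the mail host within the same second, from four sources.
    for i in range(30):
        lines.append(f"1997-06-01T02:20:00 TCP 203.0.113.{50 + i % 4} -> 192.0.2.10 SYN dport=25")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, dst, info = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "proto": proto,
                       "src": src, "dst": dst, "info": info})
    return events


def detect_ping_sweep(events: list, min_targets: int = 5, window_s: int = 60) -> list:
    """Flag a source whose ICMP echo requests reach >= min_targets distinct hosts
    inside a sliding window of window_s seconds. Returns [(src, targets_at_alert)]."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proto"] != "ICMP" or "echo-request" not in ev["info"]:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append((ev["src"], len(targets)))
    return alerts


def detect_flood(events: list, max_frames: int = 20, window_s: int = 1) -> list:
    """Flag a destination that receives more than max_frames frames (any protocol,
    any sources) inside a sliding window of window_s seconds."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # dst -> deque of timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["dst"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_frames and ev["dst"] not in flagged:
            flagged.add(ev["dst"])
            alerts.append((ev["dst"], len(q)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("ping sweep alerts:", detect_ping_sweep(evs))
    print("flood alerts:", detect_flood(evs))
```

Both detectors keep only a sliding window per key, so memory stays bounded by the window rather than the log size; in practice the thresholds would be tuned to the site's normal traffic, since a monitoring host that legitimately pings every perimeter device would otherwise look like a sweep.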

Theft. With the growth of Internet commerce, the potential for and dangers of theft have also grown. Anything of value can be stolen — from data and access, to whole databases, financial assets, and sensitive personal information. The latest FBI figures estimate this loss at $7.5 billion annually.

Extortion. Often simply the threat of an attack can effect a corporate loss of assets. The threat of destroying systems, encrypting data and otherwise corrupting the integrity of the corporate network has cost companies millions of dollars a year. In just the past three years, it's been estimated that up to $600 million has been extorted, mostly from financial institutions. A typical scenario is the Trojan Horse threat, wherein a hacker plants a destructive program in the network, waits a period of time, and then demands payment upon threat of activating the destructive mechanism.




©1997 Network General Corporation