Cyber attacks – Know your enemy
Not a week passes without news of a major cyber attack. Cyber attacks are more common than ever, and the types of attacks are more sophisticated. Understanding cyber attacks starts with understanding what they are, what causes them, why people carry them out, and finally how to protect yourself from them.
Cyber attacks are malicious and offensive acts that target computer information systems, infrastructures, computer networks, and/or personal computer devices. A cyber attack can be as simple as compromising a single machine by installing malicious software, or as large as targeting the infrastructure of a nation.
I believe the best way of understanding cyber attacks is by understanding all aspects of them, starting by defining the types of cyber attacks:
- Passive Attacks: simply listening to your network traffic, possibly capturing sensitive information, or scanning your IP ranges without taking any further action.
- Active Attacks: an attacker is actively going after your protected resources and trying to get access to them by modifying or injecting traffic.
You can also divide attacks into two categories:
- Automated Attacks: the vast majority of the attacks we hear about nowadays are automated, where the attacker creates a tool that attacks the network by itself. Those tools can be quite intelligent. To give a simple example, worms are the best-known type of automated attack. Automated attacks exploit a known vulnerability in a system, so the best defenses against them are patching your systems and monitoring your network for suspicious events.
- Manual Attacks: the attacker is actively analyzing your network and acting accordingly. These attacks are much rarer and are the most dangerous type.
Some people go even further and divide network attacks into four types:
- Passive Automated: sniffers that automatically replay a captured authentication sequence, or keystroke loggers that automatically send data to the attacker.
- Passive Manual: a sniffer with which an attacker only listens to traffic, especially on wireless networks. Nothing to worry about on its own, unless it is escalated to another type of attack, which is the most likely outcome.
- Active Automated: worms and distributed attacks, where the attacker uses thousands of hosts to target a single network and cause a denial of service.
- Manual Active: this is the type of attack you should worry about most, where someone is intentionally targeting you and your organization. Attackers in this case have the time, skill, and resources to do the job and hide their activity. If the attacker is skilled, you may never even know you were attacked.
So which of those cyber attack types should we worry about? It is not the first two, and to some extent not even the third (as you can patch your systems). The attack that worries us is the one where someone adds himself to your payroll.
Don't get me wrong, all of these attacks can cause incredible amounts of damage. An active automated attack in the form of a worm is designed to cause widespread damage, but because it is designed to attack as many systems as possible, it is by necessity generic in nature. The basic principle behind worms is usually to cause the maximum amount of harm to the greatest number of people.
I think that you need to start by worrying about the first two cyber attack types, then do what is necessary to protect yourself against the third. Finally, raise the bar and start working on reducing the chance of the fourth type of attack (Manual Active).
Cyber attacks and network damage
Since there are four types of network cyber attacks, there are also four types of network damage caused by them:
Denial of Service (DoS)
The simplest and most obvious type of damage, where the attacker slows down or completely disrupts the services of your infrastructure or a portion of it. In some cases this means crashing or destroying a system; in others it means simply flooding your network and IP ranges with so much data that they are incapable of servicing legitimate requests. In a flooding scenario, it usually comes down to a matter of bandwidth or speed: whoever has the fattest pipe or the fastest computers usually wins. Against a simple automated attack, moving the computers or the service to a different IP address can mitigate the attack.
Never underestimate a DoS attack. No matter how secure you think your network is, an attacker sitting at home can flood your external IP ranges and bring all of your published services down. Some attackers simply flood your public DNS IP ranges, making them inaccessible to legitimate requests, and thus bring your whole published service down, since everything depends on DNS.
Even more, nowadays DoS attacks are offered as a paid service by the hour! So a determined attacker can ask one of the companies that sell this service to flood your public IP ranges for a certain amount of money. Funny, right?
We also see DoS attacks in the form of distributed DoS (DDoS) attacks. The idea is pretty simple: an attacker tells all the computers in his botnet to contact a specific server or web site repeatedly. Attackers nowadays use a zombie army.
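The two automated patterns described above, a tool that probes many hosts on its own and a botnet hammering one server, both leave a signature in ordinary connection logs. The following monitor is an added example, not code from the original article: it parses constructed sample records of the form `<ISO time> <src> <dst> <dport>`, flags sources that touch many distinct host:port pairs within a minute (automated probing) and sources that send a very high number of requests to a single target within ten seconds (flooding). The addresses, thresholds and log format are assumptions chosen for the example.

```python
"""Connection-log monitor for automated probing and flooding.

Added example (not from the original article). Works on constructed
sample records; the format, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SCAN = 60      # seconds; fan-out is counted per one-minute bucket
WINDOW_FLOOD = 10     # seconds; request rate is counted per ten-second bucket
MIN_TARGETS = 10      # distinct host:port pairs per bucket that look like probing
MIN_REQUESTS = 100    # requests to one target per bucket that look like flooding
_EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed sample records: '<ISO time> <src> <dst> <dport>'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = [  # ordinary client: a handful of HTTPS requests to one server
        f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 192.0.2.10 443"
        for i in range(5)
    ]
    lines += [  # automated probing: one source touching 20 hosts on port 22 in 40 s
        f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 192.0.2.{20 + i} 22"
        for i in range(20)
    ]
    lines += [  # flood: one source hitting a single web server 120 times in 10 s
        f"{(t0 + timedelta(milliseconds=80 * i)).isoformat()} 198.51.100.9 192.0.2.10 80"
        for i in range(120)
    ]
    return lines


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def _bucket(ts, window):
    """Index of the fixed-size time bucket containing ts."""
    return int((ts - _EPOCH).total_seconds()) // window


def find_scanners(records, window=WINDOW_SCAN, min_targets=MIN_TARGETS):
    """Sources that contact at least min_targets distinct host:port pairs in a bucket."""
    targets = defaultdict(set)  # (src, bucket) -> {(dst, port)}
    for ts, src, dst, port in records:
        targets[(src, _bucket(ts, window))].add((dst, port))
    return sorted({src for (src, _), t in targets.items() if len(t) >= min_targets})


def find_flooders(records, window=WINDOW_FLOOD, min_requests=MIN_REQUESTS):
    """(source, target) pairs with at least min_requests requests in a bucket."""
    counts = defaultdict(int)  # (src, dst, port, bucket) -> request count
    for ts, src, dst, port in records:
        counts[(src, dst, port, _bucket(ts, window))] += 1
    return sorted({(src, f"{dst}:{port}")
                   for (src, dst, port, _), n in counts.items() if n >= min_requests})


def analyze(lines):
    """Run both detectors over raw log lines and return the findings."""
    records = [parse_line(line) for line in lines]
    return {"scanners": find_scanners(records), "flooders": find_flooders(records)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        print(f"{kind}: {hits}")
```

The two detectors are deliberately separate because the evidence differs: probing shows up as fan-out (many targets, few requests each), flooding as depth (one target, many requests). On a real network the thresholds have to be tuned against a baseline of normal traffic, and a DDoS from thousands of bots will not trip the per-source flood rule at all; for that case the same bucketing has to be applied per target instead of per source.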
Data Destruction
A more serious consequence than DoS. In this type of attack, you cannot access your resources because they have been destroyed, for example corrupted database files or a corrupted operating system. This type of attack can be mitigated by maintaining backup copies of your data.
Information Disclosure
This damage can be more serious than data destruction, because your public reputation can be affected. This happened to Microsoft in 2004, when someone posted portions of the Microsoft Windows source code on the Internet. That attack involved portions of intellectual property. Even more, in a sophisticated attack the victim may not know for years whether any data was disclosed. This is exactly the objective of government spies: to steal information so that they gain an advantage while the enemy is unaware of what is happening.
Think of confidential trade secrets that can be used to undermine market share, to cause embarrassment, or to obtain access to money.
Some people argue that information disclosure is more serious than data destruction (which can be mitigated by restoring from backup). After all, ask victims of identity theft whether they would rather have had the criminal destroy their bank data than steal it.
Data Modification
This can cause the most serious damage of all. The reason, as in the case of information disclosure, is that it is very difficult to detect. Suppose that an attacker added himself to your payroll; how long would it take you to detect that? It depends on the company size. I recall I read one day about a company that decided to hand out employees' salaries in person for one month, only to find out that they had been paying salaries to many non-existent employees for a long time! Data modification can be especially dangerous in the case of medical and health information, as changing the medicine formula for a patient might cause death.
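Both the backup advice for data destruction and the payroll story for data modification come down to the same control: knowing what your data looked like at a trusted point in time and comparing against it. The following file integrity check is an added example, not code from the original article. It hashes every file under a directory into a baseline manifest, stores the manifest outside the monitored tree, and later reports which files were modified, deleted or added. The "payroll" directory, its contents and the tampering steps are constructed for the demonstration.

```python
"""File integrity baseline and verification with SHA-256.

Added example (not from the original article). The payroll files and the
tampering in demo() are constructed to show what the check reports.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Write the manifest; in practice this copy must live on trusted, read-only media."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "deleted": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small payroll tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as data, tempfile.TemporaryDirectory() as store:
        root, manifest = Path(data), Path(store) / "baseline.json"
        (root / "payroll.csv").write_text("id,name,salary\n1,Alice,5000\n2,Bob,4800\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        save_baseline(build_baseline(root), manifest)   # trusted snapshot

        # Simulated tampering: a ghost employee is appended, a config file is
        # removed, and an unexpected file appears in the tree.
        with (root / "payroll.csv").open("a") as f:
            f.write("3,Ghost,9999\n")
        (root / "config.ini").unlink()
        (root / "note.txt").write_text("unexpected\n")

        return check_integrity(root, load_baseline(manifest))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check only catches what happened between two snapshots, so it has to run on a schedule and the manifest has to be kept where the same attacker cannot rewrite it along with the data; a manifest stored next to the payroll file is just one more file to modify. For records that change legitimately all day, compare against the authoritative source (the HR system for payroll) rather than against a fixed hash.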
Why did they attack me?
You should have asked yourself the WHY question by now: why did they choose to attack me and not someone else? What is the motivation behind cyber attacks, and why do they happen?
Forget for a moment about attacks and how to protect your network, and ask the original questions: "Why do I get hacked?" and "Who are those people?". You may also ask yourself "Well, I didn't do anything bad to anyone, and I was a good boy". Believe me, knowing the WHY helps you add more logic to the equation.
Many of the people causing damage in our networks today are best compared to the people who spray-paint highway overpasses. They are in it for the sheer joy of destruction. They may not be out to attack you specifically; as long as they ruin someone's day, that is sufficient. In some cases, they may not actually be after you at all. They may be after the vendor from whom you purchased your software or hardware. By causing damage to you, they discredit the vendor by making it seem as if the vendor's products are more insecure, or cause more problems, than some other vendor's system.
The people you really have to worry about are the ones who are directly targeting you. In some cases, they are attacking you actively only because you use some technology that they know how to take advantage of, and doing so earns them money, fame, or prestige in the community of like-minded deviants.
In other cases, they are after you because you have something they want, customer accounts for example, or because they are angry employees who were fired.
It really doesn't matter what organization or business you are running; there is always something that is of value to someone else. As a security expert, you need to consider what those things are, how much they are worth, and how much money to spend protecting them.
Finally, always keep in mind that the value of technology is not the technology itself, it is what you do with it. Technology is replaceable, but the services and data you are using it for are not. If your systems are down, the services they would have rendered while they are down are lost forever.
Cyber attacks nowadays are all about getting money from you in one way or another. Ransomware attacks are clearly about money if you think about it: they encrypt your files and ask for money to decrypt them.
Cyber attacks are very common nowadays, and do not think for a moment that you are safe from them. As I always say, "There is always someone out there who is really targeting you".
Since cyber attacks focus on getting money from you one way or another, the best thing you can do is to consider hiring a security administrator who can perform some kind of risk assessment for you, so that you can focus your security measures on the things that matter most.
References: sessions and theories from Steve Riley and Jesper Johansson