Attackers

Part Five: Types of Attackers

One thing we can learn from reading police blotters is that not all attackers are the same. Let’s take a look at the various characteristics of would-be robbers of Fort Knox, and how they compare to the different types of attackers trying to access your network.

Target Selection

One of the three major differentiators between criminals is how they select a target. We can learn a good deal about the threat of the criminal by examining how he picks his prey.

Eeny, meeny, miny, moe…

When a purse snatcher is looking to get something for nothing, he waits for an opportunity (big purse, little woman) to come to him. He has no guarantee of what he will get from the transaction and has no pre-knowledge about the target. This is known as a “crime of opportunity,” which is not likely to happen at Fort Knox.

In cyber security, attacks that are looking to infect any old computer are taking a page from this strategy. Minimal effort is utilized, and to make a profit, many targets will need to be exploited.

Target Locked

No one will ever accidently rob Fort Knox. If a real attempt is ever made, the facility will be precisely targeted because of the rich “take” from the crime.

Similarly, targeted attacks on a network have specific goals ranging from attempting to gain access to proprietary information (espionage), transferring funds out of accounts, crippling critical Internet or infrastructure resources (utilities, communications) or assisting in extortion schemes. These types of attacks have a much more devastating impact than random attacks, but are also much more difficult to pull off.

Preparation

A second major differentiator between various types of attackers – both in the physical and cyber world – is the level of preparation required to carry out their attacks. With most “common criminals,” a pressing need (rent, food, drugs, etc.) immediately precipitates the crime of opportunity, and little planning is involved. On the other hand, a gang of criminals looking to rob Fort Knox would have to spend an exorbitant amount of time researching and preparing for the caper.

In network security, when an attacking group patiently plans and executes a targeted attack, it is known as an elite threat. This type of threat starts with reconnaissance of the target (also known as “fingerprinting”). The advanced attackers then begin formulating an attack designed to gain the desired “take” and avoid detection. Intelligence gathering and ingenious (human) planning are the two primary markers for the elite attacker. Because they have time to craft a strategy that thwarts automatic detection mechanisms, countering these attackers likewise requires skilled analysts (smart human beings) to combat their efforts.

Resources

Another issue facing any criminal looking to “knock over” Fort Knox is the availability of resources. The guarded facility is manned by hundreds of soldiers outfitted in hundreds of millions of dollars’ worth of equipment. Success in breaching the most secured vault in the world is going to require a significant amount of manpower and funding.

On the Internet, a good bit of “common hackery” is performed by undisciplined and untrained pseudo-hackers commonly called “script kiddies.” They write malware with no target in mind and no budget to support their attacks. On the flip side, elite attackers often dedicate vast amounts of resources to carrying out their attacks, especially when the crime can produce a large return.

State-sponsored elite attacks (referred to as the advanced persistent threat or APT) have the potential of drawing upon near bottomless sacks of cash, while enterprise-sponsored espionage efforts can be nearly as well funded. In addition to funding, the number of individuals willing to join in the attack also adds to its success. Cyber-attacks that have multiple, well-funded attackers working together make for a much more formidable threat than random, opportunistic attacks.

Wrap Up

By pulling these three categories of attacker characteristics together, we can conclude that a well-prepared, well-funded group of attackers with time on their side makes for a dangerous crew when plotting to exploit a high-value target. While detection mechanisms such as firewalls, signature-based intrusion detection and log monitoring can easily screen out the “purse snatchers” coming after network resources, defending against an elite attacker or APT requires quality intelligence in the hands of skilled analysts. In the next and final part of this series, we will take a look at the incident response procedures required to thwart these elite threats.