List the Typical Attack Methods of the Threat Agents
Like many legitimate business owners, cyber criminals seek to maximize profit for effort expended. In other words, an ultimate goal of financial reward, as much money as possible, leads directly to a corollary of limiting effort expended towards the goal: This is basic capitalism. As a result, cyber criminals try to capitalize as much as possible on the tools and techniques that are available.
Spending months or years creating a new method to execute a series of randomly placed instructions in a program to create an attack simply isn’t worth the effort: The research and development costs are too high. At the time of the writing of this book, so-called “gadget” programs take too much time. Running gadgets culled by finding bits of code within widely distributed applications is much more likely to fall into the category of “stunt hack.” Cyber criminals are probably not going to waste their time unless there is a readily available tool (even if on the black market) that makes this attack trivial.
Instead, the cyber criminal who is going to attack an organization’s system will attempt to use as much pre-existing and proven technology, whether attack methods or attacking tools, as possible. There is a burgeoning black market for cyber attack tools, tools similar to the attack and penetration tool, Metasploit. Generally, the people who make the attack tools aren’t the people doing the attacking. The toolmakers get paid for the tools, whether legitimately or on the black market.
Indeed, even more telling, the person actually performing the attack may be at a lower rung of the organization, even a technical novice recruited such that if the novice is caught, those higher up are hidden from the authorities. The actual attackers often have quite limited technical skills. Therefore, the attacks have to be well-known, effective, and well packaged so that they can be run like other user-friendly applications. There is very little incentive for cyber criminals, in general, to invent a lot of technology. Such research would entail an unpaid period of development. The need to accommodate the lower technical sophistication of the actual attackers and the fact that there is so much vulnerable software available to attack lead to the conclusion: Why waste time on unprofitable activities?
The list of cyber criminals’ attack methods might be found within the suite of known attack variations in any of the available security-testing tools. If the tool can test the type of system under analysis, its suite of tests makes a good starting point for answering the question, “What are the cyber criminal’s attack methods?”
Almost directly opposite the needs of the cyber criminal is a security researcher whose reward can be directly tied to the technical difficulty and complexity of the attack. The reward comes from industry recognition for the technical capabilities and acumen of the researcher. If there are any financial rewards, these will be less directly tied to the attack method, but rather a product of a stronger curriculum vitae and the approbation of colleagues. The more difficult it is to execute the attack, the larger the reward.
Since many (if not most?) security researchers are employed, a typical security researcher has the luxury of an income. Although some security researchers’ jobs entail finding vulnerabilities, others perform their research “on the side,” outside of work hours, as an extracurricular activity. Hence, there isn’t much imperative for speed. The investigation will take as long as is necessary. This means that the researcher can take the time needed to achieve success. This spaciousness with time directly influences the technical complexity of the methodology. Unlike the cyber criminal’s search for the fastest payoff, vulnerability research might be seen as an investment in the skills of the researcher, like time spent studying for an additional, higher education degree. The “final exam” in this case will be the researcher’s proof that a vulnerability is exploitable. The proof is often delivered as a short example program demonstrating the successful exploitation of the vulnerability on the system under investigation.
Security researchers can and do run readily available, open source and commercial vulnerability scanners. The analyst cannot discount the well-known attack methods. Discovery of known classes of vulnerabilities may not have the prestige of a complex stunt hack; nevertheless, finding these proves the security testing capabilities of the researcher and also helps to get vulnerabilities removed from deployed software. And it is generally better for an organization to have a relatively friendly and probably honest researcher find a vulnerability than to have a cyber criminal find it and exploit it for gain for as long as the vulnerability remains exposed.
The set of Web-Sock-A-Rama attack methods includes that suite of standard attacks and variations that are understood sufficiently to have been programmed into vulnerability scanning software. But there is also the possibility of extended research probing for more complex issues of a one-of-a-kind nature within the web store software.