A cyber attack is liable to occur across the broadest range of forms, which means that at the time that the attacker makes an effort to penetrate the enterprise at a certain point which is unknown to the defender, the latter must make a broad, perimeter and in-depth defense investment at all levels of the cyberspace environment in order to create effective defense that meets the enterprise’s goals.
What Do Vulnerabilities Look like and How to Investigate Them
Aggressive cyber warefare has several possible objectives, either jointly or separately:
- Espionage, obtaining and/or damage information.
- Software and/or hardware disruption/sabotage.
- Paralyze availability and/or critically damage functional continuity of the enterprise’s infrastructure.
The stages of a cyber attack:
- A cyber attack usually begins with collecting information about the opponent. For example, this stage might include phishing attacks on the opponent’s officers in order to obtain email addresses and passwords.
- After the initial data gathering, an attack usually spreads “across the target network” and the collection of information, such as what computers are used by the network, their addresses, which operating systems they run, and the communications equipment, etc.
- Later on, the attacker will usually plant in the target system a code, which serves as a “beachhead” for the next stage of the attack.
- At this point, the attacker will try to understand which antivirus systems are used by the target network, what type of security equipment is embedded in it, etc.
- Afterwards, the attacker will plant the “harmful cargo” using means of concealment as needed.
- The stage at which the “harmful cargo” is embedded in the target system and reports back to “command and control” may last for several years.
- Finally, a sophisticated attacker will ensure the destruction of the effective cargo and erase its tracks.
Methods of attack:
Treating cyberspace as a multilayer environment according to the 7-layer model and focusing on the attacked layer, which serves as a target for the attacker’s action.
It is also possible to see the use of a wide range of traditional intelligence methods, such as impersonation as a virtual entity, use of social engineering techniques, and even the recruitment of actual human agents.
Connecting to the network’s physical layer
- The attack is directed against the physical layer – i.e. by connecting to the copper wire (or fiber optics) to actually eavesdropping on the line. Eavesdropping is a technique that is millennia old, and most countries have extensive organizations specializing in this field.
- Another way is to install a component in the communications or IT equipment. Usually, the organization eavesdropping on a hostile network is the military and/or an intelligence gathering entity, and the organization eavesdropping on the country’s own citizens is part of counter intelligence. There are several bugging methods:
- Commando raids – most countries have elite military units specializing in eavesdropping on communications and computer networks.
- Local agents – use of local manpower recruited by the party seeking to connect to the network and bug it.
- Attacking the production and supply chain – usually, the local manufacturer does not know the end use of its components. As the semiconductor industry has grown, the various stages of production are carried out by subcontractors around the world. Today, in 2015, almost all of the world’s semiconductor manufacturers separate development, design, production, packaging, and so forth. In practice, all of the world’s large semiconductor manufacturers are dispersed among several countries, some of which are political rivals. Many semiconductor manufacturers have fabs in both China and Taiwan, for example. This geographic dispersion enables easy physical access to components in his comfort zone. The organizational structure outline of these manufacturers show appears in a book about manufacturer’s activity in China (in the “further reading” section below). For example, the United States bans the use of Lenovo computers by government agencies and also forbids them to use mobile devices by one of China’s largest mobile manufacturers. The disadvantage of this method is that it is not focused on particular targets. Its major advantage is the very wide distribution
- Attacking the distribution chain – similar to the broad dispersal of manufacturing plants, in the modern era, distribution chains are global commercial enterprises. The advantage of this method is the possibility of embedding means only in equipment intended for a specific target
Common methods of attack:
- Fake MAC address – in the connectivity layer, the data link, messages are addressed on the basis of a MAC (Medial Access Control) address, which is installed on the network card or modem during the manufacturing stage. This technique of attacking this layer includes a fake MAC address. MACs can be also activated against physical computers as well as against virtual machines.
- Fake IP address – network traffic can be routed in the third layer, on the internet and a large number of other networks by the logic address known as IP. This address is not installed in the equipment during its manufacture, but is a logic address, which can be altered.
- Attacking the middleman – at higher levels of the network layers there is the method of attack known as the “middleman attack”. In this method, the attacker routes the network traffic to pass through the middleman without the parties at either end (the sender and the recipient) being aware of it. Middleman attacks are carried out by manipulating the Hypertext Transfer Protocol. Since this type of attack has become so commonplace, a complete mechanism has been specially designed for it, which uses the “signature” of a trusted third party together with the HTTP Secure traffic encryption.
- XSS attack – an XSS attack allows the injection of malicious code into websites by entering the user’s surfing data. This method can infect the target sites by tempting the user to surf the infected site in order to infect him with the malicious code. Currently (in 2014), this method constitutes the main risk on the Internet, and was used in some famous attacks, such as the attack on oil and gas exploration companies, known as The Mask.
- Denial of service attacks – this very common method of attack inundates the site that hosts the service provider with messages, slowing its ability to respond to users and even crashing it.