[BreachExchange] The who and how of cyber-attacks: types of attackers and their methods

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 8 20:42:31 EST 2017


http://www.out-law.com/en/articles/2017/february/the-
who-and-how-of-cyber-attacks-types-of-attackers-and-their-methods/

Having looked at the 10 things you always wanted to know about
cybersecurity but were afraid to ask, we will share our findings in a
themed series. Here we look at the kinds of people behind cybersecurity
breaches and the methods they use.

Who are the attackers?

The sources of attacks are many and varied. The attackers behind some of
the highest profile attacks in the past 18 months have ranged from a
teenager with a basic skillset managing to infiltrate a major consumer
brand, resulting in a record UK fine, through to an alleged state sponsored
attack claimed to have influenced the presidential election of one of the
most powerful countries.

Broadly, the sources of attacks can be grouped into one of four categories:
script kiddies; hacktivists; organised crime; or nation states or their
proxies.

'Script kiddies'

Increasingly, attacks are being perpetrated by relatively unskilled
individuals who use scripts or programs developed by others to attack
computer systems and networks. These individuals are not professionals but
merely exploit weaknesses in others’ computers or systems that have been
exposed by others, with these weaknesses usually shared on the 'dark web'.

Sometimes these 'script kiddies' will attack entirely at random and often
with limited understanding of the effects of their actions. They may do it
purely for the thrill or to increase their reputation amongst peers.

An example of an attack perpetrated by a 'script kiddie' is the TalkTalk
hack in October 2015. The attack, which reportedly cost the company £42
million and resulted in the ICO’s record fine to-date, was the work of a
17-year-old boy who claimed he was "just showing off" to friends.

'Hacktivists'

Hactivists are individuals or groups whose objective is to create public
interest and generate media hype, usually in order to bring attention to a
political, social or ideological cause. Hacktivists tend not to be
profit-motivated but aim to embarrass victims or expose controversial
issues.

The April 2016 'Panama Papers' scandal, the breach of the Panamanian law
firm Mossack Fonseca, was arguably an example of hacktivism: an
ideologically motivated attack by an anonymous whistle-blower, seeking to
expose the offshoring activities of a number of high-profile individuals.
The exposure of some 11.5 million documents caused controversy and
embarrassment worldwide.

Organised crime

Organised criminals behind cyber attacks are usually motivated by financial
gain and aim to obtain financial data or to control payment systems. This
may be by extortion in relation to sensitive or confidential data, or by
the use of ransomware.

By way of example, in July 2014 attackers infiltrated the European Central
Bank’s systems exposing emails and contact details in an attempt at
extortion.

In relation to ransomware, in 2015 a group of computer criminals known as
‘DD4BC’ began threatening targets with massive distributed denial of
service (DDoS) attacks unless they paid a ransom using Bitcoins. These
attackers generally threaten to bring down vital business services and
cause disruption and financial loss unless a payment is made via methods
that are almost impossible to trace.

Nation state/state proxy

The high water mark of cyber attackers are those alleged attacks by nation
states or state proxies, which tend to be motivated by political gain. Key
objectives in such attacks tend to be to disrupt critical infrastructure,
military operations or political stability.

For obvious reasons the details surrounding such events are shrouded in
secrecy, however examples include the recent alleged involvement in the US
election by the Russian state, and the Stuxnet cyber attack against Iran’s
Natanz nuclear enrichment facility discovered in June 2010 which was
alleged, but never confirmed, to be by US intelligence agents.

Insiders

It is important to note the threat that insiders present too. Disgruntled
existing or ex-employees may commit, or even invite, cyber attacks out of
spite or personal revenge rather than for financial reward. Their aims
might be to damage systems or to steal information or intellectual
property. In 2015 a disgruntled Morgan Stanley employee allegedly removed
approximately 730,000 customer details.

It is clear that the range of potential attackers is varied in nature,
capability and motive, and includes both internal and external threats.

What are the common methods of attack?

Broadly, there are three categories of attack:

information theft: attackers seek to obtain confidential information from
the target.
espionage: attackers monitor activities of targets and use that information
in order to expose secrets or to obtain a competitive advantage.
sabotage: attackers aim to blackmail, defame or even destroy targets. The
Sony and Ashley Madison mega-hacks are examples of this type of attack but
so is Stuxnet, an attack that involved physical damage to the nuclear
facilities of Iran.

Motives for attacks generally fall into four categories:

financial gain: an attacker aims to make money by stealing and using your
information or extortion.
political: these come in the form of sophisticated, well-funded,
state-sponsored attacks; as well as loosely affiliated 'hacktivists' who
use publicity or stolen information to further their political goals.
prestige: attacks can be driven by the thrill of a challenge, the need for
publicity or prestige.
nation state: there is much less publicly available information about such
attacks. They may seek physically to damage infrastructure or to influence
the outcome of elections.

The actual methods of attack commonly used are too numerous to list in
their entirety and are continuously changing, but very many of them rely on
employees being insufficiently aware of information security hygiene. It is
much easier for attackers to socially engineer an employee than to carry
out a brute force attack on the IT infrastructure of an organisation.

Typical methods of attack include the following:

phishing and spear phishing and vishing: tricking employees into revealing
private/sensitive information, usually by email, phone or text. Spear
phishing is a highly targeted version of phishing whereby specific
individuals are targeted. Suspicious signs of phishing include: unusual
sender details, poor spelling, unnecessary urgency, offers too good to be
true, suspicious attachments, strange subject lines.

whaling: attacks hunting for sensitive or personal data targeting, in
particular, people in powerful positions. Typically, a whaling attack works
by an attacker masquerading as a senior executive asking an employee to
transfer money. This is achieved through the use of fraudulent emails that
appear to be from trusted sources. For instance, an attacker pretending to
be CEO or CFO emails a high-level employee in the finance department to
wire money or provide payment/account details.

waterholing: this is where an attacker infects websites that they know or
believe are regularly visited by a target victim. They deploy malicious
software (malware) on those sites and rely on employees from their intended
victim having trust in those sites and clicking links or engaging other
prompts to trigger the malware which will then help them access systems and
data of the intended victim.

DDoS – DDoS attacks typically involve attackers using malware-infected
computers to take remote control of those machines and bombard systems with
such large amounts of traffic that the systems cease to function. It can
involve, for example, hundreds of thousands or even millions of machines
being used to request access to the same web-page at the same time.

malware – so-called 'malicious software'. It comes in many forms and is
deployed by those who intend to disrupt the way systems operate, collect
data or display unwanted information. This broad term includes viruses,
worms, trojans, ransomware, spyware, adware, and other malicious programs.

malvertising – this is a specific use of malware where it is deployed
within third party advertising networks that often display ads on popular
websites. One such attack hit the BBC and New York Times websites in 2016.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170208/e3e51f32/attachment.html>


More information about the BreachExchange mailing list