Revision as of 15:12, 29 October 2012
(12 intermediate revisions by one user not shown)
Line 250:
Line 250:
Threat Agent = Capabilities + Intentions + Past Activities
Threat Agent = Capabilities + Intentions + Past Activities
−
The characterization of the threat agent is critical for the assessment of risk since risk can be defined as in NIST SP 800-30 as “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability”. In essence a threat agent can be characterized as the intersection between the agent’s motives, the specific type of attacks used and the vulnerabilities that are exploited. that are exploited. An example of this is shown in the figure herein.
The characterization of the threat agent is critical for the assessment of risk since risk can be defined as in NIST SP 800-30 as “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability”. In essence a threat agent can be characterized as the intersection between the agent’s motives, the specific type of attacks used and the vulnerabilities that are exploited. that are exploited. An example of this is shown in the figure herein.
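Review bot: the duplicated phrase "that are exploited. that are exploited." in this paragraph survives the revision unchanged; drop the second "that are exploited." so the sentence ends "...and the vulnerabilities that are exploited. An example of this is shown in the figure herein." Also "the figure herein" does not tell the reader which figure is meant; name or number the figure.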
Line 258:
Line 257:
In regards of the threat agent, it is important to understand “IF” and “HOW” the organization’s web applications and the data stored might be a likely target for an attack. By identifying the threat agent intentions and the capabilities such as the types of attacks used against web applications and the vulnerabilities that are exploited, CISOs can determine the likelihood, the data that is targeted and the potential impacts. As cyber threats continuously evolve and escalate in severity, it is important to understand what these threat agents are, their intentions and the past activities that is the type of attacks used by them. By analyzing how threats evolve, CISO can adapt application security measures to mitigate the risks of these threats.
In regards of the threat agent, it is important to understand “IF” and “HOW” the organization’s web applications and the data stored might be a likely target for an attack. By identifying the threat agent intentions and the capabilities such as the types of attacks used against web applications and the vulnerabilities that are exploited, CISOs can determine the likelihood, the data that is targeted and the potential impacts. As cyber threats continuously evolve and escalate in severity, it is important to understand what these threat agents are, their intentions and the past activities that is the type of attacks used by them. By analyzing how threats evolve, CISO can adapt application security measures to mitigate the risks of these threats.
−
===
Looking to the
Threat Agents Past Activities===
+
===
Analysis of
Threat Agents Past Activities===
The estimation of the threat agents is possible by analyzing their evolution in the last decade to identify the different types of threat agents involved, their motives and the type of attacks used. Threat agents have radically changed from the ones of ten years ago; their motives have changed as well as the sophistication and impact of the attacking tools and techniques used.
The estimation of the threat agents is possible by analyzing their evolution in the last decade to identify the different types of threat agents involved, their motives and the type of attacks used. Threat agents have radically changed from the ones of ten years ago; their motives have changed as well as the sophistication and impact of the attacking tools and techniques used.
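Review bot: the heading change from "Looking to the" to "Analysis of" is an improvement, but the unchanged context paragraph above still has grammar problems worth fixing in the same edit: "In regards of the threat agent" should read "In regard to the threat agent", "the past activities that is the type of attacks used by them" should read "their past activities, that is, the types of attacks they have used", and "CISO can adapt" should read "CISOs can adapt".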
−
===Script Kiddies===
+
===Script Kiddies
, Worms and Virus Authors
===
−
Between the years 2000 and 2005, the main threats
against web applications
could be characterized as the so called “script kiddies” seeking to gain notoriety by
spreading computer viruses
and
worms via email
and
botnets
and
cause
disruptions.
Apart from few cases
of
denial
of
service attacks against major web sites
,
mostly caused
by
accidental use
of
file sharing tools
(
e
.
g
. “mafia boy”
taking
down eBay and CNN websites for 90 minutes
in
the year
2000)
, the
primary targets
of
these threat agents weren’t websites consumer’s but user’s
and
company’s computers
.
+
Between the years 2000 and 2005, the main threats
agents
could be characterized as the so called “script kiddies” seeking to gain notoriety by
hacking into government systems using easy-to-find techniques
and
scripts to search for
and
exploit weaknesses in other computers as worm
and
virus authors seeking to spread them for causing notable major computer
disruptions
and get famous as a result
.
Historically, the primary targets
of
these threat agents weren’t websites but computer hosts for the sake
of
getting notoriety by infecting them with viruses and worms. Notable script kiddie of the late 90s includes Jonathan James
,
known as "cOmrade" on the Net, that pleaded guilty to intercepting 3,300 emails, stealing passwords, and nicking data
by
using network sniffers installed by compromising servers
of
US Dept of Defense with backdoors. In the year 2000, Jeanson James Ancheta created a worm that allowed him to infect as many computers on the Internet as he could with off-the-shelf Remote Access Trojans
(
RATs)
.
Over time, he amassed about 40,000 worm-infected remote access computers (also known as bots)
.
In the same year 2000, Onel Deguzman authors the ILOVEYOU virus that spreads by emails to 10 million hosts worldwide costing companies an estimated $ 5.5 billion dollars for cleaning it. In the year 2000, a 15 year script kiddie, Michael Calce known as
“mafia boy”
takes
down eBay
, Amazon
and CNN websites for 90 minutes
by accidental use of file sharing tool. Notable worm author of
the year
2004 is Sven Jascham author of the Sasser worm that is estimated to have impacted 10 million hosts. The impacts of Sasser worm included disabling hosts for satellite communications
,
disabling hosts for operation of air lines trans-Atlantic flights and disabling hosts for at financial organizations and hospitals. Today CISOs need to be on
the
alert for today’s script kiddies using readily available tools that look for common exploits
of
vulnerabilities to expose them to public. CISOs need to make sure that systems
and
web applications are not vulnerable to these easy exploits since this might damage the company reputation when these are published
.
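Review bot: the new heading should read "Script Kiddies, Worm and Virus Authors", and the opening sentence has "the main threats agents" where "the main threat agents" is meant; that sentence also runs from "Between the years 2000 and 2005" to "get famous as a result" without a break, so split it before "as worm and virus authors". The rest of the paragraph switches tense (pleaded, created, "authors the ILOVEYOU virus", "takes down eBay"); use the past tense throughout. Smaller points: "a 15 year script kiddie" should be "a 15-year-old script kiddie", "nicking data" is too informal for this guide, "disabling hosts for at financial organizations" should be "disabling hosts at financial organizations", "to expose them to public" should be "to the public", and the Sasser author's name is spelled Sven Jaschan. RATs are expanded here as "Remote Access Trojans" but as "Remote Access Tools" in the Cyber-spies section below; pick one expansion for the whole page.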
===Fraudsters & Cyber-Criminal Gangs===
===Fraudsters & Cyber-Criminal Gangs===
Line 274:
Line 273:
===Hacktivists===
===Hacktivists===
−
In the years between 2010 and 2012, a new class of threat agents emerged that seek to attack government and corporate websites for political motives. These are computer hacker groups of such as Lulzec and Anonymous. In 2011, Lulzec, claimed responsibility for compromising user accounts and credit card data users of the Sony’s PlayStation Network while Anonymous claimed responsibility for defacing the site of the company HBGary federal and publishing several thousand of client’s emails. These threat agents are commonly referred to as “hacktivists” and seek to attack websites not for financial gain but for exposing corporate and government owned information to the public. CISOs of government and corporate web sites that store customer's confidential information might become target by hacktivists for political reasons need to worry about reputational damage also resulting from public disclosure of website vulnerabilities. Hacktivists often engage in attacking the organization's employees and customers with spear phishing and their websites with SQL injection, Cross Site Scripting and web service vulnerability exploits for the sake to steal and post the compromised information online. Another type of attack that CISOs managing government and corporate websites need to worry about
is
Distributed Denial of Service (DDoS). For example, several of credit card sites such as Mastercard.com, Visa.com were attacked in 2011 by Anonymous with DDoS in retaliation of removing WikiLeaks
as one of their
clients.
+
In the years between 2010 and 2012, a new class of threat agents emerged that seek to attack government and corporate websites for political motives. These are computer hacker groups of such as Lulzec and Anonymous. In 2011, Lulzec, claimed responsibility for compromising user accounts and credit card data users of the Sony’s PlayStation Network while Anonymous claimed responsibility for defacing the site of the company HBGary federal and publishing several thousand of client’s emails. These threat agents are commonly referred to as “hacktivists” and seek to attack websites not for financial gain but for exposing corporate and government owned information to the public. CISOs of government and corporate web sites that store customer's confidential information might become target by hacktivists for political reasons need to worry about reputational damage also resulting from public disclosure of website vulnerabilities. Hacktivists often engage in attacking the organization's employees and customers with spear phishing and their websites with SQL injection, Cross Site Scripting and web service vulnerability exploits for the sake to steal and post the compromised information online. Another type of attack that CISOs managing government and corporate websites need to worry about
are disruptions due to
Distributed Denial of Service (DDoS)
attacks. Typically, hacktivits target websites with DDoS hosted at financial and govenment organizations for political reasons
. For example, several of credit card sites such as Mastercard.com, Visa.com were attacked in 2011 by Anonymous with DDoS in retaliation of removing WikiLeaks
operators among the VISA's and MasterCard's
clients.
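Review bot: the added text has two typos, "hacktivits" for "hacktivists" and "govenment" for "government". In both revisions "Lulzec" should be "LulzSec" and "HBGary federal" should be "HBGary Federal", and "compromising user accounts and credit card data users of the Sony's PlayStation Network" should read "compromising user accounts and credit card data of users of Sony's PlayStation Network". The CISO sentence is a run-on; suggest "CISOs of government and corporate web sites that store customers' confidential information, which might become targets of hacktivists for political reasons, also need to worry about reputational damage resulting from public disclosure of website vulnerabilities." The new closing clause "in retaliation of removing WikiLeaks operators among the VISA's and MasterCard's clients" is harder to read than the old "as one of their clients"; suggest "in retaliation for VISA and MasterCard dropping WikiLeaks as a client".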
===Cyber-spies===
===Cyber-spies===
−
To this year (
2012
)
, besides hacktivists, fraudsters and cyber-criminals, another class of new threat agents that some of the CISO of government and corporate organizations need to deal with is cyber spies seeking to compromise corporate web sites for stealing company’s trading secrets such as property type of information.
These type of attacks often involve the use of Remote Access Tools (RATs) as publicly revealed by McAfee in the operation Shady RAT report. In
the
study, it is reported that these attacks
often
use “spear-phishing email containing an exploits sent to an individual with the right level of access at the company, and the exploit, when opened, in an unpatched system, will trigger a download of the implant malware”. Spyware malware typically execute and initiate a backdoor communication channel to the C&C web server and interpret the instructions encoded in the hidden comments embedded in the webpage code.” Besides spear-phishing, cyber espionage tools can spread also by compromising web servers via SQL injection (http://www.mcafee.com/uk/about/night-dragon.aspx), infected USBs, and infected hardware or software
+
Since the years 2011 and
2012, besides hacktivists, fraudsters and cyber-criminals, another class of new threat agents that some of the CISO of government and corporate organizations need to deal with is cyber
-
spies seeking to compromise corporate web sites for stealing company’s trading secrets such as property type of information. These type of attacks often involve the use of Remote Access Tools (RATs) as publicly revealed by McAfee in the operation Shady RAT report. In
this 2011
study, it is reported that these
type
attacks
went on for several years starting in mid-2006, impacting "at least 72 organizations, including defense contractors, businesses worldwide, the United Nations and the International Olympic Committee". These type of cyber espionage attacks involved the
use “spear-phishing email containing an exploits sent to an individual with the right level of access at the company, and the exploit, when opened, in an unpatched system, will trigger a download of the implant malware”. Spyware malware typically execute and initiate a backdoor communication channel to the C&C web server and interpret the instructions encoded in the hidden comments embedded in the webpage code.” Besides spear-phishing, cyber espionage tools can spread also by compromising web servers via SQL injection (http://www.mcafee.com/uk/about/night-dragon.aspx), infected USBs, and infected hardware or software
.
The
analysis
of some of
the most recently used cyber-
spying
malware
seems to indicate that these are developed by countries engaged in cyber espionage. In 2012
for example
, Kaspersky labs identified a
cyber-
spying malware such as “Gauss” that bear code similarities with other cyber
-
espionage tools such as Flame and cyber
-
war tools like Stuxnet. According to Kaspersky (http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts) Gauss is “designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.
−
The
sophistication
of some of
these
spying
tools
seems to indicate that these are
tools
developed by countries engaged in cyber espionage. In 2012, Kaspersky labs identified a spying malware such as “Gauss” that bear code similarities with other cyber espionage tools such as Flame and cyber war tools like Stuxnet. According to Kaspersky (http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts) Gauss is “designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.
+
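Review bot: the quotation marks in the merged paragraph are unbalanced: the McAfee quotation closes after "implant malware”" but a second closing mark follows "webpage code", so either move the opening mark or remove the stray one, and the Kaspersky quotation that ends the paragraph has no closing mark or period. Wording points: "Since the years 2011 and 2012" should be "Since 2011", "these type attacks" should be "these attacks", "property type of information" should be "proprietary information", and "a cyber-spying malware such as “Gauss” that bear" should be "cyber-spying malware, “Gauss”, that bears". Folding the old second paragraph (removed at the end of this region) into the first is fine, since its content was repeated.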
===Advanced Persistent Threats (APTs)===
===Advanced Persistent Threats (APTs)===
−
Often cyber-espionage activities are associated with APTs (Advanced Persistent Threats). APT are characterized by advanced that is use sophisticated methods, such as zero-day exploits and persistent that is, the attackers returns to target system over and over again with a long term objective and achieving his goals without detection. Historical APTs includes operation Aurora targeting Google, Juniper and Adobe companies as well as operation Nitro, Lurid, Night Dragon, Stuxnet and DuQu.
CISOs of government organizations as well as corporations whose protection of intellectual property and confidential and restricted information constitute a primary concern, need to be aware that might become the target of APTs seeking to target employees and customers with spear phishing to infect PCs with spyware, as well as to exploit system and web application vulnerabilities like SQL injection for installation and dissemination of cyber espionage tools.
+
Often cyber-espionage activities are associated with APTs (Advanced Persistent Threats). APT are characterized by advanced that is use sophisticated methods, such as zero-day exploits and persistent that is, the attackers returns to target system over and over again with a long term objective and achieving his goals without detection. Historical APTs includes operation Aurora targeting Google, Juniper
, Rackspace
and Adobe companies as well as operation Nitro, Lurid, Night Dragon, Stuxnet and DuQu. CISOs of government organizations as well as corporations whose protection of intellectual property and confidential and restricted information constitute a primary concern, need to be aware that might become the target of APTs seeking to target employees and customers with spear phishing to infect PCs with spyware, as well as to exploit system and web application vulnerabilities like SQL injection for installation and dissemination of cyber espionage tools.
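Review bot: the definition sentence "APT are characterized by advanced that is use sophisticated methods ... and persistent that is, the attackers returns" is hard to parse; suggest "APTs are characterized as advanced, that is, they use sophisticated methods such as zero-day exploits, and persistent, that is, the attackers return to the target system repeatedly with a long-term objective and achieve their goals without detection." Also "Historical APTs includes" should be "Historical APTs include", and "need to be aware that might become the target" should be "need to be aware that they might become the target". Adding Rackspace to the Aurora list is the only substantive change here and is fine.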
== Targeting Threats to Web Applications with New Countermeasures ==
== Targeting Threats to Web Applications with New Countermeasures ==