Keep Your Eyes on the Prize: Attack Vectors are Important But Don’t Ignore Attacker Goals
June 23, 2017
Reporting on intrusions or attacks often dwells on the method that the attackers used to breach the defenses of a particular organization. However, the goals of the attacker are what matter most to how an organization can protect itself. Those goals reflect the value that attackers perceive in an organization’s critical assets, which is independent of the value those assets have to the organization itself.
The table below shows a carefully chosen sample of well-documented attacks on what attackers consider to be high-value or critical assets. It is worth noting the following attacks were performed by a mixture of nation states, mercenaries, nation state proxies, cyber criminals and hacktivists, showing a complex ecosystem. We do not aim to provide definitive attribution here, merely state which are the most likely candidates based on assessments from law enforcement or the wider community.
| High Value Asset | Sector | Threat Actor | Impact on Target | Examples |
| --- | --- | --- | --- | --- |
| Corporate IT infrastructure | All | Cyber criminals, nation-state proxies, nation states | Availability | Ransomware attacks like WannaCry or the Sony Pictures Entertainment attack deny access to IT resources in order to extort money from the victims and/or cause embarrassment |
| Corporate IT infrastructure | All | Nation states | Confidentiality | Russian-affiliated threat groups broke into a voting software company in order to use its IT infrastructure to send phishing emails to subsequent targets |
| Customer (WiFi) networks | Hospitality | Nation states | Confidentiality | The Darkhotel APT group used hotel networks to target individuals of interest and deploy malware to customer machines through malicious software updates |
| Cryptographic material | Technology | Cyber criminals, nation states | Confidentiality | DigiNotar’s cryptographic keys were stolen in order to forge certificates for eavesdropping on Internet users in Iran |
| Database | All | Cyber criminals | Confidentiality, Integrity, Availability | The RansomWeb attack covertly encrypted the victim’s database; once the database and its backups were fully encrypted, the encryption keys were removed, the database became inaccessible and ransom demands were made to the victim |
| Financial transaction systems | Finance | Cyber criminals, nation states | Confidentiality, Integrity | Attackers breached various banks worldwide to send money to mule accounts via the SWIFT network infrastructure |
| Financial transaction systems | Finance | Nation states | Confidentiality | Alleged Equation Group leaks detail the compromise of the SWIFT Service Bureau Eastnets to extract transaction information from its database |
| Industrial process design and development | Manufacturing, Aerospace, Defence | Freelancers | Confidentiality | Su Bin stole component design blueprints and flight test data for sale to competing companies |
| Network infrastructure | Broadcasting | Nation states | Availability | TV5Monde’s routers and switches were corrupted by malicious firmware updates, which caused the TV station to cease broadcasting |
| Non-public information | All | Nation states | Confidentiality | Hackers allegedly from PLA Unit 61398 stole “thousands of e-mails and related attachments that provided detailed information about SolarWorld’s financial position, production capabilities, cost structure, and business strategy” |
| Non-public information | Finance, Legal | Cyber criminals | Confidentiality | Hackers stole non-public press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, etc. and used this information to conduct trades |
| Source code | Technology | Freelancers, nation states | Confidentiality | Attackers compromised Yahoo in order to obtain the source code so they could forge cookies and gain persistent, unauthorized access to user accounts |
| Payment card information | Retail | Cyber criminals | Confidentiality | Attackers stole 40 million payment card records from Target’s Point of Sale (PoS) systems by breaking into a supplier who had access to the Target network |
| PHI/PII | Healthcare | Cyber criminals | Confidentiality | 80 million customer records were stolen from Anthem; this data may be used for espionage and/or financial crime such as filing fraudulent tax returns and issuing pre-paid debit cards |
| SCADA systems | Energy | Nation states | Availability | A cyber-attack was performed against a Ukrainian power company’s circuit breakers, causing the loss of power to approximately 225,000 customers |
| Social media accounts | All | Cyber criminals | Availability | Wired reporter Mat Honan had his various cloud service accounts breached and his devices remotely wiped in order to take over his social media account |
| Social media accounts | All | Nation-state proxy | Integrity | The Syrian Electronic Army hijacked the social media accounts of various global companies in order to spread propaganda |
A common theme running through the table above is that attackers take the path of least resistance to their goals and, where the critical assets were not reachable, find creative ways to monetize the access they do have.
Some common themes concerning attacker goals emerge:
- Attacks are a multi-stage process, and each stage helps the attackers get closer to their goal. An organization may be compromised for its own assets or because its assets help an attacker reach its real target. Financially motivated cyber criminal actors seek out not only directly monetizable assets like payment card information but also assets which can be sold, such as PHI/PII or non-public information.
- Sectors such as finance and defense are well-known targets for attackers, but following on from the multi-stage theme above, other organizations may find themselves as targets as they are on the “flight path” from the attacker to the intended target, for example, in the case of supply chain compromise.
- While theft is very common (confidentiality violations), attacks on availability, such as extortion via ransomware, and attacks on integrity, such as source code manipulation, do also occur. Attackers have a diverse set of actions in their portfolio and may use any of them against a particular target.
By understanding the goals of the attackers, defenders can understand which of their assets need to be safeguarded. Any breach investigation or incident response should attempt, where possible, to understand the goals of the attackers in order to gain insight on how attackers are targeting an organization’s assets.
Recent attacks like the Nyetna outbreak highlight how hard it can be to establish attacker goals with certainty, as the attacker may deliberately attempt to obscure their true goals; in such cases each of the plausible attacker goals must be considered.
We recently wrote a blog on five ways security engineering can help to protect these assets.