List the System-Level Objectives of Threat Agents Using Their Attack Methods

In order to properly defend the attack surfaces, one must understand the intermediate, cyber, digital, or system objectives of the attack methods. For instance, looking once more at XSS attacks, we know that the ultimate objective of a cyber criminal is to extract money from the victim. Of course, there are a multitude of ways that an XSS can be used to do that, from fake product sales (illegal or pirated pharmaceuticals) to theft of personal information like payment card numbers, account information, or an entire identity. But how does the attacker get from the XSS vulnerability to the objective?

For many exploits there is a system-level objective that must be attained in order to prosecute the attack to its goal. For security researchers, the system-level objective—that is, getting a piece of scripting code (JavaScript) to execute in the user’s browser, or gaining system-level privileges—will be sufficient to prove vulnerability. No more need be accomplished.

But for other attackers, the system objective is the steppingstone to an ultimate goal, whatever that goal may be. System-level privileges allow the attacker to “own,” that is, completely control, the attacked machine. From there, all information on the machine can be stolen. With superuser privileges, the attacker can install software that listens to and records every entry on the machine. If a spy, the attacker could turn on the machine’s video camera and microphone, thus eavesdropping on conversations held in the vicinity of the machine. And, of course, an owned machine can be used to stage further attacks against other machines or to send spam email. Essentially, a completely compromised machine can be used for whatever malicious and abusive purposes the attacker chooses. Hence, the term “owned.”

System-level objectives are tied closely to attack methods. Table 5.3 is not intended to be exhaustive. There are plenty of more extensive lists elsewhere, the most complete probably being CAPEC™ [1] at or the lists of attack methods at . Nevertheless, we are studying the ARA/threat modeling process in this chapter. The following is offered as an example of a technique for understanding how the prioritized threats are most likely to misuse attack surfaces.

The first three entries in Table 5.3 are purposely difficult enough to execute that these would not be a consideration for most well-managed websites. Unless there is a serious, unauthenticated, remotely executable vulnerability available via an HTTP request or message into a vulnerable application server or Web server, all the other interfaces should be protected in such a way that getting sufficient privileges to perform one of these first three attacks should be extremely difficult. In order to highlight security researcher “stunt hacks,” the first three entries specifically require high privileges or wide access, or both.

The subsequent entries in Table 5.3 are drawn from the OWASP Top 10.† In order to gain a place in that list, an attack method has to be one of the most popularly executed as well as used on a regular and continuing basis. When we analyzed cyber criminals, we noted their predilection for well-known and proven attack methods. The OWASP Top 10 list is representative of the most often used attacks on the Internet. Since the Web-Sock-A-Rama site is a typical web store, it will be subjected to attacks drawn from the OWASP Top 10 list, at the very least. Security researchers will also attempt well-known attack methods in order to find and report vulnerabilities.

Table 5.3 System-Level Attack Objectives

| Specific Attack | System Objective(s) | Threat Agent |
|---|---|---|
| String code "gadgets" together into a meaningful sequence that escalates privileges | User-installed (and accepted) application code running the attacker's program without having to install an executable on the attacked machine; call vulnerable system code from within an installed application and exploit it to escalate privilege to system or superuser | Security researchers |
| Bypass the no-execute page protection policy to execute code | Execute code of the attacker's choosing within the context of the currently logged-in user and a running application | Security researchers |
| Use a system debugger to exploit a buried overflow condition | Prove that an overflow condition not reachable through inputs can execute code of the attacker's choosing | Security researchers |
| SQL and LDAP injection | execute unintended commands; access data without proper authorization | Cyber criminals |
| Cross-Site Scripting (XSS) | execute scripts in the victim's browser; hijack user sessions; deface web sites; redirect the user to malicious sites | Cyber criminals |
| (Exposed) Direct Object References | manipulate . . . references to access unauthorized data | Cyber criminals |
| Cross-Site Request Forgery (CSRF) | force a logged-on victim's browser to send a forged HTTP request; generate requests . . . [that appear to be] . . . legitimate requests from the victim | Cyber criminals |
| Unvalidated Redirects and Forwards | redirect and forward users to other pages and websites; use untrusted data to determine the destination pages; redirect victims to phishing or malware sites; use forwards to access unauthorized pages | Cyber criminals |

SQL = Structured Query Language; LDAP = Lightweight Directory Access Protocol.

Source: The system objectives in the rows from "SQL and LDAP injection" onward (set in italics in the original) are quoted from the Open Web Application Security Project (OWASP) (2013), OWASP Top 10 List.†
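To make the first OWASP row of Table 5.3 concrete, the following is an added example (not code from the book or from OWASP) that shows how "execute unintended commands" and "access data without proper authorization" arise from one coding defect. A hypothetical web-store lookup is written twice against a constructed in-memory SQLite table: once by splicing the untrusted parameter into the SQL text, and once with a bound parameter. The sample rows and the input strings are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny customer table for a hypothetical web store.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-xxxx-xxxx-1111"),
    ("bob", "bob@example.com", "5500-xxxx-xxxx-0004"),
]


def make_db():
    """Build the in-memory database used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective form: the parameter becomes part of the SQL text.

    A quote character in the input closes the string literal, so the rest of
    the input is parsed as SQL and changes which rows the query returns.
    """
    sql = (
        "SELECT username, email FROM customers "
        f"WHERE username = '{username}' ORDER BY username"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query structure is fixed, the value is bound.

    The driver hands the value to the database separately from the SQL text,
    so whatever it contains is only ever compared as data.
    """
    sql = "SELECT username, email FROM customers WHERE username = ? ORDER BY username"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a constructed input that
    contains a quote, and return the four result sets for comparison."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"  # constructed input: closes the literal, adds a tautology
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_normal": lookup_parameterized(conn, normal),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running `demo()` shows the defective lookup returning every customer for the crafted input (data access without authorization), while the parameterized lookup returns nothing for it and behaves identically for the normal name. The same reasoning applies to the LDAP filter case in the same table row: keep the filter structure fixed and treat user input strictly as a value.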

  • [1] Common Attack Pattern Enumeration and Classification. CAPEC is a registered trademark of the Mitre Corporation.
  • † Not all of the Top 10 attacks are listed. Table 5.3 is just an example to demonstrate the process of understanding the system-level objectives of the likely threat agents. Some of the Top 10 List are vulnerabilities, thus not detailing an attack method. Table 5.3 is limited to technical attack methods only. CAPEC, maintained by the Mitre Corporation, details most known attack methods.
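The last row of Table 5.3 ("use untrusted data to determine the destination pages") is the one a web store like Web-Sock-A-Rama typically exposes through a post-login `next` parameter. The following is an added example (not code from the book or from OWASP) of a destination check that keeps the redirect on the site's own host; the host name, the allowed path prefixes and the default landing page are hypothetical configuration for the example. It goes slightly beyond the table's wording by also handling the cases that commonly slip past naive checks: protocol-relative `//host` values, backslash variants, non-HTTP schemes and `..` path segments.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Hypothetical configuration for the example web store.
ALLOWED_PATH_PREFIXES = ("/account", "/cart", "/checkout")
DEFAULT_LANDING = "/account"


def safe_redirect_target(next_param):
    """Return a redirect destination that stays on this site.

    Anything that does not resolve to an allowed local path falls back to
    DEFAULT_LANDING instead of trusting the parameter.
    """
    if not next_param:
        return DEFAULT_LANDING

    # Browsers treat backslashes like forward slashes in URLs, so normalise
    # first; otherwise '\\evil.example' would look like a local path here.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)

    # Any scheme at all (http:, https:, javascript:, data:, ...) means the
    # value is not a plain local path.
    if parts.scheme:
        return DEFAULT_LANDING

    # A network location means an absolute or protocol-relative URL
    # ('//evil.example/x'), which would leave the site.
    if parts.netloc:
        return DEFAULT_LANDING

    # Collapse '.' and '..' segments so '/account/../admin' is judged as
    # '/admin'. posixpath.normpath preserves a leading '//', so re-check it.
    path = posixpath.normpath(parts.path)
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING

    # Allow-list the landing areas rather than trying to enumerate bad ones.
    allowed = any(
        path == prefix or path.startswith(prefix + "/")
        for prefix in ALLOWED_PATH_PREFIXES
    )
    if not allowed:
        return DEFAULT_LANDING

    # Rebuild with only path and query; scheme, host and fragment are dropped.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs covering the normal case and the usual bypass shapes.
    for value in ["/cart/items?id=3", "//evil.example/x", "https://evil.example/",
                  "javascript:alert(1)", "\\\\evil.example", "/account/../admin",
                  "/checkout#step2", ""]:
        print(repr(value), "->", safe_redirect_target(value))
```

The design choice worth noting is the fallback: a rejected value never produces an error page that echoes the parameter, it just lands the user on the default page, which also removes the temptation to "fix up" a suspicious value. For the forwards case in the same row, the same allow-list applies to the internal page name before any server-side dispatch.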