Attack Basics

Rodolfo Santos Flaborea
5 min read · Oct 27, 2023


Recognizing the indicators of an attack is one of the core skills of a security professional. It requires knowing the main types of malware, password attacks, cryptographic attacks, and a few categories of physical attacks.

Photo by Growtika on Unsplash

Malware is software that executes malicious code, making the infected system perform actions its owner never intended. There are many types, each built for a particular job: spying on the user, exfiltrating data, turning the machine into a zombie (bot) in a botnet, or locking it down. The main categories are viruses, worms, trojans, logic bombs, rootkits, remote access trojans (RATs), ransomware, and spyware.

Historically, the virus is one of the earliest types of malware. It attaches itself to the code of another program so that its own code runs whenever that program runs, and it depends on that execution to replicate. In this respect a computer virus is much like its biological namesake: neither can function or reproduce on its own, so a user must run the infected program for the virus to do its job. Worms do not have this limitation. A worm is a stand-alone program that executes and spreads by itself, typically by exploiting vulnerabilities in network services on other hosts.

The Stuxnet worm is often considered the first cyberweapon. It sabotaged numerous uranium enrichment centrifuges at a facility in Iran. Photograph: The Guardian.

Trojans are defined by their infiltration method. Typically the user downloads and runs a program that poses as something legitimate (e.g., an image or a PDF file) but is a cover for malware. A remote access trojan (RAT), also called a backdoor trojan, is a trojan that gives the attacker remote control of the target system, letting them issue commands and exfiltrate data.

Logic bombs get their name from the way they are triggered: the malicious code runs only when a preset condition is met, such as a specific date and time or a particular event on the system. Logic bombs are commonly associated with insider threats, for example an employee who plants one so that a system is compromised after they are fired.

Ransomware encrypts the victim's files, or the entire system, and demands payment from the victim in exchange for the decryption key. Many variants also exfiltrate data first, so the attacker can demand additional money under the threat of publishing it (double extortion). Ransomware is one of the main threats companies face today. It is also referred to as crypto-malware.

WannaCry is one of the most notorious ransomware attacks in recent history.

Spyware covertly gathers information about the user and relays it to the attacker. The data collected can be keystrokes (keyloggers), browsing habits and other information of interest to advertisers (adware), or credentials and other stored data (info stealers). Adware can also force advertising windows onto the screen. The source of spyware may be an advertising company, a government agency, or another potentially malicious actor. Adware and similar borderline software are often classified as Potentially Unwanted Programs (PUPs).

Rootkits are among the most insidious types of malware. A rootkit loads early in the OS boot process and modifies core components to hide itself: it can patch kernel structures and intercept system calls so that its files, processes, and network connections are invisible to tools running on the compromised machine. Often the only reliable way to remove a rootkit is to wipe the machine and reinstall the system.

Beyond malicious software, the cybersecurity professional must be familiar with attacks on passwords. These attacks are most effective against weak passwords: short ones, and ones built from familiar words. The fundamental types are brute-force attacks, dictionary attacks, password spraying, and rainbow table attacks.

A brute-force attack tries every combination of letters, numbers, and symbols until it finds the correct password. A dictionary attack instead uses a list of words commonly found in passwords as its candidates. The two can be combined in a hybrid attack, in which the dictionary words are mutated by appending numbers and symbols or changing case, so that lightly "decorated" words fall almost as quickly as the bare words. These attacks are the reason security professionals recommend passwords of at least 8 characters (longer is better) built from a random combination of letters, numbers, and symbols, which makes guessing far less likely to succeed. A technical countermeasure against online guessing is account lockout, which disables the account after a preset number of failed login attempts.

The rockyou wordlist is a famous list used as the basis for dictionary attacks. It contains the passwords leaked in the 2009 breach of RockYou, a maker of social-networking applications that stored its users' passwords in plaintext.

Password spraying tries the same password against many different accounts. It sidesteps account lockout, which is a common countermeasure against brute force aimed at a single account. Rainbow table attacks use precomputed tables of hashes for a specific algorithm and compare them against the hashed passwords in a stolen database. They can be rendered ineffective by salting: combining each password with a random string of data before hashing, so that a precomputed table no longer matches and every hash has to be attacked individually. Birthday attacks target hash functions themselves, trying to find two inputs that produce the same hash (a collision); because of the birthday paradox this takes roughly 2^(n/2) attempts for an n-bit hash rather than 2^n.
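To make the dictionary, hybrid, rainbow-table, and salting points above concrete, here is an added example written for this post (not code from the original article). Everything in it is constructed: a six-word stand-in for the rockyou wordlist, three made-up users, and SHA-256 standing in for whatever hash a breached site actually used. It shows the unsalted dump falling to a single precomputed lookup and the salted dump forcing a fresh pass over every candidate for every user.

```python
"""Offline password cracking against leaked hashes (added illustration).

Everything here is constructed for this example: a six-word stand-in for the
rockyou wordlist, three made-up users, and SHA-256 standing in for whatever
hash the breached site actually used. It shows a dictionary attack, the hybrid
mutations that extend it, and why a per-user salt defeats a precomputed
(rainbow-table style) lookup even though it does not slow guessing down.
"""
import hashlib
import os

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "princess", "sunshine", "football"]

# Suffixes appended to each word to build hybrid candidates.
SUFFIXES = ["", "1", "123", "!", "2023", "!1"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def candidates(wordlist):
    """Yield each dictionary word plus hybrid mutations (case change + suffix)."""
    for word in wordlist:
        for variant in {word, word.capitalize(), word.upper()}:
            for suffix in SUFFIXES:
                yield variant + suffix


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> plaintext once. This is the idea behind a rainbow table."""
    return {sha256_hex(c.encode()): c for c in candidates(wordlist)}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """Unsalted hashes fall to a dictionary lookup: no hashing at attack time."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_salted(leaked: dict, wordlist) -> dict:
    """With a salt the table is useless; each user costs a full pass over the candidates."""
    found = {}
    for user, (salt, h) in leaked.items():
        for cand in candidates(wordlist):
            if sha256_hex(salt + cand.encode()) == h:
                found[user] = cand
                break
    return found


def work_factor(num_users: int, wordlist) -> tuple:
    """Hash computations: once for the table vs. once per user when salted."""
    n = sum(1 for _ in candidates(wordlist))
    return n, n * num_users


# Constructed "breach": two weak passwords, one strong random one.
USER_PASSWORDS = {"alice": "Password123", "bob": "sunshine!", "carol": "x7#Qp9!mZ2vL"}
UNSALTED_LEAK = {u: sha256_hex(p.encode()) for u, p in USER_PASSWORDS.items()}
SALTED_LEAK = {}
for _user, _pw in USER_PASSWORDS.items():
    _salt = os.urandom(16)  # 128-bit random salt, stored beside the hash as real systems do
    SALTED_LEAK[_user] = (_salt, sha256_hex(_salt + _pw.encode()))


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted_hits = crack_unsalted(UNSALTED_LEAK, table)
    # The same table against the salted dump: nothing matches.
    table_hits_on_salted = {u: table[h] for u, (_, h) in SALTED_LEAK.items() if h in table}
    salted_hits = crack_salted(SALTED_LEAK, WORDLIST)
    return unsalted_hits, table_hits_on_salted, salted_hits


if __name__ == "__main__":
    unsalted, stale_table, salted = demo()
    print("unsalted dump, table lookup:", unsalted)
    print("salted dump, same table:   ", stale_table)
    print("salted dump, per-user pass:", salted)
    print("hash ops (table vs salted, 3 users):", work_factor(3, WORDLIST))
```

The caveat a practitioner should take from this: the salt only defeats precomputation and the amortization of one table over many users. The salted passwords still fall in `crack_salted`, because SHA-256 is fast. Real systems pair the salt with a deliberately slow password hash (bcrypt, scrypt, Argon2) so that each candidate in that loop costs the attacker real time.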
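Because spraying is designed to stay under the per-account lockout threshold, it has to be detected from the source's side rather than the account's. The following is an added detection example written for this post (not from the original article or any product); the log lines and their syslog-like format are constructed, and the thresholds are illustrative.

```python
"""Spotting password spraying in authentication logs (added illustration).

Constructed for this post; the log lines and their format are made up, and the
code is not from the original article or any product. Account lockout counts
failures per account, so one password tried against many accounts never trips
it. The detector below pivots on the source address instead: many distinct
accounts, very few attempts each, inside a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style records: a spray from 203.0.113.9 (one guess per
# account, one of them correct), a single-account brute force from
# 198.51.100.7, and an ordinary user typo from 192.0.2.5.
LOG_LINES = """\
2023-10-27T09:00:01 sshd auth=FAIL user=alice src=203.0.113.9
2023-10-27T09:00:03 sshd auth=FAIL user=bob src=203.0.113.9
2023-10-27T09:00:05 sshd auth=FAIL user=carol src=203.0.113.9
2023-10-27T09:00:07 sshd auth=FAIL user=dave src=203.0.113.9
2023-10-27T09:00:09 sshd auth=FAIL user=erin src=203.0.113.9
2023-10-27T09:00:11 sshd auth=FAIL user=frank src=203.0.113.9
2023-10-27T09:00:13 sshd auth=OK user=grace src=203.0.113.9
2023-10-27T09:00:15 sshd auth=FAIL user=heidi src=203.0.113.9
2023-10-27T09:05:00 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:05:10 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:05:20 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:05:30 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:05:40 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:05:50 sshd auth=FAIL user=alice src=198.51.100.7
2023-10-27T09:10:00 sshd auth=FAIL user=carol src=192.0.2.5
2023-10-27T09:10:20 sshd auth=OK user=carol src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth=(?P<result>OK|FAIL) user=(?P<user>\w+) src=(?P<src>[\d.]+)$"
)


def parse_log(text):
    """Turn matching lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def locked_out_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account lockout: `threshold` failures for one user inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    locked = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked.add(user)
                break
    return locked


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Per-source view: many distinct accounts failing, each below the lockout threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window if e["result"] == "FAIL")
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = {
                    "accounts_tried": sorted(per_user),
                    # Successes from a spraying source are the accounts now compromised.
                    "successes": sorted({e["user"] for e in in_window if e["result"] == "OK"}),
                }
                break
    return alerts


EVENTS = parse_log(LOG_LINES)

if __name__ == "__main__":
    print("locked out by per-account rule:", locked_out_accounts(EVENTS))
    print("spraying sources:", detect_spraying(EVENTS))
```

Run against the constructed log, the lockout rule catches only the single-account brute force against alice, while the spraying rule flags 203.0.113.9 and reports grace as the account whose password matched. In practice attackers rotate source addresses to dodge exactly this pivot, so the same rule is usually also run per tenant or per identity provider (many accounts failing once each, from anywhere, in a short window).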

Cryptographic attacks often take the form of downgrade attacks. During the handshake between a client (e.g., a web browser) and a server (e.g., a web server), the two negotiate a common protocol version and cipher suite to protect the connection. If the server still supports old, weak versions, an attacker positioned between the two (a man-in-the-middle, MITM) can tamper with the handshake so that the client appears to support only an older protocol, or break the handshake repeatedly until the client falls back to one, and the server obligingly adopts the weaker protocol, undermining the confidentiality of the data. The defense is to disable obsolete protocol versions on both sides and to use handshake downgrade protection so that a forced fallback is detected and refused.
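The following is an added model of that negotiation, written for this post (it is not code from the article or from any TLS library, and it does not perform real TLS). It implements the server-side rule from RFC 7507, TLS_FALLBACK_SCSV: a client that retries a failed handshake with a lower maximum version adds a signalling cipher suite value to its ClientHello, and a server that supports a higher version than the one offered aborts with an inappropriate_fallback alert. The version and SCSV constants are the real ones; the cipher-suite list, the attacker, and the client's retry loop are stubs for the legacy browser fallback behaviour that downgrade attacks abused.

```python
"""Protocol downgrade and fallback protection, modelled in Python (added illustration).

Simplified model written for this post; it is not real TLS code and not taken
from any library. The version numbers and the TLS_FALLBACK_SCSV value (0x5600)
are the real ones from the TLS RFCs; the cipher-suite lists, the "network" and
the attacker are stubs. The server rule follows RFC 7507: if a ClientHello
carries TLS_FALLBACK_SCSV and offers a maximum version lower than the highest
the server supports, the server aborts with an inappropriate_fallback alert.
"""
from dataclasses import dataclass

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
ALL_VERSIONS = [TLS10, TLS11, TLS12, TLS13]


@dataclass
class ClientHello:
    max_version: int
    cipher_suites: list


@dataclass
class ServerHello:
    version: int


@dataclass
class Alert:
    description: str


def server_respond(hello, supported, min_version):
    """Pick the highest version both sides accept, applying the SCSV rule first."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.max_version < max(supported):
        return Alert("inappropriate_fallback")
    acceptable = [v for v in supported if min_version <= v <= hello.max_version]
    if not acceptable:
        return Alert("protocol_version")
    return ServerHello(max(acceptable))


def mitm_drops(hello):
    """Active attacker stub: break every handshake that offers anything above TLS 1.0."""
    return hello.max_version > TLS10


def client_connect(server_supported, server_min, attacker_present, send_scsv_on_fallback):
    """Legacy-browser behaviour: start at TLS 1.3, retry one version lower after each failure."""
    transcript = []
    for attempt, version in enumerate([TLS13, TLS12, TLS11, TLS10]):
        suites = [0x1301, 0xC02F]  # stand-in cipher-suite IDs; their contents do not matter here
        if attempt > 0 and send_scsv_on_fallback:
            suites.append(TLS_FALLBACK_SCSV)  # "this is a retry at a lower version"
        hello = ClientHello(version, suites)
        if attacker_present and mitm_drops(hello):
            transcript.append(f"{NAMES[version]}: handshake broken by MITM, client falls back")
            continue
        response = server_respond(hello, server_supported, server_min)
        if isinstance(response, Alert):
            transcript.append(f"{NAMES[version]}: server alert {response.description}")
            if response.description == "inappropriate_fallback":
                break  # server refused the fallback; client must not retry lower
            continue
        transcript.append(f"{NAMES[version]}: negotiated {NAMES[response.version]}")
        return response.version, transcript
    return None, transcript


def scenarios():
    """Negotiated version (None = no connection) for four server/attacker combinations."""
    return {
        "no attacker, permissive server": client_connect(ALL_VERSIONS, TLS10, False, False)[0],
        "MITM, permissive server, no SCSV": client_connect(ALL_VERSIONS, TLS10, True, False)[0],
        "MITM, permissive server, SCSV": client_connect(ALL_VERSIONS, TLS10, True, True)[0],
        "MITM, server floor TLS 1.2": client_connect(ALL_VERSIONS, TLS12, True, False)[0],
    }


if __name__ == "__main__":
    for name, version in scenarios().items():
        print(f"{name}: {NAMES.get(version, 'no connection')}")
```

Two of the four scenarios end without a connection, and that is the point: against an active attacker, failing closed beats silently talking TLS 1.0. The attacker cannot simply strip the SCSV from the retry, because the ClientHello is covered by the handshake's Finished check, so any modification is detected when the handshake completes. Modern browsers no longer perform this kind of insecure version fallback at all, and TLS 1.3 carries its own downgrade sentinel in the ServerHello random value; the durable fix remains the last scenario, removing obsolete versions from the server configuration.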

Attacks on artificial intelligence (AI) are also entering the scene. AI systems learn from data: they recognize patterns by analyzing the sample data they are trained on, which makes them a flexible asset for many functions within an organization, including security. That dependence on data is also an attack surface. In a data poisoning attack, the malicious actor feeds poisoned or deliberately mislabeled data into the training set to bias what the model learns, for instance so that a spam filter stops flagging the attacker's messages. Poisoning, together with related techniques such as crafting inputs that a trained model misclassifies, is grouped under the heading of adversarial artificial intelligence.
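Here is an added illustration of the poisoning attack just described, written for this post (not code from the original article or from any library). A minimal Naive Bayes spam filter is trained on a small constructed corpus; the attacker then injects copies of a spammy message labelled "ham", and the filter starts delivering the spam it previously caught. The second function goes one step further than the text and measures how many poisoned samples the flip takes.

```python
"""Training-data poisoning against a toy spam filter (added illustration).

Constructed for this post; not code from the original article or from any
library. A minimal multinomial Naive Bayes classifier is trained on a small
hand-written corpus. The attacker then injects copies of a spammy message
mislabelled as "ham", and the filter starts passing the spam it used to catch.
"""
import math
from collections import Counter

# Constructed clean training set: four spam, four ham.
CLEAN_TRAINING = [
    ("win a free prize now click here", "spam"),
    ("free money win now limited offer", "spam"),
    ("claim your prize click now", "spam"),
    ("cheap pills free offer click", "spam"),
    ("meeting moved to tuesday afternoon", "ham"),
    ("please review the attached report", "ham"),
    ("lunch tomorrow with the team", "ham"),
    ("can you send the slides for the review", "ham"),
]

# Attacker-controlled sample: spam vocabulary, deliberately labelled ham.
POISON_TEXT = "free prize win click now offer"
POISON = [(POISON_TEXT, "ham")] * 8

# The message the attacker wants delivered.
TARGET = "win a free prize click now"


def train(data):
    """Count words per class; that is all a multinomial Naive Bayes model needs."""
    word_counts = {"spam": Counter(), "ham": Counter()}
    doc_counts = Counter()
    for text, label in data:
        doc_counts[label] += 1
        word_counts[label].update(text.split())
    vocab = {w for counts in word_counts.values() for w in counts}
    return {"words": word_counts, "docs": doc_counts, "vocab": vocab, "n": len(data)}


def log_prob(model, text, label):
    """log P(label) + sum of log P(word | label), with add-one (Laplace) smoothing."""
    counts = model["words"][label]
    total = sum(counts.values())
    v = len(model["vocab"])
    score = math.log(model["docs"][label] / model["n"])
    for word in text.split():
        score += math.log((counts[word] + 1) / (total + v))
    return score


def classify(model, text):
    return max(("spam", "ham"), key=lambda label: log_prob(model, text, label))


def run_poisoning_demo(target=TARGET):
    """Return (verdict from the clean model, verdict from the poisoned model)."""
    clean = train(CLEAN_TRAINING)
    poisoned = train(CLEAN_TRAINING + POISON)
    return classify(clean, target), classify(poisoned, target)


def min_poison_to_flip(target=TARGET, max_samples=50):
    """Smallest number of poisoned samples that flips the verdict to ham (None if never)."""
    for k in range(max_samples + 1):
        model = train(CLEAN_TRAINING + [(POISON_TEXT, "ham")] * k)
        if classify(model, target) == "ham":
            return k
    return None


if __name__ == "__main__":
    print("clean vs poisoned verdict:", run_poisoning_demo())
    print("poisoned samples needed to flip:", min_poison_to_flip())
```

On this corpus five mislabelled samples are enough to flip the verdict. The scale is a toy, but the mechanism is not: any pipeline that retrains on user-submitted labels (spam reports, "not junk" clicks, crowd-sourced annotations) gives an attacker exactly this input, which is why training data provenance and outlier checks on new labels belong in the threat model of an ML-based control.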

Aside from attacks on computers, there are physical attacks such as skimming and card cloning. In skimming, the attacker fits a bogus card reader on top of a legitimate one (on an ATM or a payment terminal, for example) to capture the victim's card details as the card is used. Those details then provide the basis for cloning the card.

Written by Rodolfo Santos Flaborea

Psychologist and Cybersecurity Student. Certified in Security+ and currently studying for CREST CPTIA (Cyber Threat Intelligence).
