Security Laboratory
- Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Methods of Attack
May 2nd, 2007
By Stephen Northcutt
According to Dr. Dorothy Denning, "The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks." [1]
In the Mitnick example, we focused on a single attack that used just a few specific techniques to achieve a well-defined goal. Although there are probably thousands of different exploits that attackers can use against your systems, most can be classified into one or more categories. A large amount of research is being done in an attempt to define a standard vulnerability taxonomy, but so far none has been widely accepted. A comprehensive taxonomy must be:
- Mutually exclusive
- Exhaustive
- Unambiguous
- Repeatable
- Accepted
- Useful [2]
Consider the following Computerworld headline:
"April 26, 2006 (IDG News Service) A number of flaws in the software that is used to administer the Internet's Domain Name System have been discovered by researchers at Finland's University of Oulu." [3]
Did they use exploits? No, they ran tests looking for problems in software. Security Tracker, probably one of the best sources to track vulnerabilities on the Internet, lists the following categories of causes for software vulnerabilities:
- Access control error
- Authentication error
- Boundary error
- Configuration error
- Exception handling error
- Input validation error
- Not specified
- Randomization error
- Resource error
- State error [4]
In the classic sense of a planned attack, executed by a hacker with malicious intent, a sequence of events typically takes place. First, in the reconnaissance phase, the attacker gently probes the system(s) or network(s) to get a sense of what is out there. Second, after discovering potential targets, the attacker performs more thorough system scanning, if necessary, and begins the process of enumeration. With enumeration, the attacker attempts to gain concrete information about the network or its users, such as specific system names, open shares, SNMP or LDAP directories, and so on. Third in the sequence is the breach, where the attacker actually attempts to penetrate the system or network. The fourth step is a system administration mode, in which the attacker gains access to and control of the resource in question. Finally, there may be a cleanup phase in which the attacker attempts to eliminate evidence of the intrusion.
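For a defender, this five-phase sequence doubles as a triage model: tag each logged event with the phase it corresponds to, and rank sources by how far along the sequence they have progressed. The Python below is an added example, not code from the original article; the keyword signatures and the "timestamp src= msg=" log format are constructed assumptions, and the sample log is constructed as well.

```python
import re
from collections import defaultdict

# Phases in the article's order; the keyword patterns and "ts src= msg=" log format are assumptions.
PHASE_SIGNATURES = [
    ("reconnaissance", re.compile(r"portscan|ping sweep")),
    ("enumeration", re.compile(r"snmp get|ldap search|smb share list")),
    ("breach", re.compile(r"exploit attempt|repeated auth failure")),
    ("administration", re.compile(r"new admin account|service installed")),
    ("cleanup", re.compile(r"log cleared|history deleted")),
]
PHASE_ORDER = [name for name, _ in PHASE_SIGNATURES]
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)$")

def tag_phase(message):
    """Map one event message to the first matching phase, or None if it matches none."""
    for name, pattern in PHASE_SIGNATURES:
        if pattern.search(message.lower()):
            return name
    return None

def phases_by_source(lines):
    """Return {src: [phases in the order first observed]}; lines are assumed chronological."""
    seen = defaultdict(list)
    for line in lines:
        match = LOG_LINE.match(line)  # unparseable lines are skipped here
        if match:
            phase = tag_phase(match.group("msg"))
            if phase and phase not in seen[match.group("src")]:
                seen[match.group("src")].append(phase)
    return dict(seen)

def furthest_phase(phases):
    """Latest phase in the sequence that a source has reached, or None."""
    return max(phases, key=PHASE_ORDER.index) if phases else None

def sources_at_or_beyond(by_source, phase):
    """Sources whose furthest phase is `phase` or later: candidates for triage priority."""
    threshold = PHASE_ORDER.index(phase)
    return sorted(src for src, phases in by_source.items()
                  if phases and PHASE_ORDER.index(furthest_phase(phases)) >= threshold)

# Constructed sample log, chronological: 10.0.0.5 walks the whole sequence; 10.0.0.9 only does a lookup.
SAMPLE_LOG = [
    "2007-05-02T01:10:00 src=10.0.0.5 msg=IDS portscan against 192.168.1.0/24",
    "2007-05-02T01:25:00 src=10.0.0.5 msg=SNMP GET with default community on 192.168.1.20",
    "2007-05-02T02:00:00 src=10.0.0.5 msg=Exploit attempt blocked on rpc service",
    "2007-05-02T02:05:00 src=10.0.0.5 msg=New admin account svc_backup created",
    "2007-05-02T02:30:00 src=10.0.0.5 msg=Security log cleared by svc_backup",
    "2007-05-02T09:00:00 src=10.0.0.9 msg=LDAP search base=dc=corp by helpdesk",
]
```

A single enumeration event (the helpdesk LDAP search) is ordinary on most networks; it is the progression through breach, administration and cleanup from one source that warrants attention, which is why the ranking keys on the furthest phase reached rather than on any single signature.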
In the Methods of Attack series, we will discuss classes of attacks that can be applied to almost any system.
[1] http://www.ssrc.org/sept11/essays/denning.htm
[2] http://www.nccaiim.org/Education/Proceedings/2004/7-Moore-vulnerabilities.ppt
[3] http://www.computerworld.com/printthis/2006/0,4814,110897,00.html
[4] http://securitytracker.com/topics/topics.html#cause