Computer Security: Principles and Practice
Classes of intruders: criminals
• Individuals or members of an organized crime group with a goal of financial reward
– Identity theft
– Theft of financial credentials
– Corporate espionage
– Data theft
– Data ransoming
• Typically young, often Eastern European, Russian, or Southeast Asian hackers, who do business on the Web
• Meet in underground forums to trade tips and data and coordinate attacks
Classes of intruders: activists
• Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
• Also known as hacktivists
– Skill level is often quite low
• Aim of their attacks is often to promote and publicize their cause typically through:
– Website defacement
– Denial of service attacks
– Theft and distribution of data that results in negative publicity or compromise of their targets
Intruders: state-sponsored
• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
• Also known as Advanced Persistent Threats (APTs) because attacks in this class are covert and persist over extended periods
• These activities are widespread in nature and scope, conducted by a wide range of countries from China to the USA, UK, and their intelligence allies
Intruders: others
• Hackers with motivations other than those previously listed
• Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
• Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
• Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security
Skill level: apprentice
• Hackers with minimal technical skill who primarily use existing attack toolkits
• They likely comprise the largest number of attackers, including many criminal and activist attackers
• Given their use of existing known tools, these attackers are the easiest to defend against
• Also known as “script-kiddies” due to their use of existing scripts (tools)
Skill level: journeyman
• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities to exploit that are similar to some already known
• Hackers with such skills are likely found in all intruder classes
• Adapt tools for use by others
Skill level: master
• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are of this level
• Some are employed by state-sponsored organizations
• Defending against these attacks is of the highest difficulty
Intruders: another classification
• Masquerader: an unauthorized individual who penetrates a system
• Misfeasor: a legitimate user who accesses unauthorized data
• Clandestine user: an individual who seizes supervisory control of the system
Examples of intrusion
• Remote root compromise
• Web server defacement
• Guessing/cracking passwords
• Copying databases containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access an internal network
• Impersonating an executive to get information
Intruder behavior
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering or system exploit
• Maintaining access
• Covering tracks