The threat landscape

The attack surface also brings in another term, threat landscape. We, in the cybersecurity community, talk about it every day. Threat landscape can be defined as the collection of threats that are observed, information about threat agents, and the current trends of threats. It is important that every security professional keeps track of the threat landscape. Usually, many different agencies and security vendors will release such threat landscape reports, for example, ENISA (European Union Agency for Network and Information Security), and NIST (National Institute of Standards and Technology), along with some of the big security corporations.

Moreover, the threat landscape is an extremely dynamic space; it changes very frequently, and is driven by many factors, such as available tools to exploit vulnerabilities, the knowledge base of available resources and vulnerabilities, and the skill requirements to place an attack. (This is becoming increasingly easy due to the freely available tools on the internet.) We will talk more about the threat landscape resources in following chapters in this book. The following is a list of different threats in 2016-2017 and their relative rankings:

Figure 2: ENISA Threat Landscape Report 2017

The preceding image is the threat landscape for 2017 based on a report from ENISA. This brings us to a point where it is important to know a little bit about some common types of attacks:

• Unstructured attacks: These are one of those attacks where the adversary has no prior knowledge of the environment they are launching an attack on. Mostly, in such scenarios, they rely on all the freely available tools. Unstructured attacks are often targeted en masse, based on any common vulnerability and available exploitation.
• Structured attacks: In the case of a structured attack, unlike an unstructured one, the adversary is much more prepared and well planned in carrying out the attack. In most of the cases of structured attacks we notice that the attackers demonstrate their advanced skills of programming, and knowledge about the IT systems and applications they are targeting. These attacks can be highly organized in nature and mostly targeted towards an individual entity or industry vertical.
• Social engineering (phishing, spear phishing, and so on): This attack is targeted towards one of the weakest links, humans. In this attack, the user is exploited in various ways. Often these attacks are successful because of a lack of knowledge or ignorance. Information is extracted from the user by tricking them one way or the other. The most common way is by phishing and spear phishing. In a phishing and spear phishing attack, data is extracted by impersonating something that looks authentic to the user, such as, posing as an administrator helping the user to reset their password, and other account details, via a web portal. These portals are specially crafted to suit the purpose of extracting data which the attacker wishes to collect. Users fall prey to those, and share sensitive information.
• Eavesdropping: This attack can be performed by gaining unauthorized access to the network and listening to the network communications. Commonly, all the traffic that is not encrypted can be easily targeted by the attacker.

• Denial of Service (DoS and DDoS): This is one of the oldest forms of network-based attacks, where the attacker will attempt to overwhelm the processing or computing capacity of the application or device by sending such a flood of data that it is more than the application or the device can handle, thereby disrupting the system. On the other hand, distributed denial of service (DDoS), is launched from multiple sources towards a single victim application or system on a very large scale, more than the amount that can be handled. This is one of the hardest to mitigate without proper technologies in place.

• Man-in-the-middle attack (MITM): In this attack form, the session or the network is hijacked in between by manipulating the communication between server and client, and acting as a proxy server, often without the knowledge of the victim.
• Malware: Malware can be defined as disruptive software, which is intentionally designed to cause damage or achieve any other malicious intent by its creator. Most of the time, this access is gained by exploiting the computing system's security, or any vulnerabilities, with help from the malware. Worms and Trojans are different forms of malware, and these have a very specific capability to spread from computer to computer and replicate themselves. Malware can cause theft of data, mass destruction of computer systems, disruption of network activities, and also can help in corporate espionage. Most of the latest malware may have unique capabilities to hide itself extremely well from the security systems and detection mechanisms, and stay active for weeks to years.
• Botnets: When computer systems are infected with malware, or any other malicious remote tools, and these infected computer systems are controlled by the attacker remotely, it is known as a bot. Furthermore, when there are many computers which are compromised by this malware, and controlled by the attacker, this network, or collection of compromised computers, is called a botnet. The remote mechanism and the control method are also termed as "Command and Control". Botnets can be used for various other purposes by the adversary, and, to achieve these, the botnet master will keep updating the malicious program's binary. Botnets used to be single-focused in terms of their mission. However, in the recent past, they have changed to become multiple-purpose malicious applications.
• Cross-site scripting: Cross-site scripting, commonly known as XSS attack, is an exploitation of flaws in web applications, which allows the adversary to inject malicious client-side script and compromise the user, without their knowledge in most cases. In general, these flaws exist due to poor input validation of web-based applications. Once the XSS is sent to the user, the browser will process it because the browsers have no mechanism to stop XSS based attacks. There are multiple forms of XSS attacks. Stored and reflected types of XSS are very common. Stored XSS allows the attacker to leave permanent malicious scripts in the victim's server, while reflected XSS usually takes place when the attacker sends a specially crafted link with a malicious query in the URL to the user, and the unsuspecting user clicks on the link, which then takes the user to a malicious site and captures the user's sensitive data, which is then sent to the attacker. Reflected XSS is possible only if the user clicks on the link. Or, another method is if the attacker tricks the user into clicking it.

• Drive-by download attack: This form of attack is very commonly seen over the internet. It has been one of the top threats in the past couple of years. In practice, attackers will compromise a well-known benign website and host their malware there, by embedding malicious links. Once users visit these non-suspecting websites, they get compromised by automatically being redirected to the malware download locations. Often, the links of compromised websites could be spread via spam or phishing emails, where a user might click a link out of curiosity, or unknowingly, and get the malware downloaded into the system.
• SQL injection attack: SQL injection attack is usually targeted towards the database exposed via the web. An attacker would execute malicious queries via poorly configured web applications, mostly in the data input mechanism to run SQL commands. The attacker, if successful, can gain access to the database, manipulate sensitive data, or, at times, also modify data. SQL injection can also allow arbitrary commands to manage the operating system remotely. This vulnerability is successful mostly due to the poor input sanitization at the web application, rather than at the database end, because databases are designed to execute queries as they receive them and return results accordingly. So, the developers must take care about input sanitization and only accept data input as desired, and check for any malicious inputs, before sending it to a database for query execution.

• Advanced persistent threat (APT): This attack has been on the rise over many years. The modus operandi of these attacks is mostly to launch highly targeted attacks against specific individual organizations, industry segments, or even a nation. These threats are called "advanced persistent" because the attacker, or the group of attackers, will use many advanced and stealthy techniques to stay undetected for a very long time. Often, it is found that the attack and persistent methods are specifically crafted for the particular attack and have never been used in any other attacks. APT based attacks are mostly well funded and they are mostly a team driven activity. APT is used to target intellectual property, any form of sensitive information, disruptive activities, or may even be for corporate espionage, or sabotage of data, and/or the infrastructure. APT attacks are entirely different from the other forms of attack; the adversary/adversaries take a very organized approach to know their target and the mission they want to achieve, and they do not rush to attack. The attack infrastructure is very complex at times. The main goal of the attacker/attackers is to stay in the compromised network as long as possible and stay hidden from security detection. One of the significant natures of APT, is that it can only impact certain parts of the network, or certain persons in the company, or just a few systems in the network that are the point of interest. This, therefore, makes it more challenging to detect APT activities by security monitoring systems.

• Web-based attacks: In these attacks, as the name suggests, the target systems are mostly those which are internet facing devices, applications, services, and so on. Practically, we can say that the majority of internet applications are exposed to web attacks. These can be attacked via flaws and vulnerabilities, not only in the applications, but, also, in the medium by which we access those applications, such as web browsers. Web browser exploits have been on the rise for many years. Web servers are always a very lucrative target for the adversary/adversaries. Some of the famous attack forms are drive-by downloads or watering hole attacks (where a legitimate web application, used by the target/targeted organizations, is compromised and then the attacker waits for the employees/users to visit the website and, thus, it becomes compromised).
• Insider attacks: Insider attacks are the human element of cybersecurity that are extremely vulnerable and very difficult to track, monitor, and mitigate. This threat indicates that the users with authorized access to the information assets will cause harm to the entity/business, or the organization. This is sometimes done unknowingly by becoming prey, or, sometimes, they are the ones conducting the attack. In general, there are no definitive ways to detect or monitor insider threat proactively; it can only be found when the damage has already been done in most cases. It's been a rising trend over many years, as the advanced attackers try to exploit insiders to gain access to the organization or businesses. This has been a major threat to governments and it's increasing day by day. Even if the organizations have a bullet proof network with a lock down environment, and strong perimeter defenses, insider attacks are considered to be the most effective. The mitigation of an insider threat is beyond the technical implementation. The organization also needs to include the social culture and education of its own users about how to treat security and stay vigilant.
• Ransomware: Ransomware has done a lot of damage recently and has come up as a prominent threat. The modus operandi of ransomware is mostly to gain monetary profit by holding the user's data/system in ransom by making it unusable. This is achieved by compromising the system with one or other form of existing exploits and vulnerabilities and then encrypting the data in the user's system. Once encrypted the attacker would demand money in exchange for the decryption key. The following screenshot shows an example of a ransomware message:

Figure 3: Example of Ransomware message, https://digitalguardian.com/sites/default/files/zdnet.jpg

Ransomware attacks are extremely dangerous because of their mechanism. Anyone with a little knowledge and access to freely available exploitation tools can use them to gain access and encrypt data. This is mostly done on a wide scale to generate more profit by volume, and the process is entirely automated. There are dark net groups that have created ransomware-as-a-service to offer the infrastructure and tools needed to generate such a campaign. Ransomware attacks are now being targeted more at organizations, such as banks and other financial institutions, to generate huge profits by disrupting their business and asking for ransom. WannaCry and NotPetya are the two most disrupting examples of ransomware that we have seen recently.

One of the notorious examples of ransomware even had the modus operandi to make the system unusable, which implied that it not only encrypted the data on the systems, but also had overwritten the master boot record that makes the computer unusable if rebooted. The impact of ransomware is unimaginable when it comes to attack against infrastructure like airlines, hospitals, governments, and emergency services.

• Espionage: This is one of those serious issues that has always been there since the beginning of human warfare. Today, this is taking place between corporate, governments, and various other entities, and the battleground is cyberspace. It's beneficial, in a sense, because no one is directly coming in front to perform this espionage; they are all behind the hidden cyberspace, and the attackers can stay anonymous. We have already seen in the news in the past couple of years how one government is trying to damage or disrupt the other by using a cyber form of espionage, by compromising sensitive information, and then leaking it to the public, to cause chaos and disruption. Even corporations are not far behind. They do it to gain access to each other's intellectual property to stay ahead of the competition. Cyberspace is way more interesting and dangerous when we think from this perspective of cybersecurity.