
Types of Attack

A lot of pixels have been spilled in the last few years about “advanced persistent threats” (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist?

After thinking about it for a while, I came up with the following representation:

The two axes represent how skilled the attacker is, and how much a particular victim is being targeted.

I dub the lower left “joy hacks”. These are the province of the script kiddie or the novice hacker. They’ve learned about “cool” tools, and they try them out on anyone in reach. Ordinary care will generally deflect joy hackers.

As the attackers’ skill level moves up, you get what I call “random hacks”. (I’m not fond of that name; any better suggestions?) People who write new worms often fall into this class, especially if the worms exploit 0-days. But worms are generally random in their targets. If you’re a spammer or a botnet builder, though, that’s fine; a low-bandwidth node may not be able to spew as much garbage as a well-connected one, but as the saying goes, “from each according to his ability”. Your best defense here is the usual technical litany: turning off unneeded services, keeping up to date on patches, etc.

The X axis, which reflects targeting, does not necessarily imply particular technical measures. In general, though, it means that the attacker will gather as much intelligence as is feasible about the target. (Again, I’m quite unhappy with my name, especially when I have to translate it into the noun for the attacker.) Spear-phishing attacks, which display knowledge of the organization, of the victim, and perhaps of the purported sender of the message, demonstrate the efficacy of this. The attacks themselves may not be novel, but the extra information the attacker has helps immensely. This is an arena where education and process help.

The upper right (or the upper right of the upper right) is, of course, the Advanced Persistent Threat, what John Ehrlichman so memorably called the “big enchilada”. Here, you need everything you can bring to bear and then some: patches, education, process, luck, and perhaps sacrificing the entrails of a virgin artichoke on your keyboards.

Do APTs exist? Assuredly; if it accomplished nothing else, Stuxnet showed that. Are most attacks on high-profile companies APTs? I suspect that some are and some are not—but I haven’t investigated or even reviewed the investigation of any of them, so I won’t comment. Are nation-states behind APTs? Unknown and probably unknowable, though the more sophisticated the attack (and especially the more comprehensive and sophisticated the target intelligence was), I’d say it becomes more likely (which is not the same as “likely”). Should you worry about APTs? Ask yourself this: who would be likely to target you, and how good are they?

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.
