One thing we can learn from reading about the different terror plots is that not all attackers are the same. Richard Reid (thankfully) failed in his attempt to blow up American Airlines Flight 63, and the handful of factors behind that failure can teach us a good deal about what makes one attacker a mere annoyance while another becomes a seemingly unstoppable malevolent force.
The first of the three major differentiators between criminals is how they select a target. We can learn a good deal about the threat a criminal poses by examining how he picks his prey.
Eeny, meeny, miny, moe
When a purse snatcher is looking to get something for nothing, he waits for an opportunity (a big purse, a small woman) to come to him. He has no guarantee of what he will get from the transaction and no prior knowledge of the target. This is known as a "crime of opportunity." Prior to receiving terrorist training in Afghanistan, Richard Reid was jailed several times. His first conviction was for assaulting an elderly woman.
In cybersecurity, an attack that is looking to infect any computer it can reach (normally it ends up being your grandmother's PC) is taking a page from the pickpocket on the train or the lioness taking down the slow and weak. Minimal effort is spent per victim, and to turn a profit many targets will need to be exploited.
On September 11th, 2001 the devastating effect of coordinated efforts to hit high-value targets on US soil forever changed our lives. The targets were not selected at random, and each was chosen for an intended result. This type of "targeted attack" had many of us wondering whether our homes, places of worship or businesses could make their way onto an international terrorist's target list.
Targeted attacks on a network can attempt to gain access to proprietary information (espionage), transfer funds out of accounts, cripple critical internet or infrastructure resources (utilities, communications) or assist in extortion schemes. These attacks have a far more devastating impact, but they are much more difficult "capers" to pull off. In part two of this series, "Attack Payloads", we discussed this in depth.
A major difference between Richard Reid's first crime of robbing an old lady and his (presumably) last crime of attempting to blow up an airliner is the amount of preparation that went into each. While I can't say with certainty, it is reasonable to believe that the future terrorist did not spend weeks planning the robbery of an old woman. As with most "common criminals," an immediate need (rent, food, drugs, etc.) precipitates the crime of opportunity. Contrast this with the bombing of AA63, where years of training and planning occurred. He acquired a shoe bomb, booked a window seat at a sensitive part of the fuselage, traveled to France and replaced his passport to make intelligence sharing more difficult. Years of planning went into this attempted crime.
In network security, when an attacking group patiently plans and executes a targeted attack it is known as an advanced persistent threat (APT). This type of threat starts with reconnaissance of the target (also known as "fingerprinting"). The advanced attackers then formulate an attack designed to gain the desired "take" while avoiding detection. Intelligence gathering and ingenious (human) planning are the two primary markers of an APT. Because APT attackers have time to craft a strategy that thwarts automatic detection mechanisms, countering them likewise requires skilled analysts (smart human beings) working against their efforts. Richard Reid's attempt bypassed all the machines designed to catch him (X-ray machines, metal detectors, etc.); the only resistance he met came from the human beings who confronted him. In the case of the 9/11 tragedy, the terrorists' preparation enabled them to execute a devastating attack.
Another difference between Reid's robbing the old lady and bombing an airplane was the resources at his disposal. He had more than $2,000 in cash available to pay for airfare, as well as the mad genius(es) who invented the shoe bomb. Resources were spent on his training, travel and board. In the case of the September 11th attack, resources were spent in even greater abundance.
A good bit of "common hackery" is performed by undisciplined and untrained pseudo-hackers commonly called "script kiddies." They run malware with no particular target in mind and no budget to support them. In the case of an enterprise-targeted APT, resources can be great, particularly when the crime can produce a large "return." State-sponsored hacking can draw upon near-bottomless sacks of cash, and corporate-sponsored espionage efforts can be nearly as well funded. In addition to funding, the number of individuals willing to join the "caper" also adds to its chance of success. One problem Reid had was that his co-conspirator (who was to launch the same attack on a different flight) got cold feet. On 9/11, not every airplane hit its intended target and not every terrorist made it onto his plane. Cyberattacks in which multiple attackers work together make for a much more formidable threat.
Pulling these three categories together, we can conclude that a well-prepared, well-funded group of attackers with time on their side makes for a dangerous crew when plotting to exploit a high-value target. While detection mechanisms such as firewalls, signature-based intrusion detection and log monitoring can easily screen out the "purse snatchers" coming after network resources, defending against an advanced persistent threat (APT) requires quality intelligence in the hands of skilled analysts.
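To make the last point concrete, here is an added example (mine, not the author's, and not from any real product) that runs two kinds of detection over a handful of constructed log lines. A per-event signature match catches the "purse snatchers": three unrelated sources firing the same generic path-traversal string at one server within seconds. A second pass correlates per source over days and surfaces a patient reconnaissance profile: one address touching many distinct hosts and ports, never more than one event a minute, so that a burst or port-scan threshold never fires. The log format, the signature patterns and the thresholds (4 distinct targets, 3 days, 2 events per minute) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, source IP, destination host:port, request.
# Made up for this example; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T02:14:07 203.0.113.7    10.0.0.5:80   GET /index.php?page=../../../../etc/passwd
2024-03-01T02:14:09 198.51.100.3   10.0.0.5:80   GET /index.php?page=../../../../etc/passwd
2024-03-01T02:14:11 192.0.2.44     10.0.0.5:80   GET /index.php?page=../../../../etc/passwd
2024-03-01T03:00:00 198.51.100.77  10.0.0.5:22   SYN
2024-03-02T11:30:00 198.51.100.77  10.0.0.6:445  SYN
2024-03-03T19:45:00 198.51.100.77  10.0.0.7:3389 SYN
2024-03-05T08:10:00 198.51.100.77  10.0.0.8:8080 GET /
2024-03-06T22:00:00 198.51.100.77  10.0.0.9:443  GET /
2024-03-01T09:00:00 203.0.113.200  10.0.0.5:443  GET /index.html
"""

# Illustrative signatures for mass, opportunistic exploitation attempts: the kind of
# per-event pattern a signature-based IDS matches. Assumed for the example.
SIGNATURES = [re.compile(p) for p in (r"\.\./\.\./", r"/etc/passwd", r"wp-login\.php")]


def parse_line(line):
    ts, src, dst, request = line.split(None, 3)
    host, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "target": (host, int(port)), "request": request}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def matches_signature(request):
    return any(sig.search(request) for sig in SIGNATURES)


def peak_events_per_window(timestamps, seconds=60):
    """Largest number of events inside any sliding window of `seconds`."""
    ts = sorted(timestamps)
    peak, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_slow_recon(events, min_targets=4, min_span_days=3.0, max_per_minute=2):
    """Sources that touch many distinct host:port pairs over days while staying under
    the per-minute rate a burst or port-scan alert would need. Thresholds are
    assumptions for this example, not tuned values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        targets = {e["target"] for e in evs}
        times = [e["ts"] for e in evs]
        span_days = (max(times) - min(times)).total_seconds() / 86400
        peak = peak_events_per_window(times)
        if len(targets) >= min_targets and span_days >= min_span_days and peak <= max_per_minute:
            flagged[src] = {"targets": len(targets), "span_days": round(span_days, 2),
                            "peak_per_minute": peak}
    return flagged


def classify(log_text):
    events = parse_log(log_text)
    # Per-event signature match: cheap, automatic, and enough for the purse snatchers.
    opportunistic = {e["src"] for e in events if matches_signature(e["request"])}
    # Per-source correlation over days: the slow-and-low profile a per-event rule never sees.
    recon = find_slow_recon([e for e in events if e["src"] not in opportunistic])
    return opportunistic, recon


if __name__ == "__main__":
    opp, recon = classify(SAMPLE_LOG)
    print("signature hits (opportunistic):", sorted(opp))
    print("slow reconnaissance candidates:", recon)
```

The point of the second pass is not that a script replaces the analyst: the thresholds that separate a patient scan from a legitimate monitoring host are a judgment call, and an attacker who knows them can stay underneath. What the correlation does is put the long-window view in front of a human instead of leaving it buried under per-event alerts.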