In the first part of this series, we evaluated the different attack detection methods used in foiling the 2001 shoe bombing attack on American Airlines flight 63. We focused on how Richard Reid exploited the airport security systems and the lessons we can apply in network security monitoring. In this installment I’d like to turn our focus to the payloads that can be delivered after the exploit is successful.

Differentiating Exploit and Payload

To start off we need to understand the difference between an exploit and a payload. In Reid’s case the exploit was using the space in his shoe to smuggle an unauthorized substance (plastic explosive) through airport security, taking advantage of the airport’s inability to scan footwear for contraband (or explosives). The intended payload (the result) of his attack was the destruction of AA 63.

The exploit is the method of circumventing security; the payload is what you do with the access you gain. Had he been otherwise motivated, Reid could have used the same exploit to bring diamonds, drugs or state secrets onto the plane. Had he partnered with additional agents, he could have used the method to bring small weapons on board, hijack the airplane and change its flight path (this was the 9/11 payload).

Payload Detection

Previously we learned that attacks can be detected either by examining the agent’s composition (signature based detection) or by examining its activity (behavior based detection). Security signatures can be written to detect an exploit or a payload. In the case of the shoe bombing, the exploit (shoe smuggling) is detected by the x-ray machine operator and the payload (the plastic explosive carried in the shoe) is detected by chemical swabs and bomb sniffing dogs.

Network Payloads

We described earlier some possible payloads that can be (and have been) used onboard aircraft. Let’s turn our attention to what dastardly actions can be aimed at computer networks.

Service Disruption

Perhaps the most widely reported network attack payloads are those that deal with service disruption. A denial of service (DoS) attack is a payload designed to prevent a server from performing its function. In 1996, the infamous denial of service aptly called “The Ping of Death” was released onto the budding internet. By sending a fragmented ping whose reassembled size exceeded the 65,535-byte maximum for an IP packet (more than 1000 times the size of a normal ping), an attacker could make a vulnerable system crash or become completely unresponsive until rebooted. A more common type of DoS attack involves sending more service requests than a server can physically respond to. When geographically dispersed computers are coordinated in a denial of service attack on a host it is called a distributed denial of service (DDoS) attack.

It is possible to detect “Ping of Death” style DoS attacks through the use of signatures, because the malformed packet itself is the tell. Behavioral/anomaly detection is necessary to detect the “over-request” kind of DoS. An example would be thousands of compromised computers (known as a botnet or “zombie network”) being directed by their controller to request the homepage of their target as fast as they can. Signature and heuristic detection can’t work here because the composition of the traffic is valid (each request is an ordinary request for the home page); it is the deviation from the normal frequency of requests that reveals the malevolence of the communications.
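To make the signature-versus-behavior distinction concrete, here is an added example (my own illustration, not code from the original article). The first function is a signature check: it inspects the fragments of a single IP datagram and fires when the reassembled packet would exceed the 65,535-byte IPv4 limit, which is the Ping of Death condition. The remaining functions are the behavioral check: they count requests per client in a batch of web-server access-log lines, learn a threshold from a batch of normal traffic, and flag clients whose request rate is abnormal even though every request is a perfectly valid GET of the home page. The log lines, the TEST-NET client addresses, and the threshold parameters (three standard deviations with a floor of 20 requests) are all constructed assumptions for the demo.

```python
import re
import statistics
from collections import Counter

# Maximum IPv4 datagram size, header included (RFC 791).  A reassembled
# packet larger than this is what the 1996 Ping of Death relied on.
MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20


def ping_of_death_signature(fragments):
    """Signature check over the fragments of one IP datagram.

    Each fragment is (fragment_offset, payload_len), with fragment_offset
    in 8-byte units exactly as the IP header carries it.  The signature
    fires when any fragment's data would land beyond the end of a
    maximum-size datagram; the packet itself is the tell.
    """
    for offset, payload_len in fragments:
        if IP_HEADER_LEN + offset * 8 + payload_len > MAX_IP_DATAGRAM:
            return True
    return False


# Apache/nginx style access-log line: client, identd, user, [timestamp], "request".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def requests_per_client(log_lines):
    """Count well-formed requests per client IP in a batch of log lines."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def rate_threshold(baseline_lines, sigmas=3.0, floor=20):
    """Learn a per-client request threshold from a batch of normal traffic:
    mean + sigmas * stdev of requests per client, never below `floor`, so a
    very quiet baseline does not make ordinary browsing look hostile."""
    counts = list(requests_per_client(baseline_lines).values())
    mean = statistics.fmean(counts)
    stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    return max(floor, mean + sigmas * stdev)


def over_request_anomalies(observed_lines, threshold):
    """Behavioral check: clients whose request count in this batch exceeds
    the learned threshold.  Every request is a valid GET of the home page,
    so a content signature has nothing to match on; only the rate is off."""
    counts = requests_per_client(observed_lines)
    return {ip: n for ip, n in counts.items() if n > threshold}


def _line(ip, second, path="/"):
    # Constructed log line in Apache common format (not real traffic).
    return (f'{ip} - - [10/Oct/2011:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 2326')


# Constructed one-minute baseline: 50 ordinary clients, 1-4 page views each.
BASELINE_LOG = [_line(f"192.0.2.{i}", s) for i in range(1, 51) for s in range(i % 4 + 1)]

# Constructed attack window: the same ordinary traffic plus five bots each
# fetching the home page once a second for the whole minute.
ATTACK_LOG = BASELINE_LOG + [_line(f"198.51.100.{b}", s) for b in range(1, 6) for s in range(60)]


if __name__ == "__main__":
    print("normal ping:", ping_of_death_signature([(0, 64)]))
    print("ping of death:", ping_of_death_signature([(0, 1480), (8189, 32)]))
    threshold = rate_threshold(BASELINE_LOG)
    print("threshold:", threshold)
    print("flagged:", over_request_anomalies(ATTACK_LOG, threshold))
```

Note what the rate detector cannot do: a DDoS spread thinly enough that no single bot crosses the per-client threshold only shows up when the same comparison is made on the aggregate request rate for the site, so a production system learns both a per-client and a total-traffic baseline.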

Sleeper Cells

Much as Al Qaeda recruits sleepers, a successful network attack may amount to nothing more than quietly rolling a new recruit into the fold. Sometimes sophisticated attacks are used to gain control over a high value server; when hackers gain complete control of a computer they call it “owning” the machine. More often than “owning” a critical server, though, attackers try to recruit pawns. Across the globe, hackers have installed malicious software (malware) onto thousands of computers so that they have an army of “sleepers” standing by to receive commands. A single computer infected with this type of payload is called a “bot.” Collectively, all the computers under an attacker’s control are called a “botnet” or sometimes a “zombie network.” Botnets can be used for a variety of purposes, ranging from sending spam and scamming online advertisers (click fraud) to DDoS and covert network infiltration.

As enterprises have begun to allow employees to bring their own laptops, iPads and smartphones onto the network (a policy known as “bring your own device” or BYOD), attackers have gained a way to get bots under their control into otherwise inaccessible networks. Much like the challenges facing the agencies waging war on terrorist sleeper cells, detecting bots on the network is difficult while they are inactive. Signature based detection has to rely on a list of known “bad” internet addresses to detect an internal host beaconing to its controller. Since criminals in cyberspace can relocate far more easily than their physical world counterparts (a new command-and-control address costs almost nothing), such lists and the signatures built on them go stale quickly. Behavioral based detection can instead notice new kinds of communication coming out of a newly infected host, such as a regular, low-volume connection to a destination that host has never talked to before, and gives the incident response team its opportunity.
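An added example of the two approaches side by side (my own illustration, not code from the original article), run over constructed connection records of the form (timestamp in seconds, source, destination, bytes). The blocklist check is the signature approach: it only fires if the bot still talks to an address somebody has already listed. The behavioral check ignores addresses entirely: it learns which destinations a host normally talks to, then looks at new destinations for the timer-driven regularity of a bot polling its controller, measured as the coefficient of variation of the gaps between connections. Every address is from the TEST-NET documentation ranges, the blocklist and the flows are constructed, and the thresholds (at least six connections, jitter of at most 20%) are assumptions chosen for the demo.

```python
import statistics
from collections import defaultdict

# Constructed blocklist of "known bad" controller addresses.  All addresses in
# this example come from the TEST-NET documentation ranges, not real hosts.
KNOWN_BAD = {"203.0.113.7"}

# A flow record is (timestamp_seconds, src_ip, dst_ip, bytes_sent).


def blocklist_hits(flows, known_bad=KNOWN_BAD):
    """Signature-style check: internal hosts that talked to a listed address."""
    return {(src, dst) for _, src, dst, _ in flows if dst in known_bad}


def baseline_destinations(flows):
    """Which external destinations each internal host normally talks to."""
    seen = defaultdict(set)
    for _, src, dst, _ in flows:
        seen[src].add(dst)
    return seen


def beacon_candidates(flows, baseline, min_connections=6, max_jitter=0.2):
    """Behavioral check: (src, dst) pairs that are new for the host and whose
    connections arrive at near-constant intervals, the fingerprint of a bot
    polling its controller.  Returns {(src, dst): mean_interval_seconds}.

    max_jitter is the largest coefficient of variation (stdev / mean) of the
    inter-arrival times that still counts as "regular".  Human browsing to a
    new site is bursty and fails this test; a timer-driven bot passes it.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    found = {}
    for (src, dst), ts_list in times.items():
        if dst in baseline.get(src, set()) or len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            found[(src, dst)] = round(mean, 1)
    return found


# Constructed week-old flows for one workstation: ordinary browsing to two sites.
BASELINE_FLOWS = [
    (0, "10.0.0.12", "198.51.100.10", 4200),
    (37, "10.0.0.12", "198.51.100.20", 910),
    (310, "10.0.0.12", "198.51.100.10", 15800),
    (2915, "10.0.0.12", "198.51.100.20", 1200),
]

# Constructed flows after infection.  The controller has moved off the
# blocklisted address to 203.0.113.9 and is polled roughly every 300 s;
# the user also visits a brand-new site (198.51.100.30) in a human, bursty way.
OBSERVED_FLOWS = [
    (12, "10.0.0.12", "198.51.100.10", 5100),
    (10, "10.0.0.12", "198.51.100.30", 7300),
    (15, "10.0.0.12", "198.51.100.30", 22000),
    (300, "10.0.0.12", "203.0.113.9", 240),
    (400, "10.0.0.12", "198.51.100.30", 3100),
    (405, "10.0.0.12", "198.51.100.30", 900),
    (602, "10.0.0.12", "203.0.113.9", 240),
    (899, "10.0.0.12", "203.0.113.9", 240),
    (1201, "10.0.0.12", "203.0.113.9", 240),
    (1300, "10.0.0.12", "198.51.100.30", 6400),
    (1302, "10.0.0.12", "198.51.100.30", 1800),
    (1500, "10.0.0.12", "203.0.113.9", 240),
    (1798, "10.0.0.12", "203.0.113.9", 240),
    (2000, "10.0.0.12", "198.51.100.30", 2500),
    (2103, "10.0.0.12", "203.0.113.9", 240),
    (2400, "10.0.0.12", "203.0.113.9", 240),
]


if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(OBSERVED_FLOWS))  # empty: C2 moved
    baseline = baseline_destinations(BASELINE_FLOWS)
    print("beacons:", beacon_candidates(OBSERVED_FLOWS, baseline))
```

The two sides of the trade-off show up directly: the blocklist returns nothing because the controller relocated, while the beacon test flags the new destination from timing alone. The caveat is that "new destination" by itself is not enough (the bursty visits to 198.51.100.30 are legitimate and are correctly left alone), and that a bot which randomizes its sleep interval widely will push the jitter above the threshold, so real deployments combine several weak behavioral signals rather than relying on one.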

Loose Lips . . .

If having computers on your network under the control of an unknown hacker scares you, the prospect of your proprietary information being uploaded to a server in China might make your hair fall out. When a computer on your network sends information out of the network that it shouldn’t, it is called “data loss” (or data exfiltration). In an era of criminal penalties for the disclosure of personal, credit card or medical information, any unauthorized disclosure of data can permanently hamstring an organization.

Signature based detection of data loss can look for SSN and credit card number patterns in outbound communication (a credit card candidate can be confirmed with the Luhn check digit before an alarm is raised). It can also look for the names of files being transferred out of the network. Hackers worth their salt realized that the same encryption technology created to protect the citizenry from their attacks could be used to foil signature based data loss protection: by sending protected information out of the network over an encrypted channel, they render signature based analysis tools blind, unless the organization terminates and inspects that encryption at its own gateway. Since behavioral detection doesn’t need to look inside the transmitted data, it can still flag a computer that holds protected information when that computer starts transferring data abnormally. Instead of raising a signature based alarm (e.g. “Suspected SSN Sent”), a behavioral detection system would raise an “Abnormal Data Disclosure” or “Possible Data Loss” alarm by observing the deviation from the computer’s normal traffic volume.
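An added example (my own illustration, not code from the original article) that runs both kinds of data loss check over one constructed record. The content signatures look for an SSN pattern and for a 13-19 digit run that passes the Luhn check, and raise the alarm names used in the text. A small keystream-XOR function stands in for the attacker's encrypted channel: it is deliberately not real TLS and not a cipher anyone should use, it exists only to show that the bytes on the wire no longer contain anything for the signatures to match. The behavioral check never reads the content at all; it compares each host's outbound byte count for the day against that host's own historical median. The record, the byte counts, the hosts and the 10x ratio are constructed assumptions for the demo.

```python
import base64
import hashlib
import re
import statistics

# SSN pattern with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens (card number candidate).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check digit test, which weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def content_signatures(payload):
    """Signature check on the contents of one outbound transfer.  Returns the
    alarm names that would fire; an empty list means nothing matched."""
    alarms = []
    if SSN_RE.search(payload):
        alarms.append("Suspected SSN Sent")
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            alarms.append("Suspected Card Number Sent")
            break
    return alarms


def encrypt_like_tls(plaintext, key=b"constructed-demo-key"):
    """Stand-in for an encrypted channel: XOR with a SHA-256 keystream, then
    base64.  Not real TLS and not a recommended cipher; it only shows that
    the bytes on the wire no longer carry the patterns the signatures need."""
    keystream = b""
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return base64.b64encode(ct).decode("ascii")


def volume_anomalies(history, today, ratio=10.0):
    """Behavioral check: hosts whose outbound bytes today exceed `ratio` times
    their own historical median.  Content is never inspected, so encryption
    does not hide the transfer; only the deviation in volume matters."""
    alarms = {}
    for host, sent in today.items():
        past = history.get(host, [])
        if len(past) < 3:
            continue  # no baseline yet for this host
        median = statistics.median(past)
        if median > 0 and sent / median > ratio:
            alarms[host] = "Possible Data Loss"
    return alarms


# Constructed record leaving the network: one SSN and a well-known Visa test number.
RECORD = "Doe, Jane; SSN 123-45-6789; card 4111 1111 1111 1111; exp 12/14"

# Constructed daily outbound byte counts per host: past days, then today.
HISTORY = {
    "10.0.0.12": [40_000, 55_000, 38_000, 61_000, 47_000],
    "10.0.0.30": [90_000, 100_000, 95_000, 87_000],
}
TODAY = {"10.0.0.12": 2_400_000, "10.0.0.30": 52_000}


if __name__ == "__main__":
    print("cleartext:", content_signatures(RECORD))
    print("encrypted:", content_signatures(encrypt_like_tls(RECORD.encode())))
    print("volume:", volume_anomalies(HISTORY, TODAY))
```

Run as written, the cleartext record trips both content signatures, the encrypted copy of the same record trips none, and the volume check still names 10.0.0.12 because it shipped roughly fifty times its usual daily output. The volume check has its own blind spot: an attacker who trickles the data out slowly stays under any ratio, which is why the text pairs the two approaches rather than choosing one.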

Wrap Up

We’ve taken a quick look at what cybercriminals can do once they bypass security mechanisms. In the next installment in this series, we will examine how having better intel than the attackers can keep airplanes in the skies and networks secure.