Most of us are familiar with the high profile cyberattacks of the last couple years. Target, Apple, Home Depot, and Sony are just some of the few big names who have dealt with a cyberattack recently. Despite the growing number of attacks, we’re left wondering why and how an attack can occur. More over, we struggle to classify attacks in order to determine how to prevent them in the future.
A new classification system, or checklist of sorts, was published by Ira Winkler and Ari Gomes on Computerworld (a combination of their names, Irari) helps us to classify how sophisticated, or unsophisticated, a cyberattack may be. The system uses the following classifications:
- The attack used malware that should have been detected.
- The attack targeted a known vulnerability.
- Multifactor authentication was not in use on the targeted systems.
- The attack exploited static passwords on critical servers.
- A strong, comprehensive awareness program was not in place, if phishing was involved.
- Detection mechanisms were not in place or were ignored.
- Proper network segmentation was not in place.
- User and administrator accounts that were exploited had excessive privileges.
What does these mean exactly? Well, we have heard from many organizations that are victim to these attacks that they were carried out with extreme sophistication, meaning only a select few would have the skills to pull off such an attack. However, Ira and Ari aren’t so sure. They believe many of these attacks could have been prevented if proper precautions had been taken.
For example, if a bank leaves the safe door open without any security guards then the safe is robbed the bank couldn’t necessarily claim that the robbery was carried out by a sophisticated criminal. It could have been anyone, even with minimal skills in robbing banks. Sure, this is a simple example, and not one that pertains to cyber security, but you get the idea.
Now, when it comes to guarding against cyber attacks many organizations don’t take the proper security precautions. Most often, passwords are not changed frequently, firewalls aren’t strong enough or aren’t set up correctly, or excess authentication is not used. These are examples of weakness, or soft spots in the armor if you will.
Essentially what Ira and Ari are saying here is that you should go down this list to see if any of these items pertain to your attack. Kind of like a “Can You Answer Yes To Any of These Questions?”. If you can, it may mean the cyberattack wasn’t as “sophisticated” as one might think.
Ira continues on describing exactly what each item means with a thorough breakdown. Below are a few of the Irari rules described in more detail by Ira Winkler, you can view the full list here.
The malware used should have been detected. If the malware used is known well enough to be detected by anti-malware or antivirus software, then the attack cannot be classified as sophisticated. The attack could have been detected with properly configured and maintained tools available. Even if a sophisticated attacker was involved, an attack that uses detectable malware shows a lack of respect for the victim’s security program.
The attack exploited vulnerabilities where a patch was available. If an attack exploited a vulnerability that could have been patched, the attack cannot have been sophisticated. A sophisticated attack would never rely on exploiting a vulnerability that could have been prevented. The fact that the known vulnerability existed on the exploited system demonstrates that anyone could have launched the attack.
Multifactor authentication was not in use on critical servers. Multifactor authentication is a common countermeasure for advanced security programs. It prevents a wide variety of potential attacks, including social engineering and password guessing. No attack against an organization whose critical servers don’t use multifactor authentication can be considered sophisticated.
Static passwords were used in attacks on critical servers. Even with multifactor authentication in place, passwords should be changed frequently. Static passwords on critical accounts is just a poor security practice and represents an unsophisticated security program, and their presence eliminates the possibility of a sophisticated attack.
If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training. While we will acknowledge that there are some spearphishing messages that are very sophisticated, and even the most aware people might fall prey to them, these are rare. Exponentially more frequently, the organization’s security awareness program is poor, if it exists at all. Security awareness programs that focus on computer-based training and phishing simulations are examples of poor awareness programs.
So, how sophisticated are the cyberattacks? We may now have a basis to go on if something like the Irari rules become widely accepted. Rules like these may help organizations determine how an attack would affect them and what they can do to prevent such an attack. One thing we do know is that cyberattacks are becoming all too common, and proper security standards and checklists can only help us in the future.