The Russian pipeline explosion demonstrated what a well-resourced attacker could accomplish. The Titan Rain attacks were also by sophisticated attackers. At the other end of the attack spectrum are the novice hackers, also referred to as script kiddies. It is important to understand what attackers’ motivations and capabilities are in order to adequately defend against them. Understanding an attacker’s motivations can allow project managers to effectively allocate resources to those portions of a system most likely to be attacked while understanding an attacker’s capabilities can allow project managers to allocate resources based on how likely an attack is to succeed. This subsection describes the range and nature of attackers.
2.3.1Types of Attackers
The spectrum of attackers includes two characteristics:
Sophistication of technical knowledge – from attackers who develop attacks to ‘script kiddies’ who must rely on attack scripts provided by someone else
Ability to cause harm – from those able to determine and execute actions causing significant harm to an organization to those for whom just gaining entry (and perhaps notoriety) is the purpose for the attack.
Script kiddies use what they can glean from hacker web sites to try to attack systems. Their attack operations tend to be very crudely orchestrated and “noisy.” Given the low barrier of entry consisting of a computer connected to the Internet, a few exploits gleaned from simply using Google to search for an autorooter (scripts or programs for trying to obtain complete administrative privileges) and a little free time, and the script kiddie is in business.
Their attacks can be conducted from anywhere in the world – even from locations where their activities are not illegal. They realize that their chances of ever being identified, much less being convicted, are extremely low. This is true even if the owners of the system being attacked deem it worthwhile to pursue them and are willing to risk the potentially adverse publicity of acknowledging the success of the attack once arrests are made. The attacks by script kiddies are a drain on resources and provide good cover for the sophisticated adversaries. Script kiddies represent the lower-end of a continuum of attackers with a variety of skill levels, resources, and organization. At the higher-end are technically sophisticated attackers who are able to discover vulnerabilities and exploit them, and have the support and direction of a large organization for whom cyber attack is not an end in itself, but rather a means of achieving their desired goals. An example of a high-end attacker would be those executing nation state directed computer network attack.
For the entire range of attacker expertise, it is important to distinguish between the sophistication of the attacker and the sophistication of the attack. Persons with very limited technical ability can now launch very sophisticated attacks thanks to the availability of highly-sophisticated, point-and-click attack tools.
Between the script kiddies and the well-resourced adversaries is a continuum of attackers with a variety of skill levels and motivations. These types of attackers and their motivations are explored in the next subsection.
2.3.2Motivations of Attackers
There are several good sources on motivation – the information in this section does not accurately reflect the current state of knowledge.
Attackers have many motivations. Some of the primary reasons that an attacker would attack a system are: that the attacker wants something that is on the target system, that the attacker wants to use or control the system, that the attacker wants to perform a denial of service against the system, or that the attacker may want to destroy information on the system or the system itself. In general, attackers engage in two types of attacks: preserving attacks and destructive attacks.
Preserving attacks must maintain a low profile and the system must continue to appear to work as expected to the users in order not to be discovered since, if the attack were to be discovered, the access would likely terminate. Where does this information come from? What is the source?
Preserving attacks may be contrasted with a destructive attack that is intent on destroying either the integrity of the data accessible from the system or the system itself. These are very dangerous attacks, as the attacker may not ultimately care that the attack is discovered as in the case of a time or logic bomb. Via a time bomb or logic bomb (see Section 2.4.2 for definitions) intentionally implanted in software, an attacker can, with relative ease, target a system on an isolated network (air-gapped) network. Destructive attacks can have long-term impacts through corrupted data or destroyed files or a loss of confidence even after the recovery of the system.
For either type of attack, many motivations exist ranging from ego, intellectual challenge, or desire for acceptance to revenge, theft, psychopathy, espionage, and information warfare. Particular kinds of attackers, however, tend to have certain motivations. Some categories of attacks and their typical motivations are described in Table 1.
Table 1. Attackers and Their Motivations
recreation, reputation, sense of belonging, malevolence, and learning
revenge (e.g., through sabotage), to gain sympathy, whistle blowing, stalking or intimidation;, embezzlement, “job security” through extortion
money including credit card fraud, insider fraud, and identity theft
Social protestors (hactivists)
publicity, hindering and disruption, patriotism, and social or political change
competitive intelligence for competition or negotiation, industrial espionage, recruitment, subversion, commercial advantage or damage, tacit collusion, and misinformation
Organized crime syndicates
money including fraud, extortion, blackmail; theft, and identity theft; recruitment, corruption, and subversion; intimidation and influence including extortion and blackmail; intelligence on politics, law enforcement, criminal competition, and opportunities and risks for criminal activities; and industrial espionage
intelligence including target identification and information, publicity and propaganda, recruiting, political action, disruption, intimidation, and damage
intelligence and counter-intelligence, economic espionage, training, preparation for information warfare, misinformation, sabotage, law enforcement and deterrence, political influence, blocking illegal or subversive content, and general hindering and disruption.
Thus, no shortage exists of attackers and motivations. This list, however, is not exhaustive and attackers vary in their capabilities, resources, intentions, persistence, and degree of risk aversion. They also may be outsiders or someone inside – someone having a significant relationship with the individual or organization that is the target of the attack.