Managing Network Security

Anatomy of a Successful Sophisticated Attack

by Fred Cohen

Series Introduction

Computing now operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

A Common Misperception

The fad these days seems to be evaluating cyber-attacks against information networks by scanning the network for known vulnerabilities with a simplistic scanning product. If it tells you you're fine, great. Otherwise, fix the bugs and you are again safe. This, in my view, is a big mistake.

From the limited number of interactions I have had with people about the reasons for this approach, one of the common misperceptions they seem to share is that all bad actors are one-dimensional loners. In my experience, the more serious attackers of today are complex people who interact with groups of like-minded people working toward common goals. As a result, the attackers most organizations model tend to be far more limited than the real-world attackers we all face, and thus most organizations consistently underestimate the attackers.

In this month's article, I am going to outline what I consider a typical example of a serious attack undertaken with realistic goals, properly resourced, and executed by professionals. This is fictional in every way but one - every specific I will be describing has occurred in a real attack. The fiction comes from the way I have combined the facts to generate the specific scenario. It is, I can assure you, quite realistic, and indicative of the sorts of attacks undertaken on an everyday basis by serious attackers.

A Typical Attack Cell

An attack cell is a group of people who work together to attack systems. Like the Mission Impossible television show, there is a team leader (we normally call this person Mr. Phelps), and there are a selection of team members from which the team leader chooses a group for any given penetration. The successful cell is a diverse group of people with special skills.

By special skills we mean that they have, over the years, shown particular aptitudes for doing things that few others are able to do as well. As important as the individual skills, which many people might have, are the combinations of skills. For example, a good second-story person will have good climbing skills, good rope skills, lock-picking and safe-cracking skills, good balance, and so forth. Of somewhat higher value are people who combine a wider range of special skills, such as electronics, programming, lock picking, and caving.

Along with most such special skills come special tools, usually custom developed by the individuals for their own use. For example, a really fine pick kit is different from the off-the-shelf trash you get as a locksmith, and some people's custom software tools are particularly handy at performing somewhat unusual tasks in a very short time frame. Small, multi-purpose, easily concealed, and hard-to-detect tools are especially nice.

In a large, well-funded attack cell, there will be a logistics tail back to a research and development organization that is able to apply far more substantial expertise and resources as needed. For example, a strong scientific research organization is very handy when you need those special tools and capabilities that set you apart from the crowd. Similarly, the logistics tail can be very helpful when you need something special in a pinch, or perhaps a hand up, or some cover when you feel you are near detection, and so forth.

If you are government funded, your government also has other special resources: embassies and diplomatic pouches, secret research facilities, ways to obscure the purchase of special equipment and the performance of special tests, and so forth.

The Goal

Before Mr. Phelps selects a team, he is always briefed by the mystery voice on what the mission is. But the real Mr. Phelps is more often than not a self-starter with generic long-term goals. Most of the plans are made based on what can be done rather than on some special mission assigned at the last minute. On the rare occasions when a special mission is required, it is usually based on pre-positioned capabilities that Mr. Phelps has developed over a long period of time. The long term is generally thought of as strategic positioning and the short term as tactical.

We'll pick a strategic goal for discussion purposes. The strategic goal is to infiltrate and gain a strong cyber-warfare position in a key set of industries of financial and strategic importance to Nobody-Knows Electronics Inc. - the organization we represent. We'll call it Nobody from now on. Suppose Nobody is in the cover business of developing and selling electronic devices of all sorts to the world but it also has an internal cell that is really sponsored by a government.

We'll choose a tactical goal for this discussion, but it's important to put this goal in context as part of the larger operation. As you will see when we talk about the planning and intelligence aspects of this attack, the big picture is truly substantial. Suppose that this morning our cell has decided to go after one of its three key technology focus areas - missile technology - and has focused on the Mammoth Aerospace Company (MAC) Rocket Motor Technology division (RTM).

Why, you may ask, did they choose this particular target? Simple - because it is now ready for plundering. How did it get there?

The Planning and Intelligence Activity

Nobody has had its eyes on MAC for some time - as a customer. Over a period of years, it has systematically built a business relationship with MAC by providing excellent value in electronic components and boards. It has created a strong working relationship the way every business tries to do it, and by now there are many workers who regularly exchange data and commingle on joint ventures. Employees even go from one firm to the other on occasion, often as a result of doing contract work. While Mr. Phelps doesn't have enough control to mandate these sorts of things, one of his cell members has been involved in MAC projects for a number of years and has recently maneuvered into the position of becoming a MAC employee working in - you guessed it - RTM. Hence the target selection. We'll call this employee Jane Doe for now, because some of the information provided to RTM about Jane is false, planted information - in particular her name and other identity information.

Jane doesn't have any particularly high-level security clearance or anything like that; she just does her job as a marketer - or actually, she does not. Jane doesn't really do all that much marketing, although she has the skill to do it and does it to some extent. Instead, another member of the cell does the drudge work of marketing for her, using dial-in connections as part of the telecommuting program at RTM and some of Nobody's facilities. Jane's specialty is elicitation. Her special skill is getting along with people and, in the process, getting them to give her information. But for now she is acting as a marketer and, of course, one of her key customers is Motors Are Us (MAU). Naturally, her performance is pretty good, because MAU has a cell that is connected indirectly with Nobody's cell. To put it mildly, the fix is in.

Jane spends a good part of her working day being friendly and slightly flirtatious. As a result, she provides a steady flow of interesting information about RTM employees to Nobody. On occasion, she influences a hiring or a firing, she lets Nobody know about people who are temporarily unhappy with their work, she is privy to a lot of pricing and customer information, and ... you get the idea.

As part of Jane's work from home, her cell-mate Jimmy regularly browses the internal Web at RTM, keeps copies of all the administrative email, and generally watches how network traffic flows within RTM. Jimmy uses a secure shell connection over the dial-in provided for Jane to access Jane's PC at work for work purposes, but he has also installed a covert link through the network firewall's Web proxy, and that is where he does his dirty work.

Over time, Jimmy has planted a series of similar Trojan horses throughout RTM's internal network, and Jane's computer has become the entry point of last resort. Jimmy would only burn her in this way if the operation were about to shut down, and she would know well in advance.

From these Trojan horses, Jimmy does a pretty good job both of securing the machines against detection of his activities and of watching network traffic in RTM. If a real expert took a look, they might be able to figure out what's going on, but Jimmy is not worried because, the way things are rigged, in the worst case they will conclude that he hacked in from the Internet. When they try to trace him down, he will have plenty of notice, because he has installed a radio link between his actual computers and the local university, where he has tapped into the infrastructure to reach the Internet. If anyone gets too close to the radio, its built-in motion sensor will alert Jimmy and he will simply move on to his next planted device at the next university down the road.

The Execution

Today, Mr. Phelps decided that it was time to take all of the detailed design information on a new rocket motor that had just passed its first round of field tests at RTM. He told Jimmy what he wanted. Jimmy assured him that it could be done, but was concerned about the high volume of traffic this would involve and said it would be best for the long term if the transfer could be spread over a period of a week or two. Mr. Phelps agreed, and Jimmy proceeded to prepare his exploit.

Jimmy, as you may by now have guessed, is not some cracker off the Internet. He is a professional with special skills and adequate funding for his efforts. He also has support staff to help him get his job done. His first step is to rehearse what he will do by doing it on his practice network, deep in the bowels of Nobody's limited-access area. He has already done his homework on what's in place at RTM and over time has gathered quite a bit of information. He knows what design automation tools RTM uses, and he has acquired access to the same tools, which are used in some of the design areas at Nobody. He has contacts with engineers at Nobody who use this system every day, and he will ask the systems administrator in charge of the computer-aided design tools to install the package for him in his testbed. He will do all of this legally and pay for the extra license for the design package.

After the CAD package is up and running, Jimmy will take the latest system configuration information gathered from RTM and customize the CAD system to match RTM's as closely as he can in a reasonable amount of time. He will be running the same version of the operating system, all the same packages, and so forth. He already has a very substantial collection of attack tools gleaned from the Internet and will make sure that he has at least 20 or 30 tools that have been tested and work against the system setup at hand, in case he has to break into the operating system or use similar techniques to counter unanticipated defenses.

Jimmy will write a small amount of custom software that extracts the desired information and encodes it to look innocuous. His plan is to send it out in a few large file transfers to an FTP drop-zone account at a company that RTM regularly deals with for design automation. He knows it will not be noticed, because it is within the normal traffic pattern between the companies and because the user who runs that drop zone is on vacation in the mountains for the next two weeks and is not the type to dial in to check email while away. From there, he will transfer it to an unmonitored university account he has broken into, encrypt it, and post it to a USENET news group. From there, he will pick it up through a small company he has broken into that uses a radio LAN to communicate between its computers. The files will be transmitted to a pre-positioned radio-LAN gateway computer placed in a delivery truck that will be shipping a large volume of paper products to that company, and from there retransmitted to Jimmy as he sits at lunch in a bistro a few blocks away. All of the intervening equipment will be sacrificed after the information is pulled.
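The reason Jimmy asks for a week or two rather than one big push is that the defender's obvious check on this first hop is a per-destination volume baseline. The following is an added example, not code from the article or from any real product: a small detector over constructed FTP transfer records that compares each day's outbound bytes to a partner host against the median of a baseline period. The log format, the host name ftp.designtools.example, the 40 MB/day baseline, the 400 MB design tree and the 3x-median threshold are all assumptions made for the illustration. It shows that a single-day bulk transfer trips the check while the same data paced over ten days stays under it, and that a destination with no baseline at all is always flagged.

```python
"""Per-destination daily outbound volume check over FTP transfer records.

Added example; not part of the original article. Every host name, byte
count and the threshold factor below is an assumption for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

PARTNER = "ftp.designtools.example"   # assumed design-automation partner host
MB = 1024 * 1024


def make_baseline(start: date, days: int):
    """Constructed 'normal' traffic: one batch per day to the partner,
    35..45 MB, varied deterministically so the median is well defined."""
    records = []
    for i in range(days):
        day = start + timedelta(days=i)
        nbytes = 40 * MB + ((i * 7919) % 11 - 5) * MB
        records.append((day, "cad-batch", PARTNER, nbytes))
    return records


def daily_volume(records):
    """Sum bytes per (day, destination host)."""
    totals = defaultdict(int)
    for day, _user, host, nbytes in records:
        totals[(day, host)] += nbytes
    return totals


def per_host_median(baseline_records):
    """Median daily volume per destination over the baseline period."""
    per_host = defaultdict(list)
    for (_day, host), nbytes in daily_volume(baseline_records).items():
        per_host[host].append(nbytes)
    return {host: median(vals) for host, vals in per_host.items()}

def flag_anomalies(baseline_records, observed_records, factor=3.0):
    """Return (day, host, bytes) for observed days above factor * median.
    A host absent from the baseline has median 0, so it is always flagged."""
    med = per_host_median(baseline_records)
    flagged = []
    for (day, host), nbytes in sorted(daily_volume(observed_records).items()):
        if nbytes > factor * med.get(host, 0):
            flagged.append((day, host, nbytes))
    return flagged


def exfil_burst(start: date, design_bytes: int):
    """The whole design tree pushed to the drop zone in a single day."""
    return [(start, "jdoe", PARTNER, design_bytes)]


def exfil_paced(start: date, design_bytes: int, days: int):
    """The same data spread evenly over several days, Jimmy's approach."""
    chunk = design_bytes // days
    return [(start + timedelta(days=i), "jdoe", PARTNER, chunk) for i in range(days)]


def scenario(paced: bool):
    """20-day baseline, then 10 observed days of normal traffic plus the exfil."""
    base_start = date(1999, 3, 1)                 # constructed dates
    baseline = make_baseline(base_start, 20)       # median comes out at 40.5 MB
    obs_start = base_start + timedelta(days=20)
    normal = make_baseline(obs_start, 10)
    design = 400 * MB                              # assumed size of the design tree
    extra = exfil_paced(obs_start, design, 10) if paced else exfil_burst(obs_start, design)
    return flag_anomalies(baseline, normal + extra)


def unknown_host_flagged():
    """Even 1 MB to a never-before-seen destination trips the check."""
    start = date(1999, 3, 1)
    stray = [(start + timedelta(days=20), "jdoe", "ftp.univ.example", 1 * MB)]
    return flag_anomalies(make_baseline(start, 20), stray)


if __name__ == "__main__":
    for label, paced in (("burst", False), ("paced", True)):
        hits = scenario(paced)
        print(f"{label}: {len(hits)} day(s) flagged",
              [(d.isoformat(), n // MB) for d, _h, n in hits])
    print("unknown host:", unknown_host_flagged())
```

The burst scenario flags exactly one day (35 MB of normal traffic plus 400 MB of design data against a threshold of about 121 MB); the paced scenario adds 40 MB to each of ten days, peaking at 85 MB, and flags nothing. That is the limit of this kind of control: it forces a patient attacker to go slowly, which is precisely what a well-resourced cell with an insider is willing to do.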

The Escape and Aftermath

After going through this cycle of information theft a number of times, Mr. Phelps decides that it is time for Jane to move on to another aerospace firm. She does what she did before, getting a new job at another firm, more highly placed, at a higher salary, and taking more and more. After a while, Jane becomes quite adept at marketing and no longer requires any assistance with that aspect of her job. She merely gives short-term insider access to Jimmy or one of his helpers and provides programmatic and elicitation information to Mr. Phelps on the subjects he is most interested in, while moving into areas of strategic interest to Nobody.

The information gained through this process is used primarily for research and competitive advantage. Knowing bid prices is helpful for underbidding now and then, but it must not be made too obvious, just as research is aided by the stolen design files but must not use those files to directly create Nobody's own devices.

On occasion, Nobody may also use the planted holes to harm RTM or others more directly. For example, selective downtime or corruption of files may be used to degrade RTM's position in key areas. In some situations, after Jane has moved on, large numbers of mid-sized electronic funds transfers may be made through foreign holdings and rogue nations. Occasionally, high-quality people in RTM or other companies may have their reputations harmed by the creation of false activities attributed to them, or by the use of deception to cause them to accidentally do something illegal. Weaknesses identified in employees with access to highly sensitive data may be exploited - but never by Jane herself. Her task is intelligence gathering, and she is too valuable to burn for an individual gain here and there.

The story you have just heard is true. The names and some of the details have been changed to protect the innocent. Jane and Jimmy continue to work for Mr. Phelps, and you might recognize them as highly successful members of your teams. They have not been caught, but some others like them have been.

In today's computing environment, technical safeguards alone simply will not work against this sort of threat. Technical protection effective against a large portion of insider activity is possible, but to date organizations have been unwilling to apply the resources needed to make it work. Finding and catching this sort of perpetrator takes a combination of sound management practices in information protection and a solid investigation capability, properly applied.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at or visiting /