Modeling Reality: User Error
Modeling Reality is a series of blog posts describing how real world scenarios are modeled by our software. This is the fifth installment.
Last week we discussed attacks on the user community in the context of vulnerability chaining. This week we will look at how these attacks are carried out. There are a number of methods that an attacker can use to breach the user community.
Malware is a powerful tool because it is self-propagating. Once one user is infected with malware, there is a race between the malware to spread itself throughout the operation and the anti-malware software to detect and clean up the infection. Because of this interplay, the attacker may gain or lose privileges as different user roles get infected by the malware. There are several ways a user may become infected with malware.
Active transmission is where the attacker embeds malware in a web page, typically via third-party advertising, which infects the user when they visit the page. The occurrence of active transmission is modeled based on the length of time the malware exists on a web page, the number of times users visit the page in that time period, and the likelihood the user clicks on the malware.
Phishing is where the attacker sends an email to the user which contains a link to a web page containing malware. The occurrence of phishing is modeled based on the likelihood the messages are caught by anti-phishing software, the likelihood the messages are sent to valid email addresses, and the likelihood the user clicks on the malware.
Spear phishing is a specialized case of phishing, where the attacker spends more time and effort crafting a targeted email that appears to be from a legitimate source, rather than relying on the sheer quantity of emails sent to generate user clicks.
Another method of breaching the user community is by stealing passwords. This gives the attacker access until the user changes their password. If the breached user has application manager or system administrator privileges, the attacker may create new user credentials for themselves, which can go undetected until the operation performs a full audit of its user community.
Social engineering is where the attacker talks their way into the operation, convincing the user that the attacker has a legitimate need for the user's credentials. The occurrence of social engineering is modeled based on the likelihood that the user falls for the attacker's ploy.
Brute force password guessing is where the attacker attempts to guess valid username and password pairs by iteratively testing thousands of possible combinations. The occurrence of brute force password guessing is modeled based on the likelihood of guessing a valid username, the likelihood of guessing the correct password, and the likelihood of defeating any two-factor authentication that may be in place.
Common password guessing uses the same model as brute force password guessing, but relies on the fact that users often reuse usernames and passwords across multiple logins. The attacker steals or buys the credentials that the users use elsewhere and tests them for reuse.
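The likelihood factors listed above for active transmission, phishing and brute force guessing can be composed into a breach probability per attack method and then per user role, which is what decides which privileges an attacker ends up with. The code below is an added illustration, not the Modeling Reality software itself; the factor names, the sample numbers and the assumption that the factors are independent are constructed for the example.

```python
from dataclasses import dataclass

# Constructed parameter sets; the factor names follow the post's description.
@dataclass(frozen=True)
class Phishing:
    p_caught: float         # message caught by anti-phishing software
    p_valid_address: float  # message reaches a real mailbox
    p_click: float          # recipient clicks the malware link

@dataclass(frozen=True)
class ActiveTransmission:
    days_live: float        # how long the malware stays on the web page
    visits_per_day: float   # user visits to that page per day
    p_click: float          # a visit results in a click on the malware

@dataclass(frozen=True)
class BruteForce:
    p_valid_username: float
    p_correct_password: float
    p_defeat_2fa: float     # 1.0 when no second factor is enforced

def p_at_least_one(p: float, trials: float) -> float:
    """Chance that at least one of `trials` independent events with
    probability `p` occurs: the complement of every one of them failing."""
    return 1.0 - (1.0 - p) ** trials

def p_phishing(m: Phishing) -> float:
    """One message must evade the filter, be deliverable and be clicked."""
    return (1.0 - m.p_caught) * m.p_valid_address * m.p_click

def p_active_transmission(a: ActiveTransmission) -> float:
    """Every visit while the malware is live is an independent chance."""
    return p_at_least_one(a.p_click, a.days_live * a.visits_per_day)

def p_brute_force(b: BruteForce) -> float:
    """A guess needs a valid username, the right password and a 2FA bypass."""
    return b.p_valid_username * b.p_correct_password * b.p_defeat_2fa

def breach_by_role(p_per_user: float, roles: dict[str, int]) -> dict[str, float]:
    """Chance that at least one user of each role is breached; the roles with
    high values show which privileges the attacker is likely to end up with."""
    return {role: p_at_least_one(p_per_user, n) for role, n in roles.items()}

if __name__ == "__main__":
    campaign = Phishing(p_caught=0.5, p_valid_address=0.5, p_click=0.1)
    # Constructed community: a few privileged accounts, many ordinary users.
    community = {"system administrator": 3, "application manager": 10, "user": 500}
    for role, p in breach_by_role(p_phishing(campaign), community).items():
        print(f"{role:22s} {p:.3f}")
```

With these constructed numbers the ordinary-user role is almost certain to be breached while the three administrators are hit only about 7% of the time, which is why the post's model tracks infections per role rather than per community.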