Rack of Ethernet switches.

Textual Analysis for Network Attack Recognition

The Attacker's Perspective

The hacker wants to get control of an account on your system, ideally, a privileged account. Now, why do they want this? It depends....

Maybe because they believe you have valuable information stored on your system (maybe a large database of other people's credit card information) or access to your system provides access to valuable information (it could be a platform for sniffing interesting network traffic within your organization, or it is trusted by other hosts).

Far more likely, however, the hacker just wants to use your system as a tool. Probably a tool to attack other systems. Possibly as a place to archive their data (vast archives of bootleg software, MP3 and MPEG files, plus piles of pornography).

There are prominent exceptions, but let's face it, the vast majority of attacks on the Internet in any 24-hour period are just attempts to break one more account on one more system. The next most common attack category is probably organized crime (the Russian Mob, for example) focused on systems holding financial information. I know that if you work for the military or a government agency you're going to worry about espionage trying to find your secret plans or secret data, but that's a vanishingly small fraction of the total threat environment on the Internet.

After all, the al-Qaeda hackers broke into the Arkansas State Highway Commission servers just to install a message server. They weren't trying to learn about or interfere with highway maintenance in Arkansas. That system was just a useful and available tool.

So, you're just a potential tool. You're much more attractive if you have a high-bandwidth connection, so carefully planned attacks will concentrate on the blocks of IP addresses making up high-bandwidth networks. You're also much more attractive if you have a lot of storage available, but the attacker can't guess whether that's the case in advance. Since we expect any one attack to scan a wide range of IP addresses, the attack will be automated.

The automated attack can be pretty obvious, so the hacker does not want to run it from their own system. Hence the interest in access to many hosts: most of the compromised hosts are used, if at all, to attack other hosts. As an example, see my analysis of a series of intrusions into a poorly configured Linux system: a web-hosting machine in Germany was used to break into a desktop at a major U.S. university, and that was used in turn to attack an entire block of IP addresses at General Motors.

A large number of compromised systems will be used to attack a vast number of targets. Some hosts in the target set will be compromised, and the results (for example, a list of login, password and IP address triples) will be saved on the attacking host or immediately sent to the hacker, who will connect to the new victims later.

Loss of an attacking platform is unfortunate but not critical; the overall plan continues. This leads to at least three situations that may provide detectable patterns:

Some attack sequences may be re-run by one hacker or hacking organization "just in case" it was unable to complete on some compromised hosts. They compromised a host, installed attack software and started an attack. Some time later they noticed that the exploit had been detected and the system rebuilt and the hole closed. Did their attack finish and just find no new victims? Or was the attack stopped in the middle? Maybe they should re-run that attack somewhere else....

Other attack code may be self-propagating, automatically installing itself and starting a new copy on compromised hosts. Yes, this makes it easier for the hacker, but it doesn't make sense to do exactly the same attack again. However, as we'll see, many hackers do things that don't make a lot of sense.

Finally, a large organization (or loose confederation) of hackers may use the same attack code, intending to distribute the work of attacking the entire Internet or at least the interesting parts. They may accidentally duplicate effort. This would be the most interesting thing to detect, as it would expose the scope (if not the origin) of a large-scale attack.
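All three situations reduce to the same observable in the logs: an identical, ordered sequence of requests turning up in more than one session, either from different source addresses (shared attack code, or one operator working from several compromised hosts) or from the same source again after a gap (a re-run "just in case"). The following Python is an added example, not code from the original page, showing one way to pull that pattern out of a web server log. The log lines are constructed for the example, and the ten-minute session gap and three-request minimum are arbitrary assumptions a practitioner would tune to their own traffic.

```python
"""Find attack request sequences replayed across sessions in a web server log.

Added example, not from the original page. Sample log lines are constructed
in Apache combined-log layout; hosts and paths are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one probe sequence run by 203.0.113.7, re-run by the
# same host hours later, then run again from 192.0.2.45; plus benign browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [10/Oct/2003:13:55:37 +0000] "GET /admin/login.php?user=guest&id=7731 HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [10/Oct/2003:13:55:38 +0000] "POST /upload.php HTTP/1.0" 404 291 "-" "-"
198.51.100.22 - - [10/Oct/2003:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Oct/2003:14:02:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2298 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2003:21:30:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [10/Oct/2003:21:30:02 +0000] "GET /admin/login.php?user=guest&id=9018 HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [10/Oct/2003:21:30:03 +0000] "POST /upload.php HTTP/1.0" 404 291 "-" "-"
192.0.2.45 - - [11/Oct/2003:02:17:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 291 "-" "-"
192.0.2.45 - - [11/Oct/2003:02:17:04 +0000] "GET /admin/login.php?user=guest&id=4402 HTTP/1.0" 404 291 "-" "-"
192.0.2.45 - - [11/Oct/2003:02:17:05 +0000] "POST /upload.php HTTP/1.0" 404 291 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SESSION_GAP = timedelta(minutes=10)  # assumed idle time that starts a new session
MIN_SEQ_LEN = 3                      # assumed: ignore one- or two-request sequences


def normalize(method, target):
    """Reduce a request to the part an attack tool repeats verbatim.

    The query string is dropped and digit runs collapsed to "N", so per-run
    noise such as session ids or counters does not break the fingerprint.
    """
    path = target.split("?", 1)[0]
    path = re.sub(r"\d+", "N", path)
    return f"{method} {path}"


def parse_log(text):
    """Yield (ip, timestamp, normalized_request) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it rather than crash
        ts = datetime.strptime(m["ts"], TS_FMT)
        yield m["ip"], ts, normalize(m["method"], m["target"])


def sessions(events):
    """Group events into (ip, start_time, [requests]) sessions split by idle gap."""
    by_ip = defaultdict(list)
    for ip, ts, req in events:
        by_ip[ip].append((ts, req))
    out = []
    for ip, evs in by_ip.items():
        evs.sort()
        cur, start, last = [], None, None
        for ts, req in evs:
            if last is not None and ts - last > SESSION_GAP:
                out.append((ip, start, cur))
                cur, start = [], None
            if start is None:
                start = ts
            cur.append(req)
            last = ts
        if cur:
            out.append((ip, start, cur))
    return out


def find_replayed_sequences(text):
    """Return {request_sequence: [(ip, session_start), ...]} for every sequence
    of at least MIN_SEQ_LEN requests that appears in more than one session.

    Hits from different IPs point at shared attack code or one operator on
    several hosts; hits from one IP hours apart look like a re-run.
    """
    seen = defaultdict(list)
    for ip, start, reqs in sessions(parse_log(text)):
        if len(reqs) >= MIN_SEQ_LEN:
            seen[tuple(reqs)].append((ip, start))
    return {seq: hits for seq, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    for seq, hits in find_replayed_sequences(SAMPLE_LOG).items():
        print("Sequence seen %d times:" % len(hits))
        for req in seq:
            print("   ", req)
        for ip, start in sorted(hits, key=lambda h: h[1]):
            print("  from", ip, "at", start.isoformat())
```

On the sample above the benign two-request browse from 198.51.100.22 is never reported, while the three-request probe shows up three times: twice from 203.0.113.7 (the re-run case) and once from 192.0.2.45 (the shared-code or distributed-work case). Exact-match fingerprints are deliberately strict; a real deployment would also want a near-match (for instance, sequences differing by one inserted request) to catch slightly different versions of the same tool.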
