Reducing the Effects of Blended Attacks

Updated on March 5, 2018

Abstract

Although Denial of Service attacks may occur from any single front, many hackers have swayed to releasing blended attacks on the global Internet-connected community. These attacks may infiltrate systems from multiple attack vectors at once or cause multiple types of mayhem in the aftermaths of events. The author reflected back on the interviews conducted for the previous assignment and related the particular mode of attack to that of a blended one. The cost of eradication was considered as it applied to the highlighted organization and the costs of eradication to the global environment. Following best practices guidelines was presented as an effective method for administrators on a global scale to work together to reduce the effects of blended attacks.

The attack described by the author in the paper I Love You Led to Denial of Service exploited email servers, host machines, and network infrastructures in what may be described as a blended attack. Chien and Szor (2001) provided a definition of a blended attack or a blended threat when they stated “A blended threat exploits one or more vulnerabilities as the main vector of infection and may perform additional network attacks such as a denial of service against other systems” (p. 2). The afore-mentioned attack included a virus that infected an e-mail client, gained access to the client’s address book, then mailed copies of the virus to all the entries in the address book.

Some recipients of the first wave of mass mailings opened the messages, which infected the e-mail clients of the host computers used by the recipients and started the cycle to produce mass mailings from each infected client. The messages made way to the mail-servers, which also became infected. The bulk of generated e-mail resulted in a Distributed Denial of Service (DDoS) attack, which seriously degraded the performance of the corporate network.

This blended attack took advantage of multiple attack vectors to cause the mayhem. The initial attack vector was a social-engineering attack that enticed a recipient to open the message. The second attack vector took advantage of a flaw in the e-mail client software, which permitted the virus to gain entry to the address book and generate mass mailings. The final attack vector was a deficiency in the network infrastructure, which was not able to counter the effects of the mass-mailings.

Highlights of I Love You

In the year 2000, lax legislation in the Philippines created a situation that permitted a hacker to write a virus without the fear of apprehension or prosecution. Stateman (2000) summed up the scope of the global effects of the I Love You virus as affecting public organizations and private firms in at least 20 nations. Cume (2000) estimated the shared cost of damage the infections caused at around $10 million.

The estimate provided by Cume (2000) did not take into consideration non-reported occurrences of I Love You infections. The likelihood that the organization highlighted by the author of the paper I Love You Led to Denial of Service reported the infection was fairly low because the cleanup was handled internally. The fear of the loss of public confidence in a healthcare organization could prevent the organization from reporting an infection when data were not compromised.

Security Posture

The highlights of the interviews conducted by the author to gain insight into the DDoS attack that infected the profiled organization demonstrated that the security posture of at least that organization was not prepared for a blended attack. Although efforts to protect the information assets were not totally missing, those efforts were guided by a philosophy that did not view threats to information security as high risks to the organization (Senior Manager, personal communication, September 8, 2011). Controls were in place to protect the network perimeter and individual hosts, but the initial attack vector was not contemplated.

The organization’s perimeter was protected by a firewall and virus protection resided on the organization’s host computers. However, the actions of a single contractor effectively circumvented those precautions. A social engineering attack led the contractor to open up an e-mail containing the I Love You virus. Real-time antivirus protection on the organization’s host computers may have prevented the generation of mass mailings, but that protection was not available at the time of the infection.

The firewall that protected the organization’s network perimeter included no Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). An IDS may have alerted an administrator to a sudden flood of outgoing e-mail, and an IPS may have stopped the proliferation of that e-mail. However, since neither an IDS nor an IPS were in place, a flood of e-mail traffic began with the first infection and continued until the e-mail servers were no longer capable of handling the load.

Cost of I Love You Cleanup

The global cost to mediate the I Love You infection was estimated by Cume (2000) at $10 million as stated earlier. The costs to the healthcare organization to eradicate the infection were much lower than the global cost but were none the less high for the organization. The main cleanup effort was localized to the computers at the corporate home office (Network Engineer, personal communication, September 8, 2011) but the effort included the time of the entire network infrastructure engineering staff.

The network infrastructure engineering staff included a director, a senior manager, two Wide Area Network (WAN) specialists, two server specialists, and five client specialists. Each of these staff members dedicated their time to eradicating the effects of the infection while the incident was in progress. The incident lasted about three days, and those staff members worked 16-hour days during that time.

Eradicating the I Love You infection required the effort of 11 IT staff-members for about 11 hours each during the time of the incident. There were also other on-going efforts that could not be neglected, which accounts for the difference between the time worked by individuals and the time dedicated by those individuals to fighting the infection. Performing the math on the noted hours leads to an effort of 363 working hours from the IT staff members to fight the infection. The loss in working hours for the entire organization would be difficult to calculate, but the loss of e-mail functionality could relate to a loss of productivity of about an hour per day for each affected employee while that employee adjusted tasks to compensate for the loss of e-mail functionality.

There were about 600 employees at the corporate home office, each of whom used e-mail to some extent and the organization also maintained 427 remote business units in 37 states. Each of those remote business units employed a minimum of five individuals who relied on e-mail to perform their daily tasks. To put it in perspective, adding the hours that employees lost due to the infection leads to a figure of 3098 lost working hours. Applying an average hourly pay-rate of $15 per hour for each affected employee would lead to a figure of $46,470, which provides a rough estimate of the cost of lost productivity to the organization.

Worst Case Scenario

In the year 2000 many hackers operated under motivational factors that focused on notoriety and fame. Today, however, the focus of the hacker community has shifted from notoriety and fame to money. Social engineering techniques entice users of both organizational and individual devices to perform detrimental actions without even knowing the effects or consequences of the actions taken.

Although the I Love You virus was responsible for organizations experiencing lost man hours and clean up costs, the effects of blended threats in today’s environment may be much worse. Carafano and Sayers (2008) described the proliferation of botnets. A botnet is a collection of infected host computers that are controlled remotely by a single individual. The individual computers are called zombie computers upon initial infection and become bots after they call home to join a botnet. The hacker who collects bots and controls the botnet is referred to as a bot herder.

Hackers develop many variations of worms with the express purpose of creating botnets. One of the most infamous botnets was the Storm Botnet, which developed as the result of infection from the Trojan Peacomm. The worm that carried the Trojan was transported as an attachment to an e-mail that enticed users with alleged news stories of a Killer Storm or some variant. Gordon (2010) proposed that the Storm Botnet once generated about 20% of the world’s spam e-mail but fizzled out near the end of 2007. “Some 274,372 demonized PCs were exorcised during the first month alone” (para. 2). However, this particular threat appears to be re-emerging, according to Gordon (2010).

Best Practices

An organization faces the internal damage from the successful exploitation of a blended threat. That same organization also faces risk if an internal infection propagates through the internal network and makes way to the outside world. However, there are certain best practices that administrators can employ to reduce that risk. A global effort by administrators to employ these best practices would reduce the effects of global blended attacks.

Remove or Disable Unneeded Services

Many software operating system platforms arrive with many unnecessary services enabled. For instance, the Web Server Service on port 80 may be enabled. If that service will not be used on the device, then best practices prescribe that the service be disabled or removed, this will prevent the device from listening on the port and answering service requests.

Extend Security Efforts inside the Perimeter

Dunkel (2009) proposed that organizations concentrate efforts inside the firewall and extend those efforts “into the computer room, rather than only securing the physical perimeter around it” (p. 50). Although the demand for Linux and Microsoft certified technicians remains high, organizations would do well to employ security analysts as well. This added expertise would allow for the proper tuning of security controls and devices.

Firewall at the Perimeter

Although some organizations do not, every organization should employ a firewall at the perimeter. Firewalls possess the ability to breach many forms of attack before any effect appears on the inner network. Chien and Szor (2001) noted that a particular firewall was able to stop the CodeRed virus because the virus relied on malformed GET requests. The firewall was able to block the virus simply by enforcing a rule to drop the malformed packets.

Personal Firewalls

Newer security suites and some operating systems incorporate personal firewalls. These firewalls reside on the host computers and monitor the activity within those hosts. Chien and Szor (2001) maintained that “Half of the damage is done when the attack enters the internal network; the other half occurs when it leaves the internal network. The secondary damage can often be more costly than the primary damage” (p. 29). As a global strategy, using personal firewalls in conjunction with enterprise firewalls help ensure that organizations do not attack other organizations.

IDS and IPS

Intrusion detection and prevention systems alert administrators when activity extends past the norm. Without such devices, the only warning that an attack may be underway would be when systems start to crash or events go awry. Some of these devices also have the ability to stop certain attacks once they have started.

Security Awareness Training

Implementing organizational security awareness training ranks among the most important best practices for administrators to follow. Users are the ones responsible for the success or failure of security controls and policy. Therefore, only by training users on their responsibilities to protect organizational assets can any security program realize success.

Conclusion

A blended attack may attempt to infiltrate a system using multiple attack vectors and may use an infected machine to launch attacks against other systems or organizations. The incident highlighted in the previous paper was a blended attack because the I Love You virus took advantage of multiple deficiencies to gain entry into a host and the infection resulted in a DDoS attack. This incident resulted in 3098 lost working hours and a cost estimated above $46,000 to eradicate from one firm’s network. The global costs of this one incident were estimated by Cume (2000) at $10 million.

Although the eradication costs may be high, a much larger threat would be the joining of an organization’s networked hosts to a botnet. These demonized hosts take orders from hackers known as bot herders, who use the computers to launch DDoS attacks or generate spam e-mail. Once an organization’s internal hosts fall under the control of a hacker, the organization faces the threat of possible litigation or loss of public confidence.

There are certain best practices that administrators of organizations could follow to reduce the harmful effects of blended attacks. Among those best practices are removing unneeded services from hosts and servers, placing enterprise firewalls at the network perimeter and installing personal firewalls on user’s hosts, employing security practitioners to monitor the security posture and maintain the configurations of security devices, and providing a regimen of security awareness training to employees at all levels. If administrators on a global level follow these guidelines, then the effects of blended attacks would be greatly reduced.

References

References

Carafano, J. J., & Sayers, E. (2008). Building cyber security leadership for the 21st century. Backgrounder , 2218, 1-7.

Chien, E., & Szor, P. (2001). Blended attacks, exploits, vulnerabilities, and buffer-overflow techniques in computer viruses. Virus Bulletin Conference.

Cume, J. (2000). Chapter 15: Hackers don't want you to know ... it takes a thief to catch a thief. In Inside Internet Security: What hackers Don't Want You To Know. Harlow, CM20 2JE: Pearson Education Limited.

Dunkel, D. (2009). A blended solution for a new threat. SDM: Security Distributing & Marketing, 39 (3), 50.

Gordon, D. (2010). Infamous Storm botnet rises from the grave. The Register. Available from http://www.theregister.co.uk/2010/04/27/storm_botnet_returns/

Stateman, A. (2000). Love at first bite. Public Relations Tactics , 7 (7), 1-4.

Comments

    0 of 8192 characters used
    Post Comment

    No comments yet.

    working

    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, turbofuture.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: "https://turbofuture.com/privacy-policy#gdpr"

    Show Details
    Necessary
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)
    Features
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Marketing
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Statistics
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)