Cyber Attack Models: What are they?

Attack models describe the structure of an attack in phases. They provide a means to conceptualize the different aspects of an attack. However, it is important to understand that not all attacks must complete all phases to be successful. In fact, many attacks iterate recursively through the phases of an attack model. Kill Chain is a military term used to describe the structure (or phases) of an attack. In a military context, the process is described as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with a suitable weapon or asset to create the desired effects; engage the adversary; assess the effects. Scientists at Lockheed Martin used this concept to develop the Cyber Kill Chain. It was described in a paper presented in 2011 at the 6th Annual International Conference on Information Warfare and Security (Intelligence-Driven Computer Network Defense…). Some people love it — others, not so much. Regardless, it has become an almost standard framework which others have altered or extended in different ways. Let’s do a high-level fly-over, examine some of the criticisms, and then take a look at a couple of variants!


When organizations consider outsourcing applications or processes to cloud providers, there are many areas to evaluate carefully. Security is always near, or at, the top of the list. Of the many facets of security to evaluate when selecting cloud providers, asking for disclosure of relationships to other cloud providers or third parties of interest is one not to forget. Let’s examine a simple scenario where this could impact your ability to meet compliance and/or regulatory requirements.

The time has arrived! Malware Monday, as some have labeled it. The FBI has shut off the DNS servers it maintained to allow those infected with the malware to continue to operate and to provide additional time for cleanup. The malware redirected web site requests to sites where its authors could make money off of advertising — so-called “click hijacking.” And make money they did — supposedly about $14 million USD.

With millions of passwords stolen from LinkedIn, eHarmony and other sites in the past few weeks, it is a good idea to re-think your password strategy. It should certainly make it clear that re-using one or even several passwords across many web sites can be dangerous. But creating and remembering individual passwords for the ever-growing collection of web sites that comprise our digital lives can be daunting. What should you do?

Networks, like the enterprises they support, evolve over time. It is extremely rare that one has the opportunity to re-evaluate the underlying assumptions behind a logical network design and the IP address schema and, with the advantage of hindsight, make course corrections that can provide flexibility and accommodate the security controls needed now and into the future. Such an opportunity may only come along once a decade or more. Most corporate enterprises did not connect to the Internet until the late 1990s or early 2000s, and their experience with TCP/IP was limited, but many are still living with the choices made long ago. If you could re-design your enterprise network IP address space today, what would you change? The example that follows provides one such way for a large private network. Of course, you have to have a driver for undertaking such a project, and the creation of security zones is a good one!

Establishing isolated security zones within an enterprise network is an effective strategy for reducing many types of risk, and this is especially obvious when one considers how permeable networks are today. The old perimeter defense model is no longer sufficient. Some would argue it is no longer necessary — that de-perimeterization is inevitable, that we should prepare for a future of blended networks without clear boundaries, and that security should be moved inward. Ultimately, all security is about protecting a valuable asset – data – but that protection involves a defense-in-depth strategy that includes all layers.

Tomcat is a popular, lightweight Java servlet container. It is often installed along with administrative applications. Under Debian and Ubuntu, these are part of a separate package, tomcat6-admin (in the case of Tomcat 6). Although the admin application is no longer available, both a manager and a host-manager application are provided. When deploying Tomcat in production, the best risk mitigation strategy is to remove them (or not install them in the first place). However, if you choose to, or need to, keep these services, then additional controls are required. Where and how?