2021.04.03
Microsoft recently reported a cyber attack against its Exchange. Exchange is the mail server software behind Microsoft’s proprietary email client, Outlook: it stores, routes and delivers the messages that Outlook displays. It is analogous to a postal service, much like Canada Post’s system of addresses, postal codes, and delivery procedures that enables the physical transfer of a parcel from one geographical location to another. The Exchange is the digital equivalent, enabling data transfer between hundreds of millions of computers around the world. It provides an essential service to most governments as well as countless corporations. However, while the scale of the attack has been well reported by the mainstream media, to the average news reader the story is esoteric and strange, and its impact on their own life is not clear.
One reason for the inability of the ordinary person to comprehend attacks like the one on the Exchange is that there is no widely accepted explanation of how or why a cyber attack is conducted — or even what a cyber attack is. Conceptual tools for modelling cyber attacks do exist, but they are only suited to technical analysis of the bits and bytes of data trafficking. This essay will propose a simplified model called the RAED cycle that not only makes clear to the layperson what constitutes a cyber attack, but also explains why it is imperative to understand such attacks.
For the purposes of the new model, the following working definition will be adopted: A cyber attack is any activity that results in a compromise of the confidentiality, integrity, or availability of digital data that is not intentionally initiated by the owner of that data. So, what kinds of activity can result in an attacker compromising someone else’s data? It turns out such attacks follow a predictable, phased sequence in almost every case. To understand that sequence, let us hypothesize a cyber attack.
Imagine an attacker named @ha845C4 [1], a member of a state-sponsored cyber warfare unit like the one that attacked the Microsoft Exchange. His team has been directed to identify and compromise targets that can provide insider information on the Canadian banking system. @ha845C4 initiates the attack sequence with the first phase: Reconnaissance.
[1] That is ‘Athabasca’ in elite speak. Elite speak (aka ‘leetspeak’ or just ‘leet,’ aka 13375p34k or 1337) is a pidgin English that allows hackers to communicate across digital networks using language that is not easily tracked or queried in a database. If that does not make sense, follow this link and enter ‘13375p34k 15 h0w y0u 4v01d d373c710n’ into the translator. If you are still confused, do not worry. That is the point of leetspeak.
A quick Google search tells @ha845C4 that Dr. Eduardo Ordonez-Ponce, Assistant Professor in the Faculty of Business at Athabasca University (AU), recently received funding to investigate how Canadian banks are responding to the Covid-19 pandemic. @ha845C4 suspects that Dr. Ordonez-Ponce will possess lots of curated information regarding the Canadian banking system and will have many contacts within the financial world that can also be exploited. In short, @ha845C4 has found his target data. But he decides not to aim his hack at the doctor himself because if the data owner discovers the intrusion attempt, the network defenders that guard his data (AU’s IT security) might be alerted to the attacker’s intention. So, @ha845C4 determines it is better to find a back door to the data. That way, if he gets found out, he will not have burned the target. @ha845C4 has a way forward. He transitions to phase two: Access.
@ha845C4 assumes the professor will have the target data on an AU intranet site, so finding alternate access to that network is a good backdoor. He returns to Google and types “systems administrator Athabasca University” into the search engine. The first result is a LinkedIn profile for Christopher Miersma, “Senior System Administrator at Athabasca University.” Mr. Miersma informs his LinkedIn audience that his “core technology skill set is Linux server administration,” leading @ha845C4 to believe if he can access AU’s Linux root server using Mr. Miersma’s credentials, he will have administrator privileges to the AU intranet and, by extension, will be able to access Dr. Ordonez-Ponce’s data. He writes a piece of malicious code called a Remote Access Trojan, or RAT, a cyber weapon that will exploit the network for him. He then uses social engineering techniques, such as striking up a chat on LinkedIn, to get Mr. Miersma to click on a link or open a document that delivers the weapon onto the target system. @ha845C4 is now ready to progress to phase three: Effects.
The Effects phase is the essence of a cyber attack. In the Reconnaissance and Access phases, no data is compromised, even if a cyber weapon such as malicious code is delivered to the target system. But now @ha845C4 will use the command-and-control functions of his RAT to observe and steal the system administrator’s log-in credentials. That is a data compromise: the username and password are data the owner intends to keep to himself, so capturing them violates their confidentiality. As @ha845C4 continues infiltrating segments of the network, he will eventually gain access to Dr. Ordonez-Ponce’s hard drive or intranet profile and use the administrator privileges to compromise the target data in multiple ways. He could change figures in Excel spreadsheets to make Canada’s economic outlook appear worse than it is; that would be a compromise of data integrity. Or he might delete a key report the day it is due to be presented because it speaks negatively of potential trade agreements between Canada and the nation-state that is paying @ha845C4 to do all this hacking; that would be a compromise of data availability. Once @ha845C4 is positioned to deliver those effects continuously, he will transition to phase four: Dwell Time.
The goal of most attackers is not just to compromise a single piece of data. Most cyber attacks are designed to enable the attacker to dwell on the network long-term. Attackers rarely want to compromise a piece of data and then disengage from the system. They want to stay undetected and conduct further RAED cycles across the network environment, to compromise bigger and more audacious objectives. That iterative nature of the typical cyber attack is why the four-phase RAED model needs to become common knowledge. Cyber war is forever. Reporting on individual hacks as if they are discrete events obscures the unending contest for relative advantage that exists between attackers and defenders. And remember, if you have digital data, you are a defender. You are in the war.
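As an added illustration from the defender’s side (my own example, not part of the essay), the following Python script reconstructs the Effects and Dwell Time phases of the hypothetical attack above from a handful of constructed log lines. It classifies each event by the property in the working definition that it violates: confidentiality when valid credentials are used from a host the owner never uses, integrity when a file’s hash no longer matches a baseline recorded while the data was trusted, and availability when a file the owner relies on is deleted. It then measures dwell time as the interval between the first compromise and the defender’s detection event. Every host, account, file path and log line is a constructed placeholder.

```python
"""Defender-side reconstruction of the essay's Effects and Dwell Time phases.

Added example: constructed log lines and file baselines, not real data from
Athabasca University or any other organisation.
"""
import hashlib
from datetime import datetime

# Hypothetical baseline the defender recorded before the intrusion:
# path -> file contents at the time the baseline was taken.
BASELINE_FILES = {
    "/home/professor/bank_outlook.xlsx": b"Q3 outlook: stable",
    "/home/professor/trade_report.docx": b"Trade agreement: favourable",
}

# Hypothetical allow-list of hosts each account normally authenticates from.
KNOWN_HOSTS = {
    "sysadmin": {"admin-ws01"},
}

# Constructed log in "time|host|account|action|detail" form: a login from an
# unfamiliar host, a rewrite of the spreadsheet, a deleted report, and finally
# the SOC ticket that marks detection.
SAMPLE_LOG = """\
2021-03-01T09:00:00|admin-ws01|sysadmin|login|ok
2021-03-02T22:14:05|unknown-host-01|sysadmin|login|ok
2021-03-03T01:05:10|intranet01|sysadmin|write|/home/professor/bank_outlook.xlsx:Q3 outlook: severe downturn
2021-03-03T01:06:00|intranet01|sysadmin|delete|/home/professor/trade_report.docx
2021-03-10T08:30:00|soc|analyst|detection|ticket opened
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_hashes(files: dict) -> dict:
    """Integrity baseline: one digest per file, taken while the data was trusted."""
    return {path: sha256_hex(content) for path, content in files.items()}


def parse_log(text: str) -> list:
    """Split the pipe-delimited log into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, action, detail = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "account": account, "action": action, "detail": detail})
    return events


def classify_event(event: dict, baseline: dict, known_hosts: dict):
    """Return the property (confidentiality/integrity/availability) an event
    compromises, or None when it is ordinary activity."""
    action, detail = event["action"], event["detail"]
    if action == "login" and event["host"] not in known_hosts.get(event["account"], set()):
        # Valid credentials used from a host the owner never uses: the
        # username and password have leaked.
        return "confidentiality"
    if action == "write":
        path, _, new_content = detail.partition(":")
        if path in baseline and sha256_hex(new_content.encode()) != baseline[path]:
            return "integrity"  # content no longer matches the trusted digest
    if action == "delete" and detail in baseline:
        return "availability"  # a file the owner relies on is gone
    return None


def reconstruct(log_text: str, files: dict, known_hosts: dict) -> dict:
    """Classify every compromise in the log and compute dwell time: the interval
    from the first compromise to the defender's detection event."""
    baseline = baseline_hashes(files)
    compromises = []
    detected_at = None
    for ev in parse_log(log_text):
        if ev["action"] == "detection":
            detected_at = ev["time"]
            continue
        kind = classify_event(ev, baseline, known_hosts)
        if kind is not None:
            compromises.append((ev["time"], kind, ev["detail"]))
    first = min(t for t, _, _ in compromises) if compromises else None
    dwell = detected_at - first if (detected_at and first) else None
    return {"compromises": compromises, "dwell": dwell}


if __name__ == "__main__":
    result = reconstruct(SAMPLE_LOG, BASELINE_FILES, KNOWN_HOSTS)
    for when, kind, what in result["compromises"]:
        print(f"{when.isoformat()}  {kind:<15} {what}")
    print("dwell time before detection:", result["dwell"])
```

The hash baseline is the same idea that file-integrity monitoring tools apply at scale, and the dwell-time figure is the number a defender most wants to drive down: in the constructed log the attacker sits on the network for over a week before the ticket is opened, which is the long-term presence the Dwell Time phase describes.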