Attack Vector Artifacts

Tuesday, November 9, 2010 Posted by Corey Harrell
An investigation into a compromised system may involve answering various questions such as how did this occur or what security controls failed. To answer either question I think you would have to identify the point of unauthorized access. For example, did the incident originate from a user opening a malicious email attachment, did a user visit a malicious website or did someone just have physical access to the computer. I think you have to determine the attack vector used in order to identify the point of unauthorized access.

SearchSecurity defines an attack vector as "a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome". Using this definition, the attack vector can be broken down into three separate components. The path or means is the exploit used, the payload is the outcome of the exploit, and the delivery mechanism is what delivers the exploit and/or the payload to the target. I know the definition lumps the delivery mechanism and exploit together to make up the means but I think these need to be separated in order to understand the artifacts left on a system. For example, the exploit could be a malicious PDF but the delivery mechanisms such as an email or a website would leave different artifacts on a computer. Exploits, payloads, and delivery mechanisms may leave artifacts on a compromised system and these artifacts could be used to identify the attack vector used.

Exploit
SearchSecurity defines an exploit as "an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders". Exploits can target vulnerabilities in operating systems or applications. Exploits can also target a feature for malicious purpose such as the Windows auto-run feature. There is information available about exploits but the one perspective I don’t see often (or have been unable to find) is the digital forensics point of view. For example, over the past few weeks there have been articles or posts about Java vulnerabilities being targeted more than PDFs, an unpatched Internet explorer vulnerability being added to the Eleonore exploit pack, and a zero-day Adobe flash vulnerability. Despite all of the information about these vulnerabilities being exploited, I have not seen any information about the artifacts left on a system from these vulnerabilities being exploited. If Java is being exploited then what are the artifacts left on a system which point to this attack vector. How does this attack vector compare to an attack targeting Adobe flash. Knowing the exploit artifacts left on a system could be one piece of the puzzle to identifying the attack vector.

Payload
SearchSecurity defines a payload as "the bits that get delivered to the end user at the destination". The payload of an attack can range from unauthorized access to remote code execution to denial of service to escalation of privileges. I think this is an area where there is a wealth of information about the artifacts from common payloads. Take malware as an example. There is a significant amount of information about the artifacts left on a system by malware because of the malware reverse engineers, security bloggers, security companies, antivirus companies, and books.

Delivery Mechanism
The third part of the attack vector is the delivery mechanism which delivers the exploit and/or payload to the target. The delivery mechanisms could include email, removable media, network services (such as file sharing), physical access, or the Internet. Artifacts could be present on a system from the delivery method used to send the exploit or payload. Take the example of a PDF containing an exploit which downloads a piece of malware. The artifacts left by the malicious PDF and the malware would remain consistent between different attacks but the artifacts left by the delivery mechanism would vary. For example, the PDF being delivered by email would leave different artifacts then the PDF being delivered by a website. Similar to the exploits, this is also one area where there isn't a lot of information from the digital forensics point of view.

How Could these Artifacts Help?
Artifacts could be categorized under the three components of the attack vector. The three components could be further subcategorized until you get to the most basic level. To illustrate I will show a potential way for the delivery mechanism to be broken down to a basic level so the artifacts could be documented. The category at the top would be the three attack vector components.

The subcategories of the delivery mechanism would be the various ways for exploits and payloads to be delivered to a target system. A few examples are shown below.

These subcategories could be further broken down into more subcategories. For example, the email category could be separated into web email or email using a client application. The common email attack techniques such as clickable links or file attachments would be underneath the web mail and client application categories. This would be the basic level that could be examined to determine what artifacts are left on a system by these attack techniques. For example, what are the artifacts if a user opens an email attachment or clicks a link using a web email client or an email application? How would both of these techniques appear in a timeline?

To further illustrate how a category could be broken down to a basic level the picture below shows a potential way to subcategorize the Exploit category.

Subcategorizing until you get to the most basic level would allow you to document the attack vector artifacts. For me, having a resource that outlines these artifacts would be very helpful. I could use it as a guide in order to gain a basic understanding of the different types of attacks and the artifacts left by those attacks. The artifacts could be combined together to illustrate how a certain attack may appear on a system. For example, the artifacts left by an Microsoft Word exploit could be combined with the artifacts of a user opening an email attachment to show what it might look like if a user opened a malicious Word document email attachment. Besides using this resource for learning purposes, I could also use it as a reference during an examination of a system. For example, if a timeline shows activity on a system then the resource could help validate what I’m seeing. I could have used this type of resource to better understand the Windows Help Center vulnerability during the examination of the system in my post Anatomy of a Drive-by Part II.

This has been an area I have been considering for a few months but I haven't had the time to pursue it. However, I think it would be a good learning exercise to try to document the artifacts of a few exploits and delivery mechanisms so I'm making it a point to find the time. Anyone have any thoughts or comments about trying to document the artifacts from the common attack vectors?
Labels:

Post a Comment