
Understanding Modern Computer Attack and Defense Techniques

Attackers have ramped up their efforts with a dangerous cocktail of social engineering, Web-based attacks and persistence. How will your organization stay ahead?

It takes time and money to adjust IT security measures in response to evolving attack tactics. As defenders gradually update their security measures, attackers respond accordingly. Such arms-race dynamics lead to threats of increasing sophistication and efficiency. Today's cybercriminals often have a long-term interest in their targets and often employ social engineering to get inside a protected environment. Their tactics commonly include a malicious payload that attempts to compromise the victim's system and may then continue spreading within the organization. They also increasingly focus on weaknesses at the application level, rather than the system or network level, to obtain the data that provides the most value.

Defending IT infrastructure involves understanding attack tactics that are particularly effective today. As you assess and improve your information security program, consider the following characteristics of modern computer security threats and the recommendations for dealing with them.

Social Engineering Bypasses Technical Defenses

Attackers increasingly employ social engineering tactics to exploit natural human predispositions with the goal of bypassing defenses. Such approaches can persuade victims into clicking on malicious links, opening exploit-laden attachments and installing malicious software. The psychological factors attackers incorporate into social engineering attacks include the following:

Such social engineering techniques blur the line between external and internal threats, because social engineering allows external attackers to quickly gain an internal vantage point. Once inside the protected perimeter, for instance, attackers can pursue targets that are inaccessible from the outside. To account for this threat vector, incorporate social engineering concepts into your security awareness program to make your employees more resistant to such tactics. Assess the extent to which your employees have learned the key concepts, provide feedback and adjust the training if necessary.

To further strengthen your posture, employ security defenses assuming that some employees will be social engineered despite the security awareness training. This involves:

Targeting Workstations Through the Browser

Attackers have been successful at penetrating enterprise defenses by taking advantage of bugs in the Web browser or in software that the Web browser can invoke. Such client-side exploits have targeted browser add-ons such as Flash and Java Runtime Environment (JRE), as well as the code that is part of the Web browser itself. They have also targeted document viewers and editors, such as Adobe Reader and Microsoft Office. The exploits might be delivered to victims via email, in the form of attachments or links, or might be presented when the victim encounters a malicious website while browsing the Web.

Although client-side exploits have been part of the threat landscape for a number of years, several factors are making workstations a more attractive target than ever before:

Another factor that seems to be making attacks on workstations more frequent is the increased availability of powerful exploit kits, which automate the exploitation of client-side vulnerabilities. A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. An exploit kit acts as a launching platform to deliver other payloads, which may include a bot, a backdoor, spyware or another type of malware.

Attackers will continue to pursue vulnerabilities in workstations that could be exploited through victims’ web browsers. Consider the following measures to improve your ability to withstand such tactics:

Compromising Web Applications

As our infrastructure security practices mature, attackers are turning their attention to Web applications. In some cases, the attackers' goal is to compromise websites so that they can be used to target client-side vulnerabilities through visitors' browsers. Attackers also commonly pursue Web applications that process or store valuable data. Such application-level attacks, which have been very successful at bypassing defenses, include the following tactics:

The list of effective application-level attack vectors is too long to be included here. For more details, take a look at the OWASP Top Ten Project. Why are so many applications vulnerable to such tactics? Partly, it's because many developers aren't trained to write attack-resistant code. Moreover, developers' incentives prioritize features and deadlines over the application's defensive posture. Yet another reason is the infrastructure focus of many security programs, which don't give application-level issues the attention they need.

Here are a few suggestions for tackling the challenges of application-level threats and vulnerabilities:

Attackers with Long-Term Interests

While a fair number of intrusions can still be classified as quick hit-and-run incidents, many attackers have demonstrated the desire and ability to invest in long-term campaigns for achieving financial and, in some cases, political objectives. Such focused activities typically comprise a series of events spread over a period of months and even years. Recently, attacks by adversaries with long-term interests have taken on the following forms:

Consider the following recommendations to prepare for dealing with incidents that might be attributed to attackers with long-term interests:

Modern computer attackers understand the weaknesses inherent in their targets' defensive capabilities, sometimes better than the targeted organizations themselves. Intruders often incorporate elements of social engineering to persuade victims to take actions desired by the attackers, such as clicking on links, spreading URLs or supplying logon credentials. Attackers frequently target client-side vulnerabilities, recognizing that enterprises have a hard time keeping workstations up to date on security patches.

Cybercriminals also target vulnerabilities in web applications to obtain access to valuable data and to gain a platform for attacking website visitors. Many attackers are part of well-organized, profit-motivated groups who are willing to invest time and money towards achieving their objectives. As a result, organizations need to be prepared to handle attack campaigns that might span months and years. Resisting the attack tactics discussed above involves understanding the threats, so you can build and adjust your defenses accordingly.


Authored by Lenny Zeltser. Lenny is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter and read his blog.