Types of Attacks, Types of Attackers
In previous posts I have referenced two different types of attacks: opportunistic and focused. These categories apply to attacks of all kinds, physical and digital, an understanding them is important to fully understanding how to defend against them. This post will attempt to define these two types of attack and the attackers that may carry out each. Please note that these are my own definitions and should not be considered “official”.
Types of Attacks
The types of attacks one may face fall into one of the following two categories: opportunistic and focused or targeted. These two descriptions exist on far ends of the spectrum; every attack will fall somewhere between the two.
The Opportunistic Attack: This type of attack is most common, and is not directed at you personally. Though it may feel extremely personal, especially if the attack is violent in nature, the attack is merely one of opportunity. I considered also categorizing the opportunistic attack as “random”. This attack is not truly random, however. The attacker has made an assessment (perhaps an extremely inaccurate one, perhaps not) that you or your belongings are vulnerable and upon this assessment has made a decision to attack. We can almost entirely avoid this type of attack by being a hard target. Doing so will encourage the opportunistic attacker to move on to a softer target.
The Focused/Targeted Attack: This type of attack is carried out specifically against you and is much more difficult to defend against. The focused/targeted attack will be characterized by a lengthy planning and reconnaissance period, during which time you may be under surveillance, have your perimeter probed, and test runs may occur. The true danger with a focused attack is the willingness of the attacker to adapt his or her methodology to bypass your countermeasures. The best defense against a focused, targeted attack is vigilance and a comprehensive defense-in-depth.
Types of Attackers
Attackers themselves are slightly more nuanced. Categorizing attackers requires attention to two specific attributes: skill level and focus (how interested the attacker is in you specifically). The combination of the two will vary, and will define the attack. The least capable attackers will lack both skill and focus, while the most capable will have ample levels of both.
Level I: An attacker at this level will possess minimal skill, minimal knowledge of his or her target, and little to no focus on a specific target. Examples of this attacker include the kid who is sniffing unsecured Wi-Fi hotspots, the guy who hopes to shoulder-surf your PIN at the ATM, or the smash-and-grab thief who notices there is no car in your driveway and all your lights are off. Defeating this category of attacker is relatively easy: make yourself a hard target by using common sense security measures. An attack by a person at this level will be an opportunistic attack.
Level II: A Level II attacker will possess either some degree of skill or some personal knowledge of you. Examples include an accomplished, skilled burglar who has cased your home or an ex-boyfriend/girlfriend who is out for revenge and has personal knowledge of you but little skill. An attack originating from someone in this category has a higher likelihood of success than an attack from a Level I attacker, and may be opportunistic or targeted/focused. Further, an attacker in this category may be easily dissuaded when encountering a significant obstacle.
Level III: Level III attackers are characterized by a combination of a decent skill level and either personal knowledge of you or the skill and patience to acquire that knowledge. Examples of this type of attacker include professional criminals, serial killers, hackers, and con men. Encounters with individuals in this category are relatively rare but the consequences are potentially dire. An attack by an individual in this category may be opportunistic or targeted, but his or her methodology will be more sophisticated. Deterring or defeating someone in this category requires much more work than Levels I and II. Upgraded security measures, constant adherence to best practices, and situational awareness are the best defense against an attacker in this category.
Level IV: Level IV attackers are known in the information security community as “advanced persistent threats”. Governments fall into this category, as do hacker groups like Anonymous and other extremely sophisticated adversaries who are specifically targeting a specific individual. The attacks perpetrated by these types are not opportunistic; they are targeting you for a specific reason. Perhaps you have angered someone, you are perceived as threat to them, or you are the subject of an investigation. An advanced persistent threat will be characterized by intense focus, extremely sophisticated techniques, the time to conduct a thorough reconnaissance, and the ability to adapt to defeat your countermeasures. The chances of facing a Level IV attacker are very small, and the chances of an Level IV attacker succeeding increase steadily over time.
The higher the level of the attacker and the more the attack trends toward targeted focus, more finesse can be expected to be employed, and time is on the side of the attacker. Unless he or she is strictly opportunistic the attacker has the luxury of time; time to probe your perimeter, learn from mistakes, and try again another day. At this point defenses become somewhat less about preventing the attack and more about making the attacker’s job more difficult and detecting his presence before, during, or after the attack.