Introduction
One barrier to creating a systematic defense for a networked computing system is the broad range of ways in which adversaries attack such systems. While denial of service, phishing, and exploitation of zero-day vulnerabilities are all described as hacks or attacks, they exploit very different parts of a system, and defending against one does not connect to defending against another. Without a unified way of thinking about these attacks, defense becomes ad-hoc and reactive—doomed to playing catch-up to a constantly evolving, and unpredictable offense. There is a need for a framework which allows network defenders to systemize their thinking about what their adversaries will do and to proactively counter attacks before they happen.
Without such framework, defense can be a never-ending series of reactions to the latest attack. Successful ways of dealing with denial of service attacks appear to be unrelated to attempts to thwart phishing probes, both of which are completely different to keeping viruses and worms out of the network. While there are important differences in these various forms of attack, once we see the similarities in them, we can start thinking systematically about how to build a defense that is more unified and flexible than a collection of tools to defend against isolated attacks.
In this paper, we propose a way of thinking about cybersecurity that unifies the various forms of attack. The framework is two-dimensional, looking at both the goal of the attack and the mechanism for launching the attack. The first dimension looks at the goal of the attack by using the common “CIA” triad to categorize the target—that is, whether the attack affects a system’s confidentiality, integrity, or availability (CIA). The second dimension is unique to our knowledge and differentiates attacks based on how the attacks obtain a thread of control. A thread of control is the mechanism that allows work to be done by a processor. It contains such information as what code is to run, the access privileges of that code, and what code is to run next. We show how existing known attacks can be categorized by how they obtain a thread of control. Some utilize an existing thread of control, while others create new threads of control by standard means. A third set of attacks exploit vulnerabilities in the system to create a new thread of control.
This framework allows thinking about the underlying mechanisms of attacks against computer networks, what they have in common, and how efforts to counter one sort of attack could be re-used or adapted to support efforts we have already expended on countering others. Concentrating on methods of control also redirects our attention concerning what should be monitored in a network, allowing defenders to better prioritize resources, and to more quickly and accurately detect attacks. In addition, we believe that this framework allows thinking about attacks that have not yet occurred, helping defenders to proactively detect those attacks and, per-haps, prevent them before they have been successful somewhere else. This, we hope, might help free defenders from the tyranny of always reacting to one attack after another, and may even allow defenders to proactively put into place defenses against attacks before they happen.
Waldo, James, Katherine Mansted , Benjamin Goh and Jiwon Ma. “A Framework for Cybersecurity.” Belfer Center for Science and International Affairs, Harvard Kennedy School, December 2018