Methodology & Terminology 102, Attacker

Recap and Intro

If the CIA triad is the defender’s goal (confidentiality, integrity, and availability, plus non-repudiation), then taking the antonym of each of those words and concepts gives us DAD-A. Better known as the DAD triad, the attacker’s objectives are the following: disclosure, alteration, destruction, and anonymity. Each of these correlates directly to a point of the CIA triad. The purpose of the DAD triad is not so much to defend our networks in a meaningful way as to categorize and understand what the loss of each part of the CIA triad would mean, so that down the road we can build a better understanding of risk.

The DAD Triad

Disclosure

A WW2 Propaganda Poster

Best summarized as losing control of your data. While you may have legal recourse over a song, a trademark, or other proprietary data, as the saying goes, once it’s on the internet it’s always on the internet. One of the most vile disclosures is the leaking of nude photography of an ex-lover, with entire businesses built around it that won’t be dived into here. Another example is when Edward Snowden famously took classified documents and gave them to WikiLeaks. The information had lost its confidentiality: United States government secrets had been disclosed to the world in the public domain, and could never be removed. Some countries, like China, have tried to recover the confidentiality of disclosed data, as with Tiananmen Square 1989, when several hundred protesters were put down. Now searching for, or even mentioning, the event can interrupt your internet connection if you’re surfing from China.

Alteration

Substantially more difficult than disclosure. Alteration is the ability to change ones to zeros in a meaningful way: destruction with extra steps. MI6, roughly the British equivalent of the CIA, hilariously performed Operation Cupcake. By altering the data to be published in an al-Qaeda newsletter, a bomb recipe was replaced with a link on how to make cupcakes from The Ellen DeGeneres Show. Doing so not only proved they could destroy the data, but that they had full control over the distribution of the newsletter. Alteration is the least common of the four. While destruction inherently means the data is altered, alteration refers to doing so in a meaningful way beyond just destruction.

Destruction

WW2 Propaganda Poster

This also includes degradation and denial, as they all deal with affecting the availability of a system. Distributed Denial of Service (DDoS) attacks and ransomware are both ways to achieve destruction that receive a lot of publicity. Infamously, NotPetya was ransomware allegedly associated with Russia which encrypted entire hard drives and spread through networks that had the outdated SMBv1 protocol available. Unlike other ransomware, there never was a way to decrypt it, meaning it really did destroy the data. Most parties attributed it to Russia making use of NSA tools that had previously been disclosed by the Shadow Brokers, who had allegedly stolen them. Considering it largely affected Ukraine around the time the territory of Crimea was annexed by Russia, it’s not hard to see why people have pointed their finger that way. The convenience of Ukrainian systems being destroyed was just too coincidental for any other country to be suspected.

Anonymity

Anonymous logo with their slogan “Disobey.”

While not traditionally part of the DAD triad, it is a very large part of almost any attacker’s objective: not only to be anonymous, but to be quiet and unnoticed until you want to be. Very rarely are any actions taken by an attacker who wants to be known as soon as they start. Even groups like Anonymous, who publicize their attacks, pride themselves on people not knowing their identities, to avoid legal recourse and to encourage others to take part. Achieving anonymity comes through a lot of different techniques: impersonating users by using their accounts, deleting or editing logs, and VPNs (Virtual Private Networks) to mask where they’re coming in from or sending information out to.
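The log deletion and editing mentioned above is exactly what a defender’s logging has to survive, and it is also the integrity side of the wrap-up’s point about logging. As an added example (not code from this post or from any project it mentions), here is a hash-chained audit log in Python: every line carries a hash that commits to the hash of the line before it, so an edited or removed entry breaks every link after it. The sample events, the GENESIS starting value, and the idea of keeping the latest hash off-box as an anchor are assumptions for illustration.

```python
"""Hash-chained audit log: detecting edited, deleted or truncated log lines.

Each line is stored as 'record|hash' where hash = SHA-256(previous_hash + record).
Changing or removing a line makes the next line's stored hash no longer match.
"""
import hashlib
from typing import List, Optional

# Constructed starting value for the chain (assumption; a real deployment would
# use a per-host secret or the last hash shipped to a remote log server).
GENESIS = "0" * 64


def _link_hash(prev_hash: str, record: str) -> str:
    """Hash of this record bound to the hash of the line before it."""
    return hashlib.sha256(f"{prev_hash}\n{record}".encode()).hexdigest()


def last_hash(log: List[str]) -> str:
    """Stored hash of the final line, or GENESIS for an empty log."""
    return log[-1].rpartition("|")[2] if log else GENESIS


def append_record(log: List[str], record: str) -> str:
    """Append `record` as 'record|hash', chained to the previous line's hash."""
    h = _link_hash(last_hash(log), record)
    log.append(f"{record}|{h}")
    return h


def verify_chain(log: List[str]) -> Optional[int]:
    """Index of the first line that does not chain to its predecessor,
    or None if the whole log is intact. Edited, inserted or deleted
    lines all surface as a broken link at that position."""
    prev = GENESIS
    for i, line in enumerate(log):
        record, sep, stored = line.rpartition("|")
        if sep != "|" or _link_hash(prev, record) != stored:
            return i
        prev = stored
    return None


def verify_anchored(log: List[str], expected_last_hash: str) -> bool:
    """Chain check plus comparison against a hash kept off the box
    (e.g. forwarded to a remote log server). The chain alone cannot see
    that the *tail* of the log was cut off; the external anchor can."""
    return verify_chain(log) is None and last_hash(log) == expected_last_hash


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2019-03-21T10:00:01 login user=alice src=10.0.0.5",
    "2019-03-21T10:02:13 sudo user=alice cmd=systemctl restart sshd",
    "2019-03-21T10:03:40 logout user=alice",
]


def build_sample_log() -> List[str]:
    log: List[str] = []
    for event in SAMPLE_EVENTS:
        append_record(log, event)
    return log


def edited_copy(log: List[str]) -> List[str]:
    """Copy where the second record's user name was changed in place."""
    bad = list(log)
    record, _, stored = bad[1].rpartition("|")
    bad[1] = record.replace("user=alice", "user=bob") + "|" + stored
    return bad


def deleted_copy(log: List[str]) -> List[str]:
    """Copy where the second record was removed entirely."""
    return log[:1] + log[2:]


def truncated_copy(log: List[str]) -> List[str]:
    """Copy where the most recent record was removed."""
    return log[:-1]


if __name__ == "__main__":
    good = build_sample_log()
    anchor = last_hash(good)  # what a remote collector would hold
    print("intact:", verify_chain(good))                                   # None
    print("edited line at:", verify_chain(edited_copy(good)))              # 1
    print("deleted line at:", verify_chain(deleted_copy(good)))            # 1
    print("truncated, chain only:", verify_chain(truncated_copy(good)))    # None (missed)
    print("truncated, anchored:", verify_anchored(truncated_copy(good), anchor))  # False
```

The last two lines are the caveat worth remembering: a hash chain by itself proves nothing about the end of the log, because an attacker who removes the newest lines leaves a chain that still verifies. Forwarding the latest hash (or the lines themselves) to a system the attacker does not control is what closes that gap.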

Wrap Up

So long as the defender can deny the attacker these objectives, through proper access control, redundancy, logging, or any other manner of ways, they can outlast the attacker. There’s no way to stop every attacker all the time, and it takes more than one person to implement and operate all the tools to secure a network. However, if your network is secure enough relative to how much getting in might be worth, eventually an attacker will move on. We all have bills to pay.

Edited 21 March 2019
