Place, time and role: the three basic principles of physical attacks
The experience of defense in the “Cyberspace” (or digital) is very complex at operational level. As founder of Yoroi, Marco Ramilli, explains in a long post on his Linkedin profile, the advent of Cyberspace produced a role reversal. Both for the attackers and for those who have to defend themselves. This experience changes radically, as it is proportional to the extent of the threat. A physical threat uses tools of various levels of sophistication, but is always respectful of the three cardinal principles of an attack: time, space and role. Every threat can become an attack. Each attack must take place at a specific time, in a specific place, and needs an attacker and a victim.
The standards of physical attacks, explained through the hunter-prey metaphor
The hunter-prey metaphor can help to explain the three basic principles of physical attacks: (a) both must share the same physical environment in order to be able to hunt and be hunted. In fact, the hunter cannot hunt a free prey roaming around in the “woods” if he is having an aperitif in a stylish place in town. (b) Both the prey and the hunter must live in the same time. The hunter can hunt “that specific prey” if, and only if, the prey is temporally adjacent to the hunter. It is not possible for the hunter to hit a prey that is yet to be born, or one that has already died. (c) The role is well defined: the hunter is the one who “hunts”, while the prey is the one who “escapes”. Given the same hunting scenario, a hunter cannot be both attacker and victim at the same time.
In the digital world, the 3 principles of physical attacks are no longer valid. There are weapons capable of breaking space, violating time and reversing roles
Physical defence is rooted in the concepts of time, space and role. Unfortunately, in the digital environment they are no longer valid, as there are weapons capable of breaking space, violating time and performing role reversal. A weapon that can break space allows the attacker and the victim to share different spaces. They may belong to two different places, and a place-attack relationship is therefore unnecessary. A “long-range missile” allows the attacker and the victim to remain in their environment, but there is a spatial relationship proportional to the range of the instrument used. In the cyberspace this relationship does not exist, it does not depend on either the “range” or the “implemented technology”. The digital world naturally brings into being this spatial division. In a communication through a social network or an email, the sender does not need a spatial relationship with the recipient, who can reside anywhere else and receive the message anyway.
In the cyberspace, it is possible to build an attack that persists in time, thus able to affect the systems of several future generations. Or to create one capable of targeting old and no longer in use systems, and persisting over time
In a conventional attack, the victim and the attacker must share time. It is not possible to “shoot the bullet” and wait for the prey to pass by “the next month”. The time period must be shared, and reasonably connected with the subjects of the attack (just as in the metaphor of the hunter). In the digital realm, this temporal link is not necessary. It is possible to build an attack that persists in time, affecting the systems of several generations in the future, or to create an attack able to target obsolete systems and to persist over time. A classic example is the infamous Conficker worm that, since 2007, infects old generation and outdated Windows systems.
In the digital environment, a victim can become an attacker
In a physical attack, the attacker plays the role of the “offender” and the victim the role of the “defender”. These roles cannot be reversed. Once the “rifle” is cocked, the hunter is the one pulling the trigger. While the victim is the one suffering the effect of the “bullet”. In the digital environment, even this concept is no longer correct. A victim can easily become an attacker, and vice versa. Now let’s try to imagine a “link” as if it were a “weapon”. Let’s assume that the victim received it by a trusted person, and that the link points to a Trojan (a “benevolent-looking” system that subtly implements a hidden and “malevolent” behaviour) that can infect the victim. The victim, either distractedly or consciously fascinated by the behaviour of the linked system, can in turn recommend (or forward) the link itself. At this point, the victim becomes an attacker within the same scenario (technically, this process is called “campaign”).
Some victims can unwittingly become attackers
Take, for example, a FakeAV Trojan, a free system that pretends to perform antivirus tasks but that in fact is itself a Malware, which is propagated through reputation channels. Such a system may appear enough convincing, fast, and graphically attractive to captivate the victim. The latter, happy with the bogus antivirus system, may send an email to one of her acquaintances recommending such a system. In this case, the victim turns into an attacker, unintentionally but very effectively.
Defending the cyberspace is a completely new and extremely difficult activity for all those who work in the Defence field
Defending the CyberSpace is a completely new and extremely difficult activity for all those who work in the Defence field. That’s why it is very important to understand that the digital environment, although representing a huge opportunity for all of us, if not used with care and awareness, can sometimes turn into a place where defending the weakest becomes a complex and not always successful task.