November 17, 2021 · #tech

Information security. Analysis of the attack system from the defense side.

"Digital data can be made inaccessible as much as water can be made dry." (Bruce Schneier)

First of all, we need to define the basic concepts. Security is the preservation of the properties of information: integrity, availability and confidentiality. Information security is, above all, a state in which data is protected; the protection of information is the process that aims to reach that state.

It is important to understand the real risks. That means not patching every shortcoming of the system indiscriminately and not fearing every potential danger that exists on the Internet or in the operation of automated systems; start instead from the real risk and from the likelihood that attackers will actually exploit a particular weak property of the system.

The purpose of information protection is to make an attack cost more than the attacker stands to gain from it. If preparing and carrying out an attack on an organization costs 2 million rubles while the attackers' profit would be 1 million rubles, the attack is not a worthwhile investment and the attacker will most likely abandon it.

A new attack vector has appeared: it has become harder to "hack" organizations directly, but organizations work with many contractors, and it is often cheaper to "hack" a complex organization by attacking it through such a contractor.

In my opinion, one of the most pressing problems in information security at the moment is social engineering. If you do not own a large organization and are not globally famous, you are not an interesting target for a targeted attack. But it is too early to relax: any inexperienced PC user who does not practise digital hygiene is a tasty morsel for cyber thieves, extortionists and unscrupulous miners who have set up their networks. To avoid the trap, do not interact with unknown or suspicious e-mails, because mass mailings of infected messages have not gone away. Also check letters from government agencies carefully if you were not expecting a reply from them: there are real cases where attackers sent messages almost identical to those sent by public services, with differences as small as a single letter in the sender's name.
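The "one letter in the sender's name" trick above can be checked mechanically on the receiving side. The following Python is an added example, not code from the original post: it compares the domain of a From: header against a constructed allowlist of expected sender domains (the `.example` names are hypothetical placeholders, not real government or bank domains) and flags single-character edits, digit and Cyrillic homoglyph substitutions, and an expected name buried inside an unrelated domain.

```python
import re

# Constructed allowlist of sender domains the user legitimately expects mail from.
# These are hypothetical placeholders, not real government or bank domains.
EXPECTED_DOMAINS = {"gosuslugi.example", "tax.example", "bank.example"}

# Confusable characters mapped to the Latin letter they imitate: digits that look like
# letters and Cyrillic letters that are visually identical to their Latin counterparts.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
})


def normalize(domain):
    """Lower-case a domain and collapse visual tricks (rn -> m, vv -> w, 0 -> o, Cyrillic о -> o).

    Both the suspect domain and the expected domains go through this, so a legitimate
    'rn' inside an expected name is folded identically on both sides.
    """
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete or substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Pull the address domain out of a From: header value such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(from_header, expected=EXPECTED_DOMAINS):
    """Return (verdict, closest_expected_domain); verdict is 'ok', 'lookalike' or 'unknown'."""
    domain = sender_domain(from_header)
    if domain in expected:
        return "ok", domain
    for exp in expected:
        if domain.endswith("." + exp):
            return "ok", exp          # genuine subdomain of an expected domain
    for exp in expected:
        if exp in domain:
            return "lookalike", exp   # expected name embedded in an unrelated domain
    # Homoglyph substitutions and single-character edits against the closest expected domain
    best = min(expected, key=lambda exp: levenshtein(normalize(domain), normalize(exp)))
    if levenshtein(normalize(domain), normalize(best)) <= 1:
        return "lookalike", best
    return "unknown", ""


if __name__ == "__main__":
    for header in ("Госуслуги <noreply@gosuslugi.example>",
                   "noreply@gosusIugi.example",            # capital I in place of l
                   "noreply@g\u043esuslugi.example",       # Cyrillic о in place of o
                   "alerts@bank.example.attacker.test",
                   "news@shop.test"):
        print(header, "->", classify_sender(header))
```

The distance threshold of 1 is deliberate: the post's own observation is that the difference was "up to one letter", and raising the threshold on short domains quickly turns unrelated names into false lookalikes. A verdict of "unknown" is not a verdict of safe; it only means the domain is not imitating one you expected.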

Now, with cryptocurrency mining so widespread, it is especially important not to let attackers exploit your computer. When watching a movie on an unfamiliar site, it is good practice to check your system's load, because while you are enjoying the movie the site can, during the advertising, quietly open a miner tab that will exploit your computer.

So, back to targeted attacks. Any such attack is, in essence, divided into several stages; here we will consider four.

The first stage is the preparation of a targeted attack. It is mandatory and includes defining the target and researching it. Defining and researching the target can take a long time, even months.

The next stage is delivering the malicious software prepared in the previous stage: individual hosts are infected. Infection can happen in completely different ways, including by scattering flash drives around the office, by delivering the malware via e-mail or, for example, through a website where clients upload documents for internal employees. These client documents are usually passed behind the application into the internal infrastructure, onto network folders, where internal employees unpack and open them.

The next step is achieving the goal itself. By this point the attackers have penetrated the infrastructure, spread laterally, gathered the information needed to carry out the attack, know how to carry it out, and have prepared the means to do so. In one real attack this went as far as the attackers preparing, in advance, scripts for inserting records into the processing center's database: they knew which tables to insert into and what to insert. During this time, gold cards can also be prepared in advance for withdrawing the funds, and accounts can be opened, or organizations set up or bought, to whose accounts the funds will be transferred. The second part is carried out so that, as soon as the money is withdrawn, it can be converted into cryptocurrency or electronic money as quickly as possible and moved out of the accounts of the organizations or individuals to which the funds were delivered.

According to statistics, the average time for an organization to detect an incident, counted from the start of the attack, from the moment of penetration, is 272 days. That is, attackers can stay inside an organization for almost a year, undetected and continuing their destructive activity. At the same time, unfortunately, penetrating an organization and seizing its infrastructure can take attackers only minutes. In most organizations, almost 90%, the compromise happens within minutes, not even hours, while detecting it takes months. Only a small number of organizations, about 3%, are able to detect an attack within an hour.

If we talk about a bank's network, the attackers' reconnaissance is often aimed at the payment gateway, and the search for it can be carried out either by scanning or by compromising an administrator and studying the documentation on the administrator's workstation.
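Scanning for a target such as a payment gateway leaves a recognisable trace in connection logs: one internal source touching many distinct host:port combinations within a short window. The Python below is an added detection example, not part of the original post; it runs over a constructed sample of key=value firewall log lines (the addresses, timestamps and format are invented for the example) and flags a source once it has reached a threshold of distinct destinations inside a sliding time window, which catches both a vertical scan (many ports on one host) and a horizontal one (one port across many hosts).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of connection-log lines (not taken from any real system).
# 10.0.5.23 talks repeatedly to one service; 10.0.5.77 probes many ports and hosts within seconds.
SAMPLE_LOG = """\
2021-11-17T10:00:01 src=10.0.5.23 dst=10.0.9.10 dport=443 action=allow
2021-11-17T10:00:02 src=10.0.5.23 dst=10.0.9.10 dport=443 action=allow
2021-11-17T10:00:05 src=10.0.5.77 dst=10.0.9.10 dport=22 action=deny
2021-11-17T10:00:05 src=10.0.5.77 dst=10.0.9.10 dport=80 action=deny
2021-11-17T10:00:06 src=10.0.5.77 dst=10.0.9.10 dport=443 action=allow
2021-11-17T10:00:06 src=10.0.5.77 dst=10.0.9.10 dport=3389 action=deny
2021-11-17T10:00:07 src=10.0.5.77 dst=10.0.9.10 dport=8080 action=deny
2021-11-17T10:00:08 src=10.0.5.77 dst=10.0.9.11 dport=443 action=deny
2021-11-17T10:00:08 src=10.0.5.77 dst=10.0.9.12 dport=443 action=deny
2021-11-17T10:00:09 src=10.0.5.77 dst=10.0.9.13 dport=443 action=allow
2021-11-17T10:00:09 src=10.0.5.77 dst=10.0.9.14 dport=443 action=deny
2021-11-17T10:00:10 src=10.0.5.23 dst=10.0.9.10 dport=443 action=allow
"""

# Hypothetical log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_scans(lines, window_seconds=60, threshold=8):
    """Flag sources that reach at least `threshold` distinct dst:port pairs within `window_seconds`.

    Returns one (src, window_start_iso, distinct_targets) tuple per flagged source, emitted
    at the moment the threshold is crossed; later lines from an already flagged source are skipped.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, "dst:port"), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in alerted:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], f"{ev['dst']}:{ev['dport']}"))
        # Drop events that have fallen out of the sliding window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold:
            alerts.append((ev["src"], q[0][0].isoformat(), len(distinct)))
            alerted.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for src, started, count in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"possible scan from {src}: {count} distinct targets since {started}")
```

Denied and allowed connections are counted alike on purpose: a scanner that finds an open port produces an `allow` line, and excluding those would hide exactly the hit that matters. The threshold and window are tuning knobs; in a real network they should be set from a baseline of how many distinct services a normal workstation contacts per minute.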

Let us look at one real attack on a bank that ended in success for the hackers. In this case the attackers' target was the payment gateway. They penetrated the network, found the payment gateway, reached it and tried to form a payment, and failed. So they waited until the administrator logged in to the payment gateway, stole his authentication data, got onto the administrator's workstation and took the payment gateway documentation from it; the attack then went quiet for about a month and a half while the attackers studied this documentation. Then they returned to the payment gateway, assembled their own new payment gateway from scripts alongside it, and sent payments from the payment infrastructure they had already assembled.

An ordinary PC user may mistakenly think the danger is far away, but it is not. Attackers will always find something to gain, even when it seems to you that there is nothing left to take. Use an antivirus, regularly check your computer for malware, pay attention to what you do on the Internet, and no threat will frighten you.