Systems Imitation Attack
By: Ian Thomson
The systems imitation attack is a hybrid information security attack designed to attack a target's critical system on all levels of the security triad (confidentiality, integrity and availability) by producing a duplicate of the operational system or software in a lab environment, then subjecting the mockup to vigorous attack in order to assess potential weaknesses. Perpetrators of this attack are commonly motivated by privilege escalation or pure data theft, and more often than not are users with some form of access to the system. Although the primary goals of this attack vary with the modus operandi of the attacker, the methods are strikingly similar from attack to attack.
Commonly those perpetrating this attack will attempt to copy ghost images or backup files of the operational system or workstation in order to gain as much intelligence as possible on the way the system is designed and operated. System documentation and other technical documents may also be targets, as they tend to include system details. Commonly low-paid IT operators or helpdesk staff who interact with the backups of systems will be responsible for attacks of this nature, as they tend to be more socially and psychologically disposed to privilege escalation attacks [1].
In all cases the object of a systems imitation attack is to gather enough backup files or ghost images to extract a working or near-working copy of the system in a virtual environment. This allows the attacker to engage in attacks on the virtual system to discover what is effective and what is not when planning a real attack on the live system. A single backup tape may contain critical operating parameters or configuration files that have system passwords already listed, or other system information stored in plaintext.
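The risk described above (configuration files with passwords stored in plaintext on a backup tape) can be checked for before media leaves the site. The following script is an added example and not part of the original article; it builds a constructed tar image standing in for a backup and scans its text-like files for credential-bearing settings, so a backup administrator can see what an attacker would extract and fix the backup (encrypt it, or move secrets out of the configuration) before it is trusted.

```python
import io
import re
import tarfile

# Settings commonly left in plaintext config files. The key names and the
# sample archive below are constructed for this example, not from a real system.
CREDENTIAL_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(password|passwd|secret|api_key|token)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*(?P<val>\S+)",
    re.IGNORECASE | re.MULTILINE,
)
TEXT_SUFFIXES = (".conf", ".cfg", ".ini", ".env", ".properties", ".yml", ".yaml", ".xml", ".txt")


def scan_backup_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member path, setting name) for plaintext credentials in text-like files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.lower().endswith(TEXT_SUFFIXES):
                continue
            f = tar.extractfile(member)
            if f is None:
                continue
            text = f.read().decode("utf-8", errors="replace")
            for m in CREDENTIAL_RE.finditer(text):
                val = m.group("val").strip("\"'")
                # Skip empty values and obvious placeholders such as ${DB_PASS} or <redacted>.
                if val and not val.startswith(("${", "<")):
                    findings.append((member.name, m.group("key")))
    return findings


def build_sample_backup() -> bytes:
    """Constructed stand-in for a backup tape image: a gzip tar with a few config files."""
    files = {
        "etc/app/db.conf": "host=db01\nuser=app\npassword=S3cretPass\n",
        "etc/app/mail.yml": "smtp:\n  host: mail01\n  api_token: abc123\n",
        "etc/app/readme.txt": "Restore procedure: see ops wiki.\n",
        "var/app/data.bin": "\x00\x01binaryblob",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            raw = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return buf.getvalue()


if __name__ == "__main__":
    for path, key in scan_backup_archive(build_sample_backup()):
        print(f"plaintext credential in backup: {path}: {key}")
```

Run against a real restore image, the same function can be pointed at an archive read from disk; a non-empty result means the tape is worth encrypting before it is handed to anyone.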
In cases of industry-specific software it may be preferable to acquire a “blank” copy, often licensed from the same company that makes the target's system: a system that works the same way as the target's system does but without the valuable information. A system of this type would still succeed in the goals of systems imitation, as it would allow an attacker to carry out penetration testing exercises against it. Regardless of the success of those exercises, the attacker would still gain valuable insight into the operations and procedures of the system.
In an alternate context where the primary goal is to steal as much data as possible, acquiring a copy of the backup is preferable. Oftentimes there is very little security on the backup systems, and if a technician removes a backup tape before leaving and returns it the next morning, few would notice.
The scope of this attack is limited by the size of the system; few attackers would attempt to replicate a large-scale system that operates across multiple servers. However, this attack would be very successful in small- to medium-sized organizations, especially if the perpetrator of the attack is someone who works in IT, even in a limited capacity.
Most of the content in this article is based on my own experiences and the experiments I have conducted. As far as I am aware this is a new idea in the field of IT security, so for that reason there is very little content in this article I can cite as a reference. If you have any comments please do not hesitate to contact me.