The scenario is an attacker sending an email with an attachment that is a malicious PDF containing executable code which runs if the file is viewed in Adobe Reader; in this scenario the code causes a denial of service.
The attacker creates a malicious payload, in this scenario a PDF file containing code that takes advantage of (exploits) a discovered vulnerability in a number of Adobe products. The PDF file is attached to an email which is then sent to the victim (either a known individual in a targeted attack, or a large group of email addresses the attacker has obtained). The recipient receives the email, and the attacker hopes the PDF file will be opened using a version of one of the affected Adobe products, allowing the code to execute and cause a denial of service.
For the more technical reader, I have based this on an actual reported vulnerability, CVE-2016-1009, which affects Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X, and allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. [https://www.cvedetails.com/cve/CVE-2016-1009/] [https://helpx.adobe.com/security/products/acrobat/apsb16-09.html]
The scenario is illustrated in the diagram below.
The threat agent, attack, attack vector, vulnerability, exploit and attack surface area relating to this scenario are described in the table below.
| Term | Definition | Example |
|---|---|---|
| Threat agent | An individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company. | Attacker |
| Attack | Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. | Denial of Service |
| Attack vector | A path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. | Email |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. | Adobe Reader DC Classic (v15.006.30119) |
| Exploit | A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behaviour to occur. | Malicious PDF containing executable code that exploits CVE-2016-1009 |
| Attack surface area | The sum of all vulnerabilities where an attacker can try malicious activity. | All instances of the vulnerable version of Adobe Reader DC Classic (v15.006.30119) |
Hopefully the scenario, and the examples of what the terms mean in the context of that scenario, help explain how these terms are used by cyber security professionals.
In this scenario, to defend themselves the victims need to identify whether they are vulnerable and what the attack surface area is, and then implement controls to remediate the vulnerability.
In order to identify whether they are vulnerable, organisations would need to know the software and version installed on all their assets (workstations, laptops, tablets, servers) and then monitor security feeds, such as those from CERTs or Adobe, to identify vulnerabilities within those assets as part of their vulnerability management programme. Alternatively they can conduct internal vulnerability assessments of their assets to identify vulnerabilities within them. This relies on the assessment tool being able to identify the vulnerability (up-to-date signatures) and having access rights to the assets to scan the installed software. A build review looking at security will only detect vulnerabilities within the build, not within software installed or updated by users after the build has been deployed.
Once a vulnerability has been discovered, the attack surface area for that vulnerability can be identified by examining all assets for the affected software.
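The following is an added example, not part of the original post, of the inventory-matching step just described: it takes a software inventory and the fixed-version boundaries quoted above for CVE-2016-1009, flags every asset running an older build, and counts them per asset type, which is the attack surface area for this vulnerability. The inventory records (hostnames, asset kinds, installed versions) are constructed sample data, and the product-name keys are assumed labels for the three Adobe product tracks named in the advisory.

```python
"""Attack-surface identification for CVE-2016-1009 from a software inventory.

Added example (not from the original post). The fixed-version boundaries
come from the advisory text quoted in the post; the inventory records
below are constructed sample data, not a real estate.
"""
from dataclasses import dataclass

# First fixed build for each product track named in the advisory (assumed
# labels for the tracks): any installed build strictly older is affected.
FIXED_VERSIONS = {
    "Adobe Reader": "11.0.15",
    "Adobe Acrobat": "11.0.15",
    "Acrobat Reader DC Classic": "15.006.30121",
    "Acrobat DC Classic": "15.006.30121",
    "Acrobat Reader DC Continuous": "15.010.20060",
    "Acrobat DC Continuous": "15.010.20060",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '15.006.30119' into (15, 6, 30119) so builds compare numerically.

    Comparing the raw strings would be wrong: zero-padded components such
    as '006' and differing lengths do not order correctly as text.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the product is covered by the advisory and the build predates the fix."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not covered by this advisory
    return parse_version(version) < parse_version(fixed)


@dataclass(frozen=True)
class Asset:
    hostname: str
    kind: str       # workstation, laptop, tablet or server
    product: str
    version: str


# Constructed inventory, as a vulnerability-management programme would hold
# it. Hostnames and versions are sample values.
INVENTORY = [
    Asset("ws-0142", "workstation", "Acrobat Reader DC Classic", "15.006.30119"),
    Asset("lt-0077", "laptop", "Acrobat Reader DC Continuous", "15.010.20060"),
    Asset("lt-0091", "laptop", "Acrobat Reader DC Continuous", "15.010.20056"),
    Asset("srv-files01", "server", "Adobe Acrobat", "11.0.15"),
    Asset("ws-0230", "workstation", "Adobe Reader", "11.0.10"),
    Asset("tab-0012", "tablet", "Some Other Viewer", "3.2.1"),
]


def attack_surface(inventory) -> list[Asset]:
    """All assets running an affected build: the attack surface area for this CVE."""
    return [a for a in inventory if is_affected(a.product, a.version)]


def summarise(inventory) -> dict[str, int]:
    """Count affected assets per asset kind, to prioritise patching."""
    counts: dict[str, int] = {}
    for a in attack_surface(inventory):
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in attack_surface(INVENTORY):
        print(f"{a.hostname:12} {a.product} {a.version} -> affected, "
              f"patch to {FIXED_VERSIONS[a.product]}")
    print(summarise(INVENTORY))
```

Two points the example makes that the prose does not: the build already at the fixed version (lt-0077, srv-files01) is correctly left out, because the advisory says "before" the fixed build, and the DC Classic and DC Continuous tracks have different fixed builds, so an inventory that records only "Adobe Reader DC" without the track cannot answer the question. Whatever tool gathers the inventory needs to capture the product track as well as the version number.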
This attack can be remediated by implementing the following:
- A software patching programme to ensure all security patches and updates are installed as soon as possible after release by vendors, but only after testing to ensure there are no unforeseen side effects.
- A vulnerability monitoring programme to identify when vulnerabilities are publicly notified.
- The use of anti-malware software, with up-to-date signatures and scanning engine, to scan all incoming attachments.
- User education to ensure users are aware of the danger of viewing attachments on unexpected emails.
These are covered by the CIS Critical Security Controls:
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 8: Malware Defenses
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 19: Incident Response and Management