# CIA Attacks and Mitigation Technologies
## Confidentiality Attacks and Mitigation Technologies

| Attack | Description | Mitigation Technologies | How the Mitigation Works |
| --- | --- | --- | --- |
| Packet Sniffing | Intercepting and analyzing raw network traffic to steal unencrypted data (e.g., credentials). | Encryption (TLS), VPN | Encryption (TLS) renders intercepted data useless to the attacker, as it is encrypted and cannot be read without the decryption key. |
| Port Scanning | Scanning for open ports to identify vulnerable services for future exploitation. | Access Controls (Firewalls), Rate Limiting | Access Controls via firewalls block unsolicited incoming traffic, closing ports and making systems invisible to scanners. |
| Wiretapping / MITM | Secretly monitoring or altering communication between two parties. | Encryption (TLS, PGP), Certificate Pinning | Encryption ensures that even if communications are intercepted, the content remains confidential and tamper-evident. |
| SQL Injection | Injecting malicious code into a database query to extract unauthorized information. | Input Validation, Prepared Statements, Access Controls (RBAC) | Access Controls (RBAC) ensure database users have the least privileges necessary, limiting the amount of data that can be exfiltrated even if injection occurs. |
| SSL/TLS Stripping | Forcing a victim's browser to use unencrypted HTTP instead of HTTPS to facilitate interception. | HTTP Strict Transport Security (HSTS), Encryption (TLS) | HSTS is a response header that forces the browser to strictly use HTTPS, preventing the downgrade to HTTP. |
| Brute-Force Attacks (implied in port scanning) | Systematically submitting credentials to gain access. | Rate Limiting, Access Controls (AAA) | Rate Limiting locks an account or introduces delays after a few failed login attempts, making brute-force attacks impractical. |
| Data Exfiltration (the result of many attacks) | The unauthorized transfer of data from a system. | Data Loss Prevention (DLP), Encryption, SIEM | DLP tools monitor and block attempts to send sensitive data outside the network, preventing the success of the attack. |
| Privilege Escalation (often a step in an attack chain) | Gaining higher-level access to view confidential data. | Access Controls (IAM, RBAC, AAA) | RBAC (Role-Based Access Control) enforces the principle of least privilege, ensuring users and systems can only access the data absolutely necessary for their function. |
### Key Observations

- Encryption is the cornerstone of protecting data in transit (e.g., from sniffing, wiretapping) and is highly effective against passive interception attacks.
- Access Controls are fundamental for protecting data at rest. They form the primary defense against unauthorized access, whether from external attackers or insider threats.
- DLP and SIEM are reactive/detective controls. They may not prevent the initial attack vector (like SQLi) but are critical for preventing the final exfiltration of data and alerting security teams.
- Defense-in-Depth is essential. No single technology is a silver bullet. For example, mitigating SQL Injection requires Input Validation (a process) to stop the attack and Access Controls (RBAC) to limit the damage if the attack succeeds.
## Integrity Attacks and Mitigation Technologies

| Attack | Description | Mitigation Technologies | How the Mitigation Works |
| --- | --- | --- | --- |
| Session Hijacking | Taking over a user's active session to perform unauthorized actions or alter data. | Digital Signatures, SIEM + Logging, Access Controls | Digital Signatures on session tokens or critical transactions can verify their authenticity, preventing an attacker from forging valid requests. SIEM can detect anomalous behavior from a hijacked session (e.g., a user performing actions from two different geographic locations at once). |
| Man-in-the-Middle (MITM) | Intercepting and altering communications between two parties. | Digital Signatures, Hashing (HMAC) | Digital Signatures provide non-repudiation and integrity. If a signed message is altered in transit, the signature verification will fail, alerting the recipient to the tampering. HMAC can ensure the integrity of a specific message. |
| Data Tampering via Malware | Malicious software (e.g., ransomware, rootkits) that corrupts, encrypts, or falsifies data. | Hashing (SHA-256), Backups, Version Control | Hashing allows for integrity verification. By comparing a current file hash (e.g., SHA-256) to a known good hash, you can detect any unauthorized changes. Backups provide a known-good restore point to recover unaltered data. |
| SQL Injection | Injecting malicious code to modify, delete, or corrupt database records. | Input Validation, Access Controls (Least Privilege) | Access Controls applying the principle of least privilege to database accounts can prevent an attack from succeeding. For example, a web application account should not have DELETE permissions, limiting the damage of an injection. |
| General Unauthorized Modification | Any attempt to alter data without permission. | Access Controls (RBAC, Audit Logs), Version Control | Access Controls (Audit Logs) do not prevent the change but provide a detailed record of who made what change and when, enabling detection, investigation, and reversion. Version Control systems like Git allow for easy identification of changes and rolling back to a previous, untainted state. |
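The two detective controls from the table above, a SHA-256 baseline comparison for file tampering and an HMAC tag for message integrity, as an added example that is not part of the original page. The file contents, baseline and shared key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data: a "file" and its known-good SHA-256 baseline,
# recorded before any tampering and stored where malware cannot rewrite it.
ORIGINAL_FILE = b"balance=100\nowner=alice\n"
TAMPERED_FILE = b"balance=999\nowner=alice\n"
BASELINE_SHA256 = hashlib.sha256(ORIGINAL_FILE).hexdigest()

def verify_file_hash(data: bytes, known_good_hex: str) -> bool:
    """Detective control: compare the current SHA-256 to the recorded baseline."""
    current = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(current, known_good_hex)

# HMAC for message integrity: sender and receiver share a secret key
# (constructed here; in practice it comes from a key store, never the code).
SECRET_KEY = b"shared-secret-for-demo-only"

def sign_message(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Produce an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time; any altered byte,
    or a tag produced under a different key, fails verification."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    print(verify_file_hash(ORIGINAL_FILE, BASELINE_SHA256))  # True
    print(verify_file_hash(TAMPERED_FILE, BASELINE_SHA256))  # False: tampering detected
    msg = b"transfer 100 to bob"
    tag = sign_message(msg)
    print(verify_message(msg, tag))                          # True
    print(verify_message(b"transfer 900 to bob", tag))       # False: altered in transit
```

A plain hash only detects tampering if the baseline itself is kept out of the attacker's reach, whereas the HMAC tag cannot be recomputed without the key, which is why the table pairs hashing with an authenticated control for data in transit.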
### Key Observations

- Detection and Verification are Key: Unlike confidentiality, which focuses on prevention (encryption), integrity relies heavily on the ability to detect changes. Technologies like Hashing and Digital Signatures are critical for verifying that data has not been altered.
- Non-Repudiation: Digital Signatures are the strongest control, as they not only verify integrity but also prove the origin of the data, preventing a sender from denying having sent it.
- The Role of Recovery: Because integrity attacks aim to corrupt data, recovery is a core mitigation. Backups and Version Control are essential for restoring systems to a known good state.
- Layered Defense is Critical: Effective integrity protection uses a combination of:
  - Preventive controls (Input Validation, Access Controls) to stop unauthorized changes.
  - Detective controls (Hashing, SIEM, Logging) to identify changes that occur.
  - Corrective controls (Backups, Version Control) to restore integrity after an attack.
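The SQL Injection rows in both tables describe defense in depth: prepared statements stop the injection, and a least-privilege database role limits the damage if it succeeds. The example below is added here and is not code from the original page; it uses an in-memory SQLite database constructed for the demonstration, and stands in for a read-only database role with SQLite's authorizer hook (a real deployment would grant the role on the database server instead).

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed sample database for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: the input is parsed as SQL syntax."""
    sql = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value is bound as data and can never alter the query."""
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def apply_least_privilege(conn: sqlite3.Connection) -> None:
    """Emulates a read-only application role (RBAC): SQLite's authorizer hook
    refuses DELETE, UPDATE and DROP TABLE when a statement is compiled."""
    blocked = {sqlite3.SQLITE_DELETE, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DROP_TABLE}
    def authorizer(action, *_args):
        return sqlite3.SQLITE_DENY if action in blocked else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

def attempt_delete(conn: sqlite3.Connection, username: str) -> str:
    """Returns 'blocked' if the role denies the DELETE, otherwise 'executed'."""
    try:
        conn.execute("DELETE FROM users WHERE username = ?", (username,))
    except sqlite3.DatabaseError:          # raised as "not authorized" by the hook
        return "blocked"
    return "executed"

if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"              # the textbook injection input
    print(lookup_vulnerable(db, tautology))  # every row: confidentiality lost
    print(lookup_prepared(db, tautology))    # []: no user has that literal name
    apply_least_privilege(db)
    print(attempt_delete(db, "alice"))       # blocked: the role holds no DELETE right
```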
## Availability Attacks and Mitigation Technologies

| Attack | Description | Mitigation Technologies | How the Mitigation Works |
| --- | --- | --- | --- |
| SYN Flood Attack | Exploits the TCP handshake to exhaust server resources, denying new legitimate connections. | DDoS Protection Services, Load Balancers | DDoS Protection Services (e.g., Cloudflare) automatically detect and filter out malicious SYN flood traffic before it reaches the origin server, absorbing the attack. |
| ICMP Flood (Ping Flood) Attack | Overwhelms a target's network bandwidth with ICMP Echo Requests. | DDoS Protection Services, Rate Limiting | Rate Limiting on network devices can throttle the number of ICMP packets processed per second, preventing the device's CPU from being overwhelmed. DDoS Protection scrubs this high-volume traffic in the cloud. |
| Distributed Denial-of-Service (DDoS) | A large-scale, coordinated attack from a botnet to cripple a target with massive traffic. | DDoS Protection Services, Load Balancers, High Availability Systems | DDoS Protection is the primary defense, designed to absorb and mitigate multi-vector attacks at the network edge. High Availability Systems ensure that if one node fails, others can take over, maintaining service. |
| Ransomware Attack | Encrypts data to deny access to it, demanding payment for restoration. | Immutable Backups, SIEM | Immutable Backups are the ultimate defense. They cannot be altered or encrypted by attackers, guaranteeing a clean restore point to recover availability without paying the ransom. SIEM can detect the anomalous file encryption activity and alert admins. |
| Physical Infrastructure Sabotage | Physically destroying hardware (servers, cables) to halt operations. | High Availability (HA) / Redundancy, Backups | High Availability Systems with geographically redundant data centers ensure that if one physical location is compromised, another can automatically take over, preventing downtime. |
### Key Observations

- Layered Defense (On-Prem vs. Cloud): Mitigating volumetric attacks (floods, DDoS) requires scaling resources beyond what a single organization can typically handle. Cloud-based DDoS protection services are essential as they operate on a massive scale to absorb traffic.
- The Criticality of Recovery: For attacks like ransomware that directly destroy data, recovery is the primary mitigation. Modern strategies like the 3-2-1 Backup Rule and especially immutable backups are non-negotiable for ensuring availability.
- Redundancy is Key: High Availability (HA) and Load Balancers work together to ensure no single point of failure. If one server is overwhelmed or fails, traffic is distributed to healthy ones, maintaining service continuity.
- Detection and Prevention: SIEM systems play a crucial role in detecting the early signs of an availability attack (e.g., unusual traffic spikes, rapid file encryption), allowing for a faster response to mitigate impact. Access Controls (MFA) prevent attackers from easily gaining the privileged access often needed to deploy ransomware.