Feature Article
A Preliminary Classification Scheme for
Information System Threats, Attacks, and Defenses;
A Cause and Effect Model; and
Some Analysis Based on That Model
by Fred Cohen
Cynthia Phillips, Laura Painton Swiler, Timothy Gaylor,
Patricia Leary, Fran Rupley, Richard Isler, and Eli Dart
Sandia National Laboratories, September, 1998
(This work was funded by the U.S. Department of Energy)
Abstract:
This paper describes (in a classification scheme placed at the end for
readability) 37 different types of actors that may Cause Information System
Failure (Threats), 94 different Mechanisms by Which Information Systems are
Caused to Fail (Attacks), and 140 different Mechanisms Which May Prevent,
Limit, Reduce, or Mitigate Harm (Defenses). These are gathered from many
different sources.
Where a single source for a single item is available, it is cited in the
text. The most comprehensive sources used are not cited throughout the text
but rather listed here. [Cohen95] [Neumann95] Other major sources not identified
by specific citation are listed here. [Bellovin92] [Bishop96] [Bellovin89] [Cheswick94] [Cohen91] [Cohen94-2] [Denning82] [Feustal73] [Hoffman90] [Knight78] [Lampson73] [Landwehr83] [Linde75] [Neumann89] [Spafford92]
We describe a cause-effect model of information system attacks and
defenses based on the notions that particular threats use particular attacks
to cause desired consequences and successful defenders use particular
defensive measures to defend successfully against those attacks and thus
limit the consequences. Human defenders and attackers also use a variety of
different viewpoints to understand and analyze their attacks and defenses,
and this notion is also brought to bear. We then describe some analytical
methods by which this model may be analyzed to derive useful information
from available and uncertain information. This useful information can then
be applied to meeting the needs of defenders (or if turned on its head
attackers) to find effective and minimal cost defenses (or attacks) on
information systems. Next we consider the extension of this method to
networks and describe a system that implements some of these notions in
an experimental testbed called HEAT.
A Cause-Effect Model of Information System Attacks and Defenses:
There is a common notion of cause and effect that has
been debated in philosophical terms many times over the ages. Some
believe in fate - the happenings of the universe are predetermined.
Some believe in chance - God plays dice with the Universe. Regardless
of the underlying nature of things, as a fundamental assumption to
further work in this area, we take the position that the world works
through a system of causes, mechanisms, and effects. Thus we have the
picture of systems shown in figure 1.
In this depiction of our assumption, we assert that
Causes (also called threats) use Mechanisms (Previously published under
the name Attacks and also called Attack Mechanisms) to produce Effects
(also called consequences). Protective Mechanisms (also called
Defenses) are used to mitigate harm by acting to limit the causes,
mechanisms, or effects.
Our schemes for describing Causes, Mechanisms,
Effects, and Defenses are based on the collection of sets of specific
causes, mechanisms, effects, and defenses into named groupings, but
underlying each of these sets there are specific actors, mechanisms, and
consequences that could be analyzed at a detailed level. Since the sets
we describe are not strictly classification schemes, there are
many-to-many mappings between specifics and sets in our
descriptions.
The viewpoints in our model represent the notion that
there may be many properties of elements of our model that can be
related, analyzed, and used by people and by automation to deal with the
issues of information protection.
We believe that the value in this particular model
lies in two areas: the reduction of complexity relative to a model based on all
of the specifics allows meaningful computations to be performed in
reasonable times, while the increased differentiation over simplified
models containing only a few items (e.g., corruption, denial of
services, information leakage) allows useful results to be derived.
This belief will, we hope, be justified by the analyses we are able to
perform.
We also feel it is important to note that this is not
the only model of this sort available today. Many other authors have
tried to form similar models and we have borrowed freely from them.
Some of the models we have considered in our efforts include John
Howard's model, the other models he cited and analyzed in his work, and
Donn Parker's Model, particularly in the area of consequences.
The specific mappings used in our analysis vary with
time, in large part because attackers and defenders are always learning, and
in smaller part because new mechanisms are being discovered over time. We
also find new ways of correlating issues over time, and this adds new
viewpoints. The current viewpoints include:
- Process: Prevention, Detection, and Reaction
- Impact: Integrity, Availability, and Confidentiality
- Domain: Physical, Informational, Systemic
- Sophistication: Theoretical, Demonstrated, Widespread
- Organizational: Management, Policy, Standards, Procedures,
Documentation, Audit, Testing, Technical Safeguards, Personnel, Incident
Handling, Legal, Physical, Awareness, Training, Education, Organization
The size of the mapping today is on the order of 37x94/3
links from threats to attacks, 94x140/3 links from attacks to defenses, and
28x250/3 links between these items and the viewpoints. The actual count
today is about 7,000 links, which are stored as a numerical table for analysis
purposes. While it is impractical to provide that entire table here, it can
be obtained from the principal author in electronic form and can be viewed
as a linked database on the Internet at http://all.net/
Some Analytical Methods
Applicable to the Cause-Effect Model:
Given the above model of cause and effect, we have
generated a set of analytical techniques that enable us to do three
things:
- Based on the work on medical diagnosis that forms
the basis of the Mycin system, we have created an indications capability
that predicts causes and correlated mechanisms based on a detected set
of mechanisms.
- Based on the notion of covering tables, we
have analyzed methods for determining an optimal cover for defending
against a set of causes.
- Based on syntax and semantics theory, we
have created a linguistic problem and solution generator that produces
sets of feasible attack and defense scenarios based on a user-specified
linguistic question.
Indications and Warnings Analysis:
For indications and warnings it is desirable that,
based on the information available, a prediction be produced that (1)
indicates the possible causes of the observed information and ranks
those causes in order of confidence that they could be a cause, (2)
based on those indications, predicts other observable mechanisms and
consequences associated with those causes, and (3) provides the means to
warn potential defenders and victims of consequences prior to those
consequences.
The analysis we perform is based on analysis of a set
of observed mechanisms. Given a set of mechanisms that are known or
thought to be in use, we reverse the cause-effect model to produce a
ranking of all causes that could be associated with each of the observed
effects. This ranking is based on the confidence level associated with
each observed phenomenon and the correlation between capabilities and
characteristics of the causes and observed mechanisms.
In the current implementation, a selection of
mechanisms is made from a menu of checkboxes using a Web browser. For
example, we might select the following set of observed mechanisms:
"false updates", "insertion in
transit", "perception management" and "replay
attacks"
With this selection, analysis yields several results:
- Corruption of information appears to be the major
goal of these attacks
- The sophistication level of the attacker
is substantial, and they likely have some special expertise, but they
are not using techniques that are never seen elsewhere.
- The most well-matched threat profiles
include hackers, private investigators, crackers for hire, cyber-gangs,
crackers, insiders, professional thieves, foreign agents and spies,
military organizations, global coalitions, nation states, economic
rivals, government agencies, tiger teams, and information
warriors.
- Less likely are maintenance people,
vendors, reporters, competitors, extortionists, and
consultants.
- Club initiates, organized crime,
activists, and customers are less likely still, followed by deranged
people, vandals, infrastructure warriors, drug cartels and
police.
- Finally, these mechanisms have no
correlation with known capabilities and intent of hoodlums, nature,
paramilitary groups, terrorists, or whistle blowers.
Given the resulting metric associated with each
cause, we then produce an aggregate metric for each of the mechanisms
within the capability and characteristics of those causes. The result
is a metric associated with each mechanism indicating how closely it
matches the observed phenomena within the context of the model. For the
example above:
Salami attacks, kiting, strategic or tactical
deceptions, race conditions, dependency analysis and exploitation,
reflexive control, breaking key management systems, man-in-the-middle,
induced stress failures, audit suppression, illegal value insertion,
call forwarding fakery, restoration process
corruption or misuse, backup theft, corruption, or destruction, process
bypassing, wire closet attacks, repair-replace-remove information,
electronic interference, desynchronization and time-based attacks,
modeling mismatches, environment corruption, inadequate notice
exploitation, undocumented or unknown function exploitation, invalid
values on calls, get a job, modification in transit, infrastructure
interference, and testing are reported as the most highly correlated
mechanisms to those observed.
Given the resulting metric associated with each
mechanism, we then produce an aggregate metric for each of the
consequences that can result from each of those mechanisms. The result
is a metric associated with each consequence indicating how closely it
matches the observed phenomena within the context of the model.
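The three-stage ranking described above (causes from observed mechanisms, then mechanisms, then consequences), as an added example that is not part of the original paper. It uses a small constructed cause/mechanism/consequence table in the paper's vocabulary; the capability weights and the sample observation are illustrative assumptions, not values from the authors' 7,000-link table.

```python
# Added example: indications-and-warnings ranking over a small constructed
# cause/mechanism/consequence table. Names follow the paper's vocabulary; the
# weights are illustrative assumptions, not the authors' data.

# Capability table: how strongly each cause (threat) is associated with each
# attack mechanism, on a 0..1 scale (constructed).
CAUSE_MECHANISM = {
    "insiders":       {"false updates": 0.9, "replay attacks": 0.4,
                       "audit suppression": 0.8, "backup theft": 0.7},
    "hackers":        {"false updates": 0.3, "replay attacks": 0.8,
                       "insertion in transit": 0.7, "audit suppression": 0.4},
    "foreign agents": {"false updates": 0.7, "replay attacks": 0.9,
                       "insertion in transit": 0.9, "perception management": 0.9},
    "vandals":        {"insertion in transit": 0.2},
    "nature":         {},
}

# Mechanism -> consequence weights (constructed).
MECHANISM_CONSEQUENCE = {
    "false updates":         {"corruption": 1.0},
    "replay attacks":        {"corruption": 0.8, "leakage": 0.2},
    "insertion in transit":  {"corruption": 0.9},
    "perception management": {"corruption": 0.6, "denial of services": 0.2},
    "audit suppression":     {"corruption": 0.5},
    "backup theft":          {"leakage": 1.0},
}


def _ranked(scores):
    """Sort a {name: score} dict into a descending (name, score) list, names as tie-break."""
    return sorted(((n, round(s, 3)) for n, s in scores.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def rank_causes(observed):
    """Reverse the cause-effect model: observed is {mechanism: confidence 0..1}.

    A cause's score is the confidence-weighted average of its capability for
    the observed mechanisms, so 1.0 means it is fully capable of all of them
    and 0.0 means no known capability or intent (the paper's 'no correlation').
    """
    total = sum(observed.values())
    return _ranked({
        cause: (sum(conf * caps.get(m, 0.0) for m, conf in observed.items()) / total
                if total else 0.0)
        for cause, caps in CAUSE_MECHANISM.items()
    })


def rank_mechanisms(cause_scores, observed):
    """Aggregate cause scores onto mechanisms not yet observed: what else the
    indicated causes are capable of, and therefore what to look for next."""
    agg = {}
    for cause, score in cause_scores:
        for m, cap in CAUSE_MECHANISM[cause].items():
            if m not in observed:
                agg[m] = agg.get(m, 0.0) + score * cap
    return _ranked(agg)


def rank_consequences(observed, predicted):
    """Aggregate observed confidences and predicted mechanism scores onto the
    consequences those mechanisms can produce."""
    agg = {}
    for m, score in list(observed.items()) + list(predicted):
        for c, w in MECHANISM_CONSEQUENCE[m].items():
            agg[c] = agg.get(c, 0.0) + score * w
    return _ranked(agg)


def indications(observed):
    """Run the three stages and return (causes, mechanisms, consequences)."""
    causes = rank_causes(observed)
    mechanisms = rank_mechanisms(causes, observed)
    return causes, mechanisms, rank_consequences(observed, mechanisms)


if __name__ == "__main__":
    # Constructed observation: three mechanisms seen with differing confidence.
    seen = {"false updates": 1.0, "replay attacks": 0.8, "insertion in transit": 0.6}
    for label, ranking in zip(("causes", "mechanisms", "consequences"), indications(seen)):
        print(label, ranking)
```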
These results have been used for several different purposes:
- The metrics on mechanisms are used to determine
optimal selection of sensors to differentiate or detect while limiting
impact on normal operations.
- The metrics associated with attack
mechanisms are used as weightings in the covering analyses described
above to optimize the design or selection of flexible defenses so as to
minimize the effectiveness of further attacks within a budget.
- The analysis of consequences has been
extended (as described later) to a networked environment in the form of
analyzing the impact of an acquired level of access to one system on the
spread of an attack from system to system.
Covering Analysis:
The covering analysis we used is based on the
covering analysis used in optimization. The notion of covering analysis
is that we have a set of attacks and a set of defenses, where each
attack has a metric indicating the relative consequence of its use, each
defense has a metric indicating the relative cost of its use, and a
covering table indicates whether or to what extent each defense
mitigates the consequences of each attack. The analytical challenge is
to find an efficient mathematical method for determining an optimal
selection of defenses. Optimality can be determined against a set of
different measures to produce different results. We have examined two
particular measures: (1) minimizing the cost of achieving a particular
total level of consequence, and (2) minimizing the consequence given a
particular budget for defense.
The classic set covering problem has been widely
studied because of its use in airline crew scheduling. We can
formulate the defense-allocation problem as a generalization of the set
cover problem. Table entries represent the probability that a
particular defense can prevent a particular attack. If we assume attack
consequences are independent and defense probabilities are independent,
then we can calculate the expected consequence from the full set of
attacks.
Although this computation is significantly more
complicated than classic set cover, we can modify much of the previous
work on set cover for this setting. In particular, since set cover is a
restrictive special case of the defense-allocation problem, hardness
results for set cover apply directly. Thus theoretically, we cannot
approximate the best defense set to within a factor of log d,
where d is the number of defenses. However, exhaustive methods
may be practical for the size of instances generated by small-to-medium
sized networks. We have generalized the greedy iterative methods which
are asymptotically optimal for set cover. It is also possible that they
remain asymptotically optimal in the more general setting. If we also
specify a target consequence for each attack rather than all attacks
combined, this problem can be modeled as an integer program similar to
the set-cover integer program, and therefore one can apply
generalized versions of the vast number of exact and heuristic methods
tuned for that application.
A covering analysis based on the
greedy algorithm is currently implemented. Based on the above example,
and with the additional constraints that we wish only to detect
corruption and do so with only commercially available mechanisms, we get
the following list of potential detection defense mechanisms:
- known-attack scanning
- program change logs
- time, location, function, and other similar access limitations
- filtering devices
- searches and inspections
- redundancy
- deceptions
- procedures
- auditing
- audit analysis
- augmented authentication devices (time or use variant)
- security marking and/or labeling
- classifying information as to sensitivity
- document and information control procedures
The covering analysis indicates that these methods
have the potential of detecting all of the identified mechanisms,
indicates that the defenses with the best coverage are (1) time,
location, function, and other similar access limitations, (2)
redundancy, and (3) filtering devices and that in combination, these
cover almost all of the identified attack mechanisms. The detailed
results of the covering table indicate which classes of defense
mechanisms cover which classes of attack mechanisms and use coloring to
indicate uncovered attack mechanisms.
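The generalized greedy set cover described in the covering analysis, as an added example that is not part of the original paper or its implementation. The attack consequences, defense costs and coverage probabilities form a small constructed covering table; the function implements both of the paper's measures (a target level of consequence, or a fixed defense budget) under its independence assumption.

```python
# Added example: greedy defense allocation over a constructed covering table,
# the generalized set-cover computation the covering analysis describes.
# Attack consequences, defense costs and coverage probabilities are
# illustrative assumptions, not values from the authors' tables.
from math import prod

# Relative consequence of each attack mechanism if it succeeds (constructed).
ATTACKS = {"false updates": 8.0, "replay attacks": 5.0,
           "insertion in transit": 6.0, "perception management": 3.0}

# Relative cost of each defense (constructed).
DEFENSE_COST = {"access limitations": 4.0, "redundancy": 5.0,
                "filtering devices": 3.0, "audit analysis": 2.0, "deceptions": 2.0}

# Covering table: probability that a defense prevents an attack; absent = 0.
COVER = {
    "access limitations": {"false updates": 0.8, "replay attacks": 0.5, "insertion in transit": 0.3},
    "redundancy":         {"false updates": 0.6, "replay attacks": 0.4, "insertion in transit": 0.7},
    "filtering devices":  {"replay attacks": 0.7, "insertion in transit": 0.8},
    "audit analysis":     {"false updates": 0.5, "perception management": 0.4},
    "deceptions":         {"perception management": 0.6},
}


def expected_consequence(chosen):
    """Expected total consequence with the chosen defenses in place.

    Under the paper's independence assumption an attack gets past every chosen
    defense with probability prod(1 - p), so its expected consequence is
    consequence * prod(1 - p); with no defenses this is the full sum.
    """
    return sum(c * prod(1.0 - COVER[d].get(a, 0.0) for d in chosen)
               for a, c in ATTACKS.items())


def greedy_cover(budget=None, target=None):
    """Generalized greedy set cover.

    Repeatedly adds the affordable defense with the largest reduction in
    expected consequence per unit cost. With target set it implements measure
    (1): stop once expected consequence <= target. With budget set it
    implements measure (2): never exceed the budget. Returns (defenses, spent,
    expected consequence).
    """
    chosen, spent = [], 0.0
    while True:
        current = expected_consequence(chosen)
        if target is not None and current <= target:
            break
        best, best_ratio = None, 0.0
        for d, cost in DEFENSE_COST.items():
            if d in chosen or (budget is not None and spent + cost > budget):
                continue
            ratio = (current - expected_consequence(chosen + [d])) / cost
            if ratio > best_ratio:
                best, best_ratio = d, ratio
        if best is None:          # nothing affordable still reduces consequence
            break
        chosen.append(best)
        spent += DEFENSE_COST[best]
    return chosen, spent, expected_consequence(chosen)


def uncovered(chosen):
    """Attacks no chosen defense touches at all (the paper's colored table entries)."""
    return sorted(a for a in ATTACKS
                  if all(COVER[d].get(a, 0.0) == 0.0 for d in chosen))


if __name__ == "__main__":
    print("budget 10:", greedy_cover(budget=10.0))
    print("target 3.5:", greedy_cover(target=3.5))
```

Note that the greedy order is not the same as ranking defenses by raw coverage: audit analysis is picked second here because it is cheap, and redundancy is never picked within the budget although it covers three of the four attacks.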
Linguistic Analysis:
The third extension is to describe techniques that
can be used to analyze systems based on this model. In this extension,
we treat the set of all cause, mechanism, effect, defense, and viewpoint
sequences as the set of legal statements within a language. We then
take a user-specified sentence in the form of menu selections from the
set of possible causes, mechanisms, effects, defensive capabilities, and
viewpoints, and produce all valid sentences within the language that
meet those specifications. A simple example is the input phrase
(selected from menus):
"Any attacker uses content-based attacks to deny
services - Use widespread (off-the-shelf) prevention defenses to assure
availability."
Based on this question, the system responds with the
following set of applicable attack and defense sentences:
"Activists, club initiates, consultants,
crackers for hire, customers, cyber-gangs, economic rivals, foreign
agents and spies, global coalitions, government agencies, hackers,
information warriors, military organizations, nation states, private
investigators, professional thieves, reporters, tiger teams, and vendors
use content-based attacks to deny services.
- Audit analysis can be used for detection.
- Authorization limitation can be used for prevention or reaction.
- Filtering devices can be used for detection or prevention.
- Known-attack scanning can be used for detection or prevention or reaction.
- Redundancy can be used for detection or prevention or reaction.
- Searches and inspections can be used for detection or reaction."
The Extension of These Results to Networked Systems:
The fourth extension is to use these techniques to
analyze networked systems. In this analysis, we generate an attack
graph by identifying the vulnerabilities of each of a set of systems
within a network and characterizing the way in which those systems can
communicate. The attack graph is, in essence, the set of all possible
sequences of mechanisms that an attacker can use to achieve a particular
goal within a network. We analyze attack graphs and defense postures
(sets of defensive mechanisms that can be placed in the network) to (1)
increase the minimum cost of attack within a fixed budget for defense
and (2) minimize the cost of defense for a given attack budget. We then
do an analysis of this graph to find, for example, a minimum cost cut to
the attack graph where cuts are used to represent the effect of
protective mechanisms.
The attack graph method is flexible, allowing
analysis of attacks from both outside and inside the network. It can
analyze risks to a specific network asset, or examine the universe of
possible consequences following a successful attack. The analysis
system requires a database of common attacks broken into atomic steps,
specific network configuration and topology information, and an attacker
profile. The attack information is then "matched" with the
network configuration information and attacker profile to create a
"superset" attack graph. Nodes in this graph identify a stage
of attack (e.g., the class of machines the attacker has accessed and the
privilege levels compromised). Arcs in this graph represent the paths
through which mechanisms can be used to change the stage of attack. By
assigning costs representing level-of-effort for the attacker (or
alternatively probabilities of success) to the arcs, graph analysis
algorithms such as shortest-path algorithms can be used to identify the
attack paths with the lowest cost (or highest probability) of success.
Defense postures (i.e., sets of defensive mechanisms that can be placed
in the network) can also be analyzed for their impact on cost (or
probability) to increase the minimum cost (or maximum probability) of
attack within a fixed budget for defense or minimize the cost (or
probability) of successful defense for a given attack budget.
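The attack-graph analysis described above, as an added example that is not part of the original paper or its analysis system: a constructed graph whose nodes are stages of attack (machine class and privilege level) and whose arcs are mechanisms with level-of-effort costs, a shortest-path search for the attacker's cheapest path, and an exhaustive search over defense postures (which raise the cost of the arcs they cover) for the posture that maximizes that minimum cost within a fixed defense budget. All stages, mechanisms, costs and defenses are illustrative assumptions.

```python
# Added example: an attack graph over constructed stages of attack, with
# Dijkstra for the attacker's minimum-cost path and an exhaustive search
# for the defense posture that maximizes that cost within a budget.
# All nodes, arcs, mechanisms, costs and defenses are illustrative assumptions.
import heapq
from itertools import combinations

# Arcs: (from stage, to stage, mechanism, attacker level-of-effort).
# A stage is "machine class:privilege level" as in the paper's description.
ARCS = [
    ("outside", "dmz:user", "ftp exploit", 3),
    ("outside", "dmz:user", "password guessing", 6),
    ("dmz:user", "dmz:root", "local privilege escalation", 4),
    ("dmz:root", "internal:user", "trust exploitation", 2),
    ("dmz:user", "internal:user", "replay attacks", 5),
    ("internal:user", "internal:root", "local privilege escalation", 4),
    ("internal:root", "goal", "backup theft", 1),
]

# Defenses: name -> (defense cost, {mechanism: added attacker effort}).
# Raising an arc's cost is how a protective mechanism acts on the graph.
DEFENSES = {
    "filtering devices":        (3, {"ftp exploit": 5}),
    "augmented authentication": (4, {"password guessing": 10, "replay attacks": 6}),
    "least privilege config":   (2, {"local privilege escalation": 3}),
    "audit analysis":           (2, {"trust exploitation": 2, "backup theft": 4}),
}


def min_attack_cost(posture, src="outside", dst="goal"):
    """Dijkstra on the attack graph with arc costs raised by the posture.

    Returns (minimum attacker cost, list of mechanisms along that path);
    cost is inf when no path remains (the posture cuts the graph).
    """
    extra = {}
    for d in posture:
        for mech, add in DEFENSES[d][1].items():
            extra[mech] = extra.get(mech, 0) + add
    adj = {}
    for u, v, mech, cost in ARCS:
        adj.setdefault(u, []).append((v, mech, cost + extra.get(mech, 0)))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > dist[u]:
            continue            # stale queue entry
        if u == dst:
            break
        for v, mech, w in adj.get(u, []):
            if c + w < dist.get(v, float("inf")):
                dist[v] = c + w
                prev[v] = (u, mech)
                heapq.heappush(heap, (c + w, v))
    if dst not in dist:
        return float("inf"), []
    path, node = [], dst
    while node != src:
        node, mech = prev[node]
        path.append(mech)
    return dist[dst], path[::-1]


def best_posture(budget):
    """Measure (1): the posture within budget that maximizes the attacker's
    minimum cost. Exhaustive over subsets, which the paper notes is practical
    for small instances. Returns (posture, (cost, path)); ties keep the first."""
    names = list(DEFENSES)
    best = ((), min_attack_cost(()))
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            if sum(DEFENSES[d][0] for d in combo) > budget:
                continue
            result = min_attack_cost(combo)
            if result[0] > best[1][0]:
                best = (combo, result)
    return best


if __name__ == "__main__":
    print("undefended:", min_attack_cost(()))
    print("best posture, budget 6:", best_posture(6))
```

Replacing the added-effort entries with removal of the arc turns the same search into the minimum-cost cut the paper mentions.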
Once the attack graph has been generated, we can also
apply analysis methods to determine high-risk attack paths. The graph
may also be used to run simulations of attacks and defense both in a
batch mode for optimizing a set of fixed defenses or in a real-time mode
for predicting the impacts of future attacks given a current situation.
This then forms the basis for simulation components of a proposed
capability for model-based situation anticipation and constraint for
flexible defenses as well as a potential method for use in indications
and warnings against information systems and networks.
The CID System:
An automated system (named CID) demonstrates these
analyses in useful application. CID is integrated with a set of
specially configured hardware, software, and rooms and the HEAT computer
network to provide a cyber-warfare experimentation, analysis, training,
and gaming environment called the Cyberwarfare Center. In order to
understand the role of CID in this environment, we will begin by
describing the environment and its uses.
HEAT is a computer network located at Sandia National
Laboratories in California. It was originally designed for experimentation
with heterogeneous MIMD parallel processing. HEAT consists of more than 60
networked computers (10 each of Suns, SGIs, IBMs, HPs, DECs, and a larger
number of PCs) running a wide range of operating systems and versions,
intended to provide a rich environment for testing computer and network
security systems and methods. To our knowledge, this is the largest
computer security testbed in service today, and it is used on a daily basis
to test attacks and defenses.
In order to manage attacks and defenses in HEAT at an
affordable cost, automation was needed. Coincidentally, an earlier version
of CID was, at that time, being rewritten to operate on a combination of an
Oracle database server and a Netscape web server. This left several
computers previously used for CID development available for use in
controlling HEAT. This control is complex enough, and watching what is
happening on more than 60 computers simultaneously requires so much display
space, that a 'situation room' was constructed for the purposes of
being able to carry out this effort. The capabilities of this room included
several projection displays, a small network of computers, and a set of
tables and chairs. Given the constraints of space and other facilities, the
room was designated for multiple uses, including instruction, strategic
gaming, and experimentation with HEAT. Thus the Cyberwarfare Center
emerged.
Because experiments on attack and defense against
live computer networks require many samples of attack and defense
systems, CID, which already had a substantial collection of tools and a
database capability, was called into service for coordinating the
experimental capabilities needed for work on HEAT, the demonstration
capabilities and course materials used in training, the scenarios used
for gaming, and the analysis used for experimenting with automated
flexible defenses. Today, CID is used for all of these purposes and
also forms the core of a repository for research and analysis in
information security at Sandia's California site.
CID Management of HEAT
In order to manage HEAT, CID provides a Web-based
interface that permits a menu selection of the actions to be performed
along with check boxes for the HEAT machines the operation is to be
performed on. For example, in order to launch automated attacks against
a set of HEAT machines, the user might select "FTP attacks"
against the checked machines. Those attacks would then be run with
results reported to the browser. The table below depicts this interface
with bold italics used in place of check boxes.
Use only FTP Attacks on:

  SGI-1  | IBM-1  | HP-1  | DEC-1  | SUN-1
  SGI-2  | IBM-2  | HP-2  | DEC-2  | SUN-2
  SGI-3  | IBM-3  | HP-3  | DEC-3  | SUN-3
  SGI-4  | IBM-4  | HP-4  | DEC-4  | SUN-4
  SGI-5  | IBM-5  | HP-5  | DEC-5  | SUN-5
  SGI-6  | IBM-6  | HP-6  | DEC-6  | SUN-6
  SGI-7  | IBM-7  | HP-7  | DEC-7  | SUN-7
  SGI-8  | IBM-8  | HP-8  | DEC-8  | SUN-8
  SGI-9  | IBM-9  | HP-9  | DEC-9  | SUN-9
  SGI-10 | IBM-10 | HP-10 | DEC-10 | SUN-10
Similar interfaces either exist or are being
completed to allow control of processes, control of defenses in the form
of wrapper programs, audit extraction and analysis, and attacks that
simulate modeled threat profiles. In addition to this manual sort of
management, tools are being contemplated for automating the placement
and control of defenses based on a technique called model-based
situation anticipation and constraint.
This management interface can run on multiple
machines simultaneously, thus allowing an attacker and a defender to
participate in a simulated cyber-battle with the attacker granted only
attack capabilities and the defender granted only defensive capabilities
based on access controls available in CID. For demonstrations, the
attack and defense can run on different displays in the cyberwarfare
center's training and control facility with the center screen reserved
for projecting briefing material related to the demonstrated attacks and
defenses. Through the use of collaborative tools, attackers and
defenders in separate gaming suites can be observed from the control
facility with each on a different screen. Game control functions,
including sending briefings, status reports, orders, and other
information to the participants, are handled via the central display;
observers or referees can watch the process from the central site, and
trainees can watch the battle either as it happens or in replay. This
permits attackers and defenders to review their actions in much the same
way as other sorts of exercises provide feedback.
Future experiments are anticipated using automated
and human defenses against automated and human attackers both for
training humans and for testing automated technologies.
Other Features of CID
In addition to the elements
described above, CID provides several important features. In each of
the examples above, as well as throughout CID, details of all
technical terms are available by clicking on the term. This
drill-down capability includes citations to relevant literature which
may also have embedded citations. We are in the process of scanning in
all of the references related to material in CID for instantaneous
access, thus allowing rapid literature search and analysis. CID also
has a search engine to allow general searches of content and drill-down
material for the purpose of finding examples and other related
information. Under attacks and defenses, drill-down capabilities lead
to specific examples of techniques, in some cases including source code
for attacks and defenses that can be applied directly against HEAT or
elsewhere. Detailed drill-down is also provided to allow intel-based
detailing of threats and linkage of case examples to all elements of the
database. In coming implementations, additional capabilities will be
provided for linking alternative classification schemes into CID and
allowing the same analysis of those schemes as is provided for CID's
internal schemes. In such an online collection, access controls are
also required to allow need-to-know access to specific details. CID
currently has limited access control on all records and is being
augmented to allow fine-grained access control to all database elements
including access controlled search and analysis. This permits a user
with limited access to do all of the analytical functions based only on
the knowledge available, while users with more complete access may find
better solutions.
Summary, Conclusions, and Future Work
The use of a cause-effect model for analyzing attacks
and defenses in computer networks appears to have a bright future.
Initial results seem to indicate that computational complexity can be
effectively traded off against model resolution and that this allows
analysis of complex networks for interesting security properties to be
done. The creation of tools in combination with experimental testbeds
has allowed much of this work to be validated through experiments, but
clearly this work is still in its infancy. Future work is currently
being proposed to move forward from the initial results shown here
toward the design and implementation of increasingly automated and
integrated tools for analyzing and managing larger networks more
effectively.
Properties of the Classification Scheme
Property1: non-orthogonality - The
classes described by this classification scheme are not orthogonal. For
example, a virus may also be a Trojan horse, may contain a time bomb, and
may exploit a privileged program to do damage.
Complexity: This property makes analyzing the space as a whole quite
difficult.
Property2: synergistic -
The classes described herein have synergisms so that standard
statistical techniques may not be effective in analyzing them. For example,
if two attacks are each 90% effective, in combination they become 99% effective,
while two defenses that are each 90% effective do not become 99% effective when
combined and may even hinder each others' performance.
Complexity: Synergistic effects are not yet understood fully in this
context, however, this makes analysis of attack and defense quite complex
and may make optimization impossible until synergies are better understood.
Property3: non-specificity -
The classes described are, for the most part, non-specific to
an architecture or situation. Actual attacks and defenses, however, are
quite specific, and the devil - as they say - is in the details.
Complexity: In some classes (for example viruses) there are more than 10,000
distinct examples known to exist. The broadness of these classes makes them
each a substantial area of research.
Property4: descriptive only -
The classes
described here are described descriptively and - with a few notable
exceptions - have not been thoroughly analyzed or even defined in a
mathematical sense.
Complexity: Except in those few cases where mathematics
has been developed, it is hard to even characterize the issues underlying
these classes, much less attempt to provide comprehensive understandings.
Property5: limited applicability -
Each class described here may or may not be applicable in or to
any particular situation. While threat profiles and historical information
may lead us to believe that certain items are more or less important or
interesting, there is no scientific basis today for believing that any of
these classes should or should not be considered in any given circumstance.
This sort of judgement is made today entirely as a judgement
call by decision makers.
Complexity: Despite this general property, in most
cases, analysis is possible and produces reasonably reliable results over a
reasonably short time frame.
Property6: incompleteness -
The classes given here are almost certainly incomplete in
covering the possible or even realized attacks and defenses. This is
entirely due to the author's and/or reviewers' lack of comprehensive
understanding at this time.
Complexity: We can only form a complete system
by completely characterizing these issues in a mathematical form - something
nobody has even approached doing to date.
Actors that may Cause Information System Failure (Threats)
Threat1:
insiders -
Employees, board members, and other internal team members who
have legitimate access to information and/or information technology.
Complexity: Insiders typically have special knowledge of internal controls
that are unavailable to outsiders, and they have some amount of access. In
some cases, they perform only authorized actions - as far as the information
systems have been told. They are typically trusted, and those in control often
trust them to the point where placing internal controls against their attacks
is considered offensive.
Threat2:
private investigators -
Private individuals or corporate entities that investigate on a
for-fee basis.
Complexity: Investigators are willing to do a substantial amount of targeted
work toward accomplishing their goals, in some cases they may be willing to
violate the law, they often have contacts in government and elsewhere that
provide information not commonly available, and they commonly use bribes of
one form or another to advance their ends.
Threat3:
reporters -
People who work for newspapers, news magazines, television,
radio, or other media elements.
Complexity: Reporters often gain access that others do not have, often use
misleading cover stories or false pretenses, commonly try to become friendly
with insiders in order to get information, and have extraordinary power to
publicly punish what they perceive to be or can construe as misdeeds.
Threat4:
consultants -
People who work under their own control to provide contract
services to others.
Complexity: Consultants often have insider access but are not controlled as
insiders are. Technical consultants who use client information technology
present a technical threat, while management consultants, who often have
access to more of the most sensitive information in a company, present a
human threat.
Threat5:
vendors -
People who sell things to you.
Complexity: Vendors are often in competition with each other over sales and
with you over pricing and terms. They tend to be in long-term relationships
and often work closely with your people. Their economic motives are often
not aligned with yours and in some cases, they take advantage of information
in order to gain economic advantage in negotiations.
Threat6:
customers -
People who buy things from you.
Complexity: Customers are often in competition with you over pricing and
terms. Their economic motives are often not aligned with yours and in some
cases, they take advantage of information in order to gain economic advantage
in negotiations. In some cases, customers have worked their way into
companies, extracted information, and taken over their suppliers' businesses
by taking advantage of the knowledge gained through their interactions.
Threat8:
competitors -
Other individuals or companies in the same or similar businesses
and who stand to gain from your loss or who can gain economic advantage by
taking advantage of you.
Complexity: Competitors are commonly perceived as an economic threat, but in
large businesses, they are often collaborators on some projects and
competitors on others. As a result, information technology is often used to
provide access for some purposes. It can be quite tempting to exploit this
access and these relationships in competitive areas.
Threat9:
whistle blowers -
People who believe that crimes are being committed and that they
have a duty to report them to the proper authorities.
Complexity: Whistle blowers are often sincere in their beliefs, have insider
access, and sometimes have legitimate cases.
Threat10:
hackers -
People who enjoy using computers and exploring the information
infrastructure and systems connected to it.
Complexity: While not generally malicious, these people tend to gather and
exploit tools that open holes to other attackers. They also sometimes make
mistakes or become afraid and feel they have to cover their tracks, thus
causing incidental harm.
Threat11:
crackers -
People who maliciously break into information systems and
intentionally cause harm in doing so.
Complexity: These people have tools similar to those of hackers, but they
use these tools for malicious purposes and can sometimes cause a great deal
of harm. They are often bold, and often exploit indirect links to make it
hard to trace them back to their source.
Threat12:
club initiates -
People who break into information systems as part of a ceremony
to become members of clubs.
Complexity: Club initiates commonly use copy-cat attacks with minor
modifications. A typical example is writing minor variants of viruses
that bypass a known virus detector.
Threat13:
cyber-gangs -
Groups who roam the information infrastructure breaking into systems
and doing harm for fun and profit.
Complexity: These groups are generally willing to exploit commonly known
attacks as well as an occasional novel attack. Perception management and
dumpster diving are some of their favorite tools. They are often emboldened by
group dynamics.
Threat14:
tiger teams -
People hired to demonstrate vulnerabilities in systems by
exploiting those vulnerabilities.
Complexity: These people are usually honest, but sometimes they are not. In
addition, they often fail to properly repair the systems they try to break
into, thus leaving residual vulnerabilities. Their skills vary widely, from
rank amateurs using off-the-shelf software to true experts with a high
degree of sophistication. It is often hard to tell which is which unless you
are an expert.
Threat15:
maintenance people -
People who typically have access to physical locations in order
to do routine maintenance tasks.
Complexity: Maintenance people commonly introduce viruses by accident. They
often have far more physical access than even highly trusted employees, they
are often allowed in sensitive areas alone and at off-hours, they are usually
poorly paid and assumed to have little knowledge, and they are often trusted
with items of high value.
Threat16:
professional thieves -
People who make their living from stealing things.
Complexity: Professional thieves typically use the best tools they can find,
practice ahead of time for major thefts, and use highly coordinated efforts
to achieve their goals. They have historically tended toward physical means,
but this may be changing.
Threat17:
hoodlums -
People who hurt other people in order to get what they want.
Complexity: They often extract information in a brutish way, exploiting
human frailty and family relationships rather than technical means.
Threat18:
vandals -
People who damage things for the fun of it.
Complexity: Vandals typically use the path of least resistance, fear being
caught, and rapidly flee the scene of the crime.
Threat19:
activists -
People who believe in a cause to the point where they take
action in order to forward their ends.
Complexity: These people can be extremely zealous - even when they are
misdirected. They often consider one viewpoint to the exclusion of all
others, try to maximize harm to their victim without regard to competitive
issues or personal gains, and typically use physical means - sometimes with
the additional element of publicity as part of their motive.
Threat20:
crackers for hire -
Crackers who get paid to break into systems and do harm.
Complexity: These people combine technical skills, tools, and money, and
can be quite successful, hard to trace, and difficult to defend against.
Threat21:
deranged people -
People who are not as in control over their mental faculties as
most other people.
Complexity: The sky is the limit with a person who doesn't act rationally.
The danger is heightened when combined with other threat elements.
Threat22:
organized crime -
Organized groups of professional criminals.
Complexity: These people tend to have money (but usually don't want to spend
it on information system attacks), use physical threats to get what they
want, and exploit human weaknesses.
Threat23:
drug cartels -
Groups that combine forces in order to manufacture and sell
drugs.
Complexity: These groups typically have a lot of money and are willing to
spend it in order to get what they want. They typically want to launder
money, eliminate competition, retain control over their dealer networks, and
keep law enforcement away. They use violence and physical coercion easily.
Threat24:
terrorists -
People who attempt to induce terror in others in order to forward
their cause.
Complexity: These people typically blow things up and target things that
have maximum publicity and effect on everyday peoples' perceptions of
safety.
Threat25:
industrial espionage experts -
People who specialize in harming companies to the benefit of
other companies.
Complexity: These people tend to be highly skilled, well paid, and stealthy.
They tend to use subtle techniques rather than brute force.
Threat26:
foreign agents and spies -
People who professionally gather information and commit
sabotage for governments.
Complexity: These people are highly trained, highly funded, backed by
substantial scientific capabilities, directed toward specific goals, and
skillful at avoiding detection. They can be very dangerous to life and
property.
Threat27:
police -
People tasked with enforcing laws.
Complexity: These people often have powers of search and seizure, are
usually poorly paid, wield guns, have powers of arrest, and in much of the
world are easily corrupted. They tend to use physical means.
Threat28:
government agencies -
Groups that work as parts of government.
Complexity: These groups are highly funded and often made up largely of
professionals; they commonly have indirect powers of search and seizure,
sometimes wield guns, have indirect powers of arrest, and in much of the
world are easily corrupted. They often use highly sophisticated means.
Threat29:
infrastructure warriors -
People who specialize in destroying enemy infrastructure.
Complexity: These groups typically have access to accurate weapons and high
explosives, they are oriented toward causing serious physical harm, often
have the goal of causing permanent harm, do not hesitate to kill people, and
act at the behest of governments, and with their full and open support.
Threat30:
economic rivals -
Companies, groups, and governments that compete on a large
scale with your companies, groups, and governments.
Complexity: While economic rivals are usually merely competitive, sometimes
they become rather extreme in their desire for technical information and
attack in order to gain technical expertise. They tend to be well funded,
have a lot of expertise, and typically operate from locations which provide
legal cover for their actions.
Threat31:
nation states -
National governments - countries.
Complexity: When countries decide to attack other countries in the
information arena, they often use stealth to try to provide for plausible
deniability; however, this is not always the case, and they often fail to
achieve true anonymity. Responses may lead to escalation - and in some
cases - escalation can lead to full-scale war.
Threat32:
global coalitions -
Global groups that work together toward common goals.
Complexity: Global coalitions - of corporations, groups, countries, cartels,
and other bodies - combine their forces to increase their impact and make
it harder to fight them off.
Threat33:
military organizations -
Government-sponsored armed and organized groups.
Complexity: Militaries tend to blow things up, however, in the more advanced
military organizations, information is exploited to maximize their advantage
and neutralize opponent capabilities. Physical destruction is often avoided
in order to preserve infrastructure used after the conflict has ended. They
tend to have and use exotic as well as every-day capabilities.
Threat34:
paramilitary groups -
Privately-sponsored armed and organized groups.
Complexity: Paramilitary groups, militias, and similar organizations tend to
be poorly funded and oriented toward physical destruction.
Threat35:
information warriors -
People who specialize in attacking information systems as
part of government-sponsored military operations.
Complexity: Information warriors may use any or all of the known techniques
as well as techniques developed especially for their use and kept secret in
order to attain military advantage. They tend not to kill people
unnecessarily.
Threat36:
extortionists -
People who extort money or goods by threatening harm if not
paid off.
Complexity: Extortion is commonly used to get money in exchange for not
causing harm. It is closely related to kidnapping.
Threat37:
nature -
Things fall apart. Stuff happens. Nature calls. People die.
Complexity: Most natural phenomena can be characterized by statistics and
dealt with using probabilistic techniques.
Mechanisms by Which Information Systems are Caused to Fail (Attacks)
Attack1:
errors and omissions -
Erroneous entries or missed entries by designers, implementers,
maintainers, administrators, and/or users create vulnerabilities exploited
by attackers. Examples include forgetting to eliminate default accounts and
passwords when installing a system, incorrectly setting protections on
network services, and a wide range of other minor mistakes that can lead to
disaster.
Complexity: There appears to be an unlimited (finite but unbounded) number
of possible errors and omissions in general purpose systems. Special-purpose
systems may be more constrained.
Attack2:
power failure -
Failure of electrical power causes computer and peripheral
failures leading to loss of availability, sometimes requiring emergency
response, and otherwise disrupting normal operations.
[Winkelman95] [Agudo96] [NSTAC96] [Dagle96]
Complexity: Power failure is not usually a complex issue to address, although
the underlying causes may be.
Attack3:
cable cuts -
A cable is cut, resulting in disrupted communications, usually requiring
emergency response, and otherwise disrupting normal operations.
Complexity: The general issue of cable cutting is quite complex and appears
to involve solving many large min-cut problems.
Attack4:
fire -
A fire occurs, causing physical damage and permanent as well as temporary
faults, requiring emergency response, and otherwise disrupting normal
operations.
Complexity: The fire issue is not normally a very complex one.
Attack5:
flood -
A flood occurs, causing physical damage and permanent as well as temporary
faults, requiring emergency response, and otherwise disrupting normal
operations.
Complexity: Although floods are generally considered relatively simple
issues to address, there are occasionally somewhat more complex flooding
issues than are anticipated.
Attack6:
earth movement -
The Earth moves, causing physical damage and permanent as well as temporary
faults, requiring emergency response, and otherwise disrupting normal
operations.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze Earth movement.
Attack7:
solar flares -
Changes on the surface of the sun cause excessive amounts of
radiation to be delivered, typically resulting in noise bursts on radio
communications, disrupted communications, and other changed physical
conditions.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze solar flares.
Attack8:
volcanos -
A volcano erupts, causing physical damage and permanent as well as temporary
faults, requiring emergency response, and otherwise disrupting normal
operations.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze volcanos.
Attack9:
severe weather -
Severe weather conditions (e.g., hurricane, tornado, winter
storm) occur causing physical damage and permanent as well as temporary
faults, requiring emergency response, and otherwise disrupting normal
operations.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze severe weather.
Attack10:
static -
Static electricity builds up on surfaces and causes transient
or permanent failures in components.
Complexity: The static issue is not normally a very complex one.
Attack11:
environmental control loss -
Environmental controls required to maintain proper operating conditions for
equipment fail, causing disruption of services. Example causes include air
conditioning failures, heating failures, temperature cycling, smoke, dust,
vibration, corrosion, gases, fumes, and chemicals.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze environmental control losses in most cases.
Attack12:
relocation -
Relocation of equipment causes physical harm to equipment and
different exposures of equipment to physical and environmental
vulnerabilities.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze relocation.
Attack13:
system maintenance -
System maintenance causes a period of time when systems operate
differently than normal and may result in temporary or permanent
inappropriate or unsafe configurations. Maintenance can also be exploited by
attackers to create forgeries of sites being maintained, to exploit temporary
openings in systems created by the maintenance process, or for other similar
purposes. Maintenance can also accidentally introduce viruses, leave
improper settings, or cause other similar accidental events.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze system maintenance.
Attack14:
testing -
Testing stresses systems, inducing a period of time when systems operate
differently than normal and may result in temporary or permanent
inappropriate or unsafe configurations.
Complexity: Testing issues are quite complex, and some well-known testing
problems are exponential in time and space. Much of the current analysis of
protection testing is based on naive assumptions.
Attack15:
inadequate maintenance -
Inadequate maintenance results in uncovered failures over
extended periods of time, possibly inducing a period of time when systems
operate differently than normal and may result in temporary or permanent
inappropriate or unsafe configurations.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze maintenance adequacy.
Attack16:
Trojan horses -
Unintended components or operations are placed in hardware,
firmware, software, or wetware causing unintended and/or inappropriate
behavior. Examples include time bombs, use or condition bombs, flawed
integrated circuits, additional components on boards, additional
instructions in memory, operating system modifications, name
overloaded programs placed in an execution path, added or modified circuitry,
mechanical components, false connectors, false panels, radios placed in
network connectors, displays, wires, or other similar components.
Complexity: Detecting Trojan horses is almost certainly an undecidable
problem (although apparently nobody has proven this, it seems clear), but
too little mathematical analysis has been done on this subject to provide
further clarification.
Attack17:
dumpster diving -
Waste product is examined to find information that might be
helpful to the attacker.
Complexity: Statistical techniques and historical data appear to be quite
sufficient to analyze dumpster diving.
Attack18:
fictitious people -
Impersonations or false identities are used to bypass controls,
manage perception, or create conditions amenable to attack. Examples
include spies, impersonators, network personae, fictional callers, and many
other false and misleading identity-based methods.
Complexity: This appears to be a very complex social, political, and
analytical issue that is nowhere near being solved.
Attack19:
protection missetting exploitation -
Mis-set protections on files, directories, systems, or
components are exploited to examine, modify, delete, or otherwise disrupt
normal operation.
Complexity: Setting protections properly is not a trivial matter, but there
are linear time algorithms for automating settings once there is a decision
procedure in place to determine what values to set protection to. No
substantial mathematical analysis has been published in this area and no
results have been published for the complexity of building a decision
procedure; however, it is known that, under some conditions, it is impossible
to have settings that both provide all appropriate access and deny all
inappropriate access. [Cohen91] It is known to be undecidable for a general
purpose subject/object system whether a given subject will eventually gain
any particular right over any particular object. [Harrison76]
Attack20:
resource availability manipulation -
Resources are manipulated so as to make functions requiring those resources
operate differently than normal. Examples include e-mail overflow used to
disrupt system operation, [Cohen93] file handle consumption used to prevent
audits from operating, [Cohen91] and overloading unobservable network paths
to force communications to use observable paths.
Complexity: Most of the issues with resource availability result from the
high cost of making worst-case resources available. As a result, a tradeoff
is made in the design of systems that assures that under some (hopefully
unlikely) conditions resources will be exhausted while providing a suitably
high likelihood of availability under almost all realistic situations. The
general complexity involved with most resource allocation problems in which
limited resources are available is at least NP-complete.
Attack21:
perception management a.k.a. human engineering -
Causing people to believe things that
forward the goal. Examples include tricking a person into giving you their
password or changing their password to a particular value for a period of
time, talking your way into a facility, and causing people to believe in
religious doctrine in order to get them to behave as desired.
Complexity: This has been a security issue since the beginning of time and
appears to be a very complex human, social, political, and legal issue. No
substantial progress has been made to date in resolving this issue.
Attack22:
spoofing and masquerading -
Creating false or misleading information in order to fool a
person or system into granting access or information not normally
available. Examples include operator spoofing to trick the operator into
making an error or giving away a password, location spoofing to trick a
person or system into believing a false location, login spoofing which
creates a fictitious login screen to get users to provide identification and
authentication information, email spoofing which forges email to generate
desired results, and time spoofing which creates false impressions of
relative or absolute time in order to gain advantage.
Complexity: Although no deep mathematical analysis of this area has been
published to date, it appears that this issue does not involve any difficult
mathematical limitations. Limited results in providing secure channels have
indicated that such a process is not complex but that it may depend on
cryptographic techniques in some cases, which lead to substantial
mathematical issues.
Attack23:
infrastructure interference -
Interfering with infrastructure so as to disrupt services
and/or redirect activities. Examples include creating an accident on a
particular road at a particular place and time in order to cause a shipment
to be rerouted through a checkpoint where components are changed, taking
down electrical power in order to deny information services, modifying a
domain name server on the Internet in order to alter the path through which
information flows from point to point, and cutting a phone line in order to
sever communications.
Complexity: Although no mathematical analysis has been published on this
issue to date, it appears that analyzing infrastructure interference is
quite complex and involves analysis of all of the infrastructure
dependencies if the attack is to be directed and controlled. Similarly, the
detection and countering of such an attack appears to be quite complex. It
would appear that this is at least as complex as solving multiple large
min-cut problems. Some initial analysis of U.S. information infrastructure
dependencies has been done and has led to a report of about 1,000 pages
which only begins to touch the surface of the issue. [SAIC-IW95]
Attack24:
infrastructure observation -
Examining the infrastructure in order to gain information.
Examples include watching air ticketing information in order to see when
particular people go to particular places and using this as an intelligence
indicator, tapping a PBX system in order to record key telephone
conversations, and watching for passwords on the Internet in order to gain
identification and authentication information to multiple computers.
Complexity: Except in cases where cryptography, spread spectrum, or other
similar technology is used to defend against such an attack, it appears that
infrastructure observation is simple to accomplish and expensive to detect.
No mathematical analysis has been published to date.
Attack25:
insertion in transit -
Insertion of information in transit so as to forge desired
communications. Examples include adding transactions to a transaction
sequence, insertion of routing information packets so as to reroute
information flow, and insertion of shipping address information to replace
an otherwise defaulted value.
Complexity: Although there appears to be a widespread belief that insertion
in transit is very difficult, in most cases it is technically
straightforward. Complexity only arises when defensive measures are put in
place to detect or prevent this sort of attack.
Attack26:
observation in transit -
Examination of information in transit. Examples include
telephone tapping, network tapping, and I/O buffer watching.
Complexity: Except in cases where cryptography, spread spectrum, or other
similar technology is used to defend against such an attack, it appears that
observation in transit over physically insecure communications media is
simple to accomplish and expensive to detect. In cases where the media is
secured (e.g., interprocess communication within a single processor under a
secure operating system) some method of getting around any system-level
protection is also required.
Attack27:
modification in transit -
Modification of information in transit so as to modify
communications as desired. Examples include removing end-of-session requests
and providing suitable replies, then taking over the unterminated
communications link, modification of an amount in an electronic funds
transfer request, and rewriting Web pages so as to reroute subsequent
traffic through the attacker's site.
Complexity: Modification in transit is roughly equivalent in complexity to
the combination of observation in transit and insertion in transit; however,
because of the real-time requirements for some sorts of modification in
transit, the difficulty of successful attack may be significantly increased.
Attack28:
sympathetic vibration -
Creating or exploiting positive feedback loops or underdamped
oscillatory behaviors so as to overload a system. Examples include electrical
or acoustic wave enhancement, the creation of packets in the Internet which
form infinite communications loops, and protocol errors causing cascade
failures in telephone systems.
Complexity: In some underdamped systems, sympathetic vibration is easily
induced. It sometimes even happens accidentally. In over-damped systems,
sympathetic vibration requires additional energy. In logical systems - such
as protocol driven networks - the complexity of finding an oscillatory
behavior is often very low. A simple search of the Internet protocols leads
to several such cases. More generally, finding such cases may involve N-fold
combinations of protocol elements, which is exponential in time and linear
in space. Proving that protocols are free of such behaviors is known to be at
least NP-complete. [Bochmann77] [Danthine82] [Hailpern83] [Merlin79]
[Palmer86] [Sabnani85] [Sarikaya82] [Sunshine79]
Attack29:
cascade failures -
Design flaws in tightly coupled systems that cause error
recovery procedures to induce further errors under select conditions.
Examples include the electrical cascade failures in the U.S. power grid,
[WSCC96] telephone system cascade failures causing widespread long distance
service outages, [Pekarske90] and inter-system cascades such as power
failures bringing down telephone switches required to bring back up power
stations.
Complexity: Only cursory examination of select cascade failures has been
completed, but initial indications are that the complexity of creating a
cascade failure varies with the situation. In systems operating at or near
capacity, cascade failures are easily induced and must be actively prevented
or they occur accidentally. [WSCC96] As systems move further away from being
tightly coupled and near capacity, cascade failures become far more
difficult to accomplish. No general mathematical results have been published
to date, but it appears that analyzing cascade failures is at least as
complex as fully analyzing the networks in which the cascades are to be
created, and this is known for many different sorts of networks.
Attack30:
bribes and extortion -
Promises or threats that cause trusted parties to violate their
trust. Examples include bribing a guard to gain entry into a building,
kidnapping a key employee's family members to gain access to a computer
system, and using sexually explicit photographs to convince a trusted
employee to provide insider information.
Complexity: This issue is as complex as the general problem of insider
attacks. It appears to be uncharacterizable mathematically, but may be
modeled by statistical techniques.
Attack31:
get a job -
An attacker gets a job in order to gain insider access to a facility. Examples
include getting a maintenance job by under-bidding opponents and then
stealing and selling inside information to make up for the cost difference,
the planting of spies in intelligence agencies of competitors, and other
similar sorts of moles.
Complexity: This issue is as complex as the general problem of insider
attacks. It appears to be uncharacterizable mathematically, but may be
modeled by statistical techniques.
Attack32:
password guessing -
Sequences of passwords are tried against a system or password
repository in order to find a valid authentication. Examples include
running the program "crack" on a stolen password file, guessing passwords on
network routers and PBX switches, and using well-known maintenance passwords
to try to gain entry.
Complexity: Password guessing has been analyzed in painstaking detail by
many researchers. In general, the problem is as hard as guessing a string
from a language chosen by an imperfect random number generator. [Cohen85]
The complexity of attack depends on the statistical properties of the
generator. For most human languages there are about 1.2 bits of information
per symbol, [Shannon49] so for an 8-symbol password we would expect about
9.8 bits of information and thus an average of about 500 guesses before
success. Similarly, at 2 attempts per user name (many systems use thresholds
of 3 bad guesses before reporting an anomaly) we would expect entry once
every 250 users. For 8-symbol passwords chosen uniformly and at random from
an alphabet of 100 symbols, 5 quadrillion guesses would be required on
average.
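The estimate above put into code, as an added worked example that is not part of the paper: with the paper's 1.2 bits per symbol, 8 symbols give 9.6 bits and roughly 390 guesses on average (the same order as the paper's rounded "about 9.8 bits" and "about 500"), the 2-of-3 lockout reasoning gives the users-per-entry figure, and the uniform 100-symbol case gives exactly 5 quadrillion. The last function goes beyond the text by inverting the estimate into the question a defender setting password policy asks: how long a human-chosen passphrase must be to match the work factor of a random 8-symbol password. The 1.2 bits/symbol and the threshold of 3 come from the paper; the function names and the average-case model (half the space searched) are my own.

```python
"""Password-guessing work factor under the two models used in the paper's
Attack32 discussion: human-chosen text at about 1.2 bits per symbol, and
passwords drawn uniformly at random from an alphabet of a given size."""
import math

HUMAN_BITS_PER_SYMBOL = 1.2   # information per symbol of human language, per the paper
REPORT_THRESHOLD = 3          # bad guesses before many systems report an anomaly


def human_password_bits(length, bits_per_symbol=HUMAN_BITS_PER_SYMBOL):
    """Information content, in bits, of a human-chosen password of `length` symbols."""
    return length * bits_per_symbol


def uniform_password_bits(length, alphabet_size):
    """Information content of a password chosen uniformly at random from
    `alphabet_size` symbols: each symbol contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """Average number of guesses before success when the guesser works through
    the 2**bits candidates in order: on average, half the space is searched."""
    return 2 ** bits / 2


def stealth_attempts(report_threshold=REPORT_THRESHOLD):
    """Guesses per account that stay below a reporting/lockout threshold."""
    return report_threshold - 1


def expected_users_per_entry(bits, attempts_per_user):
    """Accounts an attacker must try, at `attempts_per_user` guesses each, before
    one falls. Follows the paper's simple average-case reasoning: average
    guesses to success divided by the guesses spent on each account."""
    return expected_guesses(bits) / attempts_per_user


def required_human_length(target_avg_guesses, bits_per_symbol=HUMAN_BITS_PER_SYMBOL):
    """Shortest human-chosen password (in symbols) whose average guessing cost
    reaches `target_avg_guesses`. A defender uses this to turn a desired work
    factor into a minimum passphrase length."""
    needed_bits = math.log2(2 * target_avg_guesses)   # inverts expected_guesses
    return math.ceil(needed_bits / bits_per_symbol)


if __name__ == "__main__":
    human = human_password_bits(8)
    print(f"8-symbol human password: {human:.1f} bits, "
          f"~{expected_guesses(human):.0f} guesses on average")
    per_user = stealth_attempts()
    print(f"at {per_user} guesses per account, one account falls per "
          f"~{expected_users_per_entry(human, per_user):.0f} users")
    uniform = uniform_password_bits(8, 100)
    print(f"8 symbols uniform over 100: {uniform:.1f} bits, "
          f"~{expected_guesses(uniform):.3g} guesses on average")
    print("human-chosen length matching that work factor: "
          f"{required_human_length(expected_guesses(uniform))} symbols")
```

Run as a script it prints the four figures; the gap between 9 symbols of English (the paper's ~500-guess case) and the 45 symbols needed to match a random 8-symbol, 100-symbol-alphabet password is the point a policy writer should take away.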
Attack33:
invalid values on calls -
Invalid values are used to cause unanticipated behavior.
Examples include system calls with pointer values leading to unauthorized
memory areas and requests for data from databases using system escape
characters to cause interprocess communications to operate improperly.
Complexity: In most cases, only a few hundred well-considered attempts are
required to find a successful attack of this sort against a program. No
mathematical theory exists for analyzing this in more detail, but a
reasonable suspicion would be that several hundred common failings make up
the vast majority of this class of attacks and that those sorts of flaws
could be systematically attempted. There is some speculation that software
testing techniques [Lyu95] could be used to discover such flaws, but no
definitive results have been published to date.
Attack34:
undocumented or unknown function exploitation -
Undocumented system calls commonly inserted by vendors to enable special
functions resulting in economic or other market advantages, and program
sequences accessible in unusual ways as a result of improperly terminated
conditionals.
Complexity: Back-doors and other intentional functions are
normally either known or not known. If they are known, the attack takes
little or no effort. Finding back-doors is probably, in general, as hard as
demonstrating program correctness or similar problems that are at least
NP-complete and may be nearly exponential depending on what has to be shown.
There is some speculation that decision and data flow analysis might lead to
the detection of such functions, but no definitive results have been
published to date.
Attack35:
inadequate notice exploitation -
Lack of adequate notice is used as an excuse to
do things that notice would normally have prohibited or warned against.
Examples include unprosecutable entry via normally unused services, password
guessing through an interface not providing notice, and Web server attacks
which bypass any notice provided on the home page.
Complexity: Notice is trivially demonstrated to be given or not given
depending on the method of entry. The most effective overall protection from
this sort of exploit would be the change of laws regarding certain classes
of attacks.
Attack36:
excess privilege exploitation -
A program, device, or person is granted
privileges not strictly required in order to perform their function and the
excess privilege is exploited to gain further privilege or otherwise attack
the system. Examples include Unix-based SetUID programs granted root access
exploited to grant attackers unlimited access, access to unauthorized
need-to-know information by a systems administrator granted too-flexible
maintenance access to a network control switch, and user-programmable DMA
devices reprogrammed to access normally unauthorized portions of memory.
Complexity: Determining whether a privileged program grants excessive
capabilities to an attacker appears, in general, to be as hard as proving
program correctness, which is at least NP-complete and may be nearly
exponential depending on what has to be shown. Determining what privileges
a program should be granted and has been granted may be somewhat easier
but no substantial analysis of this problem has been published to date.
Attack37:
environment corruption -
The computing environment upon which programs or people depend
for proper operation is corrupted so as to cause those other programs to
operate incorrectly. Examples include manipulating the Unix FS environment
variable so as to cause command interpretation to operate unusually,
altering the PATH (or similar) variable in multi-user systems to cause
unintended programs to be used, and manipulation of a paper form so as to
change its function without alerting the person filling it out. In the
physical domain, this includes the introduction of gasses, dust, or other
particles, chemicals, or elements into the physical environment. In the
electromagnetic realm, it includes waveforms. In the human sense, sound,
smell, feel, and other sensory input corruption is included.
Complexity: In most computing environments, there are only a relatively
small number of ways that environment variables get set or used. This
limits the search for such vulnerabilities substantially; however, the ways
in which environmental variables might be used by programs in general are
unlimited. Thus the theoretical complexity of identifying all such problems
would likely be at least NP-complete. This would seem to give computational
leverage to the attacker.
Attack38:
device access exploitation -
Access to a device is exploited to alter its function or cause
its function to be used in unanticipated ways. Examples include removing
shielding from a wire so as to cause more easily received electromagnetic
emanations, reprogramming a bus device to deny services at a hardware level,
and altering microcode so as to associate attacker-defined hardware functions
with otherwise unused operation codes.
Complexity: Since hardware devices
are, in general, at least as complex as software devices, the complexity of
detecting such a flaw would appear to be at least NP-complete. Injecting
such a flaw, on the other hand, appears to be quite simple - given physical
access to a device.
Attack39:
modeling mismatches -
Mismatches between models and the realities they are intended
to model cause the models to break down in ways exploitable by attackers.
Examples include use of the Bell-LaPadula model of security
[Bell73] as
a basis for designing secure operating systems - thus leaving disruption
uncovered, modeling attacks and defenses as if they were statistically
independent phenomena for risk analysis - thus ignoring synergistic effects,
and modeling misconfigurations as mis-set protection bits - when the content
of configuration files remains uncovered.
Complexity: There is some theory
about the adequacy of modeling; however, there is no general theory that
addresses the protection-related issues of modeling flaws. This appears to
be a very complex issue.
Attack40:
simultaneous access exploitations -
Two or more simultaneous or split multi-part access attempts
are made, resulting in an improper decision or loss of audit information.
Examples include the use of large numbers of access attempts over a short
period of time so as to cause grant/refuse decision software to act in a
previously unanticipated and untested fashion, the execution of sequences of
operations required for system takeover by multiple user identities, and the
holding of a resource required for some other function to proceed so as to
deny completion of that service.
Complexity: This problem has been analyzed
in a cursory fashion and the number of possible sequences of events appears
to be factorial in the combined lengths of the programs coexisting in the
environment.
[Cohen94-3] Clearly a full analysis is infeasible for even
simplistic situations. It is closely related to the interrupt sequence
mishandling problem.
Attack41:
implied trust exploitation -
Programs operating in a shared environment inappropriately
trust the information supplied to them by untrustworthy programs. Examples
include forged data from Domain Name Servers in the Internet used to reroute
information through attackers, forged replies from authentication daemons
causing untrusted software to be run by access control software, forged
Network Information Service packets causing wrong password entries to be
used in authenticating attackers, and network-based administration programs
that can be fooled into forwarding incorrect administrative controls.
Complexity: In general, analyzing this problem would seem to require
analyzing all of the interdependencies of programs. In today's networked
environment, this would appear to be infeasible, but no detailed analysis
has been published to date.
Attack42:
interrupt sequence mishandling -
Unanticipated or incorrectly handled interrupt sequences cause
system operation to be altered unpredictably. Examples include stack frame
errors induced by incorrect interrupt handling, the incorrect swapping out of
the swapping daemon on unanticipated conditions, and denial of services
resulting from improper prioritization of interrupts.
Complexity: This
problem has been analyzed in a cursory fashion and the number of possible
sequences of events appears to be factorial in the combined lengths of the
programs coexisting in the environment.
[Voas93] Clearly a full analysis is
infeasible for even simplistic situations. It is closely related to the
simultaneous access exploitation problem.
Attack43:
emergency procedure exploitation -
An emergency condition is induced resulting in behavioral
changes that reduce or alter protection to the advantage of the attacker.
Examples include fires, during which access restrictions are often changed
or less rigorously enforced, power failures during which many automated
alarm and control systems fail in a safe mode with respect to some -
possibly exploitable - criteria, and computer incident response during which
systems administrators commonly deviate - perhaps exploitably - from their
normal behavioral patterns.
Complexity: In most cases, emergency procedures
bypass many normal controls, and thus many attacks are granted during an
emergency that would be far more difficult during normal operations. No
complexity measure has been made of this phenomenon to date.
Attack44:
desynchronization and time-based attacks -
Systems that depend on synchronization are desynchronized,
causing them to fail or operate improperly. Examples include DCE servers
that may deny services network-wide when caused to become desynchronized
beyond some threshold, cryptographic systems which, once desynchronized, may
take a substantial amount of time to resynchronize, automated software and
systems maintenance tools which may make complex decisions based on slight
time differences, and time-based locks which may be caused to open or close
at the wrong times.
Complexity: This problem appears to be similar in
complexity to the interrupt sequence mishandling problem.
[Voas93] It
appears, in general, to be factorial in the number of time-based decisions
made in a system; however, there may be substantial results in the field of
communicating sequential processes that lead to far simpler solutions for
large subclasses.
Attack45:
imperfect daemon exploits -
Daemon programs designed to provide privileged services upon
request have imperfections that are exploited to provide privileges to the
attacker. Examples include Web, Gopher, Sendmail, FTP, TFTP, and other
server daemons exploited to gain access to the server from over a network,
internal use only daemons such as the Unix cron facility exploited to gain
root privileges by otherwise unprivileged users, and automated backup and
recovery daemons exploited to overwrite current versions of programs with
previous - more vulnerable - versions.
Complexity: In general, this problem
is at least as complex as proving program correctness, which is at least
NP-complete and may be nearly exponential depending on what has to be shown.
Only a few daemons have ever been shown to avoid large subsets of these
exploits
[Cohen97] and those daemons are not widely used.
Attack46:
multiple error inducement -
The introduction of multiple errors is used to cause otherwise
reliable software to fail in unanticipated ways. Examples include the
creation of an input syntax error with a previously locked error-log file
resulting in inconsistent data state, the premature termination of a
communications protocol during an error recovery process - possibly causing
a cascade failure, and the introduction of simultaneous interleaved attack
sequences causing normal detection methods to fail.
[Hecht93]
[Thyfault92]
Complexity: The limited work on multiple error effects
indicates that even the most well-designed and trusted systems fail
unpredictably under multiple error conditions. This problem appears to be
even more complex than proving program correctness, perhaps even falling
into the factorial time and space realm. For an attacker, producing multiple
errors is often straightforward, but for a defender to analyze them all is
essentially impossible under current theory.
Attack47:
viruses -
Programs that reproduce and possibly evolve. Examples include
the 11,000 or so known viruses, custom file viruses designed to act against
specific targets, and process viruses that cause denial of service or
thrashing within a single system.
Complexity: Virus detection has been
proven to be undecidable in the general case.
[Cohen86]
[Cohen84] Viruses are also trivial to write and highly effective
against most modern systems.
Attack48:
data diddling -
Modification of data through unauthorized means. Examples
include non-database manipulation of database files accessible to all users,
modification of configuration files used to set up further machines, and
modification of data residing in temporary files such as intermediate files
created during compilation by most compilers.
Complexity: Data diddling is
a relatively simple task. If the data is writable, it can be easily
diddled, and if it is not writable, diddling is impossible until this
condition changes.
Attack49:
van Eck bugging -
Electromagnetic emanations are observed from afar. Examples
include the tapping of Scotland Yard by a reporter to demonstrate a $100
remote tapping device and observed emanations from financial institutions
indicative of pending trades.
Complexity: van Eck bugging is relatively
easy to do and requires only cursory knowledge of electronics and antennae
theory. [vanEck85]
Attack50:
electronic interference -
Jamming signals are introduced to cause failures in electronic
communications systems. Examples include the method and apparatus for
altering a region in the Earth's atmosphere, ionosphere, and/or magnetosphere,
and common radio jamming techniques.
Complexity: Simplistic jamming is
straightforward; however, power-efficient jamming is necessary in order to
have good effect against spread spectrum and similar anti-jamming systems,
and this is somewhat more complex to achieve.
Attack51:
PBX bugging -
Private Branch eXchanges or similar switching centers are
attacked in order to exploit weaknesses in their design allowing connected
telephone instruments to be tapped. Examples include on-hook bugging of
hand-held instruments, open microphone listening, and exploitation of silent
conference calling features.
Complexity: In cases where functions that
support bugging are provided by the PBX, this attack is straightforward. In
cases where no such function is provided, it is essentially impossible.
Determining which is the case is non-trivial in general, but in practice it
is usually straightforward.
Attack52:
audio/video viewing -
Audio and video input devices connected to computers for
multi-media applications are exploited to allow attackers to look at and
listen to events at remote locations. Examples include most versions of
video and audio equipment currently connected to multi-media workstations
and some video-phone systems.
Complexity: Audio and video viewing attacks
normally depend on breaking into the operating system and then enabling a
built-in function. The complexity lies primarily in breaking into the
system and not in turning on the viewing function.
Attack53:
repair-replace-remove information -
Repair processes are exploited to extract, modify, or destroy
information. Examples include computer repair shops copying information and
reselling it and maintenance people introducing computer viruses.
Complexity: This attack requires involvement in the repair process and is
normally not directed at a particular victim from its inception but rather
directed toward an audience (market segment). There is little complexity
involved in carrying out the attack once the position as a repair provider is
established.
Attack54:
wire closet attacks -
Break into the wire closet and alter the physical or logical
network so as to grant, deny, or alter access. Examples include wire tapping
techniques, malicious destruction of wiring causing service disruption, and
the introduction of video tape players into surveillance channels to hide
physical access.
Complexity: Wire closet attacks require only technology
knowledge, access to the wire closet, and a goal. The complexity of finding
the proper circuits to attack is normally within the knowledge level of a
telephone service person or other wire-person.
Attack55:
shoulder surfing -
Watching over peoples' shoulders as they use information or
information systems. Examples include watching people as they enter their
passwords, watching air travelers as they use their computers and review
documents while in flight, and observing users in normal operations to
understand standard operating procedures.
Complexity: This is a trivial
attack to carry out.
Attack56:
data aggregation -
Legitimately accessible data is aggregated to derive
unauthorized information. Examples include getting the total departmental
salary figures just before and after a new employee is hired to derive the
salary of the new hire, attending a wide range of unclassified but private
meetings in a particular area in order to gain an overall picture of what
work a group is doing, and tracking movements of many people from a
particular organization and correlating that information with job titles and
other events to derive intelligence indicators.
Complexity: Data
aggregation can be quite complex both to perform and to protect against.
Some work on protecting against these attacks has led to identifying
NP-complete problems, while gathering information through this technique may
involve solving a large number of equations in a large number of unknowns
and is similar to integer programming problems in complexity.
Attack57:
process bypassing -
Bypassing a normal process in order to gain advantage.
Examples include retail returns department employees entering false return
data in order to generate refund checks, use of computer networks to
generate additional checks after the legitimate checks have passed the last
integrity checks, and altering pricing records to reflect false inventory
levels to cover up thefts.
Complexity: This attack is often accomplished by a relatively
unsophisticated attacker using only knowledge gained while on the job. The
complexity of many such attacks is low; however, in the general case it may
be quite difficult to assure that no such attacks exist without a particular
level of collusion. No formal analysis has been published to date.
Attack58:
content-based attacks -
The content sent to an interpretive mechanism causes that
mechanism to act inappropriately. Examples include Web-based URLs that
bypass firewalls by causing the browser within the firewall to launch
attacks against other inside systems, macros written in spreadsheet or word
processing languages that cause those programs to perform malicious acts,
and compressed archives that contain files with name clashes causing key
system files to be overwritten when the archive is decompressed.
Complexity: Many content-based attacks are quite simple or are easily
derived from published information. They tend to be quick to operate and
simple to program. More sophisticated attacks exploiting a content-based
flaw may require far more attack prowess. No mathematical analysis has been
published of this class of attacks to date.
Attack59:
backup theft, corruption, or destruction -
Backups protected less comprehensively than on-line copies of
information are attacked. Examples include the placement of magnetic
devices in backup storage areas in order to erase or corrupt magnetic
backups, the infection of backup media by computer viruses, and the theft of
backup media being disposed of near the end of its lifecycle.
Complexity: Except in cases where backup information is encrypted, back-up
attacks are straightforward and introduce little complexity. In the case of
aging backup tapes some signal processing capabilities may be required in
order to reliably read sections of media, but this is not very complex or
expensive.
Attack60:
restoration process corruption or misuse -
The process used to restore information from backup tapes is
corrupted or misused to the attacker's advantage. Examples include the
creation of fake backups containing false information, alteration of tape
head alignments so that restoration fails, and the use of privileged
restoration programs to grant privilege by restoring protection settings or
ownerships to the wrong information.
Complexity: Creating fake backups may
be complicated by having to reproduce much of what is present on actual
backups on the particular site, by having to create CRC codes for replaced
components of a backup and by having to recreate an overall CRC code for the
entire backup when altering only one component. None of these operations
are very complex and all can be accomplished with near-linear time and space
techniques.
Attack61:
hangup hooking -
Activity termination protocols fail or are interrupted so that
termination does not complete properly and the protocol is taken over by the
attacker. Examples include modem hangup failures leaving logged-in terminal
sessions open to abuse, interrupted telnet sessions taken over by attackers,
preventing proper protocol completion as in the Internet SYN attacks so as
to deny subsequent services, and refusing to completely disconnect from a
call-back modem at the CO, causing the call-back mechanism to become
ineffective.
Complexity: These classes of attacks are normally simple to
carry out with probabilistic effects depending on the environment.
Attack62:
call forwarding fakery -
Call forwarding capabilities are abused. Examples include the
use of computer-controlled call forwarding to forward calls from call-back
modems so that attackers get the call-backs, forwarding calls to
illegitimate locations so as to intercept communications and provide false
or misleading information, and the use of programmable call forwarding to
cause long distance calls to be billed to the forwarding party's account.
Complexity: This class of attacks is relatively simple to carry out but
often requires a precondition of breaking into a system involved in the
forwarding operation.
Attack63:
input overflow -
Excessive input is used to overrun input buffers, thus
overwriting program or data storage so as to grant the attacker undesired
access. Examples include sendmail overflows resulting in unlimited system
access from attackers over the Internet, Web server overflows granting
Internet attackers unlimited access to Web servers, buffer overruns in
privileged programs allowing users to gain privilege, and excessive input
used to overrun input buffers causing loss of critical data so as to deny
services or disrupt operations.
Complexity: In the case of denial of
service, these attacks are trivial to carry out with a high probability of
success. If the attacker wishes to gain access for more specific results,
it is usually necessary to identify characteristics of the system under
attack and create a customized attack version for each victim configuration.
This is not very complex but it is time and resource consumptive.
Attack64:
illegal value insertion -
Values not permitted by the specification but allowed to pass
the implementation are used to cause abnormal results. Examples include
negative dates producing negative interest which accrues to the benefit of
the attacker, cash withdrawal values which overflow signed integers in
balance adjustment causing large withdrawals to appear as large deposits, and
pointer values sent to system calls that point to areas outside of
authorized address space for the calling party.
Complexity: Most such
attacks are easily carried out once discovered, but systematically
discovering such attacks is, in general, similar to the complexity of gray
box testing until the first fault is found.
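The balance-adjustment case above (an out-of-range withdrawal value that passes the implementation's only check), as an added illustration that is not from the paper: a flawed adjustment routine beside a hardened one that enforces the specified domain of the input. The account structure and the explicit wraparound helper are constructed for the demonstration; real code would typically hit undefined behaviour instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed account record for this illustration (the paper gives no code). */
typedef struct {
    int32_t balance;    /* whole currency units */
} account_t;

/* Two's-complement wraparound subtraction, written out explicitly so the
 * faulty behaviour is deterministic: plain int32_t overflow is undefined
 * behaviour in C, so a real program could do anything at that point. */
static int32_t wrapping_sub(int32_t a, int32_t b)
{
    uint32_t r = (uint32_t)a - (uint32_t)b;   /* unsigned arithmetic is modular */
    int32_t out;
    memcpy(&out, &r, sizeof out);             /* reinterpret the bit pattern */
    return out;
}

/* Flawed balance adjustment: the only check is "amount does not exceed the
 * balance", written with positive amounts in mind. A negative amount passes
 * the check and is added to the balance (a withdrawal that acts as a deposit),
 * and INT32_MIN passes the check and wraps the subtraction. */
bool withdraw_flawed(account_t *acct, int32_t amount)
{
    if (amount > acct->balance)
        return false;                         /* insufficient funds */
    acct->balance = wrapping_sub(acct->balance, amount);
    return true;
}

/* Hardened adjustment: enforce the specification's domain (amount strictly
 * positive and no larger than the balance). With 0 < amount <= balance the
 * result lies in [0, balance], so no wraparound is possible. */
bool withdraw_checked(account_t *acct, int32_t amount)
{
    if (amount <= 0 || amount > acct->balance)
        return false;                         /* illegal value or insufficient funds */
    acct->balance -= amount;
    return true;
}

/* Applies one withdrawal to a fresh account with the given opening balance
 * and returns the resulting balance. */
int32_t balance_after(bool (*withdraw)(account_t *, int32_t),
                      int32_t opening, int32_t amount)
{
    account_t acct = { opening };
    withdraw(&acct, amount);
    return acct.balance;
}

int main(void)
{
    printf("flawed,  withdraw -500      from 100: %d\n",
           balance_after(withdraw_flawed, 100, -500));
    printf("flawed,  withdraw INT32_MIN from 100: %d\n",
           balance_after(withdraw_flawed, 100, INT32_MIN));
    printf("checked, withdraw -500      from 100: %d\n",
           balance_after(withdraw_checked, 100, -500));
    printf("checked, withdraw 40        from 100: %d\n",
           balance_after(withdraw_checked, 100, 40));
    return 0;
}
```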
Attack65:
residual data gathering -
Data left as a result of incomplete or inadequate deletion is
gathered. Examples include object reuse attacks like the DOS undelete
command in insecure operating systems, electromagnetic analysis of deleted
media to regain deleted bits, and electron microscopy techniques used to
extract overwritten data.
Complexity: Residual data gathering in the case
of simple undeletions or allocating large volumes of space and examining
their content is straightforward. Looking for residual data on magnetic media
using electromagnetic measurements and electron microscopy is somewhat more
complex and requires statistical analysis and correlation of signals in a
signal processing component. While this is not trivial, it is within the
capability of most electrical engineers and electronics specialists.
Attack66:
privileged program misuse -
Programs with privilege are misused so as to provide
unauthorized privileged functions. Examples include the use of a backup
restoration program by an operator to intentionally restore the wrong
information, misuse of an automated script processing facility by forcing it
to make illicit copies of legitimate records, and the use of configuration
management tools to create vulnerabilities.
Complexity: Once a
vulnerability has been identified, exploitation is straightforward.
Systematically discovering such attacks is, in general, similar to the
complexity of gray box testing until the first fault is found.
Attack67:
error-induced misoperation -
Errors caused by the attacker induce incorrect operations.
Examples include the creation of a faulty network connection to deny network
services, the intentional introduction of incorrect data resulting in
incorrect output (i.e., garbage in - garbage out), and the use of a
scratched and bent diskette in a disk drive to cause the drive to
permanently fail.
Complexity: Many of these attacks appear to be trivial to accomplish.
Attack68:
audit suppression -
Audit trails are prevented from operating properly. Examples
include overloading audit mechanisms with irrelevant data so as to prevent
proper recording of malicious behavior, network packet corruption to prevent
network-based audit trails from being properly recorded, and consuming some
resource critical to the auditing process so as to prevent audit from being
generated or kept.
Complexity: This class of attacks has not been thoroughly analyzed from a
mathematical standpoint, but it appears that in most systems, audit trail
suppression is straightforward. It may be far more difficult to accomplish
this in a system designed to provide a high assurance of audit
completeness.
Attack69:
induced stress failures -
Stresses induced on a system cause it to fail. Examples include
paging monsters that result in excessive paging and reduced performance,
process viruses that consume various system resources, and large numbers of
network packets per unit time which tie up systems by forcing excessive
high-priority network interrupt processing.
Complexity: Although some
attacks of this sort appear to be available without substantial effort, in
general, understanding the implications of stress on multiprocessing systems
is beyond the current theory. It appears from a cursory examination that
this is at least as complex as the interrupt sequence problem which appears
to be factorial in the number of instructions in each of the simultaneous
processes.
Attack70:
hardware failure - system flaw exploitation -
Known hardware or system flaws are exploited by the attacker.
Examples include a hardware flaw permitting a power-down instruction to be
executed by a non-privileged user, causing an operating system to use results
of a known calculation error in a particular microprocessor for a key
decision, and sending a packet with a parameter that is improperly handled
by a network component.
Complexity: Discovering hardware flaws is, in general, similar in complexity
to discovering software flaws, which makes this problem at least
NP-complete.
Attack71:
false updates -
Causing illegitimate updates to be made. Examples include
sending a forged update disk containing attack code to a victim,
interrupting the normal distribution channel and introducing an
intentionally flawed distribution tape to be delivered, and substituting a
false update disk for a real one at the vendor or customer site.
Complexity: This attack appears to be easily carried out against many
installations and examples have shown that even well-trained and adequately
briefed employees fail to prevent such an attack. In cases where relatively
secure distribution techniques are used, the complexity may be driven up,
but more often than not, the addition of a disk will bypass even this sort
of process.
Attack72:
network service and protocol attacks -
Characteristics of network services are exploited by the
attacker. Examples include the creation of infinite protocol loops which
result in denial of services (e.g., echo packets under IP), the use of
information packets under the Network News Transfer Protocol to map out a
remote site, and use of the Source Quench protocol element to reduce traffic
rates through select network paths.
Complexity: Analyzing protocol
specifications to find candidate attacks appears to be straightforward and
implementing many of these attacks has proven within the ability of an
average programmer. In general, this problem would appear to be as complex as
analyzing protocols which has been studied in depth before and shown to be
at least NP-complete for certain subclasses of protocol elements.
Attack73:
distributed coordinated attacks -
A set of attackers use a set of vulnerable
intermediary systems to attack a set of victims. Examples include a
Web-based attack causing thousands of browsers used by users at sites all
around the world to attack a single victim site, a set of simultaneous
attacks by a coordinated group of attackers to try to overwhelm defenses,
and an attack where thousands of intermediaries were fooled into trying to
gain access to a victim site.
Complexity: Devising DCAs appears to be simple while tracing a DCA to a
source can be quite complex. Early results indicate that tracking a DCA to
a source is exponential in the number of intermediaries involved, while
detecting a high-volume DCA appears to be straightforward.
Attack74:
man-in-the-middle -
The attacker positions forces between two communicating parties
and both intercepts and relays information between the parties so that each
believes they are talking directly to the other when, in fact, both are
communicating through the attacker. Examples include attacks on public key
cryptosystems permitting a man-in-the-middle to fool both parties, attacks
wherein an attacker takes over an ongoing telecommunications session when
one party decides to terminate it, and attacks wherein an attacker inserts
transactions and prevents responses to those transactions from reaching the
legitimate user.
Complexity: Man-in-the-middle attacks normally require the implementation of
a near-real-time capability, but there are no mathematical impediments to
most such attacks.
Attack75:
selected plaintext -
The attacker gets one of the parties to encrypt or sign one or
more messages of the attacker's choosing, thus causing information about the
victim's system to be revealed. Examples include causing a user of the RSA
signature system to reveal their secret key through a series of signatures,
the introduction of malicious commands into the data entry stream of a
victim who is blindly following directions of a remote person claiming to be
assisting them, and inducing a bank to make a series of attacker-specified
transactions so as to cause cryptographic protocols, methods, or keys to be
revealed.
Complexity: Selected plaintext attacks have differing complexity depending
on the system under attack. Attacks on RSA systems have been shown to be
linear in time and polynomial in space.
Attack76:
replay attacks -
Communicated information is replayed and causes unanticipated
side effects. Examples include the replay of encrypted funds transfer
transmissions so as to cause multiples of an original sum of money to be
transferred, replay of coded messages causing the repeated movement of
troops, replay of transaction sequences that simulate behavior so as to
cover up actual behavior, and the delayed replay of events such as races so
as to deceive a victim.
Complexity: Replay attacks are typically simple to perform and require
little or no sophistication. In some cases, relatively complex coding may
be required in order to reproduce CRC codes or checksums, but this is
normally not required for replay attacks.
Attack77:
cryptanalysis -
Cryptographic techniques are analyzed so as to find methods to
break codes used to secure information. Examples include frequency analysis
for breaking monoalphabetic substitution ciphers, index of coincidence
analysis for breaking polyalphabetic substitution ciphers, the breaking of
the Enigma cipher in World War II through mathematical and optical
techniques combined with knowledge of keys and key usage, exhaustive attacks
on the DES encryption standard, code-listeners for breaking many analog
speech encoding systems, and improved factoring for breaking cryptosystems
based on modular arithmetic.
Complexity: Cryptanalysis is a widely studied
mathematical area and typically involves a great deal of expertise and
computing power against modern cryptographic systems. Cryptanalysis of
improperly designed systems and of systems invented before the 1940s is
almost universally accomplished by relatively simple automation.
Attack78:
breaking key management systems -
Keys in cryptographic systems are managed by imperfect
management systems that are attacked in order to gain access to keying
materials. Examples include attacks based on inadequate randomness in key
generation techniques, exploitation of selected plaintext attacks against
inadequately implemented automated encryption systems, and breaking into
computers housing keying materials.
Complexity: Many key management attacks
require a substantial amount of computing power, but this is normally on the
order of only a few million computations to break a key that could not be
broken exhaustively under any feasible scheme. The complexity of these
attacks tends to be specific to the particular key management system. In
many cases, the weakest link is the computer housing the keys and this is
often attacked in a relatively small amount of time through other
techniques.
Attack79:
covert channels -
Channels not normally intended for information flow are used to
flow information. Examples include widely known covert channels in secure
operating systems, time-based covert channel exploitation in encryption
engines, and covert channels created by the association of movements of
people with activities.
Complexity: It has been shown that in any system using shared resources in a
non-fixed fashion, covert channels exist. They are typically easy to
exploit using Shannon's communications theory to provide an arbitrary
reliability at a given bandwidth based on the channel bandwidth and signal
to noise ratio of the covert channel. Avoiding detection depends primarily on
remaining below the detection threshold used by detection techniques to try
to detect covert channel activity.
Attack80:
error insertion and analysis -
Errors are induced into systems to reveal values stored in
those systems. Examples include recent demonstrations of methods for
inducing errors so as to reveal keys stored in smart-cards and other similar
key-transportation devices, the introduction of multiple errors into
redundant systems so as to cause the redundancy to fail, and the
introduction of errors designed to cause systems to no longer be used in
critical applications.
Complexity: The complexity of error insertion is not
known; however, many researchers have recently claimed to have produced
efficient and reliable insertion techniques. The mathematics in this area is
quite new and definitive results are still pending.
Attack81:
reflexive control -
Reflexive reactions are exploited by the attacker to induce
desired behaviors. Examples include the creation of attacks that appear to
come from a friend so as to cause automated response systems to shut down
friendly communication, induction of select flaws into the power grid so as
to cause SCADA systems to reroute power to the financial advantage of select
suppliers, and the use of forged or interrupted signals so as to cause
friendly fire incidents.
Complexity: The concept of reflexive control is
easily understood, and for simplistic automated response systems, finding
exploitations appears to be quite simple, but there has been little
mathematical work in this area (other than general work in control theory)
and it is premature to assess a complexity level at this time. In general,
it appears that this problem may be related to the problems in producing and
analyzing cascade failures in that causing desired reflexive reaction with a
reasonable degree of control may be quite complex.
Attack82:
dependency analysis and exploitation -
Interdependencies of systems and components are analyzed so as
to determine indirect effects and attack weak points upon which strong
points depend. Examples include attacking medical information systems in
order to disrupt armed forces deployments, attacking the supply chain in
order to corrupt information within an organization, and attacking power
grid elements in order to disrupt financial systems.
Complexity: The
analysis of dependencies appears to require substantial detailed knowledge of
an operation or similar operations. Finding common critical dependencies
appears to be straightforward, but producing desired and controllable
effects may be more complex. Mathematical analysis of this issue has not
been published to date. Common mode faults and systemic flaws are of
particular utility in this sort of attack.
Attack83:
interprocess communication attacks -
Interprocess communications channels are attacked in order to
subvert normal functioning. Examples include the introduction of false
interprocess signals in a network interprocess communications protocol
causing misbehavior of trusted programs, the disruption of interprocess
communications by resource exhaustion so as to prevent proper checking or
reduce or eliminate functionality, and observation of interprocess
communications stored in shared temporary data files so as to gain
unauthorized information.
Complexity: Interprocess communication attacks
oriented toward disruption appear to be easily accomplished, but no
mathematical analysis of this class of attacks has been published to date.
Attack84:
below-threshold attacks -
Attack detection based on thresholds of activity that
differentiate between attacks and similar non-malicious behaviors is
exploited by launching attacks that operate below the detection threshold.
Examples include breadth-first password guessing attacks, breadth-first port
scanning attacks, and low bandwidth covert channel exploitations.
Complexity: Remaining below detection thresholds is straightforward if the
thresholds are known and not possible to guarantee if they are unknown. In
most cases, estimates based on comparable policies or widely published
standards are adequate to accomplish below-threshold attacks.
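An added example, not part of the paper, of the breadth-first password guessing case above seen from the detector's side: a per-account failure count never fires against guesses spread one per account, while an aggregate keyed on the source and on the number of distinct accounts it touches does. The log format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the paper). Source 203.0.113.9 makes one
# guess per account across many accounts; source 198.51.100.7 hammers one account.
LOG = """\
auth: Failed password for alice from 203.0.113.9
auth: Failed password for bob from 203.0.113.9
auth: Failed password for carol from 203.0.113.9
auth: Failed password for dave from 203.0.113.9
auth: Failed password for erin from 203.0.113.9
auth: Failed password for frank from 203.0.113.9
auth: Failed password for admin from 198.51.100.7
auth: Failed password for admin from 198.51.100.7
auth: Failed password for admin from 198.51.100.7
auth: Failed password for admin from 198.51.100.7
auth: Failed password for admin from 198.51.100.7
auth: Accepted password for alice from 192.0.2.10
"""
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")

# Assumed policy thresholds; the per-account limit is the one a guesser can
# stay below by spreading attempts breadth-first across accounts.
PER_ACCOUNT_LIMIT = 5
PER_SOURCE_LIMIT = 10
SPREAD_LIMIT = 4      # distinct accounts tried from one source

def parse_failures(log):
    """Return (account, source) pairs for every failed login line."""
    return [m.groups() for m in map(FAILED.search, log.splitlines()) if m]

def per_account_alerts(failures):
    """Naive detector: alert only when a single account passes the threshold."""
    counts = defaultdict(int)
    for account, _src in failures:
        counts[account] += 1
    return sorted(a for a, n in counts.items() if n >= PER_ACCOUNT_LIMIT)

def per_source_alerts(failures):
    """Aggregate detector: count failures and distinct accounts per source; the
    breadth-first guesser cannot keep the spread low without slowing down."""
    counts, accounts = defaultdict(int), defaultdict(set)
    for account, src in failures:
        counts[src] += 1
        accounts[src].add(account)
    return sorted(s for s in counts
                  if counts[s] >= PER_SOURCE_LIMIT or len(accounts[s]) >= SPREAD_LIMIT)
```

Run on the sample, the per-account rule flags only the hammered account while the per-source rule flags only the spread source; a deployment needs both dimensions.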
Attack85:
peer relationship exploitation -
The transitive trust relationships created by
peer-networking are exploited so as to expand privileges to the transitive
closure of peer trust. Examples include the activities carried out by the
Morris Internet virus in 1988, the exploitation of remote hosts (.rhosts)
files in many networks, and the exploitation of remote software distribution
channels as a channel for attack.
Complexity: Exploiting peer relationships
appears to be easily accomplished, requiring only a cursory examination of
history for a set of candidate peers and trial and error for exploitation.
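An added example (not the paper's) of computing the transitive closure of peer trust that this attack exploits, written as a defender's audit: given a constructed .rhosts-style trust map, it reports which hosts a single compromised peer reaches and how large each host's exposure is. The host names and the trust map are assumptions.

```python
from collections import deque

# Constructed trust map (not from the paper): each host lists the peers whose
# logins it accepts without further authentication, as a .rhosts file would.
TRUSTS = {
    "bastion": [],
    "admin-ws": ["bastion"],
    "web1": ["bastion"],
    "db1": ["web1", "admin-ws"],
    "backup": ["db1", "web1"],
}

def reachable_from(start, trusts):
    """Hosts that an intruder holding `start` can log into directly or by
    chaining through peers: the transitive closure of trust, by breadth-first search."""
    # Invert the map: if B trusts A, then A -> B is a usable hop.
    hops = {}
    for host, trusted_peers in trusts.items():
        for peer in trusted_peers:
            hops.setdefault(peer, set()).add(host)
    seen, queue = {start}, deque([start])
    while queue:
        here = queue.popleft()
        for nxt in hops.get(here, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)

def blast_radius(trusts):
    """Number of hosts exposed by the compromise of each host; the largest
    values show where cutting a trust link buys the most."""
    return {host: len(reachable_from(host, trusts)) for host in trusts}
```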
Attack86:
inappropriate defaults -
Complexity: It may be quite
difficult to create a comprehensive list of appropriate defaults for any
nontrivial system because the optimal settings are determined by the
application. No substantial mathematics has been done on analyzing the
complexity of finding proper settings, but many lists of improper defaults
published for select operating systems appear to require only time and space
linear in the number of files in a system in order to verify and correct
mis-settings.
Attack87:
piggybacking -
Exploiting a (usually false) association to gain advantage.
Examples include walking into a secure facility with a group of other people
as one of the crowd, acting like an ex-policeman to gain intelligence about
ongoing police activities, and adding a floppy disk to a series of floppy
disks delivered as part of a normal update process.
Complexity: No
published measures of complexity for piggybacking attacks have been made to
date; however, certain types of these attacks appear to be trivially carried
out.
Attack88:
collaborative misuse -
Collaboration of
several parties or identities in order to misuse a system. Examples include
creation of a false identity by one party and entry of that identity into a
computer database by a second party, provision of attack software by an
outsider to an insider who is participating in an information theft,
partitioning of elements of an attack into multiple parts for coordinated
execution so as to conceal the fact of or source of an attack, and the
providing of alibis by one party to another when they collaborated in a
crime.
Complexity: Collaborative misuse has not been extensively analyzed
mathematically, but limited analysis has been done from a standpoint of
identifying effects of collaborations on leakage and corruption in POset
networks and results indicate that detecting or limiting collaborative
effects is not highly complex if the individual attacks are detectable.
Attack89:
race conditions -
Interdependent
sequences of events are interrupted by other sequences of events that
destroy critical dependencies. Examples include the change of conditions
tested in one step and depended upon for the next step (e.g., checking for
the existence of a file before creating it interrupted by the creation of a
file of the same name by another owner), changes between one step in a
process and another step assuming that no such change has been made (e.g.,
the replacement of a mounted file system previously loaded with data in a
start-up process), and waiting for non-locked resources available in one
step but not in the next (e.g., the mounting of a different tape between an
initial read-through and a subsequent restoration).
Complexity: Race
conditions are not easy to detect. In general, they require at least
NP-complete time and space and may require factorial time in some cases.
Some automated analysis tools have been implemented to detect certain
classes of race conditions in source code and have shown promise.
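The file-creation race in the first example above, as added code that is not from the paper: the check-then-create pattern beside an atomic create using O_EXCL, with a constructed "other owner" acting in the window between check and create. The paths and the data written are assumptions.

```python
import os
import shutil
import tempfile

def create_check_then_open(path, interleave=lambda: None):
    """Vulnerable pattern from the text: test for existence, then create in a
    separate step. `interleave` models another process acting in the gap."""
    if os.path.exists(path):
        return "exists"
    interleave()                     # the race window
    with open(path, "w") as f:       # truncates whatever now sits at path
        f.write("our data")
    return "created"

def create_atomic(path):
    """Hardened pattern: one kernel call that creates the file only if it is
    absent (O_EXCL), so there is no gap between the check and the create."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return "exists"
    with os.fdopen(fd, "w") as f:
        f.write("our data")
    return "created"

def demo():
    """Run both patterns against a constructed other owner that creates the same
    name in the window; returns (vulnerable result, clobbered?, hardened result)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "state")

    def other_owner():
        with open(path, "w") as f:
            f.write("other owner's data")

    vulnerable = create_check_then_open(path, interleave=other_owner)
    with open(path) as f:
        clobbered = f.read() == "our data"        # other owner's file overwritten
    other_owner()                                  # file exists before the atomic create
    hardened = create_atomic(path)
    shutil.rmtree(d)
    return vulnerable, clobbered, hardened
```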
Attack90:
strategic or tactical deceptions -
Deceptions are generally categorized as comprising
concealment, camouflage, false and planted information, ruses, displays,
demonstrations, feints, lies, and insight (as described in [Dunnigan95] Jim
(James F.) Dunnigan and Albert A. Nofi, Victory and Deceit - Dirty Tricks
at War, William Morrow and Co., 1995.) Examples include the creation of a
questionnaire asking for detailed information security backgrounds under the
auspices of a possible contract used to determine what expertise is
available at a particular company to defend against a particular type of
attack (a ruse), the creation of a false front organization such as a
garbage collection business in order to gain access to valuable information
often placed in the trash (camouflage) and the claim of having special
capabilities in your upcoming product in order to force other vendors to
work in that area even though you never intend to enter into it (a feint).
Complexity: In general, deceptions comprise a complex class of techniques,
some subclasses of which are known to be undecidable to detect and trivial
to create, and other subclasses of which have not been analyzed.
Attack91:
combinations and sequences -
Many attacks combine several techniques synergisticall