
The concept of information technology security hardening is hardly new. The basic idea is to take a stock piece of infrastructure (a machine, a piece of software, an electricity generator or other utility) and make it more resistant to attack: reduce its attack surface, restrict physical or logical access to it, or apply some other process or technology that lowers the likelihood of its being maliciously compromised.

Security hardening is therefore a standard tool for protecting IT assets. Security weakening takes the opposite approach.

An attacker wishes to reduce the level of protection guarding IT assets as a precursor to an attack. Rather than confronting the defences head on, the attacker chooses an indirect approach, one designed to exhaust the target's defensive capability and deny the target the ability to prevent the ensuing attacks. Peter O’Toole’s character pulled this off in the 1960s film “How to Steal a Million“. In order to steal a statue, he repeatedly triggers the alarms, causing what appear to be false positives for the security team. Eventually they disable the alarms, allowing the robbery to be performed more effectively.

The general characteristics of security weakening are:

  1. Intent to disable or weaken existing security measures as a precursor to an attack
  2. Intent to hide the weakening phase, preventing identification of a larger attack strategy
  3. Intent to trick the target into intentionally removing controls, in an effort to reduce the operational disruption caused by restrictive security mechanisms firing

An example security weakening phase on a web application might involve:

  1. Overwhelming the security staff’s ability to recognize genuine attack signatures by triggering those same signatures with seemingly innocuous payloads. Security or administrator staff may then extend the weakening themselves, by tuning down or disabling the IDS / IPS rules that keep firing.
  2. Reducing the effectiveness of the authentication process by denying access to large numbers of legitimate users through misuse of account lockout policies. Applications that enforce a mandatory lockout after a predefined number of failed logins can be turned against themselves if an attacker can repeatedly lock out a large number of users, or a small number of influential ones, simply by submitting wrong passwords for their accounts.
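
The second weakening activity is easy to reproduce. The following is an added example (not code from the original post): a naive per-username lockout of the kind the post describes, alongside a hardened variant that counts failures per (username, source address) and escalates into a back-off delay instead of a hard lock. The credential store, addresses and the 5-failure threshold are constructed for the illustration; the per-source design is this example's assumption, not a recommendation made in the post.

```python
"""Account lockout turned against its own users, and a hardened alternative.
Added example; not from the original post. All data below is constructed."""
from collections import defaultdict
import time

# Hypothetical credential store (constructed; never store plaintext passwords).
USERS = {"alice": "correct-horse", "bob": "battery-staple"}


class NaiveLockout:
    """Locks a username after MAX_FAILURES bad passwords from anywhere.
    This is the policy the post describes being turned on itself."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = defaultdict(int)  # username -> failed attempts

    def login(self, username, password, source_ip):
        if self.failures[username] >= self.MAX_FAILURES:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "bad-password"


class SourceAwareLockout:
    """Hardened variant (assumption of this example): failures are counted
    per (username, source) and turn into an exponential delay for that
    source only, so an attacker's guesses never block the real user elsewhere."""
    MAX_FAILURES = 5
    BASE_DELAY = 1.0  # seconds of delay after the threshold is reached

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)  # (username, source_ip) -> count
        self.not_before = {}              # (username, source_ip) -> timestamp

    def login(self, username, password, source_ip):
        key = (username, source_ip)
        if self.clock() < self.not_before.get(key, 0.0):
            return "throttled"
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            self.not_before.pop(key, None)
            return "ok"
        self.failures[key] += 1
        # Back-off grows only for the source producing the failures.
        over = max(0, self.failures[key] - self.MAX_FAILURES + 1)
        if over:
            self.not_before[key] = self.clock() + self.BASE_DELAY * 2 ** (over - 1)
        return "bad-password"


def simulate(policy):
    """Constructed scenario: an attacker at 203.0.113.5 spams wrong passwords
    for alice, then alice logs in correctly from her own address.
    Returns alice's result: 'locked' for the naive policy, 'ok' for the other."""
    for _ in range(20):
        policy.login("alice", "wrong", "203.0.113.5")
    return policy.login("alice", "correct-horse", "198.51.100.7")


if __name__ == "__main__":
    print("naive:", simulate(NaiveLockout()))
    print("source-aware:", simulate(SourceAwareLockout()))
```

Note that the hardened variant still gives a persistent attacker something to lean on (a shared NAT address will be throttled for everyone behind it), so real deployments usually combine per-source back-off with additional signals such as device cookies or step-up authentication rather than any single counter.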

Both weakening activities can be carried out fairly painlessly over a period of weeks, perhaps with an intentional peak in malicious false positives timed to coincide with an expected major traffic spike. Which online retailer would risk its Black Friday sales for an evidently over-zealous security policy that was never loved or accepted by anyone but “those annoying security guys”?

Security weakening is relatively inexpensive and easy for an attacker to accomplish, and it can run in parallel with other activities such as reconnaissance. It can be difficult to detect, and more difficult still to correctly identify as part of a larger, impending attack. Some ways organizations might defend against security weakening strategies:

  1. Treat an increase in the incidence of apparent false-positive security control violations as suspicious in its own right. This presupposes that the target can identify, evaluate and measure the rate of event notifications over time, so that a rise is visible against a baseline.
  2. Carefully evaluate any proposed relaxation of a security policy, asking whether a hidden actor may be driving it as part of a directed weakening effort.
  3. Include weakening strategies in your attack scenarios and exercises, to see whether you can actively use them to remove, disable, circumvent or generally weaken your own control mechanisms.
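
The first defence depends on actually measuring the false-positive rate. The following added example (not part of the original post) runs that measurement over a constructed alert log: it counts per day the alerts analysts closed as false positives, builds a baseline from the first two weeks using the median and median absolute deviation, and flags only a sustained run of days above the threshold, since a single noisy day is expected while a multi-day run is the pattern described in the post. The log format, the 14-day baseline window and the threshold constants are assumptions of this example.

```python
"""Flag a sustained rise in alerts closed as false positives.
Added example; not from the original post. Log lines are constructed."""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed log: two weeks of ordinary noise, then a surge of alerts
    that all get dispositioned as false positives. Assumed line format:
    'YYYY-MM-DD <signature> <source-ip> <disposition>'."""
    fp_per_day = [1, 2, 2, 3, 1, 2, 2, 1, 3, 2, 2, 1, 2, 2, 4, 9, 12, 15, 3]
    lines = []
    for i, n in enumerate(fp_per_day):
        day = f"2024-11-{i + 1:02d}"
        lines.append(f"{day} xss-014 198.51.100.{i + 1} true_positive")
        for j in range(n):
            lines.append(f"{day} sqli-{j:03d} 203.0.113.{j + 1} false_positive")
    return lines


def parse_alerts(lines):
    """Map day -> list of (signature, source, disposition); skip malformed lines."""
    by_day = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        day, sig, src, disp = parts
        by_day[day].append((sig, src, disp))
    return by_day


def daily_fp_counts(by_day):
    """Chronological day -> number of alerts closed as false positives."""
    return {
        day: sum(1 for _, _, d in events if d == "false_positive")
        for day, events in sorted(by_day.items())
    }


def flag_fp_surge(counts, baseline_days=14, k=5.0, min_run=2):
    """Return (threshold, flagged_days). The threshold is median + k * MAD over
    the baseline window (MAD floored at 1 so a flat baseline still has slack);
    a day is flagged only as part of a run of at least min_run consecutive
    days above the threshold."""
    days = list(counts)
    base = [counts[d] for d in days[:baseline_days]]
    med = median(base)
    mad = median(abs(x - med) for x in base) or 1.0
    threshold = med + k * mad
    flagged, run = [], []
    for d in days[baseline_days:]:
        if counts[d] > threshold:
            run.append(d)
            continue
        if len(run) >= min_run:
            flagged.extend(run)
        run = []
    if len(run) >= min_run:
        flagged.extend(run)
    return threshold, flagged


def analyze(lines=None):
    """Run the pipeline end to end over the given (or the constructed) log."""
    lines = lines if lines is not None else build_sample_log()
    counts = daily_fp_counts(parse_alerts(lines))
    return flag_fp_surge(counts)


if __name__ == "__main__":
    threshold, flagged = analyze()
    print(f"threshold={threshold}  flagged={flagged}")
```

The point of the run requirement is operational: a rule that pages on every outlier trains analysts to ignore the page, which is exactly the outcome the weakening attacker wants. Feed this the real disposition field from your ticketing system rather than the raw alert count, because it is the rate at which staff are dismissing alerts, not the alert volume alone, that signals the "false positive fatigue" phase.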

Your comments and improvements are welcome!