Threat Trees

Main Tree

  1. Luring Attacks - luring a user to the wrong site so that he connects to address not owned by party he believes it to be owned by

    1. Attacker registers domain names similar to that of the legitimate domain and waits for users to mistype or mis-remember a URL.
    2. Attacker convinces user to bookmark the impersonated site's address with misleading information
      1. Attacker constructs misleading page title which the browser will automatically copy into the default bookmark name.
    3. Attacker lures victim using a link in another application
      1. Email
      2. IM
      3. VOIP
      4. Voice (e.g. calls purporting to be from site's security department)
    4. Attacker inserts or replaces links provided by other sites users trust (e.g. search engines)
    5. After user initiates a connection to the correct address, the attacker attacker intercepts communications to that address and forges responses from that address
      1. Compromise a DNS server on route from root to requested domain
      2. Intercept DNS request and replace query response with forged response
      3. Insert data into user's hosts file so that DNS query is not required (out of scope---attacker this powerful easily insert spyware)
      4. Countermeasure: HTTPS - See HTTPS Threat Tree

    6. Intercept and replace communications between client and the address of the legitimate site
      1. Take control of a system through which communications is routed
      2. Create a wifi access point and lure users to it
      3. Attack the infrastructure through which routes are established (BGP-based attacks)
  2. Site Impersonation Attacks - an attack in which the attacker attempts to mimic someone else's website. Potential goals include credential theft (e.g. password theft), theft of other private information from user (bank account and routing numbers), or forging information sent to user (e.g. fake news story that will cause user to buy or sell stock).

    1. Address spoofing
      1. Attacker registers confusing domain name
        1. semantic attacks (e.g.,"")
        2. syntax attacks (e.g., "", use of non-ASCII characters)
      2. Attacker takes advantage of browser vulnerabilities
    2. Page Spoofing
      1. attacker copies content and indicators from legitimate website content into the content of an attack page (may add, remove or replace security indicators)
      2. attacker uses pop-up windows that mimic legitimate site
      3. attacker presents warning or error messages (e.g., to confuse user, to justify why security indicators/information is missing)
    3. Chrome Spoofing
      1. attacker copies chrome elements (e.g., green EV address bar), entire chrome window or dialog boxes into the content of a website (also known as Picture in Picture Attacks)
      2. attacker mimics customized chrome content (when customization is used as an anti-spoofing technique, the attacker may use an educated guess to replicate customization
      3. attacker exploits flaws in GUI logic to control what is displayed in chrome elements (e.g. in the title bar, status bar or address bar)
  3. Cross-site request forgery - (see Wikipedia)- causing a user to unwittingly send, to a legitimate site, a request containing data that he/she would not otherwise intend to send (e.g. to perform an action that he/she did not intend to take).

    1. Attacker may first convince user to login to the target legitimate website (possibly in a separate window or tab).
      1. [Sequential first step] Attacker constructs a link or form with field values that replicate those that would be sent if user legitimately wanted to perform this action.
      2. [Sequential second step] Attacker causes the browser to send this link to the legitimate website.
    2. Induce user to submit form data
      1. Lure user to click on link to cause GET request with attacker-specified parameters
      2. Lure user to click on form that will send HTTP POST request with attacker-specified parameters
      3. Uses javascript to automatically send the form (form.submit())
      4. If user is not already logged in, attacker may rely on the user login when reaching the site. Many sites will then process the form data from the initial request.
  4. Cross-site scripting- the injection of code into vulnerable web applications, which copy this code into web content in a form that would allow it to be executed when read by another user. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. (This definition borrows heavily from that of Wikipedia.) Potential goals include session hijacking (e.g. stealing a session cookie), credential theft (e.g. password theft), theft of other private information from user (bank account and routing numbers), or forging information sent to user (e.g. fake news story that will cause user to buy or sell stock).

    • [First sequential step] Construct content to appear on legitimate site
      1. Create an attack script to execute in other users' browsers
        1. Use the script to instruct other user's browsers to send script-accessible credentials (e.g. cookies) or other data to the attacker
        2. Use the script, which will execute in other user's browsers within the site's domain context, in order to execute actions as that user or to gather additional data. (For example, adding the attacker as a trusted user/friend/administrator as was the case with the MySpace worm.)

        3. Use the content or script to exploit a vulnerability in the browser
      2. Create content intended to appear to the user as if is content generated entirely by the legitimate site (and not a rendering of other user's input).
        1. Create HTML for a fake login form or information request form which, when submitted, directs data to attacker.
        2. Create HTML content with other misleading information that might affect user behavior (e.g. a fake news story that could cause a stock's price to rise or fall).
    • [Second sequential step] Inject content into pages served by legitimate site
      1. Use a cross-site request forgery attack (see above)
        • Cross-site scripting attacks that use this approach are known as type 1 attacks.
      2. Insert the script yourself into content that the site will serve to other users (e.g. a discussion group posting).
        • Cross-site scripting attacks that use this approach are known as type 2 attacks
  5. Network-based eavesdropping- a passive attack in which the attacker collects network traffic and reads the data sent between the client and the website. Potential goals include session hijacking (e.g. stealing a session cookie), credential theft (e.g. password theft), theft of other private information from user (bank account and routing numbers)

    1. Attacker gains physical access to network and installs monitoring hardware/software
    2. Attacker establishes rogue network (e.g. public WiFi access point) and waits for victims to join it

Branches that may be out of scope

  1. Browser Exploits
  2. Man in the Middle (MITM) attacks
  3. Malware/Spyware Attacks
    1. keyloggers
    2. screen loggers
    3. altering the users local DNS hostfile (sometimes referred to as "pharming")
    4. "transaction generator" - malware that hijacks a legitimate login session to send requests or transactions
  4. Credential database compromise
    1. Browser credential store
    2. Server store
      1. insider attacks
      2. external breach
  5. Masquerading attack
    1. reuse of credentials to masquerade as user
  6. Dictionary Attacks
    1. online
    2. offline
  7. Web timing attacks - using the time it takes a website to respond to determine information about the user (e.g., if they have an account at a particular website)

Uncategorized attacks

This section serves as a repository for attacks that have not yet been folded into the structure above.

  1. Iframe attacks- are these covered by cross site scripting above?
    1. attacker forces arbitrary URL to be displayed on a visible iframe at legitimate page
    2. attacker uses hidden iframe to inject content into legitimate page, capture user input, etc
  2. DNS attacks
    1. cache poisoning
  3. Cryptographic attacks
    1. Attacks on the protocol (SSL/TLS)
    2. Attacks on the encryption methods
  4. system take-over attacks (install something on the system the user agent is running on which could be used later)
  5. Social Engineering Attacks (not covered above, but these are within scope)
    1. Re-enrollment attack- convince user to re-enroll their account or machine (e.g., to answer challenge questions in sitekey)
    2. Convince users they are already logged in