Today, criminals are smarter than ever before, and malicious programs are more sophisticated. Modern malware can infect a target PC and remain undetected for a long time, and the advance of computing power makes it possible to crack difficult passwords in a fraction of a second. The motive behind the majority of cyberattacks nowadays is not to damage your machine, but to steal your money, to access your private information, or to acquire your login credentials. Conceptually, cybersecurity risks can be divided into two main categories: passive and active attacks. In this article, we will briefly talk about the difference between these two types and give some illustrative examples of each.
In a passive attack, an intruder monitors a system and its network communications and scans for open ports and other vulnerabilities. For example, they might exploit an unpatched system or take advantage of an expired certificate on a security device (in fact, the Equifax data breach was aided by an expired certificate that wasn’t discovered by the company’s security team).
Once the intruder has infiltrated the network, they can collect information in a couple of ways. In a footprinting passive attack, the intruder tries to collect as much intelligence as they can for use in a later attack on the target system or network. An example is an intruder recording network traffic with a packet analyzer tool, such as Wireshark, for later analysis.
Installing a keylogger is another kind of passive attack: the intruder waits for the user to enter their credentials and records them for later use.
The two most common use cases of passive attacks are:
- Traffic analysis: In this type, an attacker monitors communication channels to collect a range of information, including human and machine identities, the locations of these identities and the types of encryption used, if applicable.
- Release of message contents: In this type, an attacker monitors an unprotected communication medium, such as unencrypted email or a telephone call, and intercepts it for sensitive information.
Other types of passive attacks include “passive reconnaissance,” where an attacker tries to gain important information about the target organization’s internet-connected presence without sending any traffic (packets) to the target server or network. Examples of this type of attack include browsing a website’s contents for relevant information (such as employee contact information) that can be used in active attacks, or finding files that have been left unprotected on a target server, such as meeting papers or intellectual property.
Detecting a passive attack is very difficult, and in many cases impossible, because it does not involve data alteration in any way. However, you can implement protective measures to stop it, including:
- Using encryption techniques to scramble messages, making them unreadable to unintended recipients. Two types of encryption can be implemented in this case:
  - Symmetric keys (the same key on both ends), which still leave the problem of exchanging the secret key secretly.
  - Public-key encryption, where each party (whether a user, program or system) involved in the communication has two keys, one public and one private that must be kept secret. An example of this type is SSL/TLS certificates (HTTPS), which are used to ensure the validity of machine identities between a web server and someone’s browser.
- Avoiding posting sensitive information publicly (e.g. private and company information) that outside hackers can use to invade your private network.
Figure 1 – Passive attack (Traffic analysis)
An active attack involves using information gathered during a passive attack to compromise a user or network. There are many types of active attacks. In a masquerade attack, an intruder pretends to be another user to gain access to a restricted area of the system. In a replay attack, the intruder captures a packet from the network and forwards that packet to a service or application as if the intruder were the user who originally sent it. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are also examples of active attacks; both work by preventing authorized users from accessing a specific resource on a network or the internet (for example, flooding a web server with more traffic than it can handle).
Unlike a passive attack, an active attack is more likely to be discovered quickly by the target once it is executed. The following are some protective measures against this type of attack:
- Generating a random session key that is valid for only one transaction at a time; this should effectively prevent a malicious user from retransmitting the original message after the original session ends.
- Using one-time passwords to authenticate transactions and sessions between communicating parties. This guarantees that even if an attacker succeeds in recording and retransmitting the captured message, the associated password will have expired by then.
- Using the Kerberos authentication protocol (commonly used in Microsoft Windows Active Directory), which supports many countermeasures against different types of replay attacks.
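The first two measures above, a single-use session value and one-time passwords, are shown working together in the following added example. It is written for this article and is not code from the original post. It assumes a shared secret between client and server; the key, the message text and the timestamps are constructed sample values, and the one-time password routine follows RFC 4226 (HOTP) so it can be checked against that RFC's published test vectors.

```python
"""Added example: two replay defences named in the text, a single-use nonce with a
timestamp window, and counter-based one-time passwords (HOTP, RFC 4226).
Not from the original article; keys and messages are constructed sample values."""
import hashlib
import hmac
import secrets
import struct

# Constructed shared secret for the demo (in practice, provisioned per client or session).
DEMO_KEY = b"constructed-demo-key-not-for-production"


def compute_tag(key: bytes, msg: bytes, nonce: str, ts: int) -> str:
    """HMAC-SHA256 over timestamp || nonce || message so none of the three can be swapped unnoticed."""
    data = str(ts).encode() + b"|" + nonce.encode() + b"|" + msg
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_request(key: bytes, msg: bytes, now: int) -> dict:
    """Client side: attach a fresh random nonce, the current time and a MAC binding all three."""
    nonce = secrets.token_hex(16)
    return {"msg": msg, "nonce": nonce, "ts": now, "tag": compute_tag(key, msg, nonce, now)}


class ReplayGuard:
    """Server side: accepts a request once, within a time window, and never again."""

    def __init__(self, key: bytes, max_age_s: int = 30):
        self.key = key
        self.max_age_s = max_age_s
        self.seen: dict[str, int] = {}  # nonce -> time after which it no longer needs remembering

    def verify(self, req: dict, now: int) -> str:
        # Forget nonces older than the window; anything that old fails the timestamp check anyway.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if abs(now - req["ts"]) > self.max_age_s:
            return "rejected: stale timestamp"
        expected = compute_tag(self.key, req["msg"], req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["tag"]):
            return "rejected: bad MAC"
        if req["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[req["nonce"]] = req["ts"] + self.max_age_s
        return "accepted"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Accepts each counter value once; a recorded code cannot be replayed because the counter only moves forward."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate a few codes the client generated but never sent
        self.last_counter = -1

    def check(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def run_demo() -> list:
    """Walk through a legitimate request, its immediate replay, a late replay, and OTP reuse."""
    guard = ReplayGuard(DEMO_KEY)
    req = make_request(DEMO_KEY, b"transfer 100 to account 42", now=1_000_000)
    results = [
        guard.verify(req, now=1_000_001),  # first delivery
        guard.verify(req, now=1_000_002),  # the captured packet is sent again
        guard.verify(req, now=1_000_100),  # sent again after the window has closed
    ]
    otp = OtpVerifier(b"12345678901234567890")  # RFC 4226 test-vector secret
    code = hotp(b"12345678901234567890", 0)
    results += [otp.check(code), otp.check(code)]  # first use accepted, second use rejected
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Both defences rely on the verifier keeping state: the nonce table remembers what it has already accepted for as long as the timestamp window makes a replay possible, and the OTP verifier remembers the highest counter it has consumed. Without that memory, a correctly signed message or a correctly computed code is just as valid the second time as the first, which is exactly what a replay attack exploits.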
Figure 2 – Demonstration of Active attack (Modification of a message)
Cybersecurity risks can be broadly segmented into two types: passive and active attacks. In a passive attack, no modification of data occurs and the target does not know about its occurrence, unless they have a system that monitors and protects machine identities. In an active attack, system resources and data are modified or otherwise damaged, affecting the system’s normal operations. Although a user is more likely to become aware of an active attack than a passive one, the root cause of an active attack is hard to determine without proper monitoring and protection of human and machine identities.