CSRIC WG4 - Ecosystem Feeder Group
Ecosystem to TCP/IP Layers to Cyber Attack Mapping

The mapping spans three ecosystem groups:
* Enterprise / Government End Users
* Network Operators / Network Providers / Communications Sector
* Hacker / Hacktivist / Attacker / Nation States / Criminal orgs / Exploit Community

For each TCP/IP layer, the mapping lists the ecosystem categories involved at that layer, the layer's protocols, and the cyber attacks / threats that operate at that layer.

APPLICATION LAYER

Ecosystem categories:
* Content producers/distributors
* App developers/distributors
* Operating Systems
* Databases
* Websites
* Cloud (SaaS, PaaS+D36) Operator
* OTT Operators
* Network HW/SW/OS/CPE Vendors
* Web Browsers
* eCommerce Cos.
* Edge Device Cos.
* End User/Consumer
* Relay Service Providers
* Anti-Virus/Security HW-Firewall Vndrs
* Public Safety Networks
* Dark Exploit Websites
* Open Source Community
* Electronic Payment Networks

Protocols: HTTP, SMTP, SIP, INAP, BGP, DHCP, DHCPv6, DNS, FTP, ONC/RPC, IMAP, IRC, LDAP, NTP, POP, RTP, RTSP, RIP, SNMP, SOCKS, SSH, Telnet, TLS/SSL, XMPP

Cyber attacks / threats:
* SQL/LDAP Injection
* Email malware/Phishing attacks
* HeartBleed/SSL Attacks
* BrutPOS Botnet against POS terminals
* RAM Scraping malware
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery (CSRF)
* Application Layer DDoS (e.g., malformed packet)
* Masquerade Attacks & Exploits
* Fraud/Theft/Customer record breaches
* Distributed-Distraction DDoS Attacks
* DNS Spoofing
* CallerID Spoofing
* Authentication/Certificate spoofing
* Zero-Day/Watering hole attacks
* Password theft & Keylogger Attacks
* POS Intrusions/Trojans
* DEV kit & SDK Exploits
* Bitcoin Theft & spoofing
* Rootkit Injection & Operations
* USB 'Thumb-drive' injections & exploits
* Zeus/Citadel "Man-in-browser" attacks

TRANSPORT LAYER

Ecosystem categories:
* Backbone Network Operators
* Access Network Operators
* Wireless Network Operators
* Internet Service Providers
* CDN Operators
* Business VPN/VoIP Operators
* OTT Operators
* Utilities (private utility networks)
* Cloud (NaaS) Operator
* Internet Service Provider
* Network HW/SW/OS/CPE Vendors
* Edge Device Cos.
* Social Media Cos.
* Relay Service Providers
* Anti-Virus/Security HW-Firewall Vndrs
* Public Safety Networks
* Electronic Payment Networks

Protocols: TCP, UDP, RUDP, DCCP, CTP, RSVP, TLS, WAP, WTLS

Cyber attacks / threats:
* DNS Reflection Attacks
* Fraud/Theft/Customer record breaches
* Man-in-the-Middle (MITM)
* DDoS (e.g., traffic flooding, SYN flooding)
* Eavesdropping
* Network Reconnaissance
* Session Hijacking/Session Poisoning
* UDP Floods

INTERNET LAYER

Ecosystem categories:
* Backbone Network Operators
* Wireless Network Operators
* Utilities (private utility networks)
* Cloud (IaaS) Operator
* Internet Service Provider
* Business VPN/VoIP Operators
* Network HW/SW/OS/CPE Vendors
* Edge Device Cos.
* Anti-Virus/Security HW-Firewall Vndrs
* Public Safety Networks

Protocols: IP (IPv4 & IPv6), ICMP, ICMPv6, ECN, IGMP, IPsec, DNS, DNSSec, MPLS

Cyber attacks / threats:
* DDoS Attacks (e.g., traffic flooding, amplification - Smurf)
* IP Address Spoofing
* DNS Cache Poisoning
* Malformed Packet Attacks (e.g., Teardrop, Ping of Death, etc.)
* Fraud/Theft
* ICMP Redirect & Flooding
* DNS Spoofing & Reflection Attacks

NETWORK ACCESS / LINK LAYER

Ecosystem categories:
* Backbone Network Operators
* Access Network Operators
* Wireless Network Operators
* Utilities (private utility networks)
* Network HW/SW/OS/CPE Vendors
* Edge Device Cos.
* Internet Service Infras/Clearinghouse
* Anti-Virus/Security HW-Firewall Vndrs
* Public Safety Networks

Protocols: ARP/InARP, NDP, OSPF, Tunnels (L2TP), PPP, MAC (Ethernet), xDSL, ISDN, FDDI, DOCSIS, 802.11n, LTE-VoLTE, SS7, CDMA, GSM, 2G, 3G

Cyber attacks / threats:
* MAC Address Spoofing & Flooding
* ARP Cache Poisoning/ARP Spoofing
* CallerID Spoofing
* WiFi Intercept exploits
* DDoS Attacks
* SS7 (point code) Address Spoofing

DEFINITIONS KEY

Acronym/Term - Description - Source

* DDoS: Distributed denial-of-service (DDoS) attacks are sent by two or more persons, or bots.
  Source: http://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack

* SQL: Originally based upon relational algebra and tuple relational calculus, SQL consists of a data definition language and a data manipulation language. The scope of SQL includes data insert, query, update and delete, schema creation and modification, and data access control.
  Source: http://en.wikipedia.org/wiki/SQL

* LDAP: The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
  Source: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

* Zero-Day Attack: A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw.
  Source: http://en.wikipedia.org/wiki/Zero-day_attack

* DEV: Dev or indev software, applications or other pieces of computer software still in alpha or beta stages of development, or alternatively, a neutral build or nightly build, a version of a software which represents the current state of its source code, which could be unstable or buggy.
  Source: http://en.wikipedia.org/wiki/Dev#Technology

* SDK: A software development kit (SDK or "devkit") is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.
  Source: http://en.wikipedia.org/wiki/Software_development_kit

* Rootkit: A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.
  Source: http://en.wikipedia.org/wiki/Rootkit

* Man-In-Middle Attack: The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
  Source: http://en.wikipedia.org/wiki/Man-in-the-middle_attack

* DNS: The Domain Name System (DNS) translates easily memorized domain names to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. The Domain Name System is an essential component of the functionality of the Internet.
  Source: http://en.wikipedia.org/wiki/Domain_Name_System

* ICMP: The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol Suite. It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
  Source: http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

* MAC Address Spoofing: MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing.
  Source: http://en.wikipedia.org/wiki/MAC_spoofing

* ARP Spoofing: ARP spoofing is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
  Source: http://en.wikipedia.org/wiki/ARP_spoofing

* UDP: With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communications to set up special transmission channels or data paths.
  Source: http://en.wikipedia.org/wiki/User_Datagram_Protocol

* POS: Point of sale (also called POS or checkout) is the point at which a customer makes a payment to the merchant in exchange for goods or services.
  Source: http://en.wikipedia.org/wiki/Point_of_sale

* SYN Flood: A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
  Source: http://en.wikipedia.org/wiki/SYN_flood

* SSL: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.
  Source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer

* SS7: Signalling System No. 7 (SS7) is a set of telephony signaling protocols which are being used to set up most of the world's public switched telephone network (PSTN) telephone calls. The main purpose is to set up and tear down telephone calls. Other uses include number translation, local number portability, prepaid billing mechanisms, short message service (SMS), and a variety of other mass market services.
  Source: http://en.wikipedia.org/wiki/Signalling_System_No._7

* DNS Reflection/Redirection: DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
  Source: http://en.wikipedia.org/wiki/DNS_hijacking