An attack or exploit path can be selected through a variety of mechanisms. If you treat the OSI 7 Layer Model as a model of network behavior (how the technology of networked systems works), then you can use it to determine exploit paths from the top to the bottom of the stack. The same OSI 7 Layer model can be loosely applied to the IBM operating system model as depicted below.
The depiction shows the common operating system model, the DOD network model, the OSI 7 Layer model, and the different applications (how each layer is used). Two more layers can be added: layer 8 (the human mind) and layer zero, kinetic action (bombs). Understanding how this series of layers is used is important for grasping both the network-centric and the human-centric aspects of cyber warfare.
When a person accesses a web page link they press a key (or click a mouse); that input is interpreted by the device interface layer of the operating system model, passes up through the model to the user application, then down from the application layer of the OSI 7 layer model as a “get”. That “get” is then passed through the OSI 7 layers to a network that transfers it across the Internet to a particular server and back up through the OSI 7 layers until the server responds. An attack can be generated against any of those layers in any of the use cases we might come up with. This is what is called a wicked problem. Why a wicked problem? Inherently the level of chaos inside the system we have described is so high that no amount of security can possibly close every avenue of attack. When network-centric exploitation doesn’t work there are always bombs and bullets. To make matters worse, all of this as an attack strategy will also work against SCADA, as shown in the figure above.
A research process was created, as seen below. The research, involving an extensive team, used a taxonomy combining the common OSI 7+2 layer model and the McCumber Cube Model. A set of results was examined after applying this taxonomy to forty-five thousand vulnerabilities, over two thousand elements found in the Security Technical Implementation Guides, the intelligence process, over one hundred actual events over a ten-year period, and in excess of three hundred well-known hacker tools. This allows an extensive capacity to cross-reference between detected, detecting, active attack, and results, with a goal-oriented approach to understanding the completeness of the domain.
The process is fairly well defined, though some details are only lightly touched upon in this overview. The data gathered is the result of undergraduate students, with that level of knowledge, applying the rule sets of classification in a fairly muddled domain of knowledge. It is fully expected that other entities might get substantially different results following the same process. To be sure, a larger team would be needed to do this with a high assurance level.
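As an added illustration, not code from the article or the research team, here is one way the cross-reference could be represented: each record is placed in a cell of OSI 7+2 layer × McCumber information state × security goal, and any cell holding an attack tool or event but no detecting element is reported as a coverage gap. The sample records and their names are constructed, and the McCumber Cube's third axis (safeguards: technology, policy, education) is simplified away by using the record kind instead.

```python
from collections import defaultdict

# OSI 7+2 layers as the article defines them: 0 = kinetic, 1-7 = OSI, 8 = human mind.
LAYERS = {0: "kinetic", 1: "physical", 2: "data link", 3: "network", 4: "transport",
          5: "session", 6: "presentation", 7: "application", 8: "human"}
# Two McCumber Cube axes: information states and security goals.
STATES = ("transmission", "storage", "processing")
GOALS = ("confidentiality", "integrity", "availability")

# Record: (kind, layer, state, goal, name). Kinds follow the article's cross-reference
# categories: "attack" (a hacker tool or actual event) and "detect" (a STIG element or
# detecting control). These sample records are constructed, not taken from the study.
RECORDS = [
    ("attack", 7, "processing", "integrity", "hypothetical web injection tool"),
    ("attack", 3, "transmission", "availability", "hypothetical flood tool"),
    ("attack", 8, "processing", "confidentiality", "hypothetical phishing lure"),
    ("detect", 7, "processing", "integrity", "hypothetical input-validation STIG check"),
    ("detect", 3, "transmission", "availability", "hypothetical flow-monitoring control"),
]


def classify(records):
    """Index records by (layer, state, goal) cell, grouped by kind; reject anything
    that falls outside the taxonomy so classification errors surface early."""
    cells = defaultdict(lambda: defaultdict(list))
    for kind, layer, state, goal, name in records:
        if layer not in LAYERS or state not in STATES or goal not in GOALS:
            raise ValueError(f"record outside taxonomy: {name}")
        cells[(layer, state, goal)][kind].append(name)
    return cells


def coverage_gaps(records):
    """Cells with an attack record but no detecting record: the places where the
    taxonomy shows an attack path with nothing classified that would observe it."""
    cells = classify(records)
    return sorted(cell for cell, kinds in cells.items()
                  if kinds["attack"] and not kinds["detect"])


def layer_summary(records):
    """Per-layer counts of attack and detect records across the whole 7+2 model,
    so layers with no classified records at all (here 0-2, 4-6) are visible."""
    counts = {layer: {"attack": 0, "detect": 0} for layer in LAYERS}
    for kind, layer, *_ in records:
        counts[layer][kind] += 1
    return counts
```

With the constructed records above, the only gap is the human layer cell, which is the kind of result the cross-reference is meant to surface.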