Anomaly ATTACK. ACK ACK!! NO ACK NO ACK NO-
The Anomaly Attack.
What the heck is that?
Well, an Anomaly Attack is an idea I came up with when thinking about Big Data, how it gets used, and how it gets delivered into very real CDNs and storage buckets. Fantastic. How do we use everyday, normal people's data to develop a capability that can be leveraged against entire nation states? Well my dude, have I got one for you!
Imagine an individual named Jane.
Let's say Jane has her data on Instagram, Facebook, Twitter, some shit or the other, right?
Well, I got to thinking about the question: where is Jane's data actually going?
We already figured that one out: CDNs and data buckets!
So - what’s the attack S1REN?
Well, let's presume that Jane has stories and posts that data services or advertisers have collected without her knowing. Not only do we, as payload specialists, know WHERE that data is going (which buckets), we ALSO know what TYPE of data it is.
Fun stuff? Big Data ain't my niche.
But payloads are.
Jane's data (posts much like the ones above) gets categorized and put into something known as a "data set".
No clue bro.
It’s okay - stay tuned.
So, when automated software or AI comes along to what it believes are just regular "hey check out my kitten" type posts from social media, I want to now pretend that Jane is a very, very, very malicious actor.
Let's suppose even further that we've enumerated Jane and she is actually just like me: a malicious user.
Jane would then fall into a category or data set that is something like a lion's den.
What exists in a lions den?
Bones. Bones of things that Jane has eaten.
So, the attacker has consumed so much knowledge, so much information!
How does this become a next-level attack?
Let's say an archaeologist comes along and is interested in Jane's bone data.
We’ll call this man Jim.
Jim goes into the cave, completely invisible, and notices all of the 'information' or skeletal data that Jane has consumed.
What if Jane is always one step ahead of Jim?
How can that be?
What if Jane knew she would be categorized alongside others similar to her? (Think post-data classification.)
What if she anticipated Jim searching through all of her bone or 'skeletal data'?
So Jim is the target of SEEMINGLY random blog posts or social media posts, which were consumed by big advertisers and passed on to authorities like Jim in huge data buckets.
How does Jim get bitten?
Simple. Jim, with his magnifying glass, comes across a particular bone that goes 'ZZZZZZZ'.
Let's call this bone 'sweet tooth'.
Sweet tooth data contains intentional character codes and reference points aimed at the anticipated data set analysis tools and the read activity those systems perform.
I know what you're thinking: you have no PoC, S1REN.
Hey man - it’s something you can just sip on, k Mama?
Hey guys, glad to see you’re here again because of my super cute kitten <READ SYNTAX OF JIM>
Jim's expectation brings us back to our "sweet tooth" data.
ANOMALY ATTACK. <-- This would be the first poisoned set of data. Time interval 0.
Notice in the above set of data how we went from pre-known aspects, which I had literally just typed out, to words or series of characters that trigger the data to be classified into separate, special repositories.
I’m glad you enjoyed this segment. ANOMALY ATTACK (Slight mutation in anomaly data this time around).
Notice the second insertion: this interests Jim.
With knowledge of what read primitives Jim's "magnifying glass" uses to determine WHERE data goes and what CLASS it belongs to, the idea is that by the time he attempts to learn from Jane's data, he is infected.
Imagine a typical deserialization attack. The differences are small, but the delivery method is not your traditional request sent over TCP/IP directly to a victim machine; it is entire data sets, delivered with the purpose of corruption (effectively, a denial of service).
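Since I keep getting asked for something runnable, here is an added illustration of the shape of the thing. This is not code from the original post and it is not any real advertiser's or analytics vendor's pipeline; the feed format, the hashtag classifier, the `meta` field and the "likes" analysis step are all assumptions made up for the example. Jim's naive batch analysis trusts every record it reads, so two "sweet tooth" posts from Jane, shaped to land in the same "cats" data set as everyone else's kitten pictures, take the whole batch down. The hardened version validates each record on its own and quarantines the bad ones instead.

```python
# Added illustration, not code from the original post. A toy "Jim" ingestion
# pipeline and a poisoned "Jane" feed; every format and rule here is assumed.
import json
from collections import defaultdict

# Constructed sample feed: three ordinary posts and two "sweet tooth" posts
# from Jane, written so they are classified into the same "cats" data set
# and then break the analysis step that reads that set.
FEED = [
    {"user": "jane", "text": "hey check out my kitten #cats", "meta": '{"likes": 12}'},
    {"user": "bob", "text": "new recipe tonight #food", "meta": '{"likes": 3}'},
    # sweet tooth #1: well-formed JSON, but a string where the tool expects an int
    {"user": "jane", "text": "Thanks for having me along at the theme park today! #cats",
     "meta": '{"likes": "40"}'},
    # sweet tooth #2: truncated JSON that fails to parse at all
    {"user": "jane", "text": "ANOMALY ATTACK #cats", "meta": '{"likes": '},
    {"user": "ann", "text": "my cat again #cats", "meta": '{"likes": 7}'},
]


def classify(feed):
    """Jim's first step: route every post into a data set keyed by hashtag.
    Jane can predict where her posts land because the rule is the same for
    everyone (the "post-data classification" from the write-up)."""
    buckets = defaultdict(list)
    for post in feed:
        tags = [w.lstrip("#") for w in post["text"].split() if w.startswith("#")]
        for tag in tags or ["untagged"]:
            buckets[tag].append(post)
    return buckets


def analyze_naive(bucket):
    """Batch analysis that trusts every record it reads. One poisoned record
    aborts the whole bucket: the "effective service denial" described above."""
    total = 0
    for post in bucket:
        total += json.loads(post["meta"])["likes"]
    return total


def analyze_hardened(bucket):
    """Same analysis, but each record is validated on its own and the bad
    ones are quarantined instead of taking the rest of the data set down."""
    total, quarantined = 0, []
    for post in bucket:
        try:
            meta = json.loads(post["meta"])
        except ValueError:  # json.JSONDecodeError is a ValueError
            quarantined.append(post)
            continue
        likes = meta.get("likes") if isinstance(meta, dict) else None
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(likes, bool) or not isinstance(likes, int) or likes < 0:
            quarantined.append(post)
            continue
        total += likes
    return total, quarantined


def run(feed=FEED):
    """Run both analyses over the "cats" data set and report what each saw."""
    cats = classify(feed)["cats"]
    try:
        naive = analyze_naive(cats)
    except (ValueError, TypeError):
        naive = None  # the whole batch is lost to one bad record
    hardened_total, quarantined = analyze_hardened(cats)
    return {
        "cats_records": len(cats),
        "naive_total": naive,
        "hardened_total": hardened_total,
        "quarantined": [p["text"] for p in quarantined],
    }


if __name__ == "__main__":
    print(run())
```

The point of the hardened path is not just that it survives: the quarantine list is the record of what arrived shaped to fit the pipeline, which is exactly the kind of signal a defender on Jim's side would want to keep and look at, rather than letting the batch die silently.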
By triggering Jim's attention in Jane's den of bone data, we have created a 'Capability Condition' that did not exist before. We have, as Jane, poisoned data that was classified according to the kind of citizen or individual Jane appeared to be, and used that "best guess" scenario to create a Capability Condition Point.
After establishing this Capability Condition Point, we can imagine Jane looking back at Jim, and suddenly he is visible. Never directly to Jane herself, but rather through an assumption (our Capability Condition Point).
This effect or idea is titled an Anomaly Attack for the simple reason that, when data interpretation happens beyond the original server-side purpose, we introduce an Anomaly (a set of characters, data) to poison Jim's data integration tools.
So what does the data look like?
That’s why it’s an Anomaly Attack.
Being able to piece the data out after the fact is next to impossible, and the pattern is known only to the attacker themselves.
- Super content|<INTEREST CONTENT>|
- Trigger of Jim's interest.
- Condition Point set (Jane knows at this point).
- Reference or de-reference back to the initial Capability Point.
e.g. "Thanks for having me along at the theme park today!" (Data out of Jane's ordinary: mutated, perhaps technical reveal data.)
The next part requires time and 'tapering': the data is slowly released over social media to the point where Jim can't help but look, or have his analysis capability look back... and back... and back... and
(And you see where this goes).
An anomaly is created. The trigger point (payload release) occurs upon manual inspection by a person (Jim's real-life counterpart?).
Sip on that one.