The Irari rules for declaring a cyberattack ‘sophisticated'

These eight rules to help classify attacks are also guidelines to better security programs.

Organizations hit by a cyberattack have reason to call the attack "sophisticated." But calling an attack sophisticated doesn't make it sophisticated. We have put our heads together and come up with some rules for determining whether an attack is sophisticated, and we have put our names together (Ira and Ari) to give these rules a name: the Irari rules. If any of the following conditions occur, the attack is not sophisticated:

  • The attack used malware that should have been detected.
  • The attack targeted a known vulnerability.
  • Multifactor authentication was not in use on the targeted systems.
  • The attack exploited static passwords on critical servers.
  • A strong, comprehensive awareness program was not in place, if phishing was involved.
  • Detection mechanisms were not in place or were ignored.
  • Proper network segmentation was not in place.
  • User and administrator accounts that were exploited had excessive privileges.

If a bank leaves a bag of money sitting in the lobby, it doesn't matter if it is stolen by a master criminal or a street thug. Anyone with minimal skill and intent could do it. When an organization claims that an attack against it was sophisticated, it wants to imply that it was difficult to stop. But in case after case, although the organization of the attacks might appear sophisticated, the actual attack was fairly basic.

Even the FBI characterized last year's attack against Sony as sophisticated. Don't be fooled. Yes, administrator credentials were apparently hard-coded into the malware. Nonetheless, the malware's presence should have been detected. And the presence of the administrator credentials suggests several possibilities, none of them indicative of a sophisticated attack: 1) The Sony hack relied on a phishing attack, which better awareness might have prevented; 2) passwords were not changed frequently enough, if at all; and 3) there was a lack of multifactor authentication in use on critical systems. So, even if the attacker was the most skilled hacker in the world, the same results could have been accomplished by anyone with time and far-from-sophisticated skills.

Attacks like the one against Sony are the new normal. All organizations should expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities. What, then, does it take for an attack to rise above the new normal and be truly sophisticated?

Well, first, let's consider attacks that clearly are sophisticated. The Equation group, assumed to be tied to the National Security Agency, was able to go undetected for 14 years. It used malicious software to exploit zero-day vulnerabilities, impossible to detect and difficult to remove. It established excellent covert channels for communications back to its controllers. The Equation group was able to launch basically unstoppable attacks even against top-tier security programs. The nature of those attacks is very different from those that hit Sony and Target, for example.

From what we know about attacks by the Equation group, none of the Irari rules trip them into unsophisticated territory. Although we could have come up with additional rules, we believe that our list encapsulates almost all non-sophisticated attacks for the moment.

A closer look

Here's a breakdown of the eight Irari rules.

The malware used should have been detected. If the malware used is known well enough to be detected by anti-malware or antivirus software, then the attack cannot be classified as sophisticated. The attack could have been detected with properly configured and maintained tools available. Even if a sophisticated attacker was involved, an attack that uses detectable malware shows a lack of respect for the victim's security program.

The attack exploited vulnerabilities where a patch was available. If an attack exploited a vulnerability that could have been patched, the attack cannot have been sophisticated. A sophisticated attack would never rely on exploiting a vulnerability that could have been prevented. The fact that the known vulnerability existed on the exploited system demonstrates that anyone could have launched the attack.

Multifactor authentication was not in use on critical servers. Multifactor authentication is a common countermeasure for advanced security programs. It prevents a wide variety of potential attacks, including social engineering and password guessing. No attack against an organization whose critical servers don't use multifactor authentication can be considered sophisticated.

Static passwords were used in attacks on critical servers. Even with multifactor authentication in place, passwords should be changed frequently. Static passwords on critical accounts is just a poor security practice and represents an unsophisticated security program, and their presence eliminates the possibility of a sophisticated attack.

If phishing was involved, there was no awareness program in place that went beyond phishing simulations and computer-based training. While we will acknowledge that there are some spearphishing messages that are very sophisticated, and even the most aware people might fall prey to them, these are rare. Exponentially more frequently, the organization's security awareness program is poor, if it exists at all. Security awareness programs that focus on computer-based training and phishing simulations are examples of poor awareness programs.

Detection mechanisms that could have stopped the attack in progress were not in place or were ignored. In the case of the Target hack, administrators apparently reported that their FireEye system detected unusual activity and were told to ignore it by management. In the case of the Sony hack, detectable malware on the network went undetected. Also, terabytes of Sony's most valuable data were exfiltrated and went completely undetected. When you have data that is so valuable, it is inexcusable not to have mechanisms in place to monitor for potential compromises.

There was poor network segmentation that allowed the attackers to jump from low-value networks to critical systems. Businesses want to save money by having seamless connections to all systems. While the Target hack is infamous for the attackers jumping from a vendor network to the point-of-sale systems, it is not unique. There are plenty of incidents that demonstrate that industrial control systems, even and especially in critical infrastructures, are on poorly protected business networks.

User accounts that were compromised had excessive privileges. It is very common for standard user accounts to have access to data and systems privileges that they don't need. Many organizations give employees administrator privileges on their PCs. This allows what should otherwise be a contained compromise that is easy to investigate to become a major incident. This again is the sign of a poor security program.

As you can see, the measure of an attack's sophistication is based upon the layers of security it had to bypass. And time and again, attacks that have been described as sophisticated should have been stopped at multiple points.

Why is it important that attacks be properly characterized? Claims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.

Pointing this out is not a case of blaming the victim. An organization that is attacked is not the bad guy. But organizations faced with the new normal do have a responsibility to deflect attacks that can be deflected, just as homeowners are expected to put locks on their doors and windows.

In fact, more sophisticated security programs should become the new new normal.

Ira Winkler is president of Secure Mentem and author of the book  Spies Among Us. Ira and Araceli Treu Gomes  can be contacted through Ira's Web site, They will be doing a full presentation on these rules at the RSA Conference this Friday, April 24.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecurityCybercrime & Hacking

More about FBIFireEyeNational Security AgencyRSASony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Ira Winkler and Araceli Treu Gomes

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts