Contrasting active and passive attacks reveals two distinct styles of cyber threat. In a passive attack the perpetrator surreptitiously observes systems and intercepts data but alters nothing; the stealthy aim is to map weaknesses and entry points without alerting defenders. In an active attack the perpetrator deliberately manipulates the system or the data it holds, typically to gain unauthorized access, elevate privileges, or damage integrity and availability. Data gathered in a passive attack is very often the precursor to a more aggressive and compromising active attack.
The internet is full of risks! Whenever you go online, there is a possibility that you will encounter one. Within that range of risks there are different types of computer threats, each with its own kind of damage. Some threats corrupt your installed operating system and force you to reinstall it. Others steal your credentials and saved passwords. Still others do no visible harm to your PC at all; instead, they track your online activities and invade your privacy.
Today, criminals are smarter than ever before, and malicious programs are more sophisticated. Modern malware can infect a target PC and remain undetected for a long time, and cheap computing power makes it possible to crack weak passwords in seconds. The motive behind the majority of cyberattacks nowadays is not to damage your machine, but to steal your money, access your private information, or acquire your login credentials. Conceptually, cybersecurity risks can be divided into two main categories: passive and active attacks. In this article, we briefly explain the difference between the two and give illustrative examples of each.
What is a passive attack?
In a passive attack, an intruder monitors a system and its network communications without changing anything. Strictly speaking, the steps that usually precede the monitoring, such as scanning for open ports or exploiting an unpatched system to get a foothold, do send traffic to or modify the target and are therefore active; the passive part is the listening that follows. A weakness in the defender's own monitoring can make that listening far more productive: an expired certificate on a traffic-inspection device, for example, means encrypted traffic is no longer being decrypted and examined by the security team (in the Equifax data breach, an expired certificate on such a device went unnoticed, and the attackers' traffic passed uninspected for months).
Once the intruder has a vantage point on the network, they can collect information in several ways. In footprinting, the intruder gathers as much intelligence as possible for use in a later attack on the target system or network; a typical example is recording network traffic with a packet analyzer such as Wireshark for offline analysis.
A keylogger is often grouped with passive attacks because the intruder simply waits for the user to type their credentials and records them for later use. Note, though, that installing the keylogger modifies the victim's machine, so only the recording phase is truly passive.
The two classic forms of passive attack are:
- Traffic analysis: the attacker observes communication channels to learn who is talking to whom, including human and machine identities, their locations, timing and volume of traffic, and the type of encryption in use, if any. Encryption does not stop this; it only hides the payload.
- Release of message contents: the attacker monitors an unprotected medium, such as unencrypted email or a telephone call, and reads the sensitive information it carries.
Another passive technique is "passive reconnaissance," where an attacker gathers information about the target organization's internet-facing presence without sending traffic that the target would distinguish from ordinary visitors, or ideally without contacting the target at all (search engines, public registries and archived copies of web pages are the usual sources). Examples include browsing a website's public content for relevant information, such as employee contact details that can be used in a later active attack, or finding files that have been left unprotected on a target server, such as meeting papers or intellectual property.
Detecting a passive attack is very difficult, and often impossible, because no data is altered and nothing out of the ordinary reaches the victim's logs. The practical response is therefore prevention:
- Use encryption to scramble messages so that they are unreadable to any unintended recipient. Two kinds of encryption apply here:
  - Symmetric keys (the same key at both ends). These are fast, but the two parties still have to agree on the secret key without an eavesdropper learning it, which is the key-distribution problem.
  - Public-key encryption, where each party (a user, a program or a system) has a key pair: a public key that can be shared freely and a private key that must be kept secret. SSL/TLS certificates (HTTPS) are the everyday example: the certificate lets a browser verify the web server's machine identity, and the public-key exchange then establishes the symmetric session key used to protect the actual traffic.
- Avoid posting sensitive information publicly (for example private and company details) that outside attackers can use to plan an intrusion into your network.
Figure 1 - Passive attack (traffic analysis)
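To make the two forms of passive attack concrete, here is an added example (not code from the original article) that plays the eavesdropper. It inspects two packets constructed inline for the example: an unencrypted HTTP login, from which the credentials can be read outright (release of message contents), and a TLS ClientHello, from which only metadata can be read because the contents are encrypted (traffic analysis). The hostname, usernames, password and packet bytes are all made up; the parser uses only the standard library.

```python
"""Passive observer: what an eavesdropper learns from plaintext vs. TLS.

Added example, not code from the original article. Both "captured" packets
are constructed inline (nothing here was recorded from a real network), so
the script runs offline and the parsing needs no third-party library.
"""
import re
import struct
from urllib.parse import parse_qs

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CIPHER_NAMES = {                      # IANA code points
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed packet 1: an unencrypted login. Host and credentials are made up.
HTTP_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)


def build_client_hello(hostname: str, suites: list) -> bytes:
    """Constructed packet 2: a minimal TLS 1.2-style ClientHello record with a
    server_name (SNI) extension, laid out the way a real client sends it."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03"                                           # client_version
            + bytes(32)                                           # random (zeros here)
            + b"\x00"                                             # no session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def traffic_analysis(record: bytes) -> dict:
    """Traffic analysis: the ClientHello is sent before any key exists, so an
    observer reads version, offered cipher suites and the target hostname
    without decrypting anything. The message contents stay hidden."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                    # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                              # version, then client random
    pos += 1 + record[pos]                     # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                     # compression methods
    sni = None
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                    # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            sni = record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return {"kind": "traffic analysis",
            "version": TLS_VERSIONS.get(version, hex(version)),
            "suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
            "sni": sni}


def release_of_contents(payload: bytes) -> dict:
    """Release of message contents: with no encryption the observer simply
    reads the credentials out of the request body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    host = re.search(rb"^Host: ([^\r\n]+)", head, re.M)
    fields = parse_qs(body.decode())
    return {"kind": "release of message contents",
            "host": host.group(1).decode() if host else None,
            "username": fields.get("username", [None])[0],
            "password": fields.get("password", [None])[0]}


def observe(packet: bytes) -> dict:
    """What a passive eavesdropper gets from one captured packet."""
    if packet[:1] == b"\x16":                  # TLS handshake record
        return traffic_analysis(packet)
    return release_of_contents(packet)


CLIENT_HELLO = build_client_hello("intranet.example.com", [0x1302, 0x1301, 0xC02F])

if __name__ == "__main__":
    for pkt in (HTTP_POST, CLIENT_HELLO):
        print(observe(pkt))
```

Run stand-alone it prints one dictionary per packet. The contrast is the point: the HTTPS connection to the same host gives the eavesdropper the hostname and cipher preferences but not the password, which is exactly what the encryption countermeasure above buys you, and exactly what it does not.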
What is an active attack?
An active attack attempts to alter system resources or affect their operation, and frequently uses the information gathered during a passive attack to do so. There are many types. In a masquerade attack, an intruder pretends to be another user to gain access to a restricted part of the system. In a replay attack, the intruder captures a legitimate packet from the network and later resends it to a service or application as if they were the user who originally sent it. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are also active attacks; both work by preventing authorized users from reaching a resource on a network or the internet, for example by flooding a web server with more traffic than it can handle.
Unlike a passive attack, an active attack leaves effects the target can notice, so it is more likely to be discovered quickly once executed. The following protective measures address replay attacks in particular:
- Generate a random session key, or a random nonce, that is valid for one transaction only; a message recorded during one session is then worthless once that session ends, because the server will not accept it under any other key or nonce.
- Use one-time passwords to authenticate transactions and sessions between the communicating parties. Even if an attacker records and retransmits a captured message, the password it carries has already expired or been consumed.
- Use the Kerberos authentication protocol (the default in Microsoft Windows Active Directory), which counters replay by putting a timestamp in every authenticator, rejecting authenticators outside a short clock-skew window, and keeping a replay cache of authenticators already seen within that window.
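The three measures above combine naturally into one exchange. The following is an added example (not code from the original article, and not an implementation of Kerberos itself) showing a server that issues a one-time random nonce per transaction, a client that binds its request to that nonce and to the current time with a keyed MAC, and server-side checks that reject a replayed copy, an altered copy, and a copy recorded too long ago. The client name, the shared key and the 300-second freshness window are illustrative assumptions.

```python
"""Replay-resistant authentication: one-time nonce + timestamp + HMAC.

Added example, not code from the original article. It combines the
countermeasures listed above (a random value valid for a single
transaction, a Kerberos-style freshness window, and a keyed MAC so the
message cannot be altered in transit). Client names, keys and the
300-second window are illustrative assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds of clock drift tolerated (assumption; Kerberos defaults to 5 minutes)


def mac(key: bytes, cid: str, nonce: str, ts: int, body: str) -> str:
    """Keyed MAC over a canonical JSON encoding, so field boundaries cannot
    be shifted by an attacker (a plain '|' join would be ambiguous)."""
    data = json.dumps([cid, nonce, ts, body], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, keys: dict, clock=time.time):
        self.keys = keys          # client_id -> shared secret (assumed pre-provisioned)
        self.clock = clock        # injectable so the demo is deterministic
        self.outstanding = {}     # nonce -> client it was issued to
        self.seen = set()         # consumed nonces: the replay cache

    def challenge(self, cid: str) -> str:
        """Step 1: hand the client a fresh random value for this transaction only."""
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = cid
        return nonce

    def verify(self, msg: dict) -> tuple:
        """Step 3: accept a message once; reject replayed, stale or altered copies."""
        cid, nonce, ts, body, tag = (msg[k] for k in ("cid", "nonce", "ts", "body", "tag"))
        if nonce in self.seen:
            return False, "replay: nonce already used"
        if self.outstanding.get(nonce) != cid:
            return False, "nonce was not issued to this client"
        if abs(self.clock() - ts) > MAX_SKEW:
            return False, "stale timestamp"
        key = self.keys.get(cid)
        if key is None:
            return False, "unknown client"
        if not hmac.compare_digest(mac(key, cid, nonce, ts, body), tag):
            return False, "bad MAC: message altered or wrong key"
        del self.outstanding[nonce]  # consume it: a second copy can never be accepted
        self.seen.add(nonce)
        return True, "accepted"


class Client:
    def __init__(self, cid: str, key: bytes, clock=time.time):
        self.cid, self.key, self.clock = cid, key, clock

    def respond(self, nonce: str, body: str) -> dict:
        """Step 2: bind the request to the nonce and the current time with the shared key."""
        ts = int(self.clock())
        return {"cid": self.cid, "nonce": nonce, "ts": ts, "body": body,
                "tag": mac(self.key, self.cid, nonce, ts, body)}


def demo() -> list:
    """Genuine exchange, then the three attacks the checks are meant to stop.
    A fixed clock makes the run deterministic."""
    now = 1_700_000_000
    key = b"shared-secret-for-alice"  # constructed, not a real credential
    server = Server({"alice": key}, clock=lambda: now)
    alice = Client("alice", key, clock=lambda: now)
    results = []

    msg = alice.respond(server.challenge("alice"), "transfer 100 to bob")
    results.append(server.verify(msg))           # genuine -> accepted
    results.append(server.verify(msg))           # eavesdropper re-sends it -> replay

    msg2 = alice.respond(server.challenge("alice"), "transfer 100 to bob")
    forged = dict(msg2, body="transfer 100 to mallory")
    results.append(server.verify(forged))        # altered in flight -> bad MAC

    old_alice = Client("alice", key, clock=lambda: now - 2 * MAX_SKEW)
    msg3 = old_alice.respond(server.challenge("alice"), "transfer 100 to bob")
    results.append(server.verify(msg3))          # recorded long ago -> stale
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The order of the checks matters: the replay cache and nonce lookup come first because they are cheap and need no key, the timestamp bounds how long the replay cache has to remember anything, and the MAC is compared with hmac.compare_digest so the comparison itself does not leak timing information.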
The most common types of active attacks are:
- Masquerade attacks. Cybercriminals use a manipulated, spoofed or stolen identity to gain unauthorized access to systems, or authorization to conduct certain privileged actions. They may use identifiers, such as device, digital signature, network address or certificate to impersonate legitimate access identification.
- Modification of message attacks. Cybercriminals alter a legitimate message in transit, whether by changing part of its contents, rewriting header fields such as the destination address, or delaying and reordering messages, so that the recipient acts on data the sender never sent. Injecting malicious content into email by abusing weaknesses in mail protocols is a common instance.
- Repudiation attacks. Cybercriminals falsify or suppress the records that attribute an action to them, for example by tampering with log entries, so that they can later deny having made a transaction or sent a message.
- Replay attacks. Cybercriminals eavesdrop on a secure network communication, intercept it and resend it under the cloak of authentic messages. They capture this transmitted authentication or access control information to gain unauthorized access.
- Denial of service attacks. Cybercriminals make a system or network unavailable to its intended users by overwhelming it with traffic or requests that consume resources. They prevent legitimate users from accessing information systems, devices, or other network resources.
Active attack vs passive attack

| Active attack | Passive attack |
|---|---|
| Intercepts connections to modify information | Monitors, copies and saves information for future malicious use |
| Can use information collected through passive attacks | Only collects information such as passwords and messages |
| Injects, alters or blocks traffic on the medium or network | Simply observes communication on the medium or network |
| Difficult to restrict from entering systems or networks | Relatively easier to prevent than active attacks |
| Victim usually becomes aware of the attack | Victim does not become aware of the attack |
| Aims to harm the ecosystem | Aims to learn about the ecosystem |
| Threatens integrity and availability | Threatens confidentiality |
| Can damage systems and resources | Does not harm systems |
| Relatively easy to detect | Very difficult to detect |
| Requires focus on detection and recovery | Requires focus on prevention |
Cybersecurity risks can be broadly segmented into two types: passive and active attacks. In a passive attack, no data is modified and the target does not know it is happening unless it has a system that monitors its traffic and protects its machine identities. In an active attack, system resources and data are modified or otherwise damaged, disrupting normal operations. Although a victim is more likely to notice an active attack than a passive one, the root cause of an active attack is hard to determine without proper monitoring and protection of both human and machine identities.
(This post has been updated. It was originally published on July 1, 2020.)