Network attacks
Refers to patterns of nefarious actions that can alter or undermine a resource, an agent or an organization, [open network]].
This page is concerned with the means that nefarious agents employ to extract benefits for themselves, breaking the social contract in an organization, exploiting various weaknesses, lacks in the organizational structure. Understanding attack vectors helps organization designers/builders to put in place measures that can block attack actions, by tweaking elements of the organizational structure. It is not concerned with the psychological predispositions of these actors that lead them to act in such ways. Measures in the social/cultural domain, motivation and incentive structure and governance can have a more direct effect on the psychological predisposition of agents to consider such actions in the first place.
Note that the work below contains content and leads formulated by AI (ChatGPT). Some material can be imported and remixed from other sources. In short, this is a text that has been inspired from various sources but digested by a human agent for more adequacy and clarity.
Background
This fits into the work Sensoricans do in collaboration with the Internet of Production Alliance, where we explore various ways to align agencies in material peer production networks.
Definitions and clarifications
An attack on a peer production network is a deliberate act by an agent (individual or organization) to alter or undermine its operations, often for personal gains or satisfaction.
Attacks can be directed at the artifacts that are produced by the network (hardware or software for example, you can call them products if they are destined for market-based transactions), at agents involved in peer production processes, at the organization / open network, by attacking an agent or the organization's infrastructure (physical or virtual), it's processes or its resources (physical or not, tangible or not), or at the larger ecosystem by undermining the position (ex. reputation, credibility) of the organization / open network or by manipulating policies, standards, ecosystem protocols and services to benefit some stakeholders more than others.
Attacks can originate from within the membrane of an organization / open network or from outside.
Attacks can be passive (ex. surveillance) or active (ex. causing direct damage).
Pattern | Originates | Target |
---|---|---|
Compromised credentials / Unauthorized Access: An attacker gains access to an organization / open network, to restricted areas or equipment using stolen or weak credentials. Exploits access, governance related to access, credentials, reputation and trust systems, either tech based or non. | Outside of an organization | Organization |
Impersonation: An attacker pretending to be someone else, with legitimate access to a process or facility to gain unauthorized access. See also deep fake. Exploits identity, trust, credentials systems. | Outside of an organization | Organization, Can affect agent |
False representation: An attacker falsely represents an open network, i.e. portrays himself as an agent / participant exerting some level of control over the network, to non-affiliated parties, partners or stakeholders, to undercut network affiliates from opportunities. Open networks do not have formal representation by default. A representative of an open network can exist only in some circumstances, as a delegate, designated through a formal process. Exploits identity, trust, credentials systems | Outside or inside of an organization | Organization |
Fake news: spreading disinformation, misinformation, lies. Exploits information systems, media | Outside or inside of an organization | Organization, can affect agents if about them. |
Sybil: An attacker using multiple identities to gain more influence within the organization / open network, for example gaming governance or influencing decision making. Exploits identity, trust, credentials systems | Outside or inside of an organization | Organization |
Proxy Attack: Refers to circumstances where an underlying attacker / bad actor has enrolled others to perform an attack upon an intended victim, thereby seeking to remain undiscovered / secretly unable to be discovered and/or associated with the attack that is performed upon a target. | Outside or inside of an organization | Organization |
Privilege Escalation: An attacker using privilege escalation to expand his reach within an organization. In horizontal attacks, he gains access to adjacent processes; in vertical attacks, he gains higher privileges within the same process. To prevent privilege escalation organizations must employ strict adherence to the “principle of least privilege” (PoLP). In PoLP, all participants are given only the minimum levels of access needed to perform their functions. Exploits governance and methods used for benefit redistribution. | Inside of an organization | Organization |
Phishing: This is a type of social engineering attack that involves sending fraudulent messages that appear to be from a legitimate source in order to trick participants. Exploits information and communications infrastructure, its filtering and moderation rules. | Outside of an organization | Organization |
Overwhelming solicitation: An attacker overwhelming an organization / open network with requests in order to exhaust its resources, paralyze its activities. We see this often in forums, when they are invaded by scammers. Exploits information and communications infrastructure, its moderation rules. | Outside of an organization | Organization |
Theft, fraud: An attacker stealing resources or data. Exploits access systems, governance related to access, reputation systems. | Outside or inside of an organization | Organization, Can affect agents |
Vandalism: An attacker defacing or damaging physical resources, infrastructure. Exploits access systems, governance related to access. | Outside or inside of an organization | Organization, Can affect agents |
Malicious Insiders: An attacker with malicious intent can exploit his access. Exploits access systems, governance related to access, reputation systems. | Inside of an organization | Organization Can affect agents |
Negligent Insiders: Agent who inadvertently does damage through carelessness or lack of awareness. | Inside of an organization | Organization Can affect agents |
Sabotage: Deliberate physical damage to equipment or infrastructure, such as cutting cables or destroying hardware. Exploits process stewarding, peer verification and quality control systems | Organization, ecosystem | Processes, can affect the organization. |
Impairment: Attacker engages in obstructive behaviour and/or strategic works that seek to instigate circumstances where the person becomes flooded with problems, Revoking their ability to earn income / obtaining / removing their customer base / income sources. The objective process will seek to ensure that the target is made incapable. | Organization, ecosystem | Agent or organization |
Discrimination: This can refer to the act of treating someone unfairly or unfairly denying them access to resources or opportunities based on their race, ethnicity, gender, sexual orientation, age, or other protected characteristic. | Inside of an organization | Agent |
Obstruction: This refers to the act of interfering with access to processes, restricting access, impairing openness. It can include activities such as tampering with evidence, credentials, reputation. | Inside of an organization | Agent, affects organization |
Gamification: Intended to ensure the target is unable to do anything about a series of behaviors that intend to cause harm and/or immobilization; in-order for the attacker to gain advantage and/or successfully achieve an outcome that was originally the work of the victim of this sort of attack, but is later misappropriated elsewhere - at which stage, there is no legal remedy that is able to resolve the harms caused to the victim of the attacks. These behaviors in-turn relate to obstruction and other issues relating to both civil and criminal matters of concern. | Inside of an organization | Agent, affects organization |
Resource Overuse / Freeriding / Parasitizing, Vampire: Overutilization of shared resources in material peer production networks that can lead to depletion.
Exploits resource planning tools and methods, governance related to access. Drainage of assets |
Inside of an organization | Resources, affects the organization, can affect agents |
Harvesting: refers to agents that engender others to do useful work that they seek to consume without any consideration about compensation or other forms of acknowledgement or more broadly, consideration. | Inside of an organization | Resources, affects the organization, can affect agents |
Inadequate Quality Assurance: Lack of quality control measures in the production process can result in subpar products or services. Exploits resource planning tools and methods. | Inside of an organization | Resources, affects the organization, can affect agents |
Competition: The attacker is a participant that acts in a non-transparent, not-inclusive and non-collaborative way, undermining or obfuscating other participants’ achievement, to gain an advantage over other participants, to gain influence. Exploits economic models, gaming, reputation systems | Inside of an organization | Processes, can affect the organization. |
Taking the spotlight: The attacker is a participant that forces his way into a favorable position to unfairly gain visibility or recognition within the organization / open network or beyond it. This is somewhat similar to Competition. This happens often in settings with no reputation mechanisms or credentials. Exploit benefit redistribution schemes, governance. | Inside of an organization | Organization Can affect agents |
False Attribution: An agent not respecting licensing agreements, hindering access to designers, creators, obfuscates the provenance of the work in question extending prior to the works that it is based upon. Exploits licensing. | ||
Versioning: whilst there's various forms of it, the underlying notion is that a group of people (often unpaid) start a body of work, which is later progressed by others who may be employed and their employers (or investors) see the merit of the works; then as future works are produced, they act to version-out the original creators, making it impossible to see the history of how something came about; and in-turn also, the relationships to whomever was involved at a time earlier to the commercialisation of derivatives from a project. | Inside or outside of an organization | Agents, organization, associated with resources. |
Removal or changing of records: the deletion of evidence relating to wrong-doing for the purpose of making the claim that the wrong-doing was never done at all. | Inside or outside of an organization | Agents and organization |
Ego-driven forking / process and resource splitting: The attacker is a participant. Forking a venture can be desirable when it adds diversity, but can be detrimental to an organization / open network when the gains don't cover the losses due to a split of attention and resources. The attacker operates a fork based on "mine is better than yours" ego-centric drives, without an economic rationale. We see this in the crypto and web3 space, which have inherited from the corporate competitive culture. Exploits governance, planning, coordination, collaboration, synergy and stigmergy systems. | Inside of an organization | Processes, can affect the organization. |
Undesirable proliferation: The attacker is a participant that deliberately and unjustifiably multiplies options, processes, channels of communication and action, documentation, to defocus, delay a process, perhaps with the intention of undermining or derailing the process. Exploits | Inside of an organization | Processes, can affect the organization. |
Social engineering: This is a type of attack that exploits individual participants. It involves manipulating people into performing actions that are not in their best interest. See also Social Attack Vectors. Exploits trust systems and mechanisms, either tech-based or non | Agents | Can affect the organization |
Conflict within the community: The attacker is a participant inciting disruptive disagreements, disputes, lack of cooperation. | Agents | Can affect the organization |
Corruption: Bribery, embezzling funds, or using important roles for personal gain. In bribery an attacker attempts to persuade individuals for personal gains, by providing tangible incentives. | Agents | Can affect the organization |
Collusion / Conspiracy: An attacker that forms a secret group within an organization / open network with a different agenda. They share the benefits. | Agents | Can affect the organization |
Majority attack- accumulation of voting power | Agents | Can affect the organization |
The secret: An agent makes false allegations about a target agent in a manner that is not made known to the target; that is intended to elicit or invoke a behavior that is harmful to the target and thereby/thereafter untrue or malignantly illustrated in a wrongful manner. Related to unfair peer pressure. Inside and outside of an organization | Agents | Can affect the organization |
Social attacks: directed towards specific agents. | Agents | Can affect the organization |
Character assassination: Attacking someone's character online, often through spreading false or malicious information about them, can damage their reputation and credibility, and can make it more difficult for them to work effectively. | Agents | Can affect the organization |
Gaslighting: Manipulating someone into doubting their own perceptions or memories, often through the use of manipulation and deception, can undermine their confidence and make it more difficult for them to speak up or advocate for themselves. | Agents | Can affect the organization |
Bullying: Using aggressive or abusive behavior to intimidate or dominate others can create a toxic work environment and make it more difficult for people to do their jobs effectively. | Agents | Can affect the organization |
Exclusion: Excluding someone from important conversations or decisions, or versioning them out of documentation that they were involved in creating, can undermine their contributions and make it more difficult for them to work effectively. | Agents | Can affect the organization |
Harassment: Harassment, including sexual harassment, can create a hostile work environment and make it more difficult for people to do their jobs effectively. | ||
Psychological Attack & Psyops: attacker used psychological means, fear for example, Manipulation in-order to mute freedom of thought and engender outcomes that support the objectives of the attackers. | Agents | Can affect the organization |
Discrimination: Discrimination on the basis of race, religion, gender, nationality, or any other protected characteristic can create an unfair and hostile work environment, and can make it more difficult for people to succeed in their careers. | Agents | Can affect the organization |
Entrapment: the attacker sets up an agent or an organization for an undesirable and punishable action, to discredit or incapacitate. | Agents | Can affect the organization |
Blackmailing: producing and using damaging information against an agent or an organization to extort favors. | Agents | Can affect the organization |
Intimidation: This refers to the act of threatening or coercing another agent in order to influence their actions or decisions. | Agents | Can affect the organization |
Violation of privacy: This can refer to the unauthorized collection, use, or disclosure of personal information, particularly in the context of critical public sector entities like police or social security offices. | Agents | Can affect the organization |
Reversal: The illustrated concept of a 'reversal', is about circumstances where a bad actor has knowingly engaged in activities that have harmed the target, and when questioned about it either makes claims about being the victim or otherwise seeks to isolate the target. | Agents | Can affect the organization
Inside and outside of an organization |
Pattern | Originates | Target |
---|---|---|
Unaffiliated vendors and service providers: An attacker with no skin in the game that has access to sensitive processes and can compromise them. Exploits security and governance systems, trust. | Ecosystem | Organization and network |
Ecosystem / Sapping: The attacker badmouths an organization / open network, undermines interfaces between it and other agents (partners, stakeholders, regulatory bodies, etc) within the ecosystem. We've seen this with crypto, some unfairly associating it with criminal activity, also exaggerating energy consumption and environmental damage, with the intention to undermine trust, adoption. Exploits media to affect branding, image, social trust. | Ecosystem | Organization and network |
Legal and Regulatory / Intellectual Property trolling: The attacker engages in legal actions and disputes related to copyright, patents, or trademarks. Exploits the legal system, laws, regulations, policies, treaties. | Ecosystem | Organization and network |
Legal and Regulatory / Compliance Issues: The attacker engages in harassment for (apparent) failing to adhere to relevant regulations and standards can result in fines and legal consequences. Ex. weaponizing government regulations against cryptocurrency, use of regulatory agencies for unfair competition. Exploits the legal system, laws, regulations, policies, treaties. | Ecosystem | Organization and network |
Market Fluctuations / Economic Downturn: The attacker manipulates economic conditions, market manipulations, induced recessions or inflation, and can impact the availability of resources and funding. Exploits markets, transactional systems, media, regulations. | Ecosystem | Organization and network |
Environmental Factors: Induced disasters like floods, fires, power outages can disrupt material networks. Exploits infrastructure, regulations and policies | Ecosystem, | Organization and network |
Pattern | Originates | Target |
---|---|---|
Zero-day vulnerabilities: These are vulnerabilities in software or hardware that are unknown to the creator / developer and have not yet been patched. An attacker can exploit that. | Exploits design and architecture of artifacts | Outside of an organization and even the network
Resources |
Compromised credentials: This is when an attacker gains access to a resource using stolen or weak credentials. Exploits information systems and social recognition or reputation. | Outside of an organization and even the network | Resources |
Misconfigurations: These are errors in system configuration that can be exploited by attackers to gain unauthorized access. Exploits artifacts to harm users or/and discredit designers / producers. Exploits design and architecture of artifacts. | Outside of an organization and even the network | Resources |
Distributed Denial of Service (DDoS): This is a type of attack that involves overwhelming a system with traffic in order to make it unavailable to users.
Exploits design and architecture of artifacts and infrastructure (IT), to incapacitate processes, transactions, services. || Outside of an organization and even the network || Resources, IT infrastructure | ||
SQL Injection: Exploiting vulnerabilities in web applications to gain unauthorized access to databases.Exploits design and architecture of IT infrastructure. | Outside of an organization and even the network | Resources |
Man-in-the-Middle (MitM) Attacks: Intercepting and potentially altering communication between two parties.Exploits communication systems. | Outside of an organization and even the network | Resources |
Supply Chain / Compromised Components: Attackers infiltrate the supply chain to introduce malicious hardware or software.Exploits logistics systems, information systems. | Outside of an organization and even the network | Resources |
Malware and viruses: These can be embedded software that are designed to harm or surveil the user. Exploits design and architecture of artifacts, logistics systems, security systems associated with artifacts, software and hardware. | Outside of an organization and even the network | Resources |
False Attribution: An agent not respecting licensing agreements, hindering access to designers, creators, obfuscates the provenance of the work in question extending prior to the works that it is based upon. Exploits licensing. | Inside or outside of an organization | Agents, organization, associated with resources. |
Supply Chain / Counterfeit Components: The use of counterfeit or substandard parts in manufacturing processes. Exploits design and architecture of artifacts, logistics systems, markets | Outside of an organization and even the network | Resources |