I don't know if this is the right place to ask this question, but I believe it is OK. My question is simple: how can one tell the difference between a fault and an attack? A denial of service could be caused by both; what may be considered an injection of data could be a device that is not working properly, and so on. I see many recent papers about this topic, and they usually consider faults and attacks to be the same thing. Do you have experience with this? Is it really possible to tell the difference between an attack and a fault?
2 Answers
Attacks involve an adversary. Faults are technical failures. Hence, if you have an issue, you must find the root cause. If the server has a broken power supply, but nobody entered the server room, it's most likely a fault. If you find phishing mails, unexpected VPN logins, indicators of CnC traffic and suspicious accesses to your server with unexpected shutdowns, it's more likely an attack. That being said, you cannot always distinguish a fault from an attack unambiguously. At the end of the day you must be confident enough to say it's one or the other to draw the right conclusions (ensure that the issue won't happen again, extend monitoring, change parts in advance, hunt an adversary, ...).

An attack is an external action with an intent that goes against the owner's interests. It is a category decided outside the technical realm. If I see an application suddenly allocating all the RAM as a result of a user's input, I can judge whether it was an attack only when I consider the user's intent. John loaded a big file hoping for a useful result. Not an attack. The same person loads the same file tomorrow; this can be a DoS attack now (they hope for 5 minutes of extra Stack Exchange browsing when the app dies again; HNQ probably).
With considerable effort, you can divide the faults: a fault that is a consequence of an external action (such as some user entering data into the application) versus a fault that happens without such an external cause. The second kind cannot be caused by an attack, which follows straight from the definition.
Some attacks cause faults (of the first kind), some don't.

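Both answers describe the same triage: for each fault, look at what happened on that host shortly before it (external actions such as uploads or logins, adversary indicators such as phishing or CnC traffic, or hardware alerts) and only then decide how to label it. The script below is an added example that is not part of either answer; the log format, the event taxonomy (`http_request`, `c2_beacon`, `psu_alert`, ...) and the 30-minute window are assumptions, and the log lines are constructed for the demonstration.

```python
"""Fault-vs-attack triage over normalised log events.

Added example, not code from the original answers. The log format
"<ISO timestamp> <host> <kind> <free text>" and the event-kind taxonomy
below are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed taxonomy: which normalised event kinds count as what.
EXTERNAL_ACTIONS = {"http_request", "vpn_login", "file_upload"}
ADVERSARY_INDICATORS = {"phishing_mail", "unexpected_vpn_login", "c2_beacon"}
HARDWARE_INDICATORS = {"psu_alert", "disk_smart_fail", "thermal_alert"}
FAULTS = {"unexpected_shutdown", "oom_kill", "service_crash"}

# Constructed sample log (not real data): one hardware fault, one fault
# triggered by a legitimate-looking upload, one fault surrounded by
# adversary indicators, and one fault with no preceding event at all.
SAMPLE_LOG = """\
2024-03-01T09:58:00 db01 psu_alert redundant supply B lost power
2024-03-01T10:02:00 db01 unexpected_shutdown host powered off without shutdown sequence
2024-03-01T11:00:00 web02 http_request POST /import 2.1GB upload from 10.0.5.7
2024-03-01T11:04:00 web02 oom_kill importer pid 4412 killed
2024-03-01T13:40:00 app03 phishing_mail user j.doe opened invoice.html
2024-03-01T13:52:00 app03 unexpected_vpn_login j.doe from 203.0.113.9
2024-03-01T14:10:00 app03 c2_beacon outbound to 198.51.100.4:443 every 60s
2024-03-01T14:25:00 app03 service_crash auditd stopped unexpectedly
2024-03-01T16:00:00 cache01 service_crash redis segfault
"""


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one line of the assumed "<ts> <host> <kind> <detail>" format."""
    ts, host, kind, *rest = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, kind, rest[0] if rest else "")


def classify_fault(fault: Event, events: List[Event], window: timedelta) -> str:
    """Label a fault using events on the same host within `window` before it.

    Adversary indicators win over everything else; an external action alone
    only says the fault was externally triggered, because whether that trigger
    was an attack is a question of the actor's intent, not of the log.
    """
    prior = [e for e in events
             if e.host == fault.host and fault.ts - window <= e.ts < fault.ts]
    kinds = {e.kind for e in prior}
    if kinds & ADVERSARY_INDICATORS:
        return "likely attack"
    if kinds & EXTERNAL_ACTIONS:
        return "externally triggered fault"
    if kinds & HARDWARE_INDICATORS:
        return "hardware fault"
    return "fault without external cause"


def triage(lines: List[str], window: timedelta = timedelta(minutes=30)) -> Dict[str, str]:
    """Return {"<host>@<timestamp>": label} for every fault event in `lines`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    return {f"{f.host}@{f.ts.isoformat()}": classify_fault(f, events, window)
            for f in events if f.kind in FAULTS}


if __name__ == "__main__":
    for key, label in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {label}")
```

The labels are a starting point for the analyst, not a verdict: "externally triggered fault" is exactly the case the second answer describes, where the same upload can be an honest mistake one day and a DoS the next, and only the actor's intent settles it. Widening the window, or feeding events from other hosts, changes which indicators are visible, so the window size is itself a judgement call.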