RE: how to verify whether an attack attempt is successful?

From: David J. Meltzer (djm@intrusec.com)
Date: 01/17/03

    From: "David J. Meltzer" <djm@intrusec.com>
    To: <focus-ids@securityfocus.com>
    Date: Fri, 17 Jan 2003 12:08:56 -0500
    
    

    Certainly the techniques of combining vulnerability assessment data with
    attack information is an excellent way to determine success. However,
    some specific pitfalls you need to be aware of when using this approach
    are:

    - Vulnerability data is never as recent as the attack; just because a
    system wasn't vulnerable yesterday to a vulnerability and it got
    attacked today, doesn't mean it wasn't vulnerable at the time of attack.
    Of course, some vulnerabilities are quite unlikely to have been
    introduced in any given period of time (Solaris exploits against a
    Windows server), but others could easily have been.

    - The alternative approach, scanning for a vulnerability AFTER an
    attack, is even more dangerous to false-negative results on remote
    access vulnerabilities since an attacker cognizant of this being done
    would instantaneously 'fix' the vulnerability so it appeared to fail.
    On less serious vulnerabilities where an attacker wouldn't have access
    to do this, it is a fairly reliable approach, though.

    - Just because an attack was made against a specific vulnerability and
    that vulnerability exists on a machine does not mean that the attack was
    successful. Case in point: many vulnerability scanners will 'trigger' IDS
    alerts on systems without ever actually exploiting the vulnerabilities;
    also many exploits are very dependent on specific systems and versions
    and an attacker may be using the wrong exploit (e.g. wrong shellcode in an
    overflow) for a vulnerability.

    - With the advent of more behavioral intrusion prevention software,
    there is the potential for a lot of ambiguity in defining whether a
    system is vulnerable to attack or not. If a system is running a
    vulnerable service, but it is also running a host IPS that catches and
    stops the vulnerability from being exploited, is that a vulnerability or
    not? (For that matter, what if it's behind an in-line network IPS and there
    is no internal threat?) Some scanning tools might say yes, some might
    say no. Some experts might say yes, some might say no. I'd say it's
    still a vulnerability, but a lower priority one than if it was more
    easily exploitable, but I doubt any security scanner out there can make
    that same judgement for you. How your tools answer these questions will
    play into the accuracy and usefulness of the 'success' metrics your IDS
    can generate.

    > In general it's impossible to determine the success of attacks with
    > only a network IDS (NIDS).

    In many situations, you can determine success by looking at the
    bidirectional communication between attacker and system. The behavior
    of a vulnerable system compared to that of a non-vulnerable system to an
    attack is often different and well-defined, although figuring this out
    is a lot more engineering work than writing a signature or analyzing
    unidirectional communication, and there are evasive measures attackers
    could use to avoid the appearance of success.

    -Dave

    -------------------
    David J. Meltzer
    djm@intrusec.com
    CTO, Intrusec, Inc.

    -----Original Message-----
    From: detmar.liesen@lds.nrw.de [mailto:detmar.liesen@lds.nrw.de]
    Sent: Thursday, January 16, 2003 2:28 AM
    To: yzhai@unity.ncsu.edu; focus-ids@securityfocus.com
    Subject: RE: how to verify whether an attack attempt is successful?

    ->Is there any technology developed in this direction?

    Sure there is.

    With some attacks you can determine whether or not the attack was
    successful because the system under attack responds in an
    attack-specific way. Snort has some attack-responses rules, but none of
    these ever triggered on my network and I haven't yet had a closer look
    at those rules, so I don't know if they are really useful.

    In general it's impossible to determine the success of attacks with only
    a network IDS (NIDS).

    What you can do at network level is to compare detected attack-attempts
    with information from a vulnerability-database. The vulnerability
    information can be gathered by using VA tools like nessus.

    Thus you can always determine whether or not the system under attack is
    vulnerable to that specific attack. If so, you can be damned sure that
    the attack succeeds.

    However, this is not a 100% reliable way. But such things are never very
    reliable. They are an aid at analysing events more quickly and
    accurately because you gain a better "signal-noise-ratio".

    But Host based IDSs can do this quite accurately because they utilize
    more than just packet-stream information.

    Host based IDSs look into log files, check file system integrity (i.e.
    if any files have been modified) and they can also analyse system- and
    API calls at kernel level.

    HTH,

    Detmar Liesen
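A correlator in the spirit of the approach both messages describe: NIDS alerts are matched against vulnerability-assessment results, and the verdict is downgraded according to the pitfalls Dave lists (stale pre-attack scans, post-attack scans of remote-access holes, a host IPS in the way) or upgraded when an attack-response signature fired on the victim's reply. This is an added example, not code from the thread or from any IDS or scanner; the record fields, the 24h staleness window and the sample data are assumptions.

```python
"""Correlate NIDS alerts with vulnerability-assessment (VA) scan history.

Added illustration for this thread; field names, the staleness window and
the verdict labels are assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)  # assumption: older VA data cannot rule out exposure


@dataclass
class ScanResult:
    host: str
    vuln_id: str
    vulnerable: bool
    scanned_at: datetime
    remote_access: bool = False  # exploit would give the attacker a shell on the host
    host_ips: bool = False       # a host IPS was seen blocking this exploit path


@dataclass
class Alert:
    host: str
    vuln_id: str
    seen_at: datetime
    response_matched: bool = False  # attack-response rule fired on the victim's reply


def assess(alert: Alert, scans: list) -> tuple:
    """Return (verdict, reason) for one alert, using the most recent matching scan."""
    matches = [s for s in scans if s.host == alert.host and s.vuln_id == alert.vuln_id]
    if not matches:
        return "unknown", "no VA data for this host/vulnerability"
    scan = max(matches, key=lambda s: s.scanned_at)
    if scan.scanned_at > alert.seen_at:
        # Scan ran AFTER the attack: an attacker with a shell may have 'fixed' the hole,
        # so a clean post-attack scan of a remote-access vulnerability proves nothing.
        if scan.remote_access and not scan.vulnerable:
            return "unknown", "post-attack scan of remote-access vuln: attacker may have patched"
    elif alert.seen_at - scan.scanned_at > STALE_AFTER and not scan.vulnerable:
        # Pre-attack scan too old: the host may have become vulnerable since.
        return "unknown", "pre-attack scan is stale; cannot rule out exposure"
    if not scan.vulnerable:
        return "likely failed", "host not vulnerable per VA data"
    if alert.response_matched:
        return "likely succeeded", "vulnerable and attack-specific response seen from host"
    if scan.host_ips:
        return "possible (mitigated)", "vulnerable but host IPS present; lower priority"
    return "possible", "vulnerable and attacked; success not confirmed by response"
```
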
