RE: Are sophisticated attacks just FOOD?

From: Golomb, Gary (GGolomb_at_enterasys.com)
Date: 07/01/04

    Date: Thu, 1 Jul 2004 15:51:48 -0400
    To: "Sam Heshbon" <sheshbon@yahoo.com>, <focus-ids@securityfocus.com>


    >
    > I had a big discussion with my boss who claims most of the IPS, SIM
    > and other new tools are just hype protecting against sophisticated
    > threats, which only exist in labs.

    Lol... I definitely agree the marketing of such tools focuses on those
    types of attacks. I think vendors are notoriously guilty of having an
    overly lab-centric focus. That's not a bad thing, since I'd hope your
    vendor of choice makes decisions proactively by researching what can be
    accomplished in a lab before it becomes a threat in the wild. However,
    I'm not sure how well most vendors actually balance lab threats against
    the real-world evolution of attacks in the wild.

    > He thinks multi-staged attacks and so on do not often happen in the
    > wild

    Take the time to read and fully understand
    http://62.131.86.111/analysis.htm. This is just a recent example, but
    randomly pick any calendar week in the past and I'm sure people on this
    list could come up with similar examples that are client- or
    server-based.

    > and shows our firewall's
    > logs as evidence.

    I've heard this argument before and it's kind of funny. Firewalls stop
    all the basic problems and let everything else right through, so
    pointing to a firewall log in this type of discussion only strengthens
    the case for more robust technologies.

    Look at how network security has changed over time. Many networks are so
    locked down that the only way in OR out is through a small handful of
    protocols like HTTP, SMTP, etc. This has impacted two major areas:

    - Business; since now applications can only ride over a few protocols,
    most everything has been (is being) moved to those protocols - namely
    web. This can be seen in everything from all the major web portal
    applications that most organizations run (hi: Citrix, database connected
    web apps, etc!), to file sharing and chat applications which tunnel all
    their traffic in normal HTTP requests. This impacts:

    - Attackers; even though there are only a few windows open to the inside
    of the network, they are now very juicy targets containing more valuable
    information than they ever stored before. This can be seen in the
    majority of vulnerability research that has been done over the past
    couple of years - exploiting web-centric applications. Additionally,
    with the deployment of "strong" firewalling technologies like NAT, the
    ability to reach in from the outside and touch someone directly has
    almost been removed completely. Well, almost, see the link above!
    Actually, by targeting clients as opposed to servers (where fewer eyes
    are watching anyways), problems like NAT go away, making multistaged
    client exploits very lucrative for quickly harvesting a large number of
    compromised systems.

    The point is, even if you pick one protocol like HTTP and allow only
    that through, the attacks will increase in sophistication to exploit the
    resources that are available. In other words, your firewall logs aren't
    going to show you anything, since it's happily passing the bad stuff
    right alongside the good stuff, all of which looks like normal web
    traffic anyways.

    > claims it's a script kiddy and the fact we have never seen a breach
    > means it is not a real threat

    If I close my eyes, I'll never see anything either. (Actually, I see
    stuff, but we won't go there...)

    The goals nowadays are not website defacement for name recognition like
    they were years ago. Name recognition has gone away for all the same
    reasons that few vulnerability researchers publicly disclose findings
    anymore. That includes making it blatantly obvious that a system is
    compromised.

    > I'm looking for statistical data showing how frequently sophisticated
    > attacks and advanced tools evolve and what their damage is to the
    > corporation.

    I'd love to hear the difference between sophisticated and not. (Then
    again, I could see a subject like this spiraling out of control in no
    time.)

    Just because the exploitation of a vulnerability has been automated so
    it can be accomplished on a mass scale with little effort does not make
    it any less sophisticated in my book. Some people call it script kiddy,
    I call it efficient. Whether it's efficiency of mass exploitation, or
    simply sharing with others the ability to exploit - it's working.
    Ironically, I'd call any attack that works despite the presence of
    protective firewalling-type technologies sophisticated. Without a more
    advanced system auditing the traffic that does get through (SIM, HIPS,
    etc.), well, you see where this is going...

    Anyways, just some thoughts of mine, not my employer's, etc, etc...

    -gary

    -----
    Gary Golomb
    Research Team Lead
    Dragon IDS Group
    Enterasys Networks
