On Tue, 30 Jul 2002 20:57:04 EDT, Toby Miller <tmillerat_private> said:

> Here's the scoop. I have come up with a model to help rate attackers. I want
> this model to eventually profile attackers but we need to take one step at a
> time. This model is nowhere near done and I need the community's help.
> Please read the paper and if you have any comments please send them to me.
> The link is http://www.incidents.org/detect/rating.html.

An interesting concept, and probably worthy of further development, sooo.... ;)

Overall comment - you seem confused as to whether you are developing a matrix to assess "risk" on your part, or "skill" on the attacker's part. Note that if you're assessing "risk", a lot of things don't score points until you've already been 0wned (for instance, points for rootkits), so it's closing the barn door after the critters escape.... You may want to split it into two separate ratings.

You also need to consider the difference between random and targeted attacks - remember that the upper echelons of hackers (those scoring over 40 or so on your scale) will mostly be doing targeted attacks against a specific machine. These will likely be complicated attacks, involving social engineering, privilege escalation, and multiple steps to reach the goal (for instance, whacking a webserver by first targeting a developer's workstation).

Sectional commentary:

Opsys:

The opsys matrix doesn't make much sense - there are 3 *BSD variants listed, and the only difference is that trying to whack an OpenBSD *from a Solaris box* counts for more - but attacking from an OSX box scores the same. Similarly, I don't see why a *BSD trying to whack a Linux 2.2 scores *more* than a 2.4.

In addition, everybody who didn't just fall out of a tree knows you want to launch your attack from an untrackable throwaway, preferably one with little or no concept of logging. So if you see an inbound connection from a Win95 box, it may be a pathetically clueless script kiddie - or a professional that knows about the power of an open Wingate proxy....

If you're trying to evaluate the *skill* of the attacker, points should only be scored in this section for a *successful* attack. If you're trying to evaluate *risk*, the table needs to be reversed - if you're running Win95 and the attacker is on OpenBSD, you score a 5 because you're in deep, but if you're an OpenBSD and the attacker is on a Windows box, score a 1 (except see the previous paragraph about proxies). I'll overlook the possibility that the attacker is running a custom IP stack that looks like something else (see the Linux "IP Personality" kernel hacks for an example).

For a targeted attack, the type of opsys doesn't matter for skill - if he's going after your payroll server, you (and he) are stuck with whatever opsys it's running. It *does* matter for risk - if your payroll server is on a traditionally leaky system, you have a problem.

Recon:

You missed an *entire* set of intelligence-gathering here - portscanners are NOT the end-all, especially for targeted attacks. For instance, you should be able to make some educated guesses about what I'm running based on the mail headers I emit - since I know that securityfocus's ezmlm strips Received: headers, I'll clue you in that one of them will show I'm running Sendmail 8.12.5, which tells you something about the system. Troll a newsgroup or mailing list - you might get lucky and find your victim hostname attached to a posting "I'm running Frobbix 1.9 and..". Remember a lot of places have "Our Services" pages. If you can score 5 points just for having a stealthy portscanner, there should be a 6 or 7 point score for "obviously had us pegged in detail before sending a single packet". I'd say at least 10 points if the *first* packet is a 0-day buffer overflow with all the offsets right - that's either incredible skill or incredible luck.

Wardriving. Say hello to the guys at Best Buy. And remember that there's a known passive attack (by Shamir and company) on WEP to get all the keys ;)

The attack:

Maybe I'm low on caffeine, but I'm failing to see the difference between "not reported before" scoring 1 point and "new attack" scoring 2, for a total of 3. Also, if a recon was performed, and the attack was *still* not applicable, there should be a -2 score for gross stupidity. ;)

"Is this a common attack" should be rephrased to "this week's popular attack"; a skilled attacker may try a formerly-popular attack just to be retro.

You need a discussion of how to score an attacker who has multiple tools. If the first 14 packets are some tool that EVERY script kiddie is running this week, and then after a pause while he reloads, you get 8 packets you've NO idea what they are that suddenly do a major can-opener on your box (or worse, your box just falls over with *NO* trace on the IDS ;) what do you score it as? I could make a case that even if you *do* see a 0-day exploit with no use of "common" tools first, that it's STILL a script kiddie who managed to get hold of a script that's not come out of underground yet - a *skilled* hacker wouldn't use his best tool first because he wants to save it for when the usual stuff doesn't work.

You have *no* discussion of alternate attacks that might be employed if it were a targeted attack. For instance, calling the help desk and claiming you're the VP and need your password reset so you can get into the network (this one doesn't even have to be targeted - enough people send out "out of office" messages when you post to a mailing list, and provide enough info to make the attack work), or dumpster-dive to find papers with passwords or even a PC that still has SSH keypairs on it (you *did* low-level wipe the disks rather than just 'format c:'/'mkfs', right? And you *did* use a good passphrase for the key, right? ;) And exploiting these would probably not trigger your IDS at *all* - they look like perfectly legal logons, complete with proper passwords/keys. For targeted attacks, there's always the use of Outlook as a trojan-delivery system. ;)

Tools used:

You overlook the case of a worm that installs a rootkit. ;) How many points do you score for "we booted off allegedly clean media and STILL can't see what happened"? Or "attacker managed to trojan the distribution"? Go read Ken Thompson's Turing Award lecture, and ponder how close to being a member of the tinfoil-helmet brigade you are ;) Actually, this *does* matter in The Real World - witness the recent MacOSX Software Update exploit.

Destination IP:

If you're trying to evaluate "risk", you have the score for "latest patches" (yes=2) backwards - a no should get points. (As an aside, while I was writing this, ISS issued an advisory against Sun's RPC - how do you score this? ;)

23 points max - wrong, if you score "up", "patches", and all 4 of "personal information", that *does* make 23 - but you almost certainly need to score another 5 points for "data of company interest" at that point. If you score "data of company interest" and "network related" on the same machine, it's either a one-server company or you have a serious config problem. If it's "data of national interest", you may have some explaining to do to the guys in dark suits and sunglasses from a three-letter agency ;)

Final score:

This possibly reflects *your* risk level. It does NOT reflect the attacker's skill - note that a "basic user" with 21 points can end up in "advanced hacker" by tripping over the right/wrong IP and scoring 23 points.

Other than that, it looks good, and is a good start. I look forward to commenting on a revised version. ;)

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
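The Recon section above makes the point that the Received: headers a site emits can tell an outsider what MTA and version it runs before a single packet is sent at it. The following is an added example (not code from the thread, its author, or incidents.org) of the check a defender would run on their own outbound mail: parse the Received: chain and client headers and report which hosts disclose a software version. The message, hostnames, IP addresses and version strings are constructed for the example; only the Python standard library is used.

```python
"""Audit an e-mail's headers for MTA/client software version disclosure.

Added example. The sample message below is constructed: hostnames,
addresses, queue ids and versions are made up and match no real site.
"""
import re
from email import message_from_string

# Constructed sample: a message that crossed two MTAs. The first "by" host
# uses the conventional Sendmail "(version/config-version)" comment, the
# second names its software without a version, and the client header
# carries a made-up user agent with a version number.
SAMPLE_MESSAGE = """\
Received: from lists.example.org (lists.example.org [192.0.2.10])
\tby mx.example.net (8.12.5/8.12.5) with ESMTP id g6V0v4Xk012345
\tfor <user@example.net>; Tue, 30 Jul 2002 20:57:04 -0400 (EDT)
Received: from workstation.example.net (workstation.example.net [192.0.2.55])
\tby lists.example.org (Postfix) with ESMTP id 4C2A1
\tfor <incidents@example.org>; Tue, 30 Jul 2002 20:55:01 -0400 (EDT)
X-Mailer: ExampleMail 1.9
From: user@example.net
To: incidents@example.org
Subject: Re: attacker rating model

Body text.
"""

# Anything that looks like "major.minor" counts as a version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+")
# "by <host> (<software comment>)" as written by most MTAs.
BY_CLAUSE_RE = re.compile(r"\bby\s+(\S+)\s+\(([^)]*)\)")
# Client-side headers that commonly name the mail program and its version.
CLIENT_HEADERS = ("X-Mailer", "User-Agent")


def _unfold(value):
    """Collapse a folded (multi-line) header value onto one line."""
    return re.sub(r"\s+", " ", value).strip()


def parse_received(value):
    """Return (receiving_host, software_comment) from one Received: header,
    or None when the header carries no parenthesised software comment."""
    match = BY_CLAUSE_RE.search(_unfold(value))
    if match is None:
        return None
    return match.group(1), match.group(2)


def audit_headers(raw_message):
    """Return one finding per header that names a piece of mail software.

    Each finding records the header, the host it describes (None for
    client headers, which describe the sender's program rather than a
    relay), the software string, and whether a version number is present.
    """
    msg = message_from_string(raw_message)
    findings = []
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        host, software = parsed
        findings.append({
            "header": "Received",
            "host": host,
            "software": software,
            "discloses_version": bool(VERSION_RE.search(software)),
        })
    for name in CLIENT_HEADERS:
        for value in msg.get_all(name, []):
            software = _unfold(value)
            findings.append({
                "header": name,
                "host": None,
                "software": software,
                "discloses_version": bool(VERSION_RE.search(software)),
            })
    return findings


def leaking_hosts(raw_message):
    """Sorted list of relay hosts whose Received: stamp reveals a version."""
    return sorted({
        f["host"] for f in audit_headers(raw_message)
        if f["header"] == "Received" and f["discloses_version"]
    })


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_MESSAGE):
        flag = "VERSION" if finding["discloses_version"] else "ok"
        print(f"{flag:8} {finding['header']}: {finding['host']} "
              f"-> {finding['software']}")
    print("hosts to review:", leaking_hosts(SAMPLE_MESSAGE))
```

Run against a message you sent to yourself through the outside path (a mailing list or a webmail account), the `hosts to review` line is the list of your own relays whose banners an attacker can read for free; the fix is in each MTA's configuration rather than in this script.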
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 15:47:53 PDT