Re: Rating Attackers

From: H C (keydet89at_private)
Date: Thu Aug 01 2002 - 06:17:10 PDT


    > Overall comment - you seem confused as to whether
    > you are developing a matrix
    > to assess "risk" on your part, or "skill" on the
    > attacker's part. 
    Either way, I think that something like trying to
    determine the "skill" of an attacker is extremely
    subjective, and perhaps not even quantifiable in terms
    of a matrix.  Say you're getting script kiddie scans
    from a variety of sources over a period of weeks. 
    Each of these may be seen as separate incidents, b/c
    they come from such widely geographically dispersed
    locations.  But what if the entire thing is all part
    of a single attacker probing your site
    using "victim" systems he's already compromised,
    perhaps he's gauging your reactions (i.e., is the
    "victim" machine used to probe taken off the Net,
    etc), or perhaps he's flooding your site w/ traffic
    (and filling your logs) so that you won't notice his
    real intent.  
    Given such situations, something viewed as several
    extremely poor attacks may be all part of one much
    larger, well thought-out attack.  Or, vice versa.  But
    without knowing, how does one quantify this?
    > You may want to split it into two separate ratings. 
    > You also need to consider
    > the difference between random and targeted attacks -
    Right...such as a full-b0re whisker scan vs a scan
    targeted at IIS servers (which you may have)...or even a
    targeted scan, but one aimed at IIS when you're
    running Apache...
    > remember that the
    > upper echelons of hackers (those scoring over 40 or
    > so on your scale) will
    > mostly be doing targeted attacks against a specific
    > machine.  These will
    > likely be complicated attacks, involving social
    > engineering, privilege
    > escalation, and multiple steps to reach the goal
    > (for instance, whacking
    > a webserver by first targeting a developer's
    > workstation).
    This is a good point, though I haven't seen such a
    thing, nor do I know anyone who has...but it is a
    possibility.  How does one rate the "skill" of an
    attacker who targets a system, and penetrates it by
    getting a job as an admin at the company she's
    Another question is how do you rate guys like Lamos? 
    In some of his interviews, he's made it clear that
    it's more a matter of persistence than skill...he
    reportedly used a browser to access the NYTimes site. 
    Again, "skill" doesn't necessarily relate directly to
    "persistence"...though Lamos arguably has both to some
    > Similarly, I don't see why a *BSD trying to whack a
    > Linux 2.2 scores *more* than a 2.4.
    Good points.  I'm not all that clear on why Win9x gets
    such a low score, either.  After all, if you install a
    Win98 machine and disable file sharing, what score
    would anyone get for being able to access the system
    remotely, regardless of the os used by the "attacker"?
     Script kiddies are installing Linux more and more,
    and many distros install a heck of a lot of services,
    whereas for the most part, Win9x installs file
    sharing, and that's just about it.
    > In addition, everybody who didn't just fall out of a
    > tree knows you want to
    > launch your attack from an untrackable throwaway,
    > preferably one with little
    > or no concept of logging.  So if you see an inbound
    > connection from a Win95
    > box, it may be a pathetically clueless script kiddie
    > - or a professional that
    > knows about the power of an open Wingate proxy....
    Exactly...but how do you know?  And that goes back to
    my earlier point...what if the "pro" uses several
    Win9x machines (and Linux, too) to launch a wide range
    of "attacks", but slips in from another venue that you
    don't notice.
    Another issue is the analyst themselves.  When I was
    the network security manager for a telecom, I had to
    deal w/ one admin at the data center who had a...well,
    "different"...way of bringing incidents to the notice
    of the customer.  Well, first off, he wasn't supposed
    to.  Second, when we had one of those "tagged" ftp
    directory issues, he went to the customer and told
    them that their SAM database had been copied and
    cracked...with no evidence other than "that's what
    hackers do" to support his statement.
    > If you're trying to evaluate the *skill* of the
    > attacker, point should only
    > be scored in this section for a *successful* attack.
    hhhhmmmm...I don't know.  Other things need to be
    taken into consideration.  For example, at this point
    in time, an attack using the directory traversal
    exploit to IIS isn't particularly skillful...but it
    does lead to success, even for some automated tools.
    >  If you're trying to
    > evaluate *risk*, the table needs to be reversed - if
    > you're running Win95
    > and the attacker is on OpenBSD, you score a 5
    > because you're in deep, 
    I don't agree with that.  I think that kind of
    statement is based more on the quasi-religious
    argument about OS's, rather than on hard facts.  I've
    put Win95 systems on a raw DSL connection (no
    firewalls) and disabled file sharing...and never had a
    successful break-in, or even a virus.
    > You missed an *entire* set of intelligence-gathering
    > here - portscanners are
    > NOT the end-all, especially for targeted attacks.
    > For instance, you should be
    > able to make some educated guesses about what I'm
    > running based on the mail headers I emit - 
    However, these *can* be altered, in many cases.
    >  If you can score 5 points just for
    > having a stealthy
    > portscanner, there should be a 6 or 7 point score
    > for "obviously had us pegged
    > in detail before sending a single packet".
    And again, that's a subjective issue that's hard to
    quantify.  One analyst looking at the data may say
    what you said, while another would say, "no way, the
    guy got lucky."
    > Maybe I'm low on caffeine, but I'm failing to see
    > the difference between "not
    > reported before" scoring 1 point and "new attack"
    > scoring 2, for a total of 3.
    > Also, if a recon was performed, and the attack was
    > *still* not applicable,
    > there should be a -2 score for gross stupidity. ;)
    Agreed.  But then, how does one know that the grossly
    stupid activity isn't being purposely used to mask the
    really important attack...the one that gets in...
    > "is this a common attack" should be rephrased to
    > "this week's popular attack",
    > a skilled attacker may try a formerly-popular attack
    > just to be retro.
    Again, too subjective...who determines what's most
    popular this week?  Listings on  Posts
    to BugTraq?  Dude, we've got guys on the SF lists that
    can't properly format a Google search...
    > For targeted attacks, there's always the use of
    > Outlook as a trojan-delivery system. ;)
    This statement sort of makes my point regarding
    perspectives...on many infrastructures, such a
    targeted attack would rank extremely low in skill, and
    do nothing more than fill some log files.
    > You overlook the case of a worm that installs a
    > rootkit. ;)
    Perhaps not...while not specifically mentioned, it
    doesn't take a skilled attacker to launch a worm.  In
    fact, one would think that a truly skilled individual
    would avoid the use of worms...they're too
    indiscriminate.  Think of a landscape w/ targets...the
    truly skilled attacker is more akin to a sniper than
    an infantry company on line, clearing the brush of
    everything in their path...
    Overall, some of the issues w/ the presented model
    are things like:
    - assessing the current posture of an organization is
    far too subjective.  I've dealt with admins who've
    claimed to be secure, only to find out that some
    anti-social 15 yr old 3000 miles away has had greater
    control of his server for 6 months than the admins in
    the office.
    - assessing an many times do we see the
    same questions in the SF lists...someone finds
    something odd running on a system after a portscan,
    and instead of running a port-to-process mapping tool,
    they go to the Internet to see which daemon _should
    be_ using that port?  We still see people who don't
    recognize Nimda, CR, or even just dir traversal
    attempts, or don't know what the "404" response code
    in their logs means.
    - as we've already discussed, there are far too many
    possibilities and variables to be able to accurately
    assess the "skill" level of a real attack...
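    The post's closing point is that analysts often fail to recognize Nimda, Code Red or directory traversal probes in their own web logs, and misread a "404" on such a probe. The following is an added example (not code from the original post or its author) that classifies constructed IIS-style log lines by those three request classes and counts how many were answered with 404; the log layout, signatures and sample lines are all assumptions made here for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in a minimal "ip method path status"
# layout (made up for this example, not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 404
10.0.0.9 GET /scripts/root.exe?/c+dir 404
10.0.0.9 GET /MSADC/root.exe?/c+dir 404
10.0.0.12 GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 404
10.0.0.7 GET /cgi-bin/../../../../etc/passwd 404
10.0.0.7 GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd 200
10.0.0.5 GET /images/logo.gif 200
"""

# Ordered signatures; first match wins.  The Nimda and Code Red checks
# come before the generic traversal check because Nimda requests also
# contain an (encoded) "..".  These patterns are illustrative, not a
# complete ruleset.
SIGNATURES = [
    ("nimda", re.compile(r"/(scripts|msadc|_vti_bin|_mem_bin)/.*(cmd|root)\.exe", re.I)),
    ("code_red", re.compile(r"/default\.ida\?", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e|\.\.%c0%af|\.\.%c1%1c|\.\.%5c)", re.I)),
]

def classify(path):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None

def scan(log_text):
    """Parse the constructed log layout; return (ip, label, status) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed layout
        ip, _method, path, status = parts
        label = classify(path)
        if label:
            hits.append((ip, label, int(status)))
    return hits

def summarize(hits):
    """Per label: (total probes, probes answered 404).  A 404 here means the
    probed resource was not present (e.g. an IIS probe hitting Apache), so
    it records an attempt, not a compromise."""
    total, missed = Counter(), Counter()
    for _ip, label, status in hits:
        total[label] += 1
        if status == 404:
            missed[label] += 1
    return {label: (total[label], missed[label]) for label in total}
```

Note the one traversal request that returned 200 rather than 404: that is the line an analyst should chase, since the server answered the probe instead of rejecting it.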
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 08:32:08 PDT