> Overall comment - you seem confused as to whether you are developing a matrix
> to assess "risk" on your part, or "skill" on the attacker's part.

Either way, I think that something like trying to determine the "skill" of an attacker is extremely subjective, and perhaps not even quantifiable in terms of a matrix. Say you're getting script kiddie scans from a variety of sources over a period of weeks. Each of these may be seen as separate incidents, b/c they come from such widely geographically dispersed locations. But what if the entire thing is all part of a single attacker's plan...by probing your site using "victim" systems he's already compromised, perhaps he's gauging your reactions (ie, is the "victim" machine used to probe taken off the Net, etc), or perhaps he's flooding your site w/ traffic (and filling your logs) so that you won't notice his real intent. Given such situations, something viewed as several extremely poor attacks may be all part of one much larger, well thought-out attack. Or, vice versa. But without knowing, how does one quantify this?

> You may want to split it into two separate ratings. You also need to consider
> the difference between random and targeted attacks -

Right...such as a full-b0re whisker scan vs a scan targeted to IIS servers (which you may have)...or even a targeted scan, but one aimed at IIS when you're running Apache...

> remember that the upper echelons of hackers (those scoring over 40 or so on
> your scale) will mostly be doing targeted attacks against a specific machine.
> These will likely be complicated attacks, involving social engineering,
> privilege escalation, and multiple steps to reach the goal (for instance,
> whacking a webserver by first targeting a developer's workstation).

This is a good point, though I haven't seen such a thing, nor do I know anyone who has...but it is a possibility.

How does one rate the "skill" of an attacker who targets a system, and penetrates it by getting a job as an admin at the company she's targeting? Another question is how do you rate guys like Lamos? In some of his interviews, he's made it clear that it's more a matter of persistence than skill...he reportedly used a browser to access the NYTimes site. Again, "skill" doesn't necessarily relate directly to "persistence"...though Lamos arguably has both to some degree.

> Similarly, I don't see why a *BSD trying to whack a Linux 2.2 scores *more*
> than a 2.4.

Good points. I'm not all that clear on why Win9x gets such a low score, either. After all, if you install a Win98 machine and disable file sharing, what score would anyone get for being able to access the system remotely, regardless of the OS used by the "attacker"? Script kiddies are installing Linux more and more, and many distros install a heck of a lot of services, whereas for the most part, Win9x installs file sharing, and that's just about it.

> In addition, everybody who didn't just fall out of a tree knows you want to
> launch your attack from an untrackable throwaway, preferably one with little
> or no concept of logging. So if you see an inbound connection from a Win95
> box, it may be a pathetically clueless script kiddie - or a professional that
> knows about the power of an open Wingate proxy....

Exactly...but how do you know? And that goes back to my earlier point...what if the "pro" uses several Win9x machines (and Linux, too) to launch a wide range of "attacks", but slips in from another venue that you don't notice.

Another issue is the analyst themselves. When I was the network security manager for a telecomm, I had to deal w/ one admin at the data center who had a...well, "different"...way of bringing incidents to the notice of the customer. Well, first off, he wasn't supposed to. Second, when we had one of those "tagged" ftp directory issues, he went to the customer and told them that their SAM database had been copied and cracked...with no evidence other than "that's what hackers do" to support his statement.

> If you're trying to evaluate the *skill* of the attacker, points should only
> be scored in this section for a *successful* attack.

hhhhmmmm...I don't know. Other things need to be taken into consideration. For example, at this point in time, an attack using the directory traversal exploit to IIS isn't particularly skillful...but it does lead to success, even for some automated tools.

> If you're trying to evaluate *risk*, the table needs to be reversed - if
> you're running Win95 and the attacker is on OpenBSD, you score a 5 because
> you're in deep,

I don't agree with that. I think that kind of statement is based more on the quasi-religious argument about OSes, rather than on hard facts. I've put Win95 systems on a raw DSL connection (no firewalls) and disabled file sharing...and never had a successful break-in, or even a virus.

> You missed an *entire* set of intelligence-gathering here - portscanners are
> NOT the end-all, especially for targeted attacks. For instance, you should be
> able to make some educated guesses about what I'm running based on the mail
> headers I emit -

However, these *can* be altered, in many cases.

> If you can score 5 points just for having a stealthy portscanner, there
> should be a 6 or 7 point score for "obviously had us pegged in detail before
> sending a single packet".

And again, that's a subjective issue that's hard to quantify. One analyst looking at the data may say what you said, while another would say, "no way, the guy got lucky."

> Maybe I'm low on caffeine, but I'm failing to see the difference between "not
> reported before" scoring 1 point and "new attack" scoring 2, for a total of 3.

> Also, if a recon was performed, and the attack was *still* not applicable,
> there should be a -2 score for gross stupidity. ;)

Agreed. But then, how does one know that the grossly stupid activity isn't being purposely used to mask the really important attack...the one that gets in...

> "is this a common attack" should be rephrased to "this week's popular
> attack", a skilled attacker may try a formerly-popular attack just to be
> retro.

Again, too subjective...who determines what's most popular this week? Listings on Incidents.org? Posts to BugTraq? Dude, we've got guys on the SF lists that can't properly format a Google search...

> For targeted attacks, there's always the use of Outlook as a trojan-delivery
> system. ;)

This statement sort of makes my point regarding perspectives...on many infrastructures, such a targeted attack would rank extremely low in skill, and do nothing more than fill some log files.

> You overlook the case of a worm that installs a rootkit. ;)

Perhaps not...while not specifically mentioned, it doesn't take a skilled attacker to launch a worm. In fact, one would think that a truly skilled individual would avoid the use of worms...they're too indiscriminate. Think of a landscape w/ targets...the truly skilled attacker is more akin to a sniper than an infantry company on line, clearing the brush of everything in their path...

Over all, some of the issues w/ the presented model are things like:

- assessing the current posture of an organization is far too subjective. I've dealt with admins who've claimed to be secure, only to find out that some anti-social 15 yr old 3000 miles away has had greater control of his server for 6 months than the admins in the office.
- assessing an attack...how many times do we see the same questions in the SF lists...someone finds something odd running on a system after a portscan, and instead of running a port-to-process mapping tool, they go to the Internet to see which daemon _should be_ using that port? We still see people who don't recognize Nimda, CR, or even just dir traversal attempts, or don't know what the "404" response code in their logs means.

- as we've already discussed, there are far too many possibilities and variables to be able to accurately assess the "skill" level of a real attack...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 08:32:08 PDT