Firewall Wizards mailing list archives

Re: Application-level Attacks


From: Adam Shostack <adam () homeport org>
Date: Fri, 28 Jan 2005 15:38:01 -0500

On Sat, Jan 29, 2005 at 01:10:12AM +0530, Devdas Bhagat wrote:
| On 28/01/05 11:45 -0500, Adam Shostack wrote:
| > On Fri, Jan 28, 2005 at 09:24:12PM +0530, Devdas Bhagat wrote:
| > | On 27/01/05 18:56 -0800, Crispin Cowan wrote:
| > | > Shimon Silberschlag wrote:
| > | > 
| > | > > Today, when attacks are shifting towards using the already open ports 
| > | > > on the firewall, at the application level,
| > | > 
| > | > It is often said that contemporary attacks are migrating to 
| > | > application-level attacks. Can someone point me to data backing this claim?
| > | 
| > | Or the reverse, data showing that older attacks were not application
| > | layer attacks (packet flooding and the rare ping of death attack excepted).
| > 
| > I think that older attacks were not application-layer from a business
| > perspective; they may have been at one layer or another of the
| > technical stack, but they rarely attacked core business
| > functionality.  I think that a combination of technical factors (more
| 
| Was that because all that core business functionality was not on the
| Internet?
| From
| 
| "We have Internet connectivity, but we are only using it for email, and
| to put up a mostly static website for our customers, but nothing which
| is so critical that we cannot stand a bit of downtime".
| 
| to
| 
| "We have Internet connectivity and the bulk of our data entry is done
| through web applications and we get direct input from our business
| partners and sales people over the web, and email is now a business
| critical application and downtime is absolutely unacceptable.
| Oh, and the ordinary customer must also have a good "web experience" so
| we must not put in anything which could hamper the customer"
| 
| is a significant shift in business process and thought.

I think that part of the shift has to do with what's on the internet.
Kevin Poulsen's Porsche hacks were 'application layer.'  He attacked
the phone system not to be cool with other phone phreaks, but to make
money.  So, you're right, these aren't new, and in fact security has,
historically, been about protecting money.  But I believe that we're
seeing more of the technical attacks blended with the focus on cash,
and that's producing something new.

| 
| The exposure of applications has increased, but ye olde Sendmail bug
| and the BIND exploit du jour and the Internet Explorer sieve are still
| application layer bugs.
| 
| We have more applications exposed to the Internet, more complex
| applications at that, and of course we have more bugs because of that.
| 
| > money moved through internet systems) and social ones (attackers who
| > are in it for the money) combine to make a new type of attack.
| 
| Money was always a large reason for exploiting systems. Social
| engineering predates the Internet.
| 
| It isn't a new type of attack, just a facet of attackers gaining
| popularity in the general press.

Sure.  In the sense that nothing is ever new, it's not new.  We stand
on the shoulders of giants.  In the sense that we moved from clever
attackers in the late 80s & early 90s to script kiddies in the late
90s, to zombies and phishing and spambots in the early 2000s, I think
there's an important shift happening.

| <snip>
| > list. And so I expect that what the SANS folks are talking about is
| > a rise in attacks against the business infrastructure, rather than
| > the technical infrastructure. If they're not, they should be.
| 
| How many of the previous attacks were not against the business
| infrastructure (regardless of the attacker's intent, if it impacted
| business in any way, it was an attack on the business infrastructure)?

Feel free to define terms like this, and miss what I'm saying.

| Also, what proportion of the total attacks was against the business
| infrastructure then, and what is it now? (suitably accounting for the
| rise in log analysis, IDS and IPS and awareness that such things are
| actually happening)

By your terminology, it's all always been the same.  All attacks are
against the business infrastructure, from a stolen laptop that
prevents a salesguy from selling, to a web site defacement, to someone
stealing free phone service.  So 100%.

Adam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards