IDS mailing list archives
RE: Are sophisticated attacks just FOOD?
From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Thu, 1 Jul 2004 15:51:48 -0400
> I had a big discussion with my boss who claims most of the IPS, SIM
> and other new tools are just hype protecting from sophisticated threats, which only exist in labs.
Lol... I definitely agree the marketing of such tools focuses on those types of attacks. I think vendors are notoriously guilty of having an overly lab-centric focus. That's not a bad thing since I'd hope your vendor of choice makes decisions proactively by researching what can be accomplished in a lab before it becomes a threat in the wild. However, I'm not sure how well most vendors actually balance lab threats against the real-world evolutions of attacks in the wild.
> He thinks multi staged attacks and so on do not often happen in the
> wild

Take the time to read and fully understand http://62.131.86.111/analysis.htm. This is just a recent example, but randomly pick any calendar week in the past and I'm sure people on this list could come up with similar examples that are client or server based.

> and shows our firewall's logs as evidence.
I've heard this argument before and it's kind of funny. Firewalls stop all the basic problems and let everything else right through, so the point of a firewall log in this type of discussion only strengthens the case for more robust technologies. Look at how network security has changed over time. Many networks are so locked down that the only way in OR out is through a small handful of protocols like HTTP, SMTP, etc. This has impacted two major areas:

- Business; since now applications can only ride over a few protocols, most everything has been (is being) moved to those protocols - namely web. This can be seen in everything from all the major web portal applications that most organizations run (hi: Citrix, database connected web apps, etc!), to file sharing and chat applications which tunnel all their traffic in normal HTTP requests. This impacts:

- Attackers; even though there's only a few windows open to the inside of the network, they are now very juicy targets containing more valuable information than they ever stored before. This can be seen in the majority of vulnerability research that has been done over the past couple of years - exploiting web-centric applications. Additionally, with the deployment of "strong" firewalling technologies like NAT, the ability to reach in from the outside and touch someone directly has almost been removed completely. Well, almost, see the link above! Actually, by targeting clients as opposed to servers (where fewer eyes are watching anyways), problems like NAT go away, making multistaged client exploits very lucrative for quickly harvesting a large number of compromised systems.

The point is, even if you pick one protocol like HTTP and allow only that through, the attacks will increase in sophistication to exploit the resources that are available.

In other words, your firewall logs aren't going to show you anything since it's happily passing the bad stuff right alongside the good stuff since it all is normal-looking web traffic anyways.
> claims it's a script kiddy and the fact we have never seen a breach
> means it is not a real threat
If I close my eyes, I'll never see anything either. (Actually, I see stuff, but we won't go there...) The goals nowadays are not website defacement for name recognition like they were years ago. Name recognition has gone away for all the same reasons that few vulnerability researchers publicly disclose findings anymore. That includes making it blatantly obvious that a system is compromised.
> I'm looking for statistical data showing how frequently sophisticated attacks and advanced tools are evolved and what their damage is to the corporate.
I'd love to hear the difference between sophisticated and not. (Then again, I could see a subject like this spiraling out of control in no time.) Just because the exploitation of a vulnerability has been automated so it can be accomplished on a mass scale with little effort does not make it any less sophisticated in my book. Some people call it script kiddy, I call it efficient. Whether it's efficiency of mass exploitation, or simply sharing with others the ability to exploit - it's working. Ironically, I'd call any attack that works despite the presence of protective firewalling-type technologies sophisticated. Without a more advanced system auditing the traffic that does get through (SIM, HIPS, etc.), well, you see where this is going...

Anyways, just some thoughts of mine, not my employer's, etc, etc...

-gary

-----
Gary Golomb
Research Team Lead
Dragon IDS Group
Enterasys Networks