RE: Are sophisticated attacks just FOOD?

["Golomb, Gary" <GGolomb () enterasys com>]

> I had a big discussion with my boss who claims most of the IPS, SIM
and
> other new tools are just a
> hype protecting from sophisticated threats, which only exist in labs.

Lol... I definitely agree the marketing of such tools focuses on those
types of attacks. I think vendors are notoriously guilty of having an
over-lab centric focus. That's not a bad thing since I'd hope your
vendor of choice makes decisions proactively by researching what can be
accomplished in a lab before it becomes a threat in the wild. However,
I'm not sure how well most vendors actually balance lab threats from the
real-world evolutions of attacks in the wild. 

> He thinks multi staged attacks and so on do not often happen in the
wild

Take the time to read and fully understand
http://62.131.86.111/analysis.htm. This is just a recent example, but
randomly pick any calendar week in the past and I'm sure people on this
list could come up with similar examples that are client or server
based.

> and shows our firewall's
> logs as evidence. 

I've heard this argument before and it's kind of funny. Firewalls stop
all the basic problems and let everything else right though, so the
point of a firewall log in this type of discussion only strengthens the
case for more robust technologies.

Look at how network security has changed over time. Many networks are so
locked down that the only way in OR out is though a small handful of
protocols like HTTP, SMTP, etc. This has impacted two major areas:

- Business; since now applications can only ride over a few protocols,
most everything has been (is being) moved to those protocols - namely
web. This can be seen in everything from all the major web portal
applications that most organizations run (hi: Citrix, database connected
web apps, etc!), to file sharing and chat applications which tunnel all
their traffic in normal HTTP requests. This impacts:

- Attackers; even though there's only a few windows open to the inside
of the network, they are now very juicy targets containing more valuable
information than they ever stored before. This can be seen in majority
of vulnerability research that has been done over the past couple of
years - exploiting web-centric applications. Additionally, with the
deployment of "strong" firewalling technologies like NAT, the ability to
reach in from the outside and touch someone directly has almost been
removed completely. Well, almost, see the link above! Actually, by
targeting clients as opposed to servers (where fewer eyes are watching
anyways), problems like NAT go away making multistaged client exploits
very lucrative for quickly harvesting a large number of compromised
systems. 

The point is, even if you pick one protocol like HTTP and allow only
that through, the attacks will increase in sophistication to exploit the
resources that are available. In other words, you firewall logs aren't
going to show you anything since it's happily passing the bad stuff
right along side the good stuff since it all is normal looking web
traffic anyways. 

> claims it's a script kiddy and the fact we have never seen a breach
means
> it is not a real threat

If I close my eyes, I'll never see anything either. (Actually, I see
stuff, but we won't go there...) 

The goals nowadays are not website defacement for name recognition like
they were years ago. Name recognition has gone away for all the same
reasons that few vulnerability researches publicly disclose findings
anymore. That includes making it blatantly obvious that a system is
compromised. 

> I'm looking for statistical data showing how frequent sophisticated
> attacks and advanced tools are
> evolved and what there damage is to the corporate. 

I'd love to hear the difference between sophisticated and not. (Then
again, I could see a subject like this spiraling out of control in no
time.) 

Just because the exploitation of a vulnerability has been automated so
it can be accomplished on a mass scale with little effort does not make
it any less sophisticated in my book. Some people call it script kiddy,
I call it efficient. Whether it's efficiency of mass exploitation, or
simply sharing with others the ability to exploit - it's working.
Ironically, I'd call any attack that works despite the presence of
protective firewalling-type technologies sophisticated. Without a more
advanced system auditing the traffic that does get through (SIM, HIPS,
etc.), well, you see where this is going... 

Anyways, just some thoughts of mine, not my employers, etc, etc...

-gary



-----
Gary Golomb
Research Team Lead
Dragon IDS Group
Enterasys Networks



---------------------------------------------------------------------------

---------------------------------------------------------------------------