Dailydave mailing list archives

Defeating Correlation with Pretty Pictures


From: Dave Aitel <dave () immunityinc com>
Date: Mon, 17 Apr 2006 10:35:13 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So one thing I've noticed is that while everyone is using graphs
(inspired by Halvar) to look at programs, few people are using graphs
in their exploit frameworks. For example, right now, CANVAS is
basically a tree structure. 1.1.1.1 attacks 2.2.2.2 which attacks
3.3.3.3, etc. But networks aren't a tree structure. Networks are a
confusing graph. The host 3.3.3.3 is the same host for both 1.1.1.1
and 2.2.2.2, for example. Displaying your captured machines and their
knowledge of the world as a graph instead of a tree structure allows
the attacker to do more complex things with fewer brain-cycles.

For example, dragging a file from one host to another can take the
shortest route between those two nodes over your covert network. And
you should be able to establish multiple connections around your
covert network with a simple drag of the mouse. That way, if someone
pulls the plug on one of your nodes while you're hacking, you still
have another way to get deeper into the network. You just tell it to
route some other way, or make it do auto-route detection.

A lot of security products are championing correlation of attacks.
Well, they pretty much have for the last 6 years. I'm not sure how
much the correlation of attacks stuff got used in the market, but it's
been around, and there is that wacky govt project to do similar things
on a bigger scale (http://cryptome.org/traceback.htm). To combat this,
once you know that N nodes have the same world view with respect to a
third node, you can attack that third node from N nodes at once
(routed in Y ways over your covert network, ideally, but we don't have
this implemented).

In other words: if you go into next month's CANVAS and hack a few
boxes, say, box A and box B. It'll pop up two new Nodes. You can then
select those nodes, and a target C, and click on any exploit. That
exploit will hack box C by doing random connections from both box A
and box B. Right now this is most useful for simple things like
portscans, in which an IDS (or human with tethereal) does correlation
as part of their default setup. But as defenses get more complex with
regards to attack correlation, this will make their lives really hard. :>

And it's fun to see on the network. :>

- -dave

P.S. I killed the other threads. After you've shown that the emperor
has no clothes, all that's left is to point at his private parts and
make comments about his personal hygiene, which I felt was getting a
bit boring. Really all defense gets pretty boring pretty quickly.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEQ6ehB8JNm+PA+iURAlQLAJ9Q1KUAdZ5eOx9Xi+jm8m443INZhgCgv9m3
4i9I1OkHKZCboATplPl8dQ8=
=o3Tm
-----END PGP SIGNATURE-----
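The following is an added example, not code from the post and not CANVAS code: a small Python model of the three ideas above. Compromised hosts are nodes in a directed graph (an edge means "our foothold on A can open connections to B"), a transfer between two nodes takes the shortest route over that graph and is re-routed when a node is pulled, and a probe of target C is spread across every foothold that has a direct edge to C. The host names, the edge list and every function name here are constructed for illustration.

```python
import random
from collections import deque

# Constructed sample covert network (not a real engagement). A directed
# edge (a, b) means "our foothold on a can connect to b". Note it is a
# graph, not a tree: 3.3.3.3 is reachable from both 1.1.1.1 and 2.2.2.2.
SAMPLE_EDGES = [
    ("attacker", "1.1.1.1"),
    ("attacker", "2.2.2.2"),
    ("1.1.1.1", "3.3.3.3"),
    ("2.2.2.2", "3.3.3.3"),
    ("1.1.1.1", "10.0.0.5"),
    ("3.3.3.3", "10.0.0.5"),
]


class CovertGraph:
    """Hypothetical model of captured hosts as a graph rather than a tree."""

    def __init__(self, edges):
        self.out = {}  # node -> set of nodes it can connect to
        self.inn = {}  # node -> set of nodes that can connect to it
        for a, b in edges:
            self.add_edge(a, b)

    def add_edge(self, a, b):
        self.out.setdefault(a, set()).add(b)
        self.out.setdefault(b, set())
        self.inn.setdefault(b, set()).add(a)
        self.inn.setdefault(a, set())

    def remove_node(self, node):
        """Someone pulled the plug on `node`: drop it and every edge touching it."""
        for b in self.out.pop(node, set()):
            self.inn[b].discard(node)
        for a in self.inn.pop(node, set()):
            self.out[a].discard(node)

    def shortest_path(self, src, dst):
        """BFS: fewest hops from src to dst over the covert network, or None.

        Calling this again after remove_node() is the "auto-route detection"
        from the post: the same drag finds a different way in.
        """
        if src not in self.out or dst not in self.out:
            return None
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.out[cur]):  # sorted only for determinism
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None

    def footholds_that_see(self, target):
        """Nodes with a direct edge to target: the N hosts sharing a world view of it."""
        return sorted(self.inn.get(target, ()))


def plan_distributed_probe(graph, target, ports, rng=None):
    """Assign each port of one scan of `target` to a randomly chosen foothold
    that can reach it, so no single source emits the whole scan and a
    per-source correlation sees only a fragment from each node."""
    rng = rng or random.Random(0)  # fixed seed so the plan is reproducible
    sources = graph.footholds_that_see(target)
    if not sources:
        raise ValueError(f"no foothold can reach {target}")
    plan = {s: [] for s in sources}
    for port in ports:
        plan[rng.choice(sources)].append(port)
    return plan


if __name__ == "__main__":
    g = CovertGraph(SAMPLE_EDGES)
    print("route to 10.0.0.5:", g.shortest_path("attacker", "10.0.0.5"))
    print("probe plan for 3.3.3.3:", plan_distributed_probe(g, "3.3.3.3", range(20, 26)))
    g.remove_node("1.1.1.1")  # defender unplugs a node mid-operation
    print("route after loss:  ", g.shortest_path("attacker", "10.0.0.5"))
    print("probe plan after loss:", plan_distributed_probe(g, "3.3.3.3", range(20, 26)))
```

The planner only decides which foothold sends which probe; actually emitting traffic from each node is the framework's job. With the constructed edges, the route to 10.0.0.5 is two hops through 1.1.1.1 and falls back to three hops through 2.2.2.2 and 3.3.3.3 once 1.1.1.1 is removed, and the scan of 3.3.3.3 goes from two sources to one.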

