Bugtraq mailing list archives

Re: On classifying attacks


From: Shwaine <shwaine () shwaine com>
Date: Tue, 2 Aug 2005 15:39:55 -0700 (PDT)

On Thu, 28 Jul 2005, Daniel Weber wrote:

> I've seen a lot of classification schemes proposed on Bugtraq in the
> intervening years, some of them quite good.  (Search the archives for
> "taxonomy" or "classification".)  But unless they are -very- simple to
> use, they won't be taken up by the community.  If you can come up with
> a single word that imputes the concept of "malicious data that I can
> easily get onto the victim's machine and in front of the victim's
> eyes but requires him to run it," that would be a great step forward.
>
> Simplicity is key.  (Unlike this posting, which I did not have time
> to make shorter and simpler.)


(Apologies for the late reply; I've only just caught up on this thread.)

Would that it were that simple. Then there would not be debates. You've somewhat captured the intuitive idea with your long phrase, that being that these exploits require user intervention of some fashion to succeed. Were I to take a real world phrase and apply it to the cyber realm, the closest that comes to mind is "booby trap", but this does not lend itself well to conveying the consequences of triggering a trap. Nor do I like applying classifications such as "remote to user" to exploits involving user interaction, as this phrase does not distinguish between automated attacks and those requiring user intervention, even though it does convey some of the requirements and consequences of the attack.

Realistically, these types of attacks encompass multiple components such as the delivery vector (e.g. webpage, email), level of user interaction (e.g. regular use of program, clicking attachment) and consequences (e.g. privileges obtained). A simple classification scheme along the lines of "remote to root" is not well suited to conveying all these details. From a modeling standpoint, breaking the attacks down into their components makes sense, but that is not always as useful from a user standpoint. The user might be more concerned about distinguishing exploits that can occur during normal use from those which require more social engineering, as the former implies little to no user control over the risks (other than patching when a patch is available, of course). Academically, however, these might just be two branches rather far down on a taxonomy tree. So, I suppose it has to be asked if we just want catchy phrases to impress upon the user the severity of an issue so they patch, or if we want an academic classification scheme. The two aims do not always align.

Melissa

