RE: On classifying attacks

["Black, Michael" <black () EssexCorp com>]

Perhaps the current popularity of remote/local terms comes from the
Lincoln Labs studies done in 1998:
http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/

Attacks were divided into four categories:
        denial of service
        probing/surveillance
        remote to local
        user to root attacks

In the email examples given so far (note that nothing of similarity was
in the LL study) they would all be "remote to local".
There's no need for trying to define a compound attack -- it serves no
purpose.  Plus the confusion that results from using just "remote" or
"local" should be more than obvious to anybody reading this thread.

If you don't want to use a formal taxonomy for talking about these
things you will always suffer from misunderstanding.  Dr Cowan makes
this point below -- he apparently calls the email portion "local" and
the social engineering "remote".

I believe the original intent of the two "remote to local" and "user to
root" classes was to distinguish the threat level.  "user to root"
implies that you only need worry about those people who have physical
access to the target, and "remote to local" meant you had to worry about
the millions of users on the internet.  Then end result being you
worried a heck of a lot more about "remote to local" than "user to root"
(although both provide root access).
_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black () essexcorp com

-----Original Message-----
From: Crispin Cowan [mailto:crispin () novell com] 
Sent: Sunday, July 24, 2005 7:47 AM
To: Technica Forensis
Cc: Black, Michael; James Longstreet; Derek Martin;
bugtraq () securityfocus com
Subject: Re: On classifying attacks

Technica Forensis wrote:
> This really depends on the situation.  Say I write an exploit that
> when run as a user spawns a listening ssh service with root priv.  I
> get on the system however I do, download this file and exec it.  I
> think everyone would agree that is a local exploit.
> I send that same file as an email attachment to some dolt and peer
> pressure him into running it.  Just because I downloaded the file by
> emailing it to said dolt doesn't change the exploit from local to
> remote. It potentially changes it from 'exploit' to trojan, but it is
> still being executed locally.
>   
That sounds like a compound attack with 2 stages:

    * a social engineering attack to get the victim to run the code
          o can be very simple like "please run this code"
          o can be very sophisticated, like phishing attacks carefully
            crafted to resemble legitimate mail to get the user to click
            on something
    * a local attack that happens when you run the malware

What makes this compound attack "remote" is that the social engineering
attack is remote.

This makes most common viruses compound remote/local attacks with a
remote social engineering attack to somehow induce the user to run a
local attack. The exception to this is e-mail viruses that require no
social engineering because they can exploit some flaw in the preview
pane or such like so that the user only has to browse the mail to run
the malware.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com