Dailydave mailing list archives
Re: Custom defense
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 23 Aug 2004 23:09:25 -0400
I'm not entirely sure what you're advocating here, but I'm pretty sure that the ISS way involves a lot of writing protocol parsers, and I'm betting that in retrospect, "modeling" every DCE-RPC parser idiosyncrasy [un]known to man sounds like a pretty silly (a.k.a. dumb) idea. I'm even fairly confident that Marty and whichever guy that was BlackIce but now is ISS Proventia will figure out that even if you know it's NT 4 SP 6a, you still end up having to reverse engineer the whole dang thing to model it properly, which costs millions (and means you hold lots of state (==slow and complex)). Assuming I don't negotiate an encrypted session for my attack anyways, which'll knock the whole idea sideways from the get-go.

I see protocol parsers, including ISS's, as custom defenses. They usually cost around 10K to bypass, and 50K to break entirely (Immunity is 2K per day per person, YMMV). But, oddly enough, an in-line IPS sometimes retails for MUCH MUCH MORE! I love Marty's graphical demos (and I'm sure I'd love ISS's demos too), but I don't think the price point is really there from a security standpoint. With ISS having most of the market (let's just be honest), it's pretty easy to make your money back from a custom attack standpoint.

I also don't think the price point is there for your standard HIDS. They're all custom niche products, and cost even less to bypass, on average. But the market is so fragmented I'd really want to do some recon and find out what my target is using before spending the money on a custom attack. You can go broke bypassing them all just to have the one your target is running.

What I do think is going to happen is much more API hooking. System call hooking is all well and good, but you really want to do it on the very top layer. I want to say "any high order bits in this character array in MSTASK's rpc server call?" Or, say, just hook all the MSRPC server functions and do some anomaly detection (not as good because of false positives that are impossible to debug). This means I want to hook things at run-time. I'm not sure why every HIDS out there hooks so low. Performance hits go down as you go up the stack. Make an economy of signatures that you trade like snort rules, and go from there. The price point to hit is 50 bucks a server per year. You could do it with a free (GPLed?) API hooker that accepted variable validation signatures on a subscription basis. Maybe Immunity will do that (but probably not, we're pretty busy). :>

-dave

On Mon, 2004-08-23 at 21:48, David Maynor wrote:
> I dunno Dave.... I am gonna have to go ahead and disagree with you on this one. If you believe in custom attacks then you are not a fan of the hype of companies like ISS. You see, ISS writes their sigs for the vulns, and not for exploits. People like Tipping Point claim this, but in fact don't. Further proof your custom attack market is not very large is the HIPS market. Lack of code coverage and poor design will keep players like Cisco and Entercept from ever stopping anything of any worth. What does this mean, why am I spouting it? Simple, it's still the wild, wild, west. Custom attacks, generic attacks, they are all still owning everybody without protection of REAL security companies.
>
> On Mon, 23 Aug 2004 17:02:48 -0400, Dave Aitel <dave () immunitysec com> wrote:
> > So I think the real market for future security is in custom attacks and defenses. This is what I see people starting to work on, although they call it by many names (IPS, etc).
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
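The run-time API-hooking scheme Dave sketches above (hook the top-layer server function, evaluate "variable validation signatures" against its arguments, and trade those signatures like snort rules), as an added Python sketch that is not part of the original thread or of any Immunity product. The hooked function `schedule_job`, the rule format and the sample inputs are all constructed stand-ins.

```python
import inspect
from functools import wraps
from typing import Callable, Dict, List, Tuple

# A validation signature names the argument to inspect and gives a predicate
# that returns True when the argument looks wrong. Hypothetical format.
Rule = Tuple[str, str, Callable[[object], bool]]  # (rule name, argument name, predicate)

# Constructed ruleset keyed by hooked function name; picture these rules
# arriving by subscription, the way snort rules are traded.
RULES: Dict[str, List[Rule]] = {
    "schedule_job": [
        ("high-order-bits", "command", lambda b: any(c & 0x80 for c in b)),
        ("oversized-command", "command", lambda b: len(b) > 260),
        ("not-a-server-name", "server", lambda s: not s.startswith("\\\\")),
    ],
}

def matching_rules(func_name: str, arguments: Dict[str, object]) -> List[str]:
    """Return the names of every rule for func_name that fires on these arguments."""
    hits = []
    for rule_name, arg_name, predicate in RULES.get(func_name, []):
        if arg_name in arguments and predicate(arguments[arg_name]):
            hits.append(rule_name)
    return hits

def validated(func):
    """Run-time hook: bind the call's arguments by name, evaluate the rules,
    refuse the call if any fire, otherwise pass it through untouched."""
    sig = inspect.signature(func)
    @wraps(func)
    def wrapper(*args, **kwargs):
        bound = sig.bind(*args, **kwargs)
        bound.apply_defaults()
        hits = matching_rules(func.__name__, dict(bound.arguments))
        if hits:
            raise PermissionError(f"{func.__name__} blocked by {', '.join(hits)}")
        return func(*args, **kwargs)
    return wrapper

@validated
def schedule_job(server: str, command: bytes) -> str:
    """Constructed stand-in for an RPC server entry point (e.g. a task scheduler's)."""
    return f"scheduled {command.decode('ascii')} on {server}"

def try_call(server: str, command: bytes) -> str:
    """Call through the hook and report whether the call went through or was blocked."""
    try:
        return schedule_job(server, command)
    except PermissionError as exc:
        return str(exc)

if __name__ == "__main__":
    print(try_call("\\\\fileserver", b"backup.exe"))
    print(try_call("\\\\fileserver", b"run.exe \x80\x81"))
```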