Dailydave mailing list archives

Re: Custom defense


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 23 Aug 2004 23:09:25 -0400

I'm not entirely sure what you're advocating here, but I'm pretty sure
that the ISS way involves a lot of writing protocol parsers, and I'm
betting that in retrospect, "modeling" every DCE-RPC parser idiosyncrasy
[un]known to man sounds like a pretty silly (a.k.a. dumb) idea. I'm even
fairly confident that Marty and whichever guy that was BlackIce but now
is ISS Proventia will figure out that even if you know it's NT 4 SP 6a,
you still end up having to reverse engineer the whole dang thing to
model it properly, which costs millions (and means you hold lots of
state (==slow and complex)). Assuming I don't negotiate an encrypted
session for my attack anyways, which'll knock the whole idea sideways
from the get-go.

I see protocol parsers, including ISS's, as custom defenses. They
usually cost around 10K to bypass, and 50K to break entirely (Immunity
is 2K per day per person, YMMV). But, oddly enough, an in-line IPS
sometimes retails for MUCH MUCH MORE! I love Marty's graphical demos
(and I'm sure I'd love ISS's demos too), but I don't think the price
point is really there from a security standpoint. With ISS having most
of the market (let's just be honest), it's pretty easy to make your
money back from a custom attack standpoint.

I also don't think the price point is there for your standard HIDS.
They're all custom niche products, and cost even less to bypass, on
average. But the market is so fragmented I'd really want to do some
recon and find out what my target is using before spending the money on
a custom attack. You can go broke bypassing them all just to have the
one your target is running.

What I do think is going to happen is much more API hooking. System call
hooking is all well and good, but you really want to do it on the very
top layer. I want to say "any high order bits in this character array in
MSTASK's rpc server call?" Or, say, just hook all the MSRPC server
functions and do some anomaly detection (not as good because of false
positives that are impossible to debug). This means I want to hook
things at run-time.

I'm not sure why every HIDS out there hooks so low. Performance hits go
down as you go up the stack. Make an economy of signatures that you
trade like snort rules, and go from there. The price point to hit is 50
bucks a server per year. You could do it with a free (GPLed?) API hooker
that accepted variable validation signatures on a subscription basis.

Maybe Immunity will do that (but probably not, we're pretty busy). :>

-dave
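An added example of the top-of-stack hooking the message sketches: server-side API functions wrapped at run time and their arguments checked against subscription-style validation signatures (one of them the "high-order bits in this character array" rule). This is illustrative Python written for this page, not Immunity's or any vendor's code; `add_job`, the rule names and the sample buffers are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Signature:
    """One tradeable rule, snort-style: which function, which argument, what must hold."""
    func_name: str
    arg_index: int
    check: Callable[[bytes], bool]
    description: str

def no_high_order_bits(buf: bytes) -> bool:
    """The mail's example check: a character array should carry no bytes >= 0x80."""
    return all(b < 0x80 for b in buf)

def max_length(limit: int) -> Callable[[bytes], bool]:
    """Bound the size of a string argument; a natural companion rule."""
    return lambda buf: len(buf) <= limit

class ApiHooker:
    """Wraps server-side functions and validates their arguments before each call."""
    def __init__(self) -> None:
        self.signatures: dict[str, list[Signature]] = {}   # func_name -> rules
        self.alerts: list[tuple[str, tuple[str, ...]]] = []

    def subscribe(self, sig: Signature) -> None:
        self.signatures.setdefault(sig.func_name, []).append(sig)

    def hook(self, func: Callable) -> Callable:
        def wrapper(*args):
            failed = tuple(sig.description
                           for sig in self.signatures.get(func.__name__, [])
                           if sig.arg_index < len(args) and not sig.check(args[sig.arg_index]))
            if failed:                       # block the call and record every rule that fired
                self.alerts.append((func.__name__, failed))
                return None
            return func(*args)               # clean arguments pass straight through
        return wrapper

def add_job(server_name: bytes, command: bytes) -> int:
    """Constructed stand-in for a scheduler RPC server function (hypothetical, not MSTASK's)."""
    return len(command)

def run_demo():
    """Constructed scenario: one clean call, then one carrying an oversized non-ASCII buffer."""
    hooker = ApiHooker()
    hooker.subscribe(Signature("add_job", 1, no_high_order_bits, "high-order bits in command"))
    hooker.subscribe(Signature("add_job", 1, max_length(256), "command longer than 256 bytes"))
    hooked = hooker.hook(add_job)
    results = [hooked(b"SERVER", b"notepad.exe"), hooked(b"SERVER", b"\x90" * 300)]
    return results, hooker.alerts
```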



On Mon, 2004-08-23 at 21:48, David Maynor wrote:
I dunno Dave....I am gonna have to go ahead and disagree with you on this one.
If you believe in custom attacks then you are not a fan of the hype of
companies like ISS. You see, ISS writes their sigs for the vulns, and
not for exploits. People like Tipping Point claim this, but in fact
don't. Further proof your custom attack market is not very large is
the HIPS market. Lack of code coverage and poor design will keep
players like Cisco and Entercept from ever stopping anything of any
worth. What does this mean, why am I spouting it? Simple, it's still
the wild, wild, west. Custom attacks, generic attacks, they are all
still owning everybody without protection of REAL security
companies.

On Mon, 23 Aug 2004 17:02:48 -0400, Dave Aitel <dave () immunitysec com> wrote:
So I think the real market for future security is in custom attacks and
defenses. This is what I see people starting to work on, although they
call it by many names (IPS, etc).

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave