Dailydave mailing list archives

RE: Custom defense


From: info () thehomeloanguide org
Date: Tue, 24 Aug 2004 05:59:08 -0700

Any intrusion detection/prevention application based on an expert system
approach is fundamentally flawed; there are too many variables to
consider even with an intelligent protocol parsing capability.  Until
IDS/IPSes are redesigned to more closely mimic the human mind (e.g.
behavior modeling and neural networks, as opposed to simple pattern
matching or protocol enforcement), any semi-talented exploit engineer
can obfuscate an existing attack with relative ease (and that's without
even considering 0day stuff).  Another thing lacking in the IDS/IPS
market is visualization engines; any $7/hr security guard could pick
up on violations in network security policy and "acceptable use" of
network assets if given the proper gallery of pretty images to look at.

I met two guys from Gatech back in '97 who had replaced the underlying
RealSecure signature engine with a neural network-based core; after
about a 2-week learn time they could pick up on and generate alarms
based on deviations in network and protocol behavior as opposed to
black and white decisions about pattern matching.  They only supported
FTP sessions at the time due to processor limitations (dual PPro 200)
but it was an impressive demonstration nonetheless.

Humans are largely creatures of habit; the networks we use are just
microcosms of those behavior patterns.

-------- Original Message --------
Subject: Re: [Dailydave] Custom defense
From: "Dave Aitel" <dave () immunitysec com>
Date: Mon, August 23, 2004 8:09 pm
To: "David Maynor" <dmaynor () gmail com>
Cc: dailydave () lists immunitysec com

I'm not entirely sure what you're advocating here, but I'm pretty sure
that the ISS way involves a lot of writing protocol parsers, and I'm
betting that in retrospect, "modeling" every DCE-RPC parser idiosyncrasy
[un]known to man sounds like a pretty silly (a.k.a. dumb) idea. I'm even
fairly confident that Marty and whichever guy that was BlackIce but now
is ISS Proventia will figure out that even if you know it's NT 4 SP 6a,
you still end up having to reverse engineer the whole dang thing to
model it properly, which costs millions (and means you hold lots of
state (==slow and complex)). Assuming I don't negotiate an encrypted
session for my attack anyways, which'll knock the whole idea sideways
from the get-go.

I see protocol parsers, including ISS's, as custom defenses. They
usually cost around 10K to bypass, and 50K to break entirely (Immunity
is 2K per day per person, YMMV). But, oddly enough, an in-line IPS
sometimes retails for MUCH MUCH MORE! I love Marty's graphical demos
(and I'm sure I'd love ISS's demos too), but I don't think the price
point is really there from a security standpoint. With ISS having most
of the market (let's just be honest), it's pretty easy to make your
money back from a custom attack standpoint.

I also don't think the price point is there for your standard HIDS.
They're all custom niche products, and cost even less to bypass, on
average. But the market is so fragmented I'd really want to do some
recon and find out what my target is using before spending the money on
a custom attack. You can go broke bypassing them all just to have the
one your target is running.

What I do think is going to happen is much more API hooking. System call
hooking is all well and good, but you really want to do it on the very
top layer. I want to say "any high order bits in this character array in
MSTASK's rpc server call?" Or, say, just hook all the MSRPC server
functions and do some anomaly detection (not as good because of false
positives that are impossible to debug). This means I want to hook
things at run-time.

I'm not sure why every HIDS out there hooks so low. Performance hits go
down as you go up the stack. Make an economy of signatures that you
trade like snort rules, and go from there. The price point to hit is 50
bucks a server per year. You could do it with a free (GPLed?) API hooker
that accepted variable validation signatures on a subscription basis.

Maybe Immunity will do that (but probably not, we're pretty busy). :>

-dave



On Mon, 2004-08-23 at 21:48, David Maynor wrote:
I dunno Dave....I am gonna have to go ahead and disagree with you on this one.
If you believe in custom attacks then you are not a fan of the hype of
companies like ISS. You see, ISS writes their sigs for the vulns, and
not for exploits. People like Tipping Point claim this, but in fact
don't. Further proof your custom attack market is not very large is
the HIPS market. Lack of code coverage and poor design will keep
players like Cisco and Entercept from ever stopping anything of any
worth. What does this mean, why am I spouting it? Simple: it's still
the wild, wild, west. Custom attacks, generic attacks, they are all
still owning everybody without protection of REAL security
companies**********************

On Mon, 23 Aug 2004 17:02:48 -0400, Dave Aitel <dave () immunitysec com> wrote:
So I think the real market for future security is in custom attacks and
defenses. This is what I see people starting to work on, although they
call it by many names (IPS, etc).
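Dave Aitel's paragraph above about hooking the MSRPC server functions at the very top layer and asking, say, whether there are any high-order bits in a character array is concrete enough to sketch in code. The block below is an added example written for this archive page; it is not code from the thread, from Immunity, or from any product named in it. A toy dispatch table stands in for an RPC server's stub table (hypothetical, not MSRPC or MSTASK), install_hooks patches it at run time, and two constructed "variable validation signatures" (no high-order bits, maximum length) run on every call before chaining to the original handler. The handler, the op numbers and the signature names are all assumptions made for the example.

```c
/* Added example, not code from the thread or from any product named in it.
 * It sketches the approach described above: hook the server-side API entry
 * points at run time and validate their arguments against "variable
 * validation signatures". The dispatch table and handler are stand-ins for
 * an RPC server stub table (hypothetical, not MSRPC). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Shape of a toy server entry point: a character array and its length. */
typedef int (*server_fn)(const unsigned char *buf, size_t len);

/* Verdict returned by a hook that blocks a call (IPS mode). */
#define BLOCKED (-1)

/* Stand-in for a real handler; it just returns the accepted length. */
static int handle_job_name(const unsigned char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

/* The dispatch table a run-time hooker patches, plus saved originals so a
 * hook can chain to the real function after validation. */
#define NUM_OPS 1
static server_fn dispatch[NUM_OPS] = { handle_job_name };
static server_fn original[NUM_OPS];

/* A validation signature: which op, which property of the argument to
 * check, and a parameter. These are the tradeable "snort rules" of the
 * idea; the two below are constructed for this example. */
enum check_kind { CHECK_NO_HIGH_BITS, CHECK_MAX_LEN };
struct val_sig { int op; enum check_kind kind; size_t param; const char *name; };

static const struct val_sig sigs[] = {
    { 0, CHECK_NO_HIGH_BITS, 0,   "op0: high-order bits in character array" },
    { 0, CHECK_MAX_LEN,      260, "op0: character array longer than 260" },
};
#define NUM_SIGS (sizeof sigs / sizeof sigs[0])

/* Name of the signature that fired on the most recent checked call, or NULL. */
const char *last_hit = NULL;

/* Evaluate every signature for this op; returns 1 if one matches. */
int check_args(int op, const unsigned char *buf, size_t len)
{
    last_hit = NULL;
    for (size_t i = 0; i < NUM_SIGS; i++) {
        int hit = 0;
        if (sigs[i].op != op)
            continue;
        switch (sigs[i].kind) {
        case CHECK_NO_HIGH_BITS:       /* any byte with bit 7 set */
            for (size_t j = 0; j < len && !hit; j++)
                hit = (buf[j] & 0x80) != 0;
            break;
        case CHECK_MAX_LEN:            /* array longer than the parameter */
            hit = len > sigs[i].param;
            break;
        }
        if (hit) {
            last_hit = sigs[i].name;
            return 1;
        }
    }
    return 0;
}

/* The hook that replaces dispatch[0]: validate first, then chain. */
static int hook_job_name(const unsigned char *buf, size_t len)
{
    if (check_args(0, buf, len)) {
        fprintf(stderr, "blocked call to op 0: %s\n", last_hit);
        return BLOCKED;
    }
    return original[0](buf, len);
}

/* Run-time installation: swap the table entry and keep the original.
 * Guarded so a second call cannot make the hook chain to itself. */
void install_hooks(void)
{
    if (dispatch[0] == hook_job_name)
        return;
    original[0] = dispatch[0];
    dispatch[0] = hook_job_name;
}

/* How callers reach the server: always through the (possibly hooked) table. */
int call_op(int op, const unsigned char *buf, size_t len)
{
    if (op < 0 || op >= NUM_OPS)
        return BLOCKED;
    return dispatch[op](buf, len);
}

int main(void)
{
    /* Constructed inputs: a benign name and one carrying NOP-sled style bytes. */
    const unsigned char benign[] = "backup.job";
    const unsigned char sled[] = { 'x', 0x90, 0x90, 0xe8 };

    install_hooks();
    printf("benign -> %d\n", call_op(0, benign, sizeof benign - 1));
    printf("sled   -> %d\n", call_op(0, sled, sizeof sled));
    return 0;
}
```

In a real deployment the table swap would be a function-pointer or prologue patch inside the target process, and the IDS/IPS choice is whether the hook returns BLOCKED or merely logs and chains. The signatures here are deliberately about argument properties rather than exploit bytes, which is what keeps them cheap to evaluate and lets them be traded independently of the hooker; the false-positive problem Dave mentions for anomaly detection does not go away, it just moves into whoever writes the signatures.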

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
