Dailydave mailing list archives
RE: Custom defense
From: info () thehomeloanguide org
Date: Tue, 24 Aug 2004 05:59:08 -0700
Any intrusion detection/prevention application based on an expert system approach is fundamentally flawed; there are too many variables to consider, even with an intelligent protocol parsing capability. Until IDSs/IPSs are redesigned to more closely mimic the human mind (e.g. behavior modeling and neural networks, as opposed to simple pattern matching or protocol enforcement), any semi-talented exploit engineer can obfuscate an existing attack with relative ease (and that's without even considering 0day stuff).

Another thing lacking in the IDS/IPS market is visualization engines; any $7/hr security guard could pick up on violations in network security policy and "acceptable use" of network assets if given the proper gallery of pretty images to look at.

I met two guys from Gatech back in '97 who had replaced the underlying Realsecure signature engine with a neural network-based core. After about a 2 week learn time they could pick up on and generate alarms based on deviations in network and protocol behavior, as opposed to black and white decisions about pattern matching. They only supported FTP sessions at the time due to processor limitations (dual PPRO 200), but it was an impressive demonstration nonetheless. Humans are largely creatures of habit; the networks we use are just microcosms of those behavior patterns.
-------- Original Message --------
Subject: Re: [Dailydave] Custom defense
From: "Dave Aitel" <dave () immunitysec com>
Date: Mon, August 23, 2004 8:09 pm
To: "David Maynor" <dmaynor () gmail com>
Cc: dailydave () lists immunitysec com

I'm not entirely sure what you're advocating here, but I'm pretty sure that the ISS way involves a lot of writing protocol parsers, and I'm betting that in retrospect, "modeling" every DCE-RPC parser idiosyncrasy [un]known to man sounds like a pretty silly (a.k.a. dumb) idea. I'm even fairly confident that Marty and whichever guy that was BlackIce but now is ISS Proventia will figure out that even if you know it's NT 4 SP 6a, you still end up having to reverse engineer the whole dang thing to model it properly, which costs millions (and means you hold lots of state (==slow and complex)). Assuming I don't negotiate an encrypted session for my attack anyways, which'll knock the whole idea sideways from the get-go.

I see protocol parsers, including ISS's, as custom defenses. They usually cost around 10K to bypass, and 50K to break entirely (Immunity is 2K per day per person, YMMV). But, oddly enough, an in-line IPS sometimes retails for MUCH MUCH MORE! I love Marty's graphical demos (and I'm sure I'd love ISS's demos too), but I don't think the price point is really there from a security standpoint. With ISS having most of the market (let's just be honest), it's pretty easy to make your money back from a custom attack standpoint.

I also don't think the price point is there for your standard HIDS. They're all custom niche products, and cost even less to bypass, on average. But the market is so fragmented I'd really want to do some recon and find out what my target is using before spending the money on a custom attack. You can go broke bypassing them all just to have the one your target is running.

What I do think is going to happen is much more API hooking. System call hooking is all well and good, but you really want to do it on the very top layer. I want to say "any high order bits in this character array in MSTASK's rpc server call?" Or, say, just hook all the MSRPC server functions and do some anomaly detection (not as good because of false positives that are impossible to debug). This means I want to hook things at run-time. I'm not sure why every HIDS out there hooks so low. Performance hits go down as you go up the stack. Make an economy of signatures that you trade like snort rules, and go from there. The price point to hit is 50 bucks a server per year. You could do it with a free (GPLed?) API hooker that accepted variable validation signatures on a subscription basis. Maybe Immunity will do that (but probably not, we're pretty busy). :>

-dave

On Mon, 2004-08-23 at 21:48, David Maynor wrote:
> I dunno Dave.... I am gonna have to go ahead and disagree with you on this one. If you believe in custom attacks then you are not a fan of the hype of companies like ISS. You see, ISS writes their sigs for the vulns, and not for exploits. People like Tipping Point claim this, but in fact don't. Further proof your custom attack market is not very large is the HIPS market. Lack of code coverage and poor design will keep players like Cisco and Entercept from ever stopping anything of any worth. What does this mean, why am I spouting it? Simple, it's still the wild, wild, west. Custom attacks, generic attacks, they are all still owning everybody without protection of REAL security companies**********************
>
> On Mon, 23 Aug 2004 17:02:48 -0400, Dave Aitel <dave () immunitysec com> wrote:
> > So I think the real market for future security is in custom attacks and defenses. This is what I see people starting to work on, although they call it by many names (IPS, etc).

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
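The "variable validation signatures" Dave sketches above (a top-of-stack API hook that asks questions like "any high order bits in this character array?") can be shown as a small, data-driven check. The following Python is an added illustration, not code from this thread, from Immunity, or from any HIDS product; the API name `hypothetical_task_rpc`, the signature names, and the sample calls are all constructed for the example, and the hooking mechanism itself is assumed to exist and simply hand the validator an API name plus its argument values.

```python
# Added example (not from the original thread): a minimal validator for
# "variable validation signatures" applied at the API layer. A hook (assumed,
# not implemented here) would call validate_call() with the API name and the
# raw argument values before the real server function runs; a non-empty
# result means one or more signatures fired and the call should be alerted on.

from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Signature:
    """One tradeable rule: which API, which argument, and the acceptance test."""
    name: str
    api: str
    arg_index: int
    accepts: Callable[[bytes], bool]  # True when the argument value is acceptable


def no_high_order_bits(value: bytes) -> bool:
    """The check Dave names: reject any byte with the high-order bit set."""
    return all(b < 0x80 for b in value)


def max_length(limit: int) -> Callable[[bytes], bool]:
    """Build a length-bound check (a common companion to the high-bit check)."""
    def accepts(value: bytes) -> bool:
        return len(value) <= limit
    return accepts


# Constructed signature set for a hypothetical RPC entry point; the API name
# and rule names are placeholders, not real identifiers.
SIGNATURES: List[Signature] = [
    Signature("hyp-task-rpc-high-bits", "hypothetical_task_rpc", 0, no_high_order_bits),
    Signature("hyp-task-rpc-arg-len", "hypothetical_task_rpc", 0, max_length(256)),
]


def validate_call(api: str, args: Sequence[bytes],
                  signatures: Sequence[Signature] = SIGNATURES) -> List[str]:
    """Return the names of signatures violated by this call ([] means allow).

    Signatures for other APIs, or for an argument index the call does not
    have, are skipped rather than treated as violations.
    """
    violations = []
    for sig in signatures:
        if sig.api != api or sig.arg_index >= len(args):
            continue
        if not sig.accepts(args[sig.arg_index]):
            violations.append(sig.name)
    return violations


# Constructed sample calls, as a hook might deliver them.
SAMPLE_CALLS: List[Tuple[str, List[bytes]]] = [
    ("hypothetical_task_rpc", [b"C:\\jobs\\backup.job"]),   # ordinary path
    ("hypothetical_task_rpc", [b"A" * 300]),                # over the length bound
    ("hypothetical_task_rpc", [b"job\x90\x90\xff"]),        # high-order bits set
    ("other_rpc", [b"\xff" * 10]),                          # no signatures apply
]


def scan(calls: Sequence[Tuple[str, Sequence[bytes]]]) -> List[Tuple[str, List[str]]]:
    """Run every call through the signature set; keep only those that fired."""
    results = []
    for api, args in calls:
        hits = validate_call(api, args)
        if hits:
            results.append((api, hits))
    return results


if __name__ == "__main__":
    for api, hits in scan(SAMPLE_CALLS):
        print(f"ALERT {api}: {', '.join(hits)}")
```

Because each signature is a data record naming an API, an argument position, and an acceptance test, a set of them can be shipped and swapped like a rule file; the last sample call shows the intended failure mode for coverage gaps: an API with no signatures passes silently, which is exactly where a signature economy has to keep growing.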