Re: Application-level Attacks

[Adam Shostack <adam () homeport org>]

On Fri, Jan 28, 2005 at 09:24:12PM +0530, Devdas Bhagat wrote:
| On 27/01/05 18:56 -0800, Crispin Cowan wrote:
| > Shimon Silberschlag wrote:
| > 
| > > Today, when attacks are shifting towards using the already open ports 
| > > on the firewall, at the application level,
| > 
| > It is often said that contemporary attacks are migrating to 
| > application-level attacks. Can someone point me to data backing this claim?
| 
| Or the reverse, data showing that older attacks were not application
| layer attacks (packet flooding and the rare ping of death attact excepted).

I think that older attacks were not application-layer from a business
perspective; they may have been at one layer or another of the
technical stack, but they rarely attacked core business
functionality.  I think that a combination of technical factors (more
money moved through internet systems) and social ones (attackers who
are in it for the money) combine to make a new type of attack.


Richard Bejtlich asked some similar questions at:
http://taosecurity.blogspot.com/2005/01/application-vulnerabilities-are-not.html,
and I responded at http://www.emergentchaos.com/archives/000840.html:

> I think that Richard is both right, in that there's no big technical
> shift, and wrong, in that the attacks will mature. As I said a few
> days ago, the attackers will become more clever in using the attacks
> to make money. There's also a perception issue, a blowback, if you
> will, of the success of database-driven vulnerability scanners like
> ISS and Nessus. These scanners are very effective at finding
> instances of the sorts of vulnerabilities that get CVE entries. They
> are less effective, if they even try, at finding vulnerabilities in
> your locally developed application. Here tools like those from
> Kavado and SPI Dynamics do much better. Rather than working from a
> database of flaws, they inspect a web application for classes of
> flaw, by running attacks against the site in a controlled way. So
> the success of the database-driven scanners is that people think
> that they can run those scanners and learn how an attacker can get
> in. And that's correct. But no tool will give you a complete
> list. And so I expect that what the SANS folks are talking about is
> a rise in attacks against the business infrastructure, rather than
> the technical infrastructure. If they're not, they should be.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards