Honeypots mailing list archives

Re: Attack Paradigm Shift?


From: Lance Spitzner <lance () honeynet org>
Date: Wed, 21 May 2003 16:16:15 -0500 (CDT)

On Wed, 21 May 2003, Roger A. Grimes wrote:

"A statistic from Riptech, a provider of security services [says] targeted
attacks against its customer base last year reached 40 percent [of total
attacks], far above the expected 15 percent."
-http://news.com.com/2010-1071-1001016.html

The quote above is from an article being summarized by SANS and other
security reporting organizations today, saying targeted attacks (vs.
randomly searching scanning malware) are becoming very prevalent.

My initial thought is disbelief because of the inherent nature of scanning
malware and my own experience tells me most companies get tons of untargeted
attacks (CodeRed, Nimda, Slammer, etc.) every day and only the lucky few get
targeted attacks.

I was wondering if Lance or the other Honeynet Project participants agreed
with these trend summaries?

The Honeynet Project is not really qualified to comment on these statistics.
To date, most of our Honeynets have been systems of little value, placed on 
home or small business connections.  The only way you can find these systems
is by randomly scanning networks.  We have deployed only a very limited
number of 'high value' Honeynets.  As a result, we tend to collect data on
a specific clientele, mainly random attackers.  For us to verify these statistics,
we would have to deploy multiple Honeynets of 'high value' and determine
the number of targeted attacks against them.  We are not there yet, but we
are working on it :)

As for obtaining such statistics, it would be interesting to see what
the definition of 'targeted' is and how it is determined.  For example,
we have often captured targeted activity against specific organizations,
a blackhat targeting a specific IP for a Denial of Service attack.
However, the reason the blackhat is targeting that IP is merely to
attack another blackhat who has broken into the target organization.
Does this count?  It can be extremely challenging determining what activity
is correlated to which source and its motivation.

However, I can tell you with a great deal of confidence, the Internet
is a mighty hostile place to be :0

lance

