Security Incidents mailing list archives

Re: Rating Attackers


From: H C <keydet89 () yahoo com>
Date: Thu, 1 Aug 2002 06:17:10 -0700 (PDT)

 
> Overall comment - you seem confused as to whether you are developing a matrix
> to assess "risk" on your part, or "skill" on the attacker's part.

Either way, I think that something like trying to
determine the "skill" of an attacker is extremely
subjective, and perhaps not even quantifiable in terms
of a matrix.  Say you're getting script kiddie scans
from a variety of sources over a period of weeks. 
Each of these may be seen as separate incidents, b/c
they come from such widely geographically dispersed
locations.  But what if the entire thing is all part
of a single attacker's plan...by probing your site
using "victim" systems he's already compromised,
perhaps he's gauging your reactions (i.e., is the
"victim" machine used to probe taken off the Net,
etc), or perhaps he's flooding your site w/ traffic
(and filling your logs) so that you won't notice his
real intent.  

Given such situations, something viewed as several
extremely poor attacks may all be part of one much
larger, well thought-out attack.  Or, vice versa.  But
without knowing, how does one quantify this?

> You may want to split it into two separate ratings.  You also need to consider
> the difference between random and targeted attacks -

Right...such as a full-b0re whisker scan vs a scan
targeted at IIS servers (which you may have)...or even a
targeted scan, but one aimed at IIS when you're
running Apache...

> remember that the upper echelons of hackers (those scoring over 40 or
> so on your scale) will mostly be doing targeted attacks against a specific
> machine.  These will likely be complicated attacks, involving social
> engineering, privilege escalation, and multiple steps to reach the goal
> (for instance, whacking a webserver by first targeting a developer's
> workstation).

This is a good point, though I haven't seen such a
thing, nor do I know anyone who has...but it is a
possibility.  How does one rate the "skill" of an
attacker who targets a system, and penetrates it by
getting a job as an admin at the company she's
targeting?

Another question is how do you rate guys like Lamo? 
In some of his interviews, he's made it clear that
it's more a matter of persistence than skill...he
reportedly used a browser to access the NYTimes site. 
Again, "skill" doesn't necessarily relate directly to
"persistence"...though Lamo arguably has both to some
degree.

> Similarly, I don't see why a *BSD trying to whack a
> Linux 2.2 scores *more* than a 2.4.

Good points.  I'm not all that clear on why Win9x gets
such a low score, either.  After all, if you install a
Win98 machine and disable file sharing, what score
would anyone get for being able to access the system
remotely, regardless of the OS used by the "attacker"?
Script kiddies are installing Linux more and more,
and many distros install a heck of a lot of services,
whereas for the most part, Win9x installs file
sharing, and that's just about it.
 
> In addition, everybody who didn't just fall out of a tree knows you want to
> launch your attack from an untrackable throwaway, preferably one with little
> or no concept of logging.  So if you see an inbound connection from a Win95
> box, it may be a pathetically clueless script kiddie - or a professional that
> knows about the power of an open Wingate proxy....

Exactly...but how do you know?  And that goes back to
my earlier point...what if the "pro" uses several
Win9x machines (and Linux, too) to launch a wide range
of "attacks", but slips in from another venue that you
don't notice.

Another issue is the analysts themselves.  When I was
the network security manager for a telecom, I had to
deal w/ one admin at the data center who had a...well,
"different"...way of bringing incidents to the notice
of the customer.  Well, first off, he wasn't supposed
to.  Second, when we had one of those "tagged" ftp
directory issues, he went to the customer and told
them that their SAM database had been copied and
cracked...with no evidence other than "that's what
hackers do" to support his statement.
 
> If you're trying to evaluate the *skill* of the attacker, points should only
> be scored in this section for a *successful* attack.

hhhhmmmm...I don't know.  Other things need to be
taken into consideration.  For example, at this point
in time, an attack using the directory traversal
exploit to IIS isn't particularly skillful...but it
does lead to success, even for some automated tools.

> If you're trying to evaluate *risk*, the table needs to be reversed - if
> you're running Win95 and the attacker is on OpenBSD, you score a 5
> because you're in deep, 

I don't agree with that.  I think that kind of
statement is based more on the quasi-religious
argument about OSes, rather than on hard facts.  I've
put Win95 systems on a raw DSL connection (no
firewalls) and disabled file sharing...and never had a
successful break-in, or even a virus.

> You missed an *entire* set of intelligence-gathering here - portscanners are
> NOT the end-all, especially for targeted attacks.  For instance, you should be
> able to make some educated guesses about what I'm running based on the mail
> headers I emit - 

However, these *can* be altered, in many cases.


> If you can score 5 points just for having a stealthy portscanner, there
> should be a 6 or 7 point score for "obviously had us pegged in detail
> before sending a single packet".

And again, that's a subjective issue that's hard to
quantify.  One analyst looking at the data may say
what you said, while another would say, "no way, the
guy got lucky."

> Maybe I'm low on caffeine, but I'm failing to see the difference between "not
> reported before" scoring 1 point and "new attack" scoring 2, for a total of 3.
> Also, if a recon was performed, and the attack was *still* not applicable,
> there should be a -2 score for gross stupidity. ;)

Agreed.  But then, how does one know that the grossly
stupid activity isn't being purposely used to mask the
really important attack...the one that gets in...

> "is this a common attack" should be rephrased to "this week's popular attack";
> a skilled attacker may try a formerly-popular attack just to be retro.

Again, too subjective...who determines what's most
popular this week?  Listings on Incidents.org?  Posts
to BugTraq?  Dude, we've got guys on the SF lists that
can't properly format a Google search...
 
> For targeted attacks, there's always the use of Outlook as a trojan-delivery
> system. ;)

This statement sort of makes my point regarding
perspectives...on many infrastructures, such a
targeted attack would rank extremely low in skill, and
do nothing more than fill some log files.
 
> You overlook the case of a worm that installs a rootkit. ;)

Perhaps not...while not specifically mentioned, it
doesn't take a skilled attacker to launch a worm.  In
fact, one would think that a truly skilled individual
would avoid the use of worms...they're too
indiscriminate.  Think of a landscape w/ targets...the
truly skilled attacker is more akin to a sniper than
an infantry company on line, clearing the brush of
everything in their path...
 
Overall, some of the issues w/ the presented model
are things like:

- assessing the current posture of an organization is
far too subjective.  I've dealt with admins who've
claimed to be secure, only to find out that some
anti-social 15 yr old 3000 miles away has had greater
control of his server for 6 months than the admins in
the office.

- assessing an attack...how many times do we see the
same questions in the SF lists...someone finds
something odd running on a system after a portscan,
and instead of running a port-to-process mapping tool,
they go to the Internet to see which daemon _should
be_ using that port?  We still see people who don't
recognize Nimda, CR, or even just dir traversal
attempts, or don't know what the "404" response code
in their logs means.

- as we've already discussed, there are far too many
possibilities and variables to be able to accurately
assess the "skill" level of a real attack...



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

