Version 4, 08/12/2011 18:15:32


The (network) Attack Process

Types of attackers

There are many kinds of "attacker", with a wide variety of goals and very different levels of skill. Trying to classify them accurately is therefore hard: some taxonomies list as many as 26 types of "attacker", which certainly does not help when designing a secure architecture.

The classification presented here is simpler and shows three types of attacker: the "script kiddies", the "crackers" and the "elite", drawn in proportion to their numbers.

Attackers cannot be identified with certainty, so the classification presented here rests on empirical data alone.

Script kiddies

At the base of the classification are the "script kiddies", so called because, stereotypically, they are young and have no real talent, and therefore need scripts to do most of their work. Although they lack deep knowledge, they generally know more than ordinary users about computer security and common vulnerabilities. Their motives vary, but in general they attack indiscriminately. Script kiddies prefer to attack with a sequence they have already learned, which they repeat against any computer that is vulnerable to it.

Hoping that no reader wants to become a script kiddie, it is still useful to understand how easy it is today to become one and cause real damage on the Internet. Here is an example of how to become a script kiddie in seven easy steps:

  1. Install a Linux/UNIX distribution on a PC.
  2. Spend a lot of time on IRC and pick up the jargon.
  3. Subscribe to BugTraq and vuln-dev. You do not have to contribute to any discussion; the lists provide the tools a script kiddie needs.
  4. Watch the posts about new vulnerabilities, especially those affecting many users (for example, those in web servers).
  5. Use a network scanner such as Nmap to find machines potentially exposed to the attack.
  6. Take the sample code posted on the mailing list and run it against a system the script kiddie believes is vulnerable.
  7. Use the compromised machine to attack other machines, launch denial of service (DoS) attacks, pull confidential information, and so on.

The thing to remember is that script kiddies do not care whether there is anything of value on the machine they attack; many are happy simply to compromise it and use it to attack others.

Crackers

One step above the script kiddies are the crackers, who have more experience and are potentially more dangerous. They differ from script kiddies in their ability to devise and launch new attacks against specific targets. They are generally called "crackers" or "black hats"; what matters is not to call them "hackers", a term that is used, and earned, as a badge of honour.

The Jargon File defines a hacker as "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary", and a cracker as "one who breaks security on a system".

The Jargon File goes on to say that the term cracker was coined around 1985 by hackers, to give the media another word for people who break the security of systems. Unfortunately, it never caught on: when the media say "hacker" they still mean someone who "does illegal things".

Elite

Finally, the top tier includes the people you rarely read about and certainly don't want attacking your network, the attacker elite. They are the well-paid corporate spies, government-funded information warfare groups, political radicals, and terrorists. Although not always, you can expect this group to be better funded and to have very specific targets that they attack relentlessly.

NOTE I am always a bit cautious about bringing up this category of top-tier attackers because mentioning them is most often used as a scare tactic when selling security products to big business. "Hey, Mr. Customer, you must buy our new product or your competitor's spies will get you." The fact is, the threat from these sorts of individuals is real but generally for a very specific type of organization under very specific circumstances. If you manage a network that controls a critical infrastructure in your country (electric power, water, emergency services, and so on), you should be concerned about the risk. Likewise, if you work in a competitive market in which your intellectual property is of very high value, it would be naive to assume that all of your competitors are law-abiding citizens.

Vulnerability Types

Any network contains vulnerabilities. It is important to understand how these vulnerabilities arise and what to watch out for. At a high level, vulnerabilities can be broken down into the following categories:

  • Software
  • Hardware
  • Configuration
  • Policy
  • Usage

The first two are more concrete; the last three are harder to quantify.

Software Vulnerabilities

Various software-engineering methodologies and academic studies have sought to measure, and reduce, the number of defects per 1000 lines of program code. Depending on the software and the organization doing the measurement, these numbers vary widely, but estimates of between 5 and 15 defects per 1000 lines of code are common. If you look at today's applications and operating systems, many have millions of lines of code. (Microsoft Windows XP contains about 50 million lines.) Even if just a small percentage of those flaws are security related, and even if just a small percentage of that group of flaws are exploitable, there are thousands of security flaws waiting to be discovered.

On top of that, software code is changing all the time. Sometimes fixes for one part of a large program can introduce problems into another part. Also, two independent pieces of software might be security bug-free, but when they are run on the same system, they might introduce a new problem. A quick survey of the software vulnerabilities on mailing lists such as BugTraq shows just how many defects are found and the wide range of products in which they are found.

In addition to application bugs, correct implementation of a flawed protocol or design can also cause problems. Because the end result is a software mistake, no matter the reason, these are also called software vulnerabilities.

NOTE As a secure network designer, software vulnerabilities are part of the reason you have a job in the first place. In many cases, the network is augmenting the security of an application. If software could be counted on to operate without error, application security could be relied on more, and elements such as firewalls and intrusion detection systems might not be as necessary.

Hardware Vulnerabilities

Hardware vulnerabilities are less common but are increasing in significance, primarily because of the increase of programmable hardware in the market. Vulnerabilities in the system basic input/output system (BIOS), network processors, and CPUs can do more damage because a hardware vulnerability is often not easily remedied by a software patch.

Finding out you must replace your computer because of a hardware vulnerability is not a happy day. Although not specifically related to security, Intel had to offer customers free replacement Pentium processors in 1994 because of a floating-point error in the hardware.

Configuration Vulnerabilities

Despite the best intentions of network operators, misconfigurations are very common on a network. In a firewall with a complex access control policy, hundreds of entries permitting and denying different traffic types can exist. The chances are high that someone eventually will make a mistake.

In addition to inadvertent misconfigurations, the problem of RTFM often rears its head. For a definition of RTFM, consult your friendly neighborhood search engine. The basics of the problem are this: if the individual responsible for deploying a technology doesn't know much about the technology, the chances of it working as intended decrease significantly. As a result, it is critical that organizations set aside part of the budget to allocate for employee training.

TIP One of the easiest ways to avoid configuration errors is to ensure that your security technologies are easy to manage. For example, when deciding on a firewall, features, performance, and cost are second, third, and fourth on my list of criteria after manageability.
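As an added example (not from the original page or the book it draws on), the following Python script mechanically checks a rule list for the kind of mistake described above. It reads a constructed, simplified access-list syntax (action, protocol, source, destination, destination port range; first match wins) and flags rules that can never take effect because an earlier rule already covers every packet they could match, distinguishing harmless duplicates from conflicts where the later rule's intent is silently lost, and also flags a permit-everything entry. The syntax, the Rule fields and the sample rule set are assumptions made for this example and do not correspond to any particular firewall product.

```python
# Added example, not from the original page: audit a first-match firewall
# rule list for rules that can never take effect and for permit-everything
# entries. Syntax, field names and the sample rule set are all constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                  # inclusive (low, high) destination port range


def parse_rule(line):
    """Parse the constructed syntax 'permit tcp 10.0.0.0/8 192.0.2.0/24 22-22'."""
    action, proto, src, dst, ports = line.split("#")[0].split()
    low, high = (int(p) for p in ports.split("-"))
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), (low, high))


def load_acl(text):
    """Parse every non-empty, non-comment line of the rule list, in order."""
    return [parse_rule(l) for l in text.splitlines() if l.split("#")[0].strip()]


def covers(outer, inner):
    """True if every packet matched by inner is also matched by outer."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])


def is_permit_everything(rule):
    return (rule.action == "permit" and rule.proto == "any"
            and rule.src.prefixlen == 0 and rule.dst.prefixlen == 0
            and rule.dport == (1, 65535))


def audit(rules):
    """Return (kind, rule_index, covering_index) findings, in rule order.

    kind is 'open' (permit everything), 'redundant' (shadowed by an earlier
    rule with the same action) or 'conflict' (shadowed by an earlier rule with
    the opposite action, so the later rule's intent is silently lost)."""
    findings = []
    for i, rule in enumerate(rules):
        if is_permit_everything(rule):
            findings.append(("open", i, None))
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "conflict"
                findings.append((kind, i, j))
                break   # first match wins, so the earliest cover is the one that fires
    return findings


# Constructed sample: the operator meant to block SSH from one subnet and
# later "temporarily" opened everything while debugging.
SAMPLE_ACL = """
permit tcp 10.0.0.0/8    192.0.2.0/24   22-22      # SSH from the whole corporate range
deny   tcp 10.1.0.0/16   192.0.2.0/24   22-22      # meant to exclude the guest subnet
permit tcp 10.1.0.0/16   192.0.2.10/32  22-22      # duplicate of what rule 0 already allows
permit udp 0.0.0.0/0     192.0.2.53/32  53-53      # public DNS
permit any 0.0.0.0/0     0.0.0.0/0      1-65535    # "temporary" debugging rule
deny   any 0.0.0.0/0     0.0.0.0/0      1-65535    # intended default deny
"""

if __name__ == "__main__":
    for kind, i, j in audit(load_acl(SAMPLE_ACL)):
        where = f" (covered by rule {j})" if j is not None else ""
        print(f"rule {i}: {kind}{where}")
```

On the sample list the checker reports rule 1 as a conflict (the guest-subnet deny never fires because rule 0 already permits it), rule 2 as redundant, rule 4 as open, and rule 5 as a conflict (the default deny is dead because of the debugging rule above it). The same two checks scale to a list of hundreds of entries, which is exactly where a human reviewer stops seeing these mistakes.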

Policy Vulnerabilities

In addition to software, hardware, and configuration vulnerabilities, you might encounter policy vulnerabilities. Policy vulnerabilities occur when an attack is made possible by a poor choice in the development or implementation of a security policy. Because your network security system is only as good as the security policy to which it adheres, policy vulnerabilities can cause widespread problems. This is one of the main reasons the security system must be improved over time, through changes to both the system and the policies. The distributed denial of service (DDoS) attacks that occurred in 2000 are examples of policy vulnerabilities. Clearly, changes could have been made to IP to reduce the chances of these attacks succeeding, but at the time most organizations had not planned for such attacks or even considered the remote possibility of them. As such, organizational security policies had not defined standards for how systems should deal with DDoS attacks. Today, if you look at the security policy of any large e-commerce organization, you will probably find standards and guidelines around protecting systems from DDoS.

Usage Vulnerabilities

Just because a system can be used in a secure way, it doesn't mean a user will use it in a secure way. Usage vulnerabilities occur when a user (usually through inexperience, not malice) violates the security policy and causes a vulnerability in the network. One common example is when a user adds a modem to his computer so he can dial up after hours to do work. The user probably personally installed the remote control software and, in doing so, most likely did not enable any of the security features. Therefore, an attacker can use that same modem as a launching point to attack the rest of the network.

Attack Results

All attacks have specific results, which can be categorized as one of five types. The result shown in the figure (screenshot_014.png) was denial of service. Howard lists four types of result:

  • disclosure of information
  • corruption of information
  • denial of service
  • theft of service

and here we add a fifth:

  • increased access

The following definitions of the first four types of attack results come straight out of Howard's work.

NOTE Although the first four definitions provided are from Howard's paper, the definitions are themselves references within Howard's document. Refer to Howard's paper for more specific references.

Disclosure of Information

Disclosure of information is the dissemination of information to anyone not authorized to access that information. This includes sniffing passwords off the wire, reading parts of a hard disk drive you are unauthorized to access, learning confidential information about your victim, and so on.

Corruption of Information

Corruption of information is any unauthorized alteration of files stored on a host computer or data in transit across a network. Examples include website defacement, man-in-the-middle (MITM) attacks, viruses that destroy data, and so on.

Denial of Service

Denial of service (DoS) is the intentional degradation or blocking of computer or network resources. Most types of flooding attacks have DoS as a primary objective. Similarly, intentionally crashing network resources can create a DoS condition, as would reconfiguration of certain network devices.

Theft of Service

Theft of service is the unauthorized use of computer or network services without degrading the service to other users. Stealing someone's password and logging on to the network is a good example, as is accessing a wireless LAN without authorization or pirating software.

Increased Access

Increased access is the resultant unauthorized increase in user privileges that occurs when accessing computer or network services. Executing a buffer overflow attack is a good example of an attack resulting in increased access.

NOTE Increased access typically is not the end result of an attack as are the preceding four attack results. It is more often a midpoint to further attacks, which can ultimately accomplish one of the other four results.

Attack Taxonomy

Attack taxonomies are almost always inaccurate in some way. They either create conditions in which attacks exist in more than one category or conditions in which a given attack doesn't have a clear home. But without a reasonably comprehensive attack taxonomy, security designers have no way of knowing whether their architecture addresses the threats it must.

We cover the main types of attacks against networks and the results they generally create. The main families (also called classes) of attacks are as follows:

  • Read: gain access to unauthorized information
  • Manipulate: modify information
  • Spoof: provide false information or offer false services
  • Flood: overflow a computer resource
  • Redirect: change the flow of information
  • Composite: comprise more than one of the listed methods

NOTE If you have a taxonomy that you are more comfortable or familiar with, feel free to use it here. This taxonomy is very network centric.

Each attack class can comprise a number of attack elements or subclasses. For example, the first class read includes the subclass reconnaissance and the attacks sniffer and direct access. Each subclass comprises two or more attack elements. The attack elements for the reconnaissance subclass are data scavenging, wardial/drive, and probing and scanning. The entire attack taxonomy is presented in screenshot_016.png.

The table below shows the analysis of a sample attack: probing and scanning.

  • Attack name: Probing and scanning
  • Class/subclass: Read/reconnaissance
  • Example implementations: Nmap, Nessus
  • Prerequisites: Data scavenging
  • Pertinent vulnerability: None
  • Typical use: Learn the IP addresses and applications available at the victim network
  • Attack result: Disclosure of information
  • Likely follow-up attack: Almost anything
  • OSI layers: 3-7
  • Detection: IDS and firewalls (with log analysis)
  • Protection: None
  • Detection difficulty: 4
  • Ease of use: 5
  • Frequency: 5
  • Impact: 2
  • Overall rating: 37

The following list defines the components of the table:

Member of class/subclass Refers to the class and subclass to which the specific attack belongs. In the example above, probing and scanning is a member of the class read and the subclass reconnaissance.

Example implementations Provides examples of the given attack. In some cases, this might link to a website about the subclass of attacks rather than to a specific example.

Prerequisites Lists required or optional attacks that enable or enhance the attack in question. Optional prerequisites are noted in the field with an (optional) marker. In this case, data scavenging is necessary first to determine the IP address ranges of the systems the attacker will scan.

Pertinent vulnerability Cites the most common vulnerability type enabling the attack from the list of five vulnerability types discussed earlier in this text. In this example, there is no real vulnerability because some form of probing and scanning is always possible on IP networks.

Typical use Explains the most common use of a particular attack. This generally relates to the attack result.

Attack result Cites the most common attack result from the list of five explained earlier.

Likely follow-up attack Lists the attack most likely to be run after a successful attempt at the attack in question. In this example, after a probe and scan, almost any attack can be run. From the Internet, application manipulations are very common once a vulnerable system is scanned.

OSI layers Lists the most common Open Systems Interconnection (OSI) layers used in the attack.

Detection Lists the security technology that is capable of detecting but not preventing the attack. In this case, intrusion detection systems (IDS) are able to detect many types of scans and probes, and firewalls can also show scans if their log data is analyzed.

Protection Lists the security technology that actually stops or helps to stop a particular attack. These technologies can also aid in detection but are never listed in both categories. Because there are always exceptions in network security, the inclusion of a particular technology does not mean it is 100 percent effective against the attack. Defense-in-depth still applies.

The remaining five fields in Table are numeric values, and the final field shows an overall rating of the attack. This rating can be used as a rough guide to determine the level of concern you should have for a particular attack. Higher numbers are always better for the attacker and worse for you. The criteria are rated on a 1 to 5 scale, and the overall rating is derived from this formula:

(Detection Difficulty * 1) + (Ease of Use * 2) + (Frequency * 3) + (Impact * 4) = Overall Rating

This formula produces a range from 10 (shouting nasty words at the network with the hope it will crash) to 50 (I won't even say).

WARNING I chose the values for rating attacks in a completely subjective manner. Anyone with 10 minutes and a favorite spreadsheet program can begin to reproduce these values with weightings more appropriate to their security policy or even the specific area of the network. I selected the values based on my own and my customers' experiences.
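The following added Python example (not from the original page) implements the rating formula with the weights as a parameter, so the re-weighting the WARNING describes can be done in a few lines instead of a spreadsheet. The scores for probing and scanning are the ones in the table above; the two other attacks, their scores and the alternative weighting are hypothetical, constructed only to show how the priority order changes when the weights change.

```python
# Added example, not from the original page. The probing-and-scanning scores
# come from the table in the text; the two other attacks are hypothetical.
DEFAULT_WEIGHTS = {
    "detection_difficulty": 1,
    "ease_of_use": 2,
    "frequency": 3,
    "impact": 4,
}


def overall_rating(scores, weights=DEFAULT_WEIGHTS):
    """Weighted sum of the four 1-5 criteria; 10..50 with the default weights."""
    total = 0
    for field, weight in weights.items():
        value = scores[field]
        if not 1 <= value <= 5:
            raise ValueError(f"{field} must be on a 1-5 scale, got {value}")
        total += weight * value
    return total


def rank_attacks(attacks, weights=DEFAULT_WEIGHTS):
    """Return [(rating, name), ...] sorted highest concern first."""
    rated = [(overall_rating(scores, weights), name) for name, scores in attacks.items()]
    return sorted(rated, key=lambda r: (-r[0], r[1]))


# Constructed data: only "probing and scanning" uses values from the text.
SAMPLE_ATTACKS = {
    "probing and scanning":  {"detection_difficulty": 4, "ease_of_use": 5, "frequency": 5, "impact": 2},
    "hypothetical attack A": {"detection_difficulty": 2, "ease_of_use": 2, "frequency": 2, "impact": 5},
    "hypothetical attack B": {"detection_difficulty": 5, "ease_of_use": 1, "frequency": 1, "impact": 5},
}

# A hypothetical re-weighting for a network segment where hard-to-detect,
# high-impact attacks matter more than sheer frequency.
STEALTH_WEIGHTS = {"detection_difficulty": 4, "ease_of_use": 1, "frequency": 1, "impact": 4}

if __name__ == "__main__":
    for label, weights in (("default", DEFAULT_WEIGHTS), ("stealth", STEALTH_WEIGHTS)):
        print(label)
        for rating, name in rank_attacks(SAMPLE_ATTACKS, weights):
            print(f"  {rating:3d}  {name}")
```

With the default weights probing and scanning comes out at 37, ahead of both hypothetical attacks; under the stealth weighting the rarely seen, hard-to-detect attack B moves to the top, which is the kind of re-ordering the text says to expect when the same attacks are evaluated for a different part of the network.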

The following describes the remaining five fields and the rating scale for each:

Detection difficulty Refers to the approximate difficulty network staff will have in detecting the attack. Secure networking best practices are assumed. Later, these values might trend up or down depending on the capabilities of a particular network design. The attacker is assumed to have midlevel competence. The probe and scan attack example earned a 4 because most modern scanners have the ability to scan so slowly that they stay below the radar of most IDS systems (1 = almost trivial to detect; 5 = almost impossible to detect).
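To make the detection-difficulty point concrete, here is an added Python example (not from the original page) that runs a simple scan detector over constructed firewall deny-log lines, the "firewalls (with log analysis)" detection listed in the table. It counts the distinct destination host:port targets each source touches inside a sliding time window and alerts when the count reaches a threshold. The sample log contains a fast scanner, a slow scanner (one port every five minutes) and a benign host retrying two ports; the log format, addresses and timing are all constructed for this example. With a 60-second window the slow scanner stays under the threshold, exactly as the text describes, and only a much longer window catches it.

```python
# Added example, not from the original page: sliding-window scan detection
# over constructed firewall deny-log lines. Format, hosts and timing are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> DENY <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Return [(timestamp, src, dst, port), ...]; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def detect_scanners(events, window_seconds, min_targets):
    """Return {src: time_of_first_alert} for every source that touches at least
    min_targets distinct (dst, port) pairs within any window_seconds-long window.
    Events may arrive unsorted; only distinct targets count, so retries against
    the same port do not look like a scan."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, (dst, port)))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, items in by_src.items():
        counts = {}   # target -> number of events for it inside the current window
        left = 0      # index of the oldest event still inside the window
        for ts, target in items:
            counts[target] = counts.get(target, 0) + 1
            while items[left][0] < ts - window:   # evict events older than the window
                old = items[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_targets:
                alerts[src] = ts
                break
    return alerts


def build_sample_log():
    """Constructed log: a fast scanner, a slow scanner and a noisy benign host."""
    t0 = datetime(2011, 12, 8, 18, 0, 0)
    lines = []
    for i in range(20):   # fast scan: 20 ports in two seconds
        ts = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} DENY 198.51.100.7 -> 192.0.2.10:{1 + i}")
    for i in range(12):   # slow scan: one new port every five minutes
        ts = t0 + timedelta(seconds=300 * i)
        lines.append(f"{ts.isoformat()} DENY 203.0.113.9 -> 192.0.2.10:{21 + i}")
    for i in range(30):   # benign but noisy: repeated retries against two ports
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} DENY 10.0.0.5 -> 192.0.2.20:{443 if i % 2 else 80}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    for window in (60, 3600):
        print(f"window {window}s, threshold 10: {detect_scanners(events, window, 10)}")
```

The trade-off the example exposes is the real one: widening the window to an hour catches the slow scanner, but any detector that keeps an hour of per-source state will also be easier to flood, and the scanner can simply slow down again. That is why the text rates detection difficulty for scanning at 4 rather than lower.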

Ease of use Refers to how hard the attack is to execute. When tools for the attack are freely available in the public domain, the rating increases. For attacks with no publicly available tools or for which public tools are of limited use (as in the case of worms), the value trends lower.

Probing and scanning earned a 5 in this category because almost anyone can scan. Even my Macintosh comes standard with a port scanner in the default installation (1 = elite skills required; 5 = script kiddie ability needed).

Frequency Refers to how common the attack is in the area of the network in which it is most effective. For example, an Address Resolution Protocol (ARP) redirection attack might have a midtier frequency rating even though it is almost never launched against an Internet edge (since the attack doesn't cross routers). As anyone who has ever looked at a firewall or IDS log will tell you, probing and scanning easily earns a 5 in this category (1 = attack is almost never seen; 5 = most large networks see this attack daily).

Impact A measurement of the damage caused by the successful execution of the attack. This value certainly changes based on the type of asset the attack affects. The rating provided in this field is an average. If there is a very dangerous attack that is made possible by the listed attack, the impact rating tends to increase even if the listed attack is fairly benign. This is the case with probing and scanning. By itself, probing and scanning earns only a 1 in impact, but because scanning makes follow-up attacks more likely to be successful, the attack earns a 2 (1 = little to no impact; 5 = better brush up the résumé, just in case).

Overall rating Refers to how this attack stacks up against others you are likely to encounter. This rating isn't as important as its relationship to the rest of the attacks under evaluation. For example, an attack rating of 30 doesn't mean that you can ignore the attack, but if you are dealing with several attacks that have higher ratings, you should give them priority (of course, with adjustments based on the location of the network or your own security policy). Later you will see how these overall ratings change based on the location of the network you are trying to protect. What was once a top-5 issue can struggle to be in the top 20 (10 = no worries; 50 = instant insomnia).