pacific security japan · november 6 / 7, 2003 · tokyo, japan · state of the art security from an...
TRANSCRIPT
![Page 1: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/1.jpg)
State of the Art Security from an Attacker's Viewpoint
State of the Art Security from an Attacker's Viewpoint
Ivan Arce · Gerardo Richarte
Core Security Technologies46 Farnsworth St
Boston, MA 02210
Ph: (617) 399-6980
www.coresecurity.com
Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan
![Page 2: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/2.jpg)
State of the Art Security from an Attacker's Viewpoint
Who we are?
What do we do?
We work for Core Security Technologies | http://www.coresecurity.com
Gerardo RicharteLead Exploit developer
Associate Sr. Consultant
Ivan ArceCTO
Software that automates Penetration Testing
Penetration Testing and Software Security Auditing services
![Page 3: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/3.jpg)
State of the Art Security from an Attacker's Viewpoint
We will discuss information security from an attacker‟s perspective
Current Attack & Penetration practices
Privilege Escalation and Pivoting
Other attack targets
Attack planning and modeling
OUTLINE
![Page 4: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/4.jpg)
State of the Art Security from an Attacker's Viewpoint
ATTACK AND PENETRATION
To improve our security posture we need to understand the attacker
![Page 5: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/5.jpg)
State of the Art Security from an Attacker's Viewpoint
Mass-rooters and „skript kiddies‟ use the simplest attack methodology
Information
GatheringPenetration
Attack
![Page 6: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/6.jpg)
State of the Art Security from an Attacker's Viewpoint
A dedicated attacker adds extra steps to increase success rate
Privilege
Escalation
Information
GatheringPenetration
Vulnerability
DetectionAttack
![Page 7: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/7.jpg)
State of the Art Security from an Attacker's Viewpoint
Sophisticated attackers plan ahead and go deeper
Analysis &
Planning
Privilege
Escalation
Information
GatheringPenetration
Vulnerability
DetectionAttack
![Page 8: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/8.jpg)
State of the Art Security from an Attacker's Viewpoint
Professional penetration testers must fit in business criteria
Analysis &
Planning
Scope/Goal
Definition
Clean Up
Reporting
Privilege
Escalation
Information
GatheringPenetration
Vulnerability
DetectionAttack
![Page 9: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/9.jpg)
State of the Art Security from an Attacker's Viewpoint
Penetration testing efficiency can be improved with methodology
Scope/Goal
Definition
Clean Up
Reporting
Privilege
Escalation
Penetration
Vulnerability
DetectionAttack
Analysis &
Planning
Information
Gathering
Information
Gathering
Analysis &
Planning
![Page 10: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/10.jpg)
State of the Art Security from an Attacker's Viewpoint
And still mimic the most basic attack scenarios…
Information
Gathering
Scope/Goal
Definition
Clean Up
Reporting
Privilege
Escalation
Analysis &
PlanningPenetration
Attack
![Page 11: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/11.jpg)
State of the Art Security from an Attacker's Viewpoint
PRIVILEGE ESCALATION AND PIVOTING
Compromised systems are used to launch further attacks
![Page 12: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/12.jpg)
State of the Art Security from an Attacker's Viewpoint
A sophisticated real-world attacker will leverage trust relationships to gain
access to more valuable information assets
ANATOMY OF A REAL-WORLD ATTACK
Base camp
A target server is attacked and compromised
The acquired server is used as vantage point
to penetrate the corporate net
Further attacks are performed as an internal user
External
attacker’s system
![Page 13: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/13.jpg)
State of the Art Security from an Attacker's Viewpoint
Pivoting can be a complex and time-consuming step
After successful attack against a target
Use the compromised host as a vantage point (pivoting)
– Attacker profile switch: from external to internal
– Take advantage of the target credentials within its network
– Exploit trust relationships
To be able to pivot, the tester needs his tools available at the vantage point
THE PRIVILEGE ESCALATION PHASE
targettester
rest of neworktransfer
![Page 14: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/14.jpg)
State of the Art Security from an Attacker's Viewpoint
There are several methods used to maintain access to a compromised system
Add direct shell access on a listening port
echo "ingreslock stream tcp nowait root /bin/sh sh -i" >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob &"
Add a new account to the compromised systemecho "sys3:x:0:103::/:/bin/sh" >> /etc/passwd;
echo "sys3:1WXmkX74Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow
Use a “call home” command shell
Install backdoor using existing binariesSSH daemon, telnetd, , etc.
Install rootkits to ensure access, establish cover channel and minimize detection
Enhance attack payload (shellcode) to provide the techniques described above
COMMON PENETRATION TECHNIQUES
![Page 15: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/15.jpg)
State of the Art Security from an Attacker's Viewpoint
Agents provide seamless pivoting after successful exploitation
Exploits deploy an agent on compromised systems
– Payload is independent from exploitation specifics
– Payload is independent from settings not related to exploitation technique
– Payload is platform dependant
– Suppy small agent as attack payload
» Agent highly optimized for size (Linux agent ~80 bytes, Windows ~180bytes)
» Agent inherits privileges of vulnerable program
Benefits
– Transparent pivoting
– “Local” privilege escalation
– Doesn‟t rely on the presence and availability of a shell
– Easy to clean up
USING AGENTS AT THE BASE CAMP
ATTACK
![Page 16: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/16.jpg)
State of the Art Security from an Attacker's Viewpoint
Agents provide platform independence
Provides a uniform layer for interacting with the underlying system
– Generic modules are platform independent
– Porting the agent to different platforms effectively makes all modules available on
that platform
Isolates the particular characteristics of the pivoting host platform from the
module
– Simplifies module development
– Simplifies product use
THE AGENT PLATFORM
Module
Agent Interface
OS
[python code]
open(‘anyfile.txt’, ‘r’)
CreateFileEx() open()
![Page 17: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/17.jpg)
State of the Art Security from an Attacker's Viewpoint
Agents are automatically chained to assure connectivity
Automatic: agents are chained to the current source agent (implicit chaining)
Enables the tester to communicate with agents deep into the target network
AGENT CHAINING
![Page 18: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/18.jpg)
State of the Art Security from an Attacker's Viewpoint
Multiple agent connection methods aid in providing connectivity in different
network environments
Connect to target
Connect from target
Reuse socket
AGENT CONNECTION METHODS
Connects TO agent
Sends Attack
Connects FROM agent
Sends Attack
Reuses same TCP
connection
Sends Attack
![Page 19: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/19.jpg)
State of the Art Security from an Attacker's Viewpoint
Syscall proxying agents transparently provide remote execution
A process interacts with resources
through the OS
SysCall Proxying in action
Process
OS services
(system calls)
Resources
workstation
Syscall client
Syscall server
server
Process
OS services
(system calls)
Resources
workstation
SYSCALL PROXYING AT A GLANCE
![Page 20: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/20.jpg)
State of the Art Security from an Attacker's Viewpoint
References implementation of Syscall Proxying and Inline Egg areavailable
Syscall Proxying
Windows and Linux x86 reference implementation for non-commercial use
http://www.coresecurity.com/files/files/13/SyscallProxying.pdf
http://www.coresecurity.com/files/files/13/Samples.zip
Inline Egg
Reference implementation using Python for non-commercial use
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html
IMPLEMENTATION OF AGENT TECHNOLOGIES
![Page 21: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/21.jpg)
State of the Art Security from an Attacker's Viewpoint
OTHER ATTACK TARGETS
A determined attacker will engage ANY available target
![Page 22: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/22.jpg)
State of the Art Security from an Attacker's Viewpoint
The list of possible targets of attacks is not limited to just servers and
networking equipment
Routers, switches, servers, FWs, IDSes
The organization as a whole
Individuals and their workstations
Other networking capable gadgets
Trusted third parties
… and more?
ATTACK TARGETS
![Page 23: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/23.jpg)
State of the Art Security from an Attacker's Viewpoint
The whole organization as target
Publicly available information
Business oriented targets
Security beyond the perimeter
An organization is dependant on people
Physical security
Denial of service – Public image attacks
ORGANIZATION AS TARGET
![Page 24: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/24.jpg)
State of the Art Security from an Attacker's Viewpoint
Attacks against specific individuals and their environment
Some examples
Representations of a Person
Impersonation attacks
Use the front door (not the backdoor)
Person - Workstation - Client side attacks
Internal honeypots and IDSes
PERSON AS TARGET
![Page 25: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/25.jpg)
State of the Art Security from an Attacker's Viewpoint
ATTACK
Attacking workstation software requires solution to some technical questions
and implementation of a suitable framework
Anatomy of a real–world client side attack.
AsyncAgent
Connector
Target
workstation
COMM. CHANNEL
agent
Attacker’s
system
![Page 26: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/26.jpg)
State of the Art Security from an Attacker's Viewpoint
Targeting individuals has several advantages
Lighter maintenance
Less skilled enemy
More software (more bugs)
More targets
Right to the inside
Diversity is better
ADVANTAGES
![Page 27: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/27.jpg)
State of the Art Security from an Attacker's Viewpoint
…but requires more sophisticated techniques and a flexible framework
Tougher tuning
It may be more noisy
Asynchronous nature
Communication channel
Uptime
DISADVANTAGES
![Page 28: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/28.jpg)
State of the Art Security from an Attacker's Viewpoint
To effectively use persons as attack targets we need a whole new set of tools
Network mapping using email headers
Person discovery tools
Craft profiles / trust relationships graphs
OS and application detection
Reverse traceroute
TOOLS
![Page 29: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/29.jpg)
State of the Art Security from an Attacker's Viewpoint
Network capable gadgets are also part of the infrastructure and therefore
possible targets
Network printers
Home DSL routers and cable modems
Cellular phones, PDAs
Gaming consoles, cameras
Other embedded systems
NETWORK CAPABLE GADGETS
![Page 30: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/30.jpg)
State of the Art Security from an Attacker's Viewpoint
ATTACK PLANNING AND ATTACK MODELING
More attack sophistication and efficiency can be gained by improving
methodologies and applying problem-solving technologies
![Page 31: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/31.jpg)
State of the Art Security from an Attacker's Viewpoint
An overview of current Information Gathering methodology
Establish candidate target hosts
Determine host liveness
Network mapping
OS Detection
Identification of target services
STARTING THE ATTACK
![Page 32: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/32.jpg)
State of the Art Security from an Attacker's Viewpoint
How useful is the current methodology?
How do we use the outcome of IG?
Do we use all the information we gather?
Does it really matter if port 9 is open?
Does it help to know the OS of every host?
Is it really worth using a Vuln.Scanner?
SOME QUICK QUESTIONS
![Page 33: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/33.jpg)
State of the Art Security from an Attacker's Viewpoint
An example of attack planning for the information gathering phase
Goal: To gain control of any host in target network
Assets: Target's IP addressControl of my boxA set of IG tools and exploits
Actions:test if a given port is open (port probe)exploit ssh (on an OpenBSD)exploit wu-ftpd (on a Linux)exploit IIS (on a Windows)exploit apache (on a Linux)
Plan:Probe only ports 22, 80 and 21.Probe port 80 first!As soon as a port is found open, run an exploit.Keep probing other ports only if exploit fails.
goal
ssh x IIS x apache x wu-ftpd x
port 80 port 21port 22
port
probe
my box
![Page 34: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/34.jpg)
State of the Art Security from an Attacker's Viewpoint
Our simplistic example can outline some interesting lessons
Planning for tools we already have
Planning for services on standard ports
Simple goal
Different priorities would influence the plan
Do we really need to port probe?
How could we use an OS detector?
INTERESTING NOTES
![Page 35: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/35.jpg)
State of the Art Security from an Attacker's Viewpoint
A slight variation of our first example…
Goal: To gain control of ALL possible hosts on a given network
Actions:test if a given port is open (port probe)test if a given host is alive (host probe)exploit SSH (on an OpenBSD)exploit wu-ftpd (on a Linux)exploit IIS (on a Windows)exploit apache (on a Linux)
Plan:Don‟t use the host probe first.Probe only ports 80,22 and 21Probe ONLY port 80 first!Launch exploit for every open port.Probing other ports if exploit fails.[Host probe remaining hosts][Probe non-standard ports]
Assets: Target's IP addressControl of my boxA set of IG tools and exploits
goal
ssh x IIS x apache x wu-ftpd x
port
probe
host
probe
port 80port 22 port 21
my box
host
![Page 36: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/36.jpg)
State of the Art Security from an Attacker's Viewpoint
… illustrates some common sense ideas
The plan depends of the end goal
Planning based on available assets
Planning based on available information
Kelyacoubian statistics, known ports
Do we really need to host probe?
How could we use an OS detector?
OTHER INTERESTING NOTES
![Page 37: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/37.jpg)
State of the Art Security from an Attacker's Viewpoint
As the number of available tools increases the complexity of planning and
executing successful attacks also increases
Our IG and exploit tools are un-realiable
Our exploit tools can disrupt targets (DoS)
Some exploits have dependencies on others
Goals are defined more precisely
Systems and individuals detect attacks and react
Attack execution time is constrained
WHAT IF…
![Page 38: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/38.jpg)
State of the Art Security from an Attacker's Viewpoint
Introduction of technology-based attack analysis and planning can solve some
problems
Analysis &
Planning
Scope/Goal
Definition
Clean Up
Reporting
Privilege
Escalation
Information
GatheringPenetration
Vulnerability
Detection
Attack
![Page 39: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/39.jpg)
State of the Art Security from an Attacker's Viewpoint
To address attack analysis and planning we must first be able to model
attacks from the attacks perspective
Attack planning
Risk assessment
Attacker profiling
Higher level of abstraction for IDS
Computer aided intrusion
Automated intrusion
Priorization of tool development
USES FOR AN ATTACK MODEL
![Page 40: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/40.jpg)
State of the Art Security from an Attacker's Viewpoint
The model - Introduction
Actions» Things you can do
Assets» Things you have or know
Agents» The actors, who can do Actions
Goals» Purpose and end result of attack
Costs» The cost of a given action
Plan» Actions needed to fulfil a goal
Attack Graph» Union of all possible plans
MODEL COMPONENTS
![Page 41: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/41.jpg)
State of the Art Security from an Attacker's Viewpoint
Existing models do not reflect the attacker‟s concerns
Produced noise / Stealthiness
Total running time
Probability of success
Trust
Traceability
Novelty ( 0-day-ness)
SOME CONCERNS ASSOCIATED TO “COST OF ATTACK”
![Page 42: Pacific Security Japan · November 6 / 7, 2003 · Tokyo, Japan · State of the Art Security from an Attacker's Viewpoint Pivoting can be a complex and time-consuming step After successful](https://reader033.vdocuments.site/reader033/viewer/2022050212/5f5e5b330c91d6410949fbc2/html5/thumbnails/42.jpg)
State of the Art Security from an Attacker's Viewpoint
[email protected] [email protected]
CONTACT INFORMATION FOR FOLLOW-UP
Headquarters · Boston, MA
46 Farnsworth St
Boston, MA 02210 | USA
Ph: (617) 399-6980 | Fax: (617) 399-6987
Research and Development Center
Argentina (Latin America)
Florida 141 | 2º cuerpo | 7º piso
(C1005AAC) Buenos Aires | Argentina
Tel/Fax: (54 11) 5032-CORE (2673)
www.coresecurity.com