RE: how to verify whether an attack attempt is successful?
Certainly the technique of combining vulnerability assessment data with
attack information is an excellent way to determine success. However,
some specific pitfalls you need to be aware of when using this approach
are:
- Vulnerability data is never as recent as the attack; just because a
system wasn't vulnerable yesterday to a vulnerability and it got
attacked today, doesn't mean it wasn't vulnerable at the time of attack.
Of course, some vulnerabilities are quite unlikely to have been
introduced in any given period of time (Solaris exploits against a
Windows server), but others could easily have been.
- The alternative approach, scanning for a vulnerability AFTER an
attack, is even more dangerous to false-negative results on remote
access vulnerabilities since an attacker cognizant of this being done
would instantaneously 'fix' the vulnerability so it appeared to fail.
On less serious vulnerabilities where an attacker wouldn't have access
to do this, it is a fairly reliable approach, though.
- Just because an attack was made against a specific vulnerability and
that vulnerability exists on a machine does not mean that the attack was
successful. Case in point: many vulnerability scanners will 'trigger' IDS
alerts on systems without ever actually exploiting the vulnerabilities;
also many exploits are very dependent on specific systems and versions
and an attacker may be using the wrong exploit (e.g. wrong shellcode in an
overflow) for a vulnerability.
- With the advent of more behavioral intrusion prevention software,
there is the potential for a lot of ambiguity in defining whether a
system is vulnerable to attack or not. If a system is running a
vulnerable service, but it is also running a host IPS that catches and
stops the vulnerability from being exploited, is that a vulnerability or
not? (for that matter, if it's behind an in-line network IPS and there
is no internal threat). Some scanning tools might say yes, some might
say no. Some experts might say yes, some might say no. I'd say it's
still a vulnerability, but a lower priority one than if it was more
easily exploitable, but I doubt any security scanner out there can make
that same judgement for you. How your tools answer these questions will
play into the accuracy and usefulness of the 'success' metrics your IDS
can generate.
> In general it's impossible to determine the success of attacks with
> only a network IDS (NIDS).
In many situations, you can determine success by looking at the
bidirectional communication between attacker and system. The behavior
of a vulnerable system compared to that of a non-vulnerable system to an
attack is often different and well-defined, although figuring this out
is a lot more engineering work than writing a signature or analyzing
unidirectional communication, and there are evasive measures attackers
could use to avoid the appearance of success.
-Dave
David J. Meltzer
djm@intrusec.com
CTO, Intrusec, Inc.
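The correlation logic Dave describes, with his pitfalls encoded as explicit verdicts, as an added example that is not part of the thread or of any product: a stale or post-attack scan is marked inconclusive rather than "not vulnerable", a host IPS downgrades priority instead of hiding the finding, and "likely successful" additionally requires an attack-specific victim response in the bidirectional exchange. All hosts, timestamps and vulnerability names are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): IDS alerts and VA scan results.
# "vuln" values are placeholders, not real vulnerability identifiers.
ALERTS = [
    {"ts": "2003-01-16T02:28", "dst": "10.0.0.5", "vuln": "VULN-A", "victim_response": True},
    {"ts": "2003-01-16T03:00", "dst": "10.0.0.6", "vuln": "VULN-A", "victim_response": False},
    {"ts": "2003-01-16T04:00", "dst": "10.0.0.7", "vuln": "VULN-B", "victim_response": False},
    {"ts": "2003-01-16T05:00", "dst": "10.0.0.8", "vuln": "VULN-B", "victim_response": True},
]
VA_SCANS = {
    "10.0.0.5": {"scanned": "2003-01-15T22:00", "vulns": {"VULN-A"}, "host_ips": False},
    "10.0.0.6": {"scanned": "2003-01-15T22:00", "vulns": {"VULN-A"}, "host_ips": True},
    "10.0.0.7": {"scanned": "2002-12-01T00:00", "vulns": set(), "host_ips": False},
    "10.0.0.8": {"scanned": "2003-01-17T00:00", "vulns": set(), "host_ips": False},
}
MAX_SCAN_AGE = timedelta(days=7)  # assumed freshness window for pre-attack VA data


def assess(alert, scans, max_age=MAX_SCAN_AGE):
    """Return (verdict, note) for one alert, combining it with the host's VA record."""
    rec = scans.get(alert["dst"])
    if rec is None:
        return "unknown", "no VA data for host"
    attacked = datetime.fromisoformat(alert["ts"])
    scanned = datetime.fromisoformat(rec["scanned"])
    present = alert["vuln"] in rec["vulns"]
    if scanned > attacked:
        # Post-attack scan: a clean result proves little, the attacker may have
        # closed the hole behind themselves.
        if present:
            return "vulnerable", "post-attack scan still shows the vulnerability"
        return "inconclusive", "post-attack scan clean; attacker could have patched it"
    if not present:
        age = attacked - scanned
        if age > max_age:  # VA data older than the attack by too much to trust
            return "inconclusive", f"not vulnerable at last scan, but scan is {age.days} days old"
        return "likely failed", "not vulnerable at recent scan"
    if rec["host_ips"]:
        # Still a vulnerability, but a lower-priority one: host IPS may block exploitation.
        return "mitigated", "vulnerable service but host IPS in place; lower priority"
    if alert["victim_response"]:
        return "likely successful", "vulnerable and attack-specific victim response observed"
    return "vulnerable, unconfirmed", "vulnerable but no success indicator in the exchange"


def triage(alerts, scans):
    """Map each attacked host to its verdict; used to rank analyst follow-up."""
    return {a["dst"]: assess(a, scans)[0] for a in alerts}
```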
-----Original Message-----
From: detmar.liesen@lds.nrw.de [mailto:detmar.liesen@lds.nrw.de]
Sent: Thursday, January 16, 2003 2:28 AM
To: yzhai@unity.ncsu.edu; focus-ids@securityfocus.com
Subject: RE: how to verify whether an attack attempt is successful?
> Is there any technology developed in this direction?
Sure there is.
With some attacks you can determine whether or not the attack was
successful because the system under attack responds in an
attack-specific way. Snort has some attack-responses rules, but none of
these ever triggered on my network and I haven't yet had a closer look
at those rules, so I don't know if they are really useful.
In general it's impossible to determine the success of attacks with only
a network IDS (NIDS).
What you can do at network level is to compare detected attack-attempts
with information from a vulnerability-database. The vulnerability
information can be gathered by using VA tools like nessus.
Thus you can always determine whether or not the system under attack is
vulnerable to that specific attack. If so, you can be damned sure that
the attack succeeds.
However, this is not a 100% reliable way. But such things are never very
reliable. They are an aid at analysing events more quickly and
accurately because you gain a better "signal-noise-ratio".
But host-based IDSs can do this quite accurately because they utilize
more than just packet-stream information.
Host-based IDSs look into log files, check file-system integrity (i.e.
whether any files have been modified) and they can also analyse system and
API calls at kernel level.
HTH,
Detmar Liesen
Received on Mon Jan 20 17:54:59 2003