This chapter presents a brief discussion of the desired characteristics of a taxonomy. This is followed by a critique of current taxonomies in the computer and network security field. These current taxonomies include lists of terms, lists of categories, results categories, empirical lists and matrices. A proposed taxonomy for computer and network attacks is then presented. This taxonomy was developed from the criticisms of the current taxonomies, from the definition of computer security presented in Chapter 5, and from a process or operational viewpoint of means, ways, and ends. From this viewpoint, an attacker on computers or networks attempts to reach or "link" to ultimate objectives. This link is established through an operational sequence of tools, access, and results that connects these attackers to their objectives. The next chapter uses this attack taxonomy, along with other parameters, to classify Internet incidents (groups of attacks).

6.1. Characteristics of Satisfactory Taxonomies

A taxonomy should have classification categories with the following characteristics [Amo94:34]:

1) mutually exclusive - classifying in one category excludes all others because categories do not overlap,
2) exhaustive - taken together, the categories include all possibilities,
3) unambiguous - clear and precise so that classification is not uncertain, regardless of who is classifying,
4) repeatable - repeated applications result in the same classification, regardless of who is classifying,
5) accepted - logical and intuitive so that they could become generally approved,
6) useful - can be used to gain insight into the field of inquiry.

These characteristics can be used to evaluate possible taxonomies. It should be expected, however, that a satisfactory taxonomy will be limited in some of these characteristics. A taxonomy is an approximation of reality that is used to gain greater understanding in a field of study. Because it is an approximation, it will fall short in some characteristics. This may be particularly the case when the characteristics of the data being classified are imprecise and uncertain, as was the data for this study. Nevertheless, classification is an important and necessary process for systematic study.

6.2. Toward a Taxonomy of Computer and Network Attacks

As presented in Chapter 1, an attack is a single unauthorized access attempt, or unauthorized use attempt, regardless of success. An incident, on the other hand, involves a group of attacks that can be distinguished from other incidents because of the distinctiveness of the attackers, and the degree of similarity of sites, techniques, and timing. Since incidents are made up of attacks, it is appropriate to develop a taxonomy for attacks which can then be used within a broader classification of incidents.

A taxonomy of attacks is, however, useful by itself. Such an attack taxonomy may facilitate the development of policy recommendations for increasing Internet security. An attack taxonomy is also useful both in the development of new systems, and in evaluating existing systems.

    By comparing possible categories of attack against the details of the target system of interest, one establishes a means for determining how well that system is likely to stand up to potential security attacks . . . [Amo94:33]

Finally, an attack taxonomy can be used to evaluate the effectiveness of mitigation efforts, such as law enforcement, investigation, disclosure of vulnerability information, incident response, etc. For this research, the taxonomy will be used to determine the relative frequency of various attack activity. This is presented in Chapter 8.

6.3. Current Computer and Network Security Taxonomies

Computer and network security taxonomies do not necessarily focus on attacks, as will be done in the taxonomy developed for this research.
For example, some authors focus more narrowly on security flaws or vulnerabilities, which could be used for attacks. Landwehr uses such an approach (to be discussed later). Regardless of whether a taxonomy focuses on attacks or not, they generally all attempt to classify attacks, which is the common element of these taxonomies. For purposes of being complete in this discussion, the focus will be on taxonomies involving computer and network security with the assumption that this will include attacks.

6.3.1. Lists of Terms

A popular and simple taxonomy of computer and network security attacks is a list of single, defined terms. An example is the following from Cohen [Coh95:40-54]:

Trojan horses
Toll fraud networks
Fictitious people
Infrastructure observation
E-mail overflow
Time bombs
Get a job
Protection limit poking
Infrastructure interference
Human engineering
Bribes
Dumpster diving
Sympathetic vibration
Password guessing
Packet insertion
Data diddling
Computer viruses
Invalid values on calls
Van Eck bugging
Packet watching
PBX bugging
Shoulder surfing
Open microphone listening
Old disk information
Video viewing
Backup theft
Data aggregation
Use or condition bombs
Process bypassing
False update disks
Input overflow
Hang-up hooking
Call forwarding fakery
Illegal value insertion
E-mail spoofing
Login spoofing
Induced stress failures
Network services attacks
Combined attacks

Another list is from Icove, et al. [ISV95:31-52]:

Wiretapping
Dumpster diving
Eavesdropping on Emanations
Denial-of-service
Harassment
Masquerading
Software piracy
Unauthorized data copying
Degradation of service
Traffic analysis
Trap doors
Covert channels
Viruses and worms
Session hijacking
Timing attacks
Tunneling
Trojan horses
IP spoofing
Logic bombs
Data diddling
Salamis
Password sniffing
Excess privileges
Scanning

Lists of terms generally fail to have most of the characteristics of a satisfactory taxonomy. First, the terms tend not to be mutually exclusive. For example, the terms virus and logic bomb are generally found on these lists, but a virus may contain a logic bomb, so the categories overlap. Actual attackers also generally use multiple methods. This was confirmed by this research. As a result, developing a comprehensive list of methods for attack would not provide a classification scheme that yields mutually exclusive categories (even if the individual terms were mutually exclusive), because actual attacks would have to be classified into multiple categories. This makes the classification ambiguous and difficult to repeat.

A more fundamental problem is that, assuming an exhaustive list could be developed, the taxonomy would be unmanageably long and difficult to apply. It would also not indicate any relationship between different types of attacks. As stated by Cohen,

    a complete list of the things that can go wrong with information systems is impossible to create. People have tried to make comprehensive lists, and in some cases have produced encyclopedic volumes on the subject, but there are a potentially infinite number of different problems that can be encountered, so any list can only serve a limited purpose [Coh95:54].

None of these lists has become widely accepted. Part of the reason is that the definitions of individual terms are difficult to agree on. For example, even such widely used terms as computer virus have no accepted definition [Amo94:2]. In fact, it is common to find many different definitions. Finally, this classification scheme provides no structure to the categories. This, combined with the above criticisms, limits its usefulness. For these reasons, lists of terms with definitions are not satisfactory taxonomies for classifying actual attacks.

6.3.2. Lists of Categories

A variation of the list of terms with definitions is to list categories.
An example of one of the more thoughtful lists of categories is given by Cheswick and Bellovin in their text on firewalls [ChB94:159-166]. They classify attacks into seven categories as follows:

1. Stealing passwords - methods used to obtain other users' passwords,
2. Social engineering - talking your way into information that you should not have,
3. Bugs and backdoors - taking advantage of systems that do not meet their specifications, or replacing software with compromised versions,
4. Authentication failures - defeating of mechanisms used for authentication,
5. Protocol failures - protocols themselves are improperly designed or implemented,
6. Information leakage - using systems such as finger or the DNS to obtain information that is necessary to administrators and the proper operation of the network, but could also be used by attackers,
7. Denial-of-service - efforts to prevent users from being able to use their systems.

Lists of categories are an improvement because some structure is provided, but this type of taxonomy suffers from many of the same problems as one large list of terms. Authors also tend to make lists within these lists, which makes the approach even more similar to the previous type.

6.3.3. Results Categories

Another variation of the list method is to group all attacks into basic categories that describe the results of an attack. An example is a list such as corruption, leakage, and denial, as used by Cohen [Coh95:54; RuG91:10-11], where corruption is the unauthorized modification of information, leakage is when information ends up where it should not be, and denial is when computer or network services are not available for use [Coh95:55]. Russell and Gangemi use similar categories but define them using the opposite terms: 1) secrecy and confidentiality; 2) accuracy, integrity, and authenticity; and 3) availability [RuG91:9-10]. Other authors use other terms, or use these terms differently.

This type of classification scheme has proven to be a useful framework because most individual attacks can be associated uniquely with one of these categories. However, this is not always the case. An example is an intruder who uses computer or network resources without degrading the service of others [Amo94:31]. This example could not be easily associated with one of the three typical categories.

6.3.4. Empirical Lists

A variation of the three-category taxonomy of results is to develop a longer list of categories based upon a classification of empirical data. An example of this is the taxonomy developed by Neumann and Parker to classify accounts of actual attacks sent to Neumann at SRI International as part of its Risks Forum ("Risks to the Public in Computers and Related Systems") [NeP89]. Neumann and Parker use eight categories to classify their data. One advantage of this approach is that attacks that would not logically fit into one of the three traditional categories can now be classified. The Neumann and Parker list is as follows (with examples by Amoroso [Amo94:37]):
Amoroso critiques this list as follows:

    A drawback of this attack taxonomy that should be mentioned is that the eight attack types are less intuitive and harder to remember than the three simple threat types in the simple threat categorization. This is unfortunate, but since the more complex list of attacks is based on actual occurrences, it is hard to dispute its suitability [Amo94:37].

Such a list appears to be suitable because it can classify a large number of actual attacks. If carefully constructed, such a list would have categories with the first four desired characteristics: mutually exclusive, exhaustive, unambiguous, and repeatable. However, simply being able to put all of the attacks into a category is not sufficient. As Amoroso notes, since the resulting list is not logical and intuitive, and there is no additional structure showing the relationship of the categories, its acceptance would be difficult and its use limited.

6.3.5. Matrices

Perry and Wallich present a classification scheme based on two dimensions: vulnerabilities and potential perpetrators. This allows categorization of incidents into a simple matrix as shown in Figure 6.1, where the individual cells of the matrix represent combinations of potential perpetrators (operators, programmers, data entry clerks, internal users, outside users, and intruders) and potential effects (physical destruction, information destruction, data diddling, theft of services, browsing, and theft of information), the latter being what Perry and Wallich term vulnerabilities [PeW84; Amo94:35].
The two dimensions of this matrix are an improvement over the single dimension of the results categories presented previously. The two dimensions appear to have mutually exclusive and perhaps exhaustive categories. The use of the term vulnerability to describe the terms on the left is not generally accepted, and these might better be termed the results from exploiting vulnerabilities. Perhaps more importantly, the terms inside the matrix do not appear to be logical or intuitive. For example, an outside user causing information destruction is labeled as using malicious software. This is a term generally assumed to mean computer viruses, worms or Trojan horses. An outside user, however, could use a variety of other methods to attack, such as commands at the user interface. The other terms inside the matrix have similar problems. The connection of results to perpetrators is a useful concept which has similarities to the process approach that will be used for the development of a taxonomy in this chapter. The problem in this matrix is that the connection between the two is not properly made.

Perhaps the most ambitious matrix approach to a taxonomy is found in Landwehr et al. [LBM94]. They present a taxonomy of computer security flaws (conditions that can result in denial-of-service, or the unauthorized access to data [LBM94:211]) based on three dimensions: Genesis (how a security flaw finds its way into a program), Time of Introduction (in the life-cycle of the software or hardware), and Location (in software or hardware). The first of these three dimensions, Genesis, is shown in Figure 6.2. In this dimension, security flaws are divided into two broad categories. On the top of the figure are the flaws that are "intentionally" introduced into the software, either "maliciously," such as through a Trojan horse, trapdoor, or logic/time bomb, or "non-maliciously," through a covert channel. The bottom of the figure shows the other broad category: "inadvertent" software programming errors.

The Landwehr, et al., taxonomy includes numerous terms, such as Trojan horse, virus, trapdoor, and logic/time bomb, for which there are no accepted definitions. As a result, the taxonomy suffers from some of the same problems in ambiguity and repeatability found in the simpler taxonomies described earlier. For example, classifying a virus as a Trojan horse is not universally accepted. In fact, some authors view the terms as mutually exclusive. The taxonomy also includes several "other" categories, which means the flaws that are identified may not represent an exhaustive list. An example of an exploitable flaw would be a design error which is implemented correctly in the code. This does not appear to have a place in the taxonomy.

The procedure for classification using the Landwehr, et al., taxonomy is not unambiguous when actual attacks are classified. This can be seen by attempting to classify the Internet Worm using the Genesis dimension shown in Figure 6.2. The Internet Worm program was self-replicating, so it would logically be classified as Intentional, Malicious, Trojan Horse and Replicating. However, the code took advantage of several known software bugs in the UNIX and VAX operating systems to bypass system security. The attack could, therefore, also be classified in several of the Inadvertent categories. In addition, the worm had provisions for a Logic Bomb (although one was not present), which is a different classification. Finally, the worm used a password cracking routine to bypass security, which would be difficult to classify in this taxonomy [RuG91:3-5].

It is likely that Landwehr, et al., would not recommend that an entire attack be classified in the manner just shown. Instead, the approach should be to classify the individual parts of the attack. Again using the Internet Worm as an example, each individual part should be classified. The Worm itself would be classified the same as above (intentional, malicious, Trojan horse, replicating), but the vulnerabilities exploited would be classified in other parts of the matrix. This means an attack would generally be classified in multiple categories. This problem is difficult, if not impossible, to eliminate. The reality of Internet attacks is that multiple methods are used. This same problem is found in the taxonomy developed for this research (Section 6.4). To help with this problem, the taxonomy for this research is in two parts or levels: a taxonomy for individual attacks (this chapter), and a classification of incidents (groups of attacks) which uses the attack taxonomy along with other parameters.

Perhaps the most significant limitation of the Landwehr, et al., taxonomy is one of its basic logic. When dealing strictly with software errors (bugs), the taxonomy seems logical and intuitive (the Inadvertent part of Figure 6.2). The categories in the Intentional portion of Figure 6.2, however, are not so obvious. In this case, the logic that was apparently used was that various types of software can introduce flaws in the system which could then be exploited. This logic is not intuitive. For example, it does not logically follow that the introduction of a virus into a computer system results in the creation of a flaw in the system.

The last problem with the Landwehr, et al., taxonomy is a matter of usefulness. It appears, perhaps, to be limited to determining the rates at which each flaw occurs. This results from the limited logical connection between the various categories. For all of its complication, this means the Landwehr, et al., taxonomy is primarily a sophisticated list, which has the problems and limitations of the lists discussed earlier.

6.3.6. A Process-Based Taxonomy

The taxonomy developed as part of this research is broader in scope than Landwehr, et al., because it does not attempt to enumerate all computer security flaws, or to enumerate all possible methods of attack, but rather attempts to provide a broad, inclusive framework. The intention was to reorient the focus of the taxonomy toward a process, rather than a single classification category, in order to provide both an adequate classification scheme for Internet attacks, and also a taxonomy that would aid in thinking about computer and network security.

Stallings presents a simple process model that classifies security threats [Sta95:7]. The model is narrowly focused on information in transit, but it is instructive to examine. Stallings defines four categories of attack as follows:
Interception is viewed by Stallings as a passive attack, and interruption, modification and fabrication are viewed as active attacks. These four categories are illustrated in Figure 6.3. While this is a simplified view with limited utility, its emphasis on the process of attack is useful. The approach used in Section 6.4 to develop a more comprehensive taxonomy was to classify an attack based on the broader process or operational perspective of "means, ways, and ends," discussed in Chapter 5. In the following discussion, I refer to this perspective as an "operational" viewpoint or approach.

Figure 6.3. Security Attacks [Sta95:8]

6.4. A Taxonomy of Computer and Network Attacks

From an operational viewpoint, an attacker on computers or networks attempts to reach or "link" to ultimate objectives or motivations. This link is established through an operational sequence of "means, ways, and ends" that connects attackers to objectives. For the computer security field it is appropriate to use different, more descriptive terms instead of "means, ways, and ends." For this taxonomy, the terms will be "tools, access, and results." These link together attackers and objectives in the process of computer and network attacks as shown in Figure 6.4.
This operational sequence will be expanded in this section to provide a taxonomy that will then be used to classify Internet attacks.

6.4.1. Attackers and Their Objectives

People attack computers. They do so through a variety of methods and for a variety of objectives. As stated by Icove, et al.,

    At one extreme there are the teenage "joyriders," playing around with their computers and modems. At the other extreme are ultra-dangerous criminals who break into classified military systems or corporate databases, for reasons of terrorism or military or corporate espionage. In the middle are disgruntled or fired employees, looking to wreak revenge on an employer, as well as hired [hackers] who break into systems under contract [ISV95:61].

Attackers are the obvious beginning point, the originators, for computer and network attacks. They could be identified by who they are and where they come from, such as being a high school student from a certain city, a former employee of a company, or a foreign national. They could also be identified by their capabilities, as was done by Tiley, who states that the "people you need to guard your data and hardware from fall into four basic categories:" thieves, the merely curious with low technical competence, the curious with high technical competence, and the determined hacker with high technical competence [Til96:49]. Russell and Gangemi present two broad categories of attackers (which they call "threats"): insiders and outsiders. Insiders include employees, former employees, students, etc. Outsiders consist of foreign intelligence agents, terrorists, criminals, corporate raiders and hackers [RuG91:14-15]. Cohen identifies 26 categories of "disrupters" [Coh95:57-71]. Similar lists are presented by Schwartau [Sch94:215-248] and others.

An alternative approach, and the one taken here, is to identify attackers by what they typically do. Icove, et al., present a simple classification based on three categories: hackers, criminals, and vandals. They differentiate these categories as follows:

    To some extent, they are best differentiated by motivation: The main motivation of a [hacker] is access to a system or data; the main motivation of a criminal is gain; the main motivation of a vandal is damage [ISV95:62].

Hackers are distinguished because they are more interested in the challenge of defeating a system's security than in the potential for personal gain. Corporate raiders and professional criminals, on the other hand, are motivated by the potential for financial gain. Spies and terrorists seek political gain [RuG91:15], although terrorists are distinguished because they seek to gain politically by creating fear through provocative acts. Finally, vandals are characterized by anger directed "most often at a particular organization, but sometimes life in general [ISV95:64]."

One problem with classifying attackers' motivations into these three categories (hackers, criminals, and vandals) is that, regardless of the motivation, all of these categories describe criminal behavior. As such, separating hackers and vandals from criminals is not consistent. I have avoided this inconsistency by not using the term criminal in the taxonomy. Instead, I have divided attackers into the following six categories:

These six categories of attackers and their four categories of primary motivations or objectives are shown in Figure 6.5. These categories of attackers and objectives serve as the two ends of the operational sequence of computer and network attacks. In between are the "tools, access, and results" which link attackers to their ultimate objectives, or motivations.

6.4.2. Access

The definition of computer security (Chapter 5) leads directly to the center of the connection between attackers and their objectives in this taxonomy: unauthorized access or unauthorized use. This is shown in Figure 6.6, which is an expansion of the access block in Figure 6.5. The arrows show that all attackers must either obtain unauthorized access, or use a system in an unauthorized way, in order to make the connection to their objective. As was discussed in Chapter 5, the unauthorized access or use is to processes, or to files or data in transit through processes. These are depicted in Figure 6.6. CERT®/CC incidents were all classified according to the highest "level" of access the attacker achieved (see Chapter 5). The two highest levels were to superuser or root privileges, and to a user account.

It is important to include both unauthorized access and unauthorized use in the "ways" of attack. The most widely known Internet security incidents involve unauthorized access, but abusing authorized access may also be a widespread problem. Russell and Gangemi estimate that "as many as 80 percent of system penetrations are by fully authorized users who abuse their access" [RuG91:16]. The CERT®/CC incident records presented in Chapter 7, however, do not reflect this, although they do show it has been a problem, and that it has the potential to be a greater problem.
In order to reach the desired process, an attacker must take advantage of a computer or network vulnerability, which is a flaw allowing the unauthorized access or use [Amo94:2]. A vulnerability may arise in three ways. The best-known way is through a software bug, which is an implementation problem where the design is satisfactory, but an error has been made in its implementation in software or hardware. Numerous examples have occurred in the Unix systems which have formed the basis of the Internet, such as the many problems in the sendmail program which often could be used to gain unauthorized access to host computers [GaS96:497]. The second way a vulnerability may arise is from the design itself, which is potentially more serious and difficult to correct. In this case, the vulnerability is inherent in the design, and therefore even a perfect implementation of the design in software or hardware will result in a vulnerability. The Internet sendmail program is also an example of this. Even when it has no software errors, electronic mail generated by sendmail can be used in an unauthorized manner to attack a system, such as through repetitive mailings (mail spam) which cause a denial-of-service (see Chapter 11). The third way a vulnerability may arise is through a configuration error. These are very common occurrences. Many vendors ship their software in a "trusted" state which is convenient for users, but may also be highly vulnerable to attack. Configuration errors could include such security problems as system accounts with default (and well known) passwords, default "world write" permission for new files, and vulnerable services enabled [ABH96:196].

6.4.3. Results

Between obtaining access and the attacker's objectives, we conceptualize the results of attack. At this point in the sequence of an attack, the attacker has access to the desired processes, files, or data in transit. The attacker is now free to exploit this access to alter files, deny service, obtain information, or use the available services. Figure 6.7 depicts these results of attack, which include the three traditional categories of corruption, disclosure and denial, but also a fourth category: theft of service [Amo94:3-4,31; RuG91:9-10; Coh95:55-56].

The results of attack categories are defined as follows:

Corruption of Information - any unauthorized alteration of files stored on a host computer or data in transit across a network [Amo94:4].
Disclosure of Information - the dissemination of information to anyone who is not authorized to access that information [RuG91:9].
Theft of Service - the unauthorized use of computer or network services without degrading the service to other users [Amo94:31].
Denial-of-service - the intentional degradation or blocking of computer or network resources [Coh95:55].

6.4.4. Tools

The final connection to be made in the operational sequence that leads attackers to their objectives is the tools of attack. This is also the most difficult connection to make because of the wide variety of methods available to exploit vulnerabilities in computers and networks. When authors make lists of methods, they often are making lists of tools. As discussed earlier, these lists have limited utility. The approach taken here was to establish the following categories (see Figure 6.8):

User Command - the attacker enters commands at a command line or graphical user interface.
Script or Program - scripts and programs initiated at the user interface to exploit vulnerabilities.
Autonomous Agent - the attacker initiates a program, or program fragment, which operates independently from the user to exploit vulnerabilities.
Toolkit - the attacker uses a software package which contains scripts, programs, or autonomous agents that exploit vulnerabilities.
Distributed Tool - the attacker distributes tools to multiple hosts, which are then coordinated to perform an attack on the target host simultaneously after some time delay.
Data Tap - the electromagnetic radiation from a cable carrying network traffic, or from a host computer, is "listened" to by a device external to the network or computer.
6.4.4.1 User Command - Until recently, the most common means of attack was for the attacker to simply enter commands at the keyboard. An example is opening a telnet session to a target computer and attempting to log in to a user or the superuser account. Access could be gained by such widely-varying techniques as guessing passwords, or entering long strings of characters to take advantage of a software bug. 6.4.4.2 Script or Program - At the user command interface, attackers can also make use of scripts or programs for the automation of commands. The simplest way to automate commands is to use a script, which is a series of commands entered into a file which can be executed by a Unix shell. An example of a program in common use is crack, which is used by system administrators to check for bad passwords, but is also used by attackers to crack passwords on targeted hosts. An additional type of tool often employed at the user command interface is known as a Trojan horse, which is a program that an attacker may copy over another program on the target system. Analogous to the wooden horse at the battle of Troy, a Trojan horse program performs like a real program a user may wish to run, such as login, a game, a spreadsheet, or an editor. In addition to performing as the user expects, however, the Trojan horse program also performs unauthorized actions, such erasing files, copying information, or logging user passwords in a file [ISV95:45]. 6.4.4.3 Autonomous Agent - Autonomous agents are the most widely publicized of the means of attack. What distinguishes an autonomous agent from other scripts or programs is that the program selects target systems on its own. For example, a Trojan horse program that has been placed on a target system may operate independently to say, record passwords, but it was placed on the host by a user. In contrast, an autonomous agent contains program logic to make an independent choice of what host to attack. 
The most well-known autonomous agent is the computer virus [Par90:544]. Although there is no agreed upon definition, the general consensus is summarized by Spafford, et al.: a computer virus is a segment of machine code (typically 200-4,000 bytes) that will copy its code into one or more larger "host" programs when it is activated. When these infected programs are run, the viral code is executed and the virus spreads further. Viruses cannot spread by infecting pure data; pure data is not executed. However, some data, such as files with spreadsheet input or text files for editing, may be interpreted by application programs. For instance, text files may contain special sequences of characters that are executed as editor commands when the file is first read into the editor. Under these circumstances, the data is "executed" and may spread a virus. Data files may also contain "hidden" code that is executed when the data is used by an application, and this too may be infected. Technically speaking, however, pure data cannot itself be infected [SHF90:316]. An alternative type of autonomous agent does not insert itself into other programs. It is called a worm, which operates separately as described by Spafford, et al.: Unlike viruses, worms are programs that can run independently and travel from machine to machine across network connections; worms may have portions of themselves running on many different machines. Worms do not change other programs, although they may carry other code that does, such as a true virus [SHF90:317]. 6.4.4.4 Toolkit - In recent years, attackers have made increasing use of software packages commonly referred to as "toolkits." Toolkits group scripts, programs and autonomous agents together, often with a user-friendly graphical user interface. What distinguishes toolkits from user commands, scripts or programs (the previous classifications) is that these are grouped together in a toolkit - a toolkit contains a group of tools. 
A widely used Internet toolkit is rootkit, which contains a sniffer and Trojan horse programs that can be used to hide activity and provide backdoors for later use.

6.4.4.5 Distributed Tool

A distributed tool is used to attack a host simultaneously from multiple hosts. An attack using a distributed tool is prepared by copying attack tools to surrogate sites distributed across the Internet. The attack itself begins with the synchronization of the clocks used by each of the surrogate attack tools. The timers are set so that each tool will attack a single victim site at a pre-defined time.

It is difficult to determine the origin of an attack that is the result of using a distributed tool. The site initiating the attack typically severs any connection to the surrogate sites before the attack begins. As a result, tracing the packets backwards through the routers to find the source of the attack will fail because the attack has multiple physical sources (not just multiple source IP addresses), and is not part of any intruder activity at the sites sending the attack packets.

The difference between a coordinated attack tool and other attack tools is the distributed and time-delayed nature of the attack. It represents a meta-attack tool category that can be used to thwart common security mechanisms that rely on straightforward attack strategies. Of course, new strategies can attempt to trace to the coordinated attack source, but that is much more difficult, and the coordinated attacker has the advantage in the number of indirections that can be set up. It is also possible to spoof the source address of the coordination tool to prevent tracing from the mid-points to the actual origination point - and since that is not an active connection at the time of the attack, no active tracing is possible. The only response is to maintain a history of packet traces on the network, which is prohibitively expensive.
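From the victim's side, the one thing a distributed tool cannot hide is its onset: many distinct hosts begin sending within the same short window because their timers were synchronized. The following is an added example (not from this chapter) that finds that cluster in a packet log and, before anything is blocked on the strength of a trace, lists which known clients would be cut off with each source subnet. The log format, addresses and client list are constructed for the illustration.

```python
# Added example (not from the chapter): spot the onset signature of a
# distributed tool in a packet log and weigh the cost of blocking its sources.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines: "<ISO timestamp> <src_ip> -> <dst_ip>"
PACKET_LOG = """\
2024-01-01T12:00:00.100 203.0.113.5 -> 198.51.100.9
2024-01-01T12:00:01.000 192.0.2.77 -> 198.51.100.9
2024-01-01T12:00:01.050 198.18.0.4 -> 198.51.100.9
2024-01-01T12:00:01.120 198.18.5.9 -> 198.51.100.9
2024-01-01T12:00:01.300 203.0.113.40 -> 198.51.100.9
2024-01-01T12:00:01.350 203.0.113.40 -> 198.51.100.9
2024-01-01T12:00:04.000 10.9.8.7 -> 198.51.100.9
"""
VICTIM = ip_address("198.51.100.9")
# Constructed: addresses of known legitimate clients of the victim site.
LEGITIMATE_CLIENTS = [ip_address("192.0.2.10"), ip_address("203.0.113.5")]


def first_seen(log_text, victim):
    """Time at which each source host first sent a packet to the victim."""
    first = {}
    for line in log_text.strip().splitlines():
        ts, src, _, dst = line.split()
        if ip_address(dst) == victim and src not in first:
            first[src] = datetime.fromisoformat(ts)
    return first


def coordinated_sources(log_text, victim, window=timedelta(seconds=1), min_sources=4):
    """Sources whose first packets cluster inside one short onset window.

    One host cannot produce this pattern; many hosts starting together is
    what synchronized timers look like from the victim's end.
    """
    ordered = sorted(first_seen(log_text, victim).items(), key=lambda kv: kv[1])
    best = []
    for i, (_, start) in enumerate(ordered):
        cluster = [s for s, t in ordered[i:] if t - start <= window]
        if len(cluster) > len(best):
            best = cluster
    return sorted(best) if len(best) >= min_sources else []


def blocking_collateral(sources, prefix_len=24):
    """Legitimate clients that a block on each source's /24 would also cut off."""
    blocked = {ip_network(f"{s}/{prefix_len}", strict=False) for s in sources}
    return {str(n): [str(c) for c in LEGITIMATE_CLIENTS if c in n] for n in sorted(blocked)}
```

Run on the constructed log, four sources share the 12:00:01 onset; two of their /24s also contain a legitimate client, which is exactly the collateral a blanket block would inflict.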
A typical defense against attack is to trace incoming packets to their origin and then to block incoming attempts from that subnetwork. This creates a chance for an additional, denial-of-service form of attack. This is accomplished by the attacker using surrogate sites that correspond to clients of the attacked site. When the attacked site blocks the surrogate sites, legitimate clients are denied their service also.

6.4.4.6 Data Tap

Electromagnetic devices such as host computers and network cables generate magnetic fields that can be exploited to reveal the information in the memory of the computer (particularly data displayed on the terminal), or to reveal data in transit. This is different from the other tools because it is a "physical" form of attack instead of an attack using software over a network. It is necessary to include this category for completeness, but as was stated earlier, the CERT®/CC records do not contain any evidence of such attacks.

There are numerous other tools that could be discussed, but they generally all fit into the categories shown in Figure 6.8. Admittedly, this takes what many authors have as a very long list of means and reduces it to five categories; however, it is hoped that this will be a more useful approach which may lead to some insights into computer security.

6.4.5. The Complete Taxonomy of Computer and Network Attacks

Figure 6.9 presents the complete taxonomy. This taxonomy depicts a simplification of the path an attacker must take in order to accomplish the attacker's objectives. To be successful, an attacker must find one or more paths that can be connected, perhaps simultaneously. As the formal definition presented earlier indicates, computer security is preventing attackers from achieving objectives by making any complete connections through the steps depicted. More specifically, computer security efforts are aimed at the six blocks of the taxonomy.
Aiming at the first block (attackers), law enforcement agencies, system administrators and others attempt to determine who the attackers are and where they are located. Once this is determined, the attackers could be subjected to investigation, prosecution and punishment. Other efforts can be made to prevent attackers from using computer and network resources, such as through closing of accounts or preventing access to network connections.

When tools are found in use they can be removed. For example, users and system administrators are encouraged to use virus-checking software to detect and eliminate autonomous agents. Systems can be monitored closely to detect the presence of Trojan horses, or other unauthorized files. Processing can be monitored for unauthorized operation of software, such as password crackers or sniffers. User commands can be monitored and logged. Such monitoring could be used to warn of attack, and logging could be used to investigate after an attack. Systems can also be monitored and filtered for the use of specific forms of attack. Examples of these are IP spoofing packets, mail spam, and attack tools found in common toolkits.

Access to systems can be prevented in two ways. First is by a vigorous program to discover and eliminate design, implementation and configuration vulnerabilities. Systems administrators are key to this effort. They must keep current on the latest problems that are discovered. They must ensure the system and all its files are configured correctly, that software bugs are patched, and that insecure software is eliminated or restricted. The second method to prevent access is to ensure access controls on files and processes are properly implemented. This includes a wide range of controls, from strong passwords and secure password files, to correct default permissions on files.
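Monitoring a system for Trojan horses and other unauthorized files, as recommended above, comes down to comparing the current file tree against a baseline taken while the system was known-good; a Trojan horse that was copied over login keeps the name and location but not the contents. The following is an added example (not from this chapter) of such an integrity check; the directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
# Added example (not from the chapter): a file-integrity baseline that flags a
# Trojan horse copied over a program and any unauthorized file added later.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its bytes."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify drift from the baseline: replaced, unauthorized (new) and missing files.

    The baseline must be kept where the attacker cannot rewrite it, or the
    Trojan horse can simply update the stored digest along with the program.
    """
    return {
        "replaced": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "unauthorized": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: a trusted tree, then 'login' is overwritten and a file dropped."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/login", b"genuine login"), ("bin/ls", b"genuine ls")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # taken while the system is known-good
        # Simulate the Trojan horse: same name, same place, different contents.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"imposter login")
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"dropped file")
        return compare(baseline, snapshot(root))
```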
Unauthorized access can also be reduced by narrowing the number of processes that do not have access controls, and by monitoring how processes are being used.

The results of an attack can be mitigated by limiting what a successful attack could accomplish. For example, sensitive files could be encrypted so that, even if an attacker succeeds in accessing these files, information will not be disclosed -- although this may not provide any protection from the files being corrupted. Files can also be backed up, mitigating any corruption of information, and systems can be carefully monitored for any signs of theft or denial-of-service. Mitigation efforts can also be used in the last block, objectives.

6.5. Summary of the Taxonomy of Computer and Network Attacks

A taxonomy of computer and network attacks was developed for this research in order to classify Internet security incidents. The complete taxonomy is summarized in Figure 6.9. A taxonomy is an approximation of reality that is used to gain greater understanding of a field of study. A taxonomy should have classification categories with the following characteristics:

1) mutually exclusive - classifying in one category excludes all others because categories do not overlap,
2) exhaustive - taken together, the categories include all possibilities,
3) unambiguous - clear and precise so that classification is not uncertain, regardless of who is classifying,
4) repeatable - repeated applications result in the same classification, regardless of who is classifying,
5) accepted - logical and intuitive so that they could become generally approved,
6) useful - can be used to gain insight into the field of inquiry.

A popular and simple taxonomy of computer and network security attacks is a list of single, defined terms. Variations of this approach include lists of categories.
There are several problems that limit the usefulness of these approaches including 1) the terms not being mutually exclusive, 2) an exhaustive list being difficult to develop and unmanageably long, 3) the definitions of individual terms being difficult to agree on, and 4) there being no structure to the categories. An alternate categorization method is to structure the categories into a matrix. The procedure for classification using these taxonomies, however, is not unambiguous when actual attacks are classified. In addition, the logic is not intuitive, and the classifications are limited in their usefulness. The taxonomy developed as part of this research does not attempt to enumerate all computer security flaws, or to enumerate all possible methods of attack, but rather to reorient the focus of the taxonomy toward a process, rather than a single classification category.
The final taxonomy presented was developed from the specific definition of computer security (Chapter 5), from the criticisms of the current taxonomies, and from a process or operational viewpoint. From this viewpoint, an attacker on computers or networks attempts to link to ultimate objectives or motivations. This link is established through an operational sequence of tools, access, and results that connects these attackers to their objectives as shown in Figure 6.9.
Figure 6.3. Security Attacks [Sta95:8]