Saturday, April 18, 2009

The Fine Art of Attack Prediction

Internet security is gradually evolving from an art into a science, particularly the evaluation of vulnerabilities in terms of threat impact and business risk (where I think CVSS has played a significant role in galvanizing the major software vendors). That said, one security realm still firmly entrenched as an art is "threat prediction".

The way I see it, "Threat Modeling" is quite a bit different from "Threat Prediction". While the former focuses on using existing threat information to model trends and evaluate risk profiles (often incorporating measurement systems such as CVSS), the latter tends to assume longer timescales and deals with factors or industry trends that cannot reasonably be precomputed and modeled.

Threat prediction typically requires the crystal ball to be rolled out and, depending upon the diviner, can be a little hit or miss at the best of times. However, I've found that threat predictions tend to become more accurate if you assume a few things first:
  1. If the bad-guys can make money from exploiting it, then you bet that they'll try.
  2. The more sophisticated the technology, the more vulnerable it is to primitive attack.
  3. The lowest hanging fruit are the first to fall.
There's also a fine line to be walked between keeping it real and flooding the airwaves with FUD (which the industry is only too keen to keep on perpetuating), and I often find myself wishing some security commentators would bear those three assumptions in mind before launching a press release.

Common Sense Threat Prediction
Threats are evolving at an increasing pace, but in most areas it's not too hard to predict a few years into the future. While many "new" threats appear original at first glance, if you study your Internet security history you'll soon be able to draw parallels with past and present threats. In fact, the more you understand the mechanisms that shaped past threats, the better you'll be able to predict how new ones will evolve.

For example, look at how protection against password guessing has evolved...
  • [Whitehat] Force the user to supply a password in order to log in - thereby stopping the blackhat from logging in with just the UserID.
  • [Blackhat] Passwords can be guessed: automatically cycle through popular passwords to find the right one for the UserID and gain entry to the system.
  • [Whitehat] Implement an account lockout procedure consisting of a maximum failed guess threshold (e.g. three failed password attempts and the account becomes inactive).
  • [Blackhat] Abuse the threshold procedure to lock out lots of user accounts and construct a denial of service attack - seeking to make money via extortion.
  • [Whitehat] Set up a procedure to automatically 'unlock' locked accounts after a few minutes or hours - thereby negating the DoS threat and inconvenience to the end user.
  • [Blackhat] Implement horizontal guessing of passwords. Armed with a long list of known UserIDs, try the same password against each UserID before trying a different password - thereby making use of automated account unlocking without adversely hindering the guessing process.
  • [Whitehat] Implement CAPTCHAs to stop the blackhat from using automated tools to pass the Turing test and guess the UserID's password.
  • [Blackhat] Socially engineer or recruit other Internet users to answer the CAPTCHAs and feed the results into the automated password guessing tool. [more discussion on these techniques can be found here and here].
A thing to bear in mind with the example above is that the overall "password battle" between blackhats and whitehats evolved throughout a decade - with the most rapid change occurring within the first couple of years (note that CAPTCHAs have only been popular as an anti-automation technique for 2-4 years, and it's only in the last year that we've seen the criminal blackhats recruit and pay Internet employees to break CAPTCHAs).
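As an added example (not from the original post), here is defender-side detection logic for the "horizontal guessing" step above: a classic per-account failure counter beside a per-source detector that counts how many distinct UserIDs fail from one source inside a time window, run over constructed sample log lines. The log format, IP addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format "<timestamp> <result> user=<UserID> src=<ip>"
SAMPLE_LOG = """\
2009-04-18T10:00:01 FAIL user=alice src=203.0.113.5
2009-04-18T10:00:02 FAIL user=bob src=203.0.113.5
2009-04-18T10:00:03 FAIL user=carol src=203.0.113.5
2009-04-18T10:00:04 FAIL user=dave src=203.0.113.5
2009-04-18T10:00:05 FAIL user=erin src=203.0.113.5
2009-04-18T10:00:06 OK   user=frank src=203.0.113.5
2009-04-18T10:00:07 FAIL user=grace src=198.51.100.7
2009-04-18T10:00:09 FAIL user=grace src=198.51.100.7
2009-04-18T10:00:12 OK   user=grace src=198.51.100.7
"""

def parse_line(line):
    """Split one log line into (timestamp, result, UserID, source)."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def per_account_lockout_hits(log_text, threshold=3):
    """Accounts a classic per-account failure threshold would lock out."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, result, user, _ = parse_line(line)
        if result == "FAIL":
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def horizontal_guessing(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Sources whose failures hit >= min_accounts distinct UserIDs inside `window`."""
    failures = defaultdict(list)          # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}                          # src -> sorted list of UserIDs hit
    for src, events in failures.items():
        events.sort()
        start = 0                         # sliding window over this source's failures
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(flagged.get(src, [])):
                flagged[src] = sorted(users)
    return flagged
```

On the sample, the per-account threshold of three never fires (each sprayed account fails once), while the per-source detector flags 203.0.113.5 for touching five distinct UserIDs within seconds.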

It's probably also worth pointing out that particular Internet threats and attack techniques never actually disappear, and it's not uncommon for the same threat to reappear several years later in a slightly different guise because of some new implementation of an old (and vulnerable) technology. I wrote a whitepaper on the topic a couple of years ago - Old Threats Never Die.

With all that in mind, it's also worth pointing out that threat prediction is getting easier. While the technologies are getting more and more sophisticated (and integrated), if you keep the thought "how would I make money from exploiting it?" at the forefront of your mind, you'll probably be reasonably good at predicting what the bad-guys will do.


  1. Hi Gunter, I actually agree with you here (not wanting to sound too surprised by that ;).

    It is clear that not only do we fail to "solve" security problems once and for all when they pop up, we forget about them.

    Years later when technology has been remarketed, renamed, and updated it still brings with it the same old problems of yesteryear.
    Autorun is a perfect example, floppy disks turn into USB keys / PDA's / Network shares / etc.

    I learned it's stupid to stick my finger into a car cigarette lighter when I was about eight years old, why can't the infotechnology industry?


  2. Having worked with, and around, commercial software engineers for quite a few years now, I have no reasonable expectation that the software industry will ever "solve" the bug => vulnerability => exploit chain, but I guess I have higher expectations of how they are capable of performing.

    Awareness of past security failings is critical in preventing future failures - history of the world around us has taught us that already.

    Unfortunately, in the battle of features versus security, the bloodied loser tends to be "security". The problem is that "security" is a vindictive beast with a long memory ;-)