This post is the second of three on this data set.? ?On Opportunistic Attacks, Part 1? talks broadly about where opportunistic attacks begin: Where are we seeing attempted connections and where are they coming from?? This post will look at the typical attack pattern: Are we seeing patterns in the scans of hosts or a ?light touch? of isolated checks?? Finally, Part 3 will attempt to understand timing: How long can a host or service be on the internet before it would experience the beginning of an opportunistic attack?
In the first part of this series we looked at what types of services opportunistic attacks were after and with what frequency.? We also spent some time looking at where the opportunistic packets were coming from.? Now we?re going to dive into their methods of scanning or checking for vulnerable services, are their any patterns we can detect or is there just a ?light touch??? What we found was quite interesting and dare I say, surprising.?
But before we jump into our findings, I?d like to reiterate that this data collection is absolutely dead simple and not particularly difficult to collect.? We?re simply logging the source and destinations IP, ports and protocols and when packets appear on a variety of IP addresses.? This type of data collection is possible for any individual or company with one or more IP addresses on the internet.
How many ports are scanned by a single IP?
Back ?in the day?, I worked for an Internet Service Provider and I wrote a monitoring application to detect scans of our systems and alert on them.? It was set to alert when any host had more than a configured threshold of ports scanned and it alerted us to possible malicious traffic fairly often (we were a small ISP).? It was that mentality that I approached this analysis.? I was curious to know what was the most prominent set of ports attackers would scan for.? Perhaps, I thought there would be a few standard tools in use that had a standard set of ports and that pattern would emerge in the data.? Boy was I naive and consequently was reminded by a co-worker that ?the plural of anecdote is not data.?
Once the data was compiled and I created the chart to the right, I couldn?t believe what I was looking at.? Go ahead and take a peak at the graphic.? 97.4% of the IP addresses that sent packets at us only checked one port.? I figured something was wrong with my analysis so I double and triple checked it because 97.4% of IP addresses only testing one port was not within the reality of my anecdotal evidence. But sure enough, that?s what was happening!
This has several implications, first, it?s probably safe to assume that opportunistic attackers are looking for a single vulnerability.? It must be much easier to look for a single weakness across many hosts than any any weakness on a single host.?? Another way to look at this is that attackers are lazy like everyone else ? they find the first thing that accomplishes their goal and they stick with it. Secondly, any sort of threshold (at least on a single host) would never trigger unless the threshold were set at 1.? The monitoring software I wrote years ago would now sit almost completely quiet. It?s worth noting that out of the 8,000+ IP addresses recorded, one source attempted 904 ports, another tried 204 and a third tried 43 and those are the top 3.
How hard did they try?
Since we know a huge proportion (97.4%) of these opportunistic packets are trying just a single port, perhaps there is something in how often they tried.? I wasn?t sure what to expect here since I was thrown off by my first question.? But since we were sending back reset packets for closed ports (and they were all closed), I wasn?t expecting a high return rate.? Sure enough, 81.3% of ports attempted saw a single attempt (see image).?? I didn?t break down the time difference between these attempts because the main story I found is that there is an incredibly small log footprint for opportunistic attacks and?
97% of opportunistic attackers try one port and 81% send a single packet.
Oh sorry, I don?t want to exclude any readers, so I will restate that for the qualitative risk folks out there:
There?s a big chance opportunistic attacker try a very small number of ports and they won?t send many packets.
This leads us to the next point.? This data is telling us that systems or applications trying to capture opportunistic data like this don?t have to carefully emulate operating systems.? For example, while we could make a claim that ?Attackers often remotely fingerprint operating systems?, it appears, (when it comes to opportunistic attackers) they certainly do not do this.? Instead, they check for one?specific vulnerability and move on as if fingerprinting is a waste of valuable scanning time.? Which also means capturing this data is relatively dead simple? just listen, record and count.
Finally, if the majority of attackers look for a single port once and move on, they are the complete opposite of an advanced threat, as a community they have a clear repeatable pattern that we can rather simply identify.? Therefore I?d like to coin the term ?Simple Consistent Threat? (SCT).? The term describes an adversary that uses very simple techniques and rather than adapt for their target, they simply find a target that is susceptible to their single style of attack.? As a community of threat agents, they appear to be consistent in who they attack (everyone) and the actions they try (a single service).? What?s good about that is that by simply observing this pattern, they quickly become a transparent adversary and rather simple to prevent.
Breach Data on the Simple Consistent Threat
By looking into the data we?ve collected for the DBIR, there?s a clear relationship between the size of the organization (measured by number of employees) and the number of Simple Consistent Threats causing a breach.? As organizations grow, the number of breaches caused by SCT?s decrease and we can assume it?s not because they somehow magically avoid larger organizations.? This decrease it?s more likely due to an increase in security maturity of the organizations.? Attempts from SCT?s are relatively simple and can be mitigated with a few basic security controls and practices.? So why have we consistently seen this style of attack in over 70% of the breaches we?ve analyzed over the last 2 years?
No really, I?m asking.
Source: http://securityblog.verizonbusiness.com/2012/09/05/ask-the-data-on-opportunistic-attacks-part-2/
deliverance pentatonix nicki minaj barbie doll nicki minaj barbie doll black dahlia drew drew
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.