SANS Institute shows hacker tools

The SANS Institute is one of the best knowledge resources for keeping up the fight against the latest information security threats. I try to put in an appearance at a SANS event whenever possible, and at SANS 2004 I revisited the always stimulating distillation of the latest in network hacks presented by Ed Skoudis, now with IntelGuardians. Of particular interest to me this year were two examples at opposite ends of the hacker sophistication spectrum, and what they mean for security management.

The first was a demonstration of a tool kit (which, for this newsletter at least, will remain nameless) for assembling an exploit package from a range of available payload, targeting and delivery components. Although useful for “white hat” probes of vulnerability, part of the stated goal of the project responsible for this framework is “to create a useful resource for exploit developers.” It has succeeded.

The range of options currently available is rather limited, but that is hardly the point. What is arresting is that this toolkit takes the “script kiddie’s” job to a higher level, making a fairly straightforward task out of building a complete exploit, even if little is known about the actual attacks available for packaging. It even features a graphical user interface! Although a little primitive in the current version, this GUI makes selecting features a simple matter.

In other words, it’s basically a rudimentary IDE for exploit developers. That is a bad sign for the future, if you thought producing blended, multifunctional threats required intimate familiarity with exploit code. This tool is even simpler to use than Visual Basic.

At the other end of the spectrum was a discussion of the heightened interest among hackers in ways to exploit an operating system kernel itself. User- and application-level exploits typically interact with – but outside of – the core of an operating system to wreak their havoc. A kernel exploit, on the other hand, works on a more fundamental plane, possibly rendering user- and application-level functionality blind to a compromise. The primary obstacles facing kernel exploits thus far have been in delivery to and integration with the target operating system. However, the possibility of gaps in verifying the integrity of kernel components such as device drivers and (attention Linux users) loadable modules makes it clear that the potential threat is very real, and more sophisticated explorations include efforts aimed at modifying the kernel image itself.

In my view, the level of response necessary to counter examples like these will reinforce a building trend in which the tools of management will be increasingly leveraged to bring greater security integration to the enterprise. Lowering the sophistication barrier to building hybrid threats clearly signals that multifunctional worm/virus attacks are not going away. The only effective defense for the enterprise will be a management strategy able to bring a similar level of coordination and enforcement of a range of protections across an infrastructure.

Lest you think this level of threat management would be necessary only in Windows shops: the increased visibility of kernel-level hacks ought to be a warning to anyone to take system integrity management far more seriously than they do now, regardless of platform. It will do no good to deploy an array of defenses against privacy and vulnerability exploits if the underlying system on which these defenses depend can itself be subverted, potentially in silence.

Coordination, integration and depth are three of the characteristics of mature management – and the direction security defenses must go in order to maintain the integrity of the enterprise in the future.
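The column's point about verifying the integrity of loadable kernel modules can be made concrete with a small baseline check. The following is an added illustration, not code from the column or from any tool it mentions: it parses the text format Linux exposes in /proc/modules (name, size, reference count, users, state, address), compares the loaded set against a baseline recorded on a known-good host, and flags modules that are absent from the baseline or whose reported size differs. The sample listing and baseline values are constructed; the module name `suspicious_mod` and the baseline sizes are hypothetical.

```python
"""Baseline check of loaded Linux kernel modules.

Added example, not from the column. Compares what the kernel reports as
loaded (/proc/modules format) against a previously recorded baseline so
that an unexpected module, or one whose size no longer matches, is
surfaced for investigation. All sample data below is constructed.
"""

import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedModule:
    name: str
    size: int
    refcount: int
    state: str


def parse_proc_modules(text):
    """Parse /proc/modules lines: name size refcount users state address."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line: skip rather than guess
        name, size, refcount, _users, state, _address = parts[:6]
        modules[name] = LoadedModule(name, int(size), int(refcount), state)
    return modules


def check_against_baseline(loaded, baseline):
    """Return modules not in the baseline, and those whose size changed.

    `baseline` maps module name -> expected size as recorded on a
    known-good host.
    """
    unexpected = sorted(name for name in loaded if name not in baseline)
    size_changed = sorted(
        name for name in loaded
        if name in baseline and loaded[name].size != baseline[name]
    )
    return {"unexpected": unexpected, "size_changed": size_changed}


def audit(text, baseline):
    """Convenience wrapper: parse a listing and check it in one call."""
    return check_against_baseline(parse_proc_modules(text), baseline)


def audit_live(baseline, path="/proc/modules"):
    """Run the same check against the running kernel, if the file exists."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return audit(fh.read(), baseline)


# Constructed sample listing in /proc/modules format (hypothetical values).
SAMPLE_PROC_MODULES = """\
ext4 737280 2 - Live 0xffffffffc0500000
e1000 163840 0 - Live 0xffffffffc0400000
suspicious_mod 16384 0 - Live 0xffffffffc0300000
"""

# Constructed baseline, as if recorded earlier on a known-good host.
SAMPLE_BASELINE = {"ext4": 737280, "e1000": 155648}


if __name__ == "__main__":
    print(audit(SAMPLE_PROC_MODULES, SAMPLE_BASELINE))
    # -> {'unexpected': ['suspicious_mod'], 'size_changed': ['e1000']}
```

On the sample data the check reports `suspicious_mod` as unexpected and `e1000` as changed in size. Note the caveat the column itself implies: this runs in user space and trusts what the kernel reports, so a kernel-level compromise that lies to /proc would pass it. A name-and-size baseline is a management control for catching drift and sloppy changes, and belongs alongside, not in place of, stronger integrity mechanisms for kernel components.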