Constructing an "Attack Path"

You have now considered many methods of obtaining information about a host that might have launched an attack. So what? The next and final section of this chapter deals with piecing together all the information you obtain to construct an "attack path."

What Is an Attack Path?

An attack path is a model of the network (or possibly the telecommunications) route used to launch an attack. In other words, if at the time of an attack the victim host had a connection from another host, which in turn had a connection from a third host, the trail of the attack can be reconstructed.

Constructing an Attack Path

After someone has a reasonable amount of information about the nature of the attacks and the potential source IP address(es) of the attacks, it is possible to construct an attack path. As mentioned many times previously in this book, a competent incident response effort documents all information it receives. This information can be used as the basis of constructing an attack path.

Pinpointing the Source

How does somebody construct an attack path? The answer lies in piecing together all information gathered from using methods described in this chapter: the type of protocol used (or perhaps "misused" is the better word), the source address, the destination address, intermediate addresses involved, and more. Now the fun begins. Commonality is the key. If over half of the attacks involve misuse of the FTP protocol from only one or two potential source IP addresses, data commonality narrows the source of attacks considerably.
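The commonality rule above can be applied mechanically to an incident log. The following is an added example, not code from the book: it takes constructed incident records (protocol misused, apparent source, destination), finds the protocol that accounts for more than half of the incidents, and reports the smallest set of one or two source addresses that dominate it, or `None` when the sources are too spread out for commonality to narrow anything. All record fields, addresses and the `INCIDENTS` list are constructed for illustration.

```python
from collections import Counter

# Constructed incident records (not from the book): one entry per logged
# attack attempt, with the protocol misused and the apparent source/target.
INCIDENTS = [
    {"protocol": "ftp", "src": "192.0.2.10", "dst": "198.51.100.5"},
    {"protocol": "ftp", "src": "192.0.2.10", "dst": "198.51.100.6"},
    {"protocol": "ftp", "src": "192.0.2.11", "dst": "198.51.100.5"},
    {"protocol": "ftp", "src": "192.0.2.10", "dst": "198.51.100.7"},
    {"protocol": "smtp", "src": "203.0.113.4", "dst": "198.51.100.5"},
    {"protocol": "telnet", "src": "192.0.2.10", "dst": "198.51.100.8"},
    {"protocol": "ftp", "src": "192.0.2.99", "dst": "198.51.100.5"},
]


def protocol_share(incidents):
    """Fraction of all incidents attributed to each protocol."""
    counts = Counter(rec["protocol"] for rec in incidents)
    total = len(incidents)
    return {proto: n / total for proto, n in counts.items()}


def dominant_sources(incidents, protocol, max_sources=2, threshold=0.5):
    """Smallest set of top source addresses that together account for more
    than `threshold` of the incidents for `protocol`.  Returns None when that
    set would need more than `max_sources` addresses (commonality does not
    narrow the source) or when the protocol never appears."""
    subset = [r for r in incidents if r["protocol"] == protocol]
    if not subset:
        return None
    chosen, covered = [], 0
    for src, n in Counter(r["src"] for r in subset).most_common():
        chosen.append(src)
        covered += n
        if covered / len(subset) > threshold:
            return chosen if len(chosen) <= max_sources else None
    return None


def narrow_source(incidents, threshold=0.5):
    """Apply the commonality rule from the text: if over half the incidents
    misuse one protocol and one or two sources dominate those incidents,
    return the protocol and the dominating sources; otherwise None."""
    for proto, share in protocol_share(incidents).items():
        if share > threshold:
            srcs = dominant_sources(incidents, proto, threshold=threshold)
            if srcs:
                return {"protocol": proto, "sources": srcs}
    return None


if __name__ == "__main__":
    print(narrow_source(INCIDENTS))
```

On the constructed data five of seven incidents misuse FTP, and one address alone accounts for three of those five, so the rule narrows the source to a single address; the same code returns `None` when, say, four distinct sources each contribute one FTP incident, which is the honest answer in that case.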

The Direct Trace Method

In the direct trace method, you determine the source of an attack while the attack is underway and then contact the system or security administrator of the other (source) system (labeled System 1 in Figure 6.4). The system or security administrator of System 1 looks at current connections to verify the connection from System 1 to your system and then determines the source of the connection to System 1. You then contact the system or security administrator of System 2, the source of the connection to System 1, and so on, until you identify what is apparently the true source host (see Figure 6.4). In an ideal scenario, you call in law enforcement, which catches the perpetrator(s) in the act.

Cliff Stoll [9], and others who cooperated with him, used this method to track down the Hanover Hacker. Stoll contacted staff members from organizations with intermediate hosts in the attack path to eventually pinpoint the source of the attacks. This method is the most direct, logical way to trace an attack, but remember that the apparent source address might not be the real source. Unless only IPsec connections to hosts are allowed, packet header information can easily be spoofed. Additionally, wide-scale cooperation is not easy to obtain. Determining the immediate source of a connection often means you will contact someone from an organization that has a "see no evil, do no evil" policy. In addition, an organization with a host in the attack path you constructed might be a competitor of yours.

[9] Stoll, C., The Cuckoo's Egg. New York: Doubleday, 1989.

The Indirect Trace Method

The indirect trace method is similar to the direct trace method except there is no real-time element. The attack path is constructed from accounting and other data that indicates that particular types of connections occurred as well as the times of usage from one part of the attack path to the next. Because there is no real-time element, each party involved in using the indirect trace method does not have to be focused on reacting quickly. This potentially allows a slower, more careful analysis of a wider range of data. The main limitations, on the other hand, include systems that do not have any logging enabled (an all-too-common problem) and logging failures (such as when attackers plant rootkit-type tools). The result is the inability to trace an attack beyond a certain point in the trail.

Other Clues

As you construct a path of attack, you will find that other sources of information can also be useful in this effort. Names of accounts created by an attacker, command usage patterns, typical types of errors (such as misspellings of certain commands), the baud rate of connections, and other "signatures" can help fill in missing pieces of data necessary to construct the path of attack. Knowing, for example, that a particular attacker always creates a new account named "abc" in systems to which this person obtains unauthorized access can help you pinpoint the source of an attack. Knowing that a series of hosts now have accounts named "abc" could lead you to hypothesize that many or all of these hosts are part of one or at least a few attack paths. Using attacker "signatures," however, requires at least one previous determination of the source of the attack. Additionally, copycat attacks in which someone who is junior to an attacker within a hacking group copies the actions of a more experienced attacker can be very misleading. Still, the more information you obtain, the more likely it is that you'll be able to locate where attacks originated.
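The indirect trace method described under "The Indirect Trace Method" and the attacker "signatures" described in this section fit together naturally: connection accounting data carries the trail as far as logging allows, and signatures supply hypotheses for the hops beyond that point. The following is an added example, not code from the book. It walks backwards from the victim through constructed per-host inbound-connection records that were active at the attack time, stops where the trail runs out (a host with no logs, no matching inbound connection, an ambiguous set of connections, or a loop), and then lists hosts outside the path whose audit data shares the attacker's signature tokens. The hostnames, the minute-of-day timestamps, the `INBOUND` records, the `SIGNATURES` table and the token format (`account:abc`, `typo:grpe`) are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """One inbound connection a host logged (constructed accounting record)."""
    peer: str    # host the connection came from
    start: int   # minutes since midnight, constructed values
    end: int


# Constructed accounting data: inbound connections each host logged.
# "relay3" has no entry at all, modelling a host with logging disabled.
INBOUND = {
    "victim": [Conn("relay1", 120, 180), Conn("admin-ws", 60, 70)],
    "relay1": [Conn("relay2", 110, 190), Conn("unrelated", 10, 20)],
    "relay2": [Conn("relay3", 100, 200)],
}

# Constructed attacker "signature" observations per host, gathered from audit
# data: accounts the intruder created and characteristic command typos.
SIGNATURES = {
    "victim": {"account:abc", "typo:grpe"},
    "relay1": {"account:abc"},
    "relay2": {"account:abc", "typo:grpe"},
    "relay3": set(),
    "relay4": {"account:abc", "typo:grpe"},
    "bystander": {"account:svc"},
}


def trace_path(victim, when, inbound):
    """Walk backwards from `victim` through inbound connections active at
    minute `when`.  Returns (path, stop_reason); the path ends where the
    logged trail runs out, which is the limitation of the indirect method."""
    path = [victim]
    while True:
        host = path[-1]
        if host not in inbound:
            return path, "no logs on " + host
        active = [c.peer for c in inbound[host] if c.start <= when <= c.end]
        if not active:
            return path, "no inbound connection logged on " + host
        if len(active) > 1:
            return path, "ambiguous: %d inbound connections on %s" % (len(active), host)
        nxt = active[0]
        if nxt in path:
            return path, "loop at " + nxt
        path.append(nxt)


def signature_candidates(path, signatures, min_overlap=2):
    """Hosts outside `path` whose audit data shares at least `min_overlap`
    signature tokens with hosts on the path.  These are hypotheses for hops
    the connection logs could not show, not proof of involvement."""
    seen = set()
    for host in path:
        seen |= signatures.get(host, set())
    return sorted(host for host, sig in signatures.items()
                  if host not in path and len(sig & seen) >= min_overlap)


if __name__ == "__main__":
    path, reason = trace_path("victim", 150, INBOUND)
    print(path, "-", reason)
    print("signature candidates:", signature_candidates(path, SIGNATURES))
```

On the constructed data the logged trail reaches `relay3` and stops because that host kept no logs; `relay4` then surfaces as a candidate because it shares both signature tokens with the hosts on the path, while `bystander`, which merely has an unrelated account, does not. The `min_overlap` threshold is the knob that guards against the copycat problem the text mentions: a single shared token is weak evidence.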

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103