BreakingPoint Strike Lists: The Attacks That Matter Most
By Garett Montgomery

To keep our Application and Threat Intelligence (ATI) customers current, Ixia’s ATI Research Center marches to the lively tempo of new applications and vulnerabilities, and continually evolving attacks. The ATI-2016-14 release includes some description improvements in several of our Strike Lists, so now is a good time to take a few minutes to talk about Strike Lists.
First, let's discuss the changes that most of you will have already noticed—the description update for Strike Levels 1-3, for years 2010-2016.
These Strike Lists group Strikes by severity—according to CVSSv2 score—and by year. What should now be clearer is that the year refers to when the vulnerability was first disclosed, not when the Strike was released or when the vulnerability was patched.
In the image above you can also see that the filtering of Strikes under the “malware/” directory has been tightened (previously URLs containing ‘malware’ were erroneously filtered).
- Disclosure can include: vendor patch announcements, MITRE CVE assignments, PoC exploit appearance, 0-day blog write-ups—basically the first time information on the vulnerability, or the exploit for it, was made public.
I'd also like to mention two Strike Lists that we’ve added in the first half of 2016: AtRisk Strikes 2016 and Server Host Header Strikes.
ATRISK STRIKES 2016
As I would expect many of you are aware, SANS is well known in the InfoSec community for its work in raising security awareness. For the past several years, it has reliably published a weekly summary of InfoSec news, “@RISK: The Consensus Security Vulnerability Alert”. Included in those newsletters is a list of vulnerabilities for which exploits are available (provided by the Qualys Vulnerability Research Team). The vulnerabilities listed represent some of the gravest InfoSec risks to organizations, since they exist in widely deployed software and examples of how to exploit them are publicly available.
As you can see in the image above, the Strike List is a Smart Strike List, which means that the content of the list is dynamic – the number of Strikes contained in the list may increase when updating ATI StrikePacks. As additional @Risk newsletters are published, we’ll continue to update the Smart Query with additional CVEs as they are added.
- As these Strikes represent some of the most current, most dangerous exploits that might target an organization, you might want to create and run a test applying the StrikeVariants Evasion Profile. The number of Strikes is currently low, so there should not be too many Variants generated, and it would be a good way to test protection devices to see how they perform against all possible incarnations of each Strike.
SERVER HOST HEADER STRIKES
Based on a request from one of our customers, we recently added an Evasion option allowing target IP addresses to replace randomly generated hostnames in the HTTP Header Host field.
Evasion Option::VirtualHostname::Use the target IP address.
There are, however, numerous cases where the Host field is explicitly set by the Strike, and some cases where the targeted vulnerability is exploited via the Host header itself. Since it wouldn’t make much sense to substitute a valid IP address in those cases, we went through the past 10 years of Strikes and compiled a list of Strikes that should not have their Host header fields modified by an Evasion Profile. As shown in the image below, the Server Host Header Strikes List is comprised of Strikes using the HTTP protocol, with Strikes that contain explicitly defined Host field values filtered out (excluded).
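To make the selection rules above concrete, here is an added example (not Ixia's code or the real StrikePack schema) that models the severity/year Strike Lists, the corrected `malware/` directory filter versus the old substring match, and the Server Host Header list; the CVSSv2-to-Level mapping and all Strike records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Strike:
    """One Strike record (constructed fields; not the real StrikePack schema)."""
    path: str                 # location in the Strike tree, e.g. "exploits/http/..."
    protocol: str             # protocol the Strike speaks ("http", "smb", ...)
    cvss_v2: float            # CVSSv2 base score
    year_disclosed: int       # year the vulnerability was first made public
    host_header: Optional[str] = None  # Host value the Strike sets explicitly, if any

def strike_level(cvss_v2: float) -> int:
    """Assumed mapping of CVSSv2 score to Strike Level 1-3 (NVD v2 bands)."""
    if cvss_v2 >= 7.0:
        return 1
    if cvss_v2 >= 4.0:
        return 2
    return 3

def in_directory(path: str, directory: str) -> bool:
    """True only if path lies under directory: a prefix match on whole path segments."""
    prefix = directory.rstrip("/") + "/"
    return path.startswith(prefix)

def buggy_malware_filter(strikes):
    """The old behaviour: drop anything whose path merely *contains* 'malware'."""
    return [s for s in strikes if "malware" not in s.path]

def severity_year_list(strikes, level: int, year: int):
    """Strike Level N / year Y list: match level and disclosure year, exclude the malware/ tree by directory."""
    return [s for s in strikes
            if strike_level(s.cvss_v2) == level
            and s.year_disclosed == year
            and not in_directory(s.path, "malware/")]

def server_host_header_list(strikes):
    """HTTP Strikes whose Host header an Evasion Profile may safely rewrite."""
    return [s for s in strikes if s.protocol == "http" and s.host_header is None]

# Constructed sample corpus (names and values are illustrative, not real Strike IDs).
SAMPLE = [
    Strike("exploits/http/webapp_rce_a", "http", 9.3, 2015),
    Strike("exploits/http/host_header_inject_b", "http", 5.0, 2016, host_header="victim.example"),
    Strike("exploits/http/malware_dropper_c", "http", 7.5, 2016),  # 'malware' in name, not under malware/
    Strike("malware/trojan_sample_d", "tcp", 7.5, 2016),
    Strike("exploits/smb/share_overflow_e", "smb", 10.0, 2016),
]
```

The old substring filter wrongly drops `exploits/http/malware_dropper_c` along with the `malware/` tree; the directory match keeps it.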
We’re always looking to find ways to help in categorizing and grouping the Strikes representing the greatest risks, so be on the lookout for additional Strike List releases later this year. And, as always, please feel free to contribute additional suggestions for organizing Strikes.
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.