<<< Date Index >>>     <<< Thread Index >>>

Re: On classifying attacks



On Thu, 28 Jul 2005, Daniel Weber wrote:

I've seen a lot of classification schemes proposed on Bugtraq in the
intervening years, some of them quite good.  (Search the archives for
"taxonomy" or "classification".)  But unless they are -very- simple to
use, they won't be taken up by the community.  If you can come up with
a single word that imputes the concept of "malicious data that I can
easily get onto the victim's machine and in front of the victim's
eyes but requires him to run it," that would be a great step forward.

Simplicity is key.  (Unlike this posting, which I did not have time
to make shorter and simpler.)


(Apologies for the late reply, I've only just caught up on this thread)

Would that it were that simple. Then there would not be debates. You've somewhat captured the intuitive idea with your long phrase, that being that these exploits require user intervention of some fashion to succeed. Were I to take a real world phrase and apply it to the cyber realm, the closest that comes to mind is "booby trap", but this does not lend itself well to conveying the consequences of triggering a trap. Nor do I like applying classifications such as "remote to user" to exploits involving user interaction, as this phrase does not distinguish between automated attacks and those requiring user intervention, even though it does convey some of the requirements and consequences of the attack.

Realistically, these types of attacks encompass multiple components such as the delivery vector (e.g. webpage, email), level of user interaction (e.g. regular use of program, clicking attachment) and consequences (e.g. privileges obtained). A simple classification scheme along the lines of "remote to root" is not well suited to conveying all these details. From a modeling standpoint, breaking the attacks down into its components makes sense, but that is not always as useful from a user standpoint. The user might be more concerned about distinguishing exploits that can occur during normal use from those which require more social engineering as the former implies little to no user control over the risks (other than patching when a patch is available of course). Academically however, these might just be two branches rather far down on a taxonomy tree. So, I suppose it has to be asked if we just want catchy phrases to impress upon the user the severity of an issue so they patch or if we want an academic classification scheme. The two aims do not always align.

Melissa