Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

What’s Old is New, Sorta…

Data center breach, artwork via dreamlike.art.

I was telling a friend about stupid things I did ages ago, specifically web flaw scanning of the entire IP space of China and giving the results to activists working against the PRC, and they asked “what tool did you use?” It took a slight bit of googling, but I did find it.

It was the cgi scanner included with VLAD the Scanner (linked at the end of the page), first announced to the world at Black Hat in 2000. VLAD was written by the RAZOR research team I was a part of at BindView. Much to the chagrin of my boss at the time, the “stress test” of the cgi scanner was the China bit. And my god, some of that old code we wrote…

An Old Presentation

While searching I stumbled across a video of the old Black Hat presentation I gave in 2000 where I announced VLAD. The talk is somewhat dated and covers some odd attack methods I may or may not have used in my past (okay fine, I definitely did), discusses how those attack methods had started to move into the mainstream, and lays out certain weaknesses that need to be addressed. Some of those weaknesses have never been solved to this day. Oh sure, there have been some attempted solutions that came close, and with machine learning I think it can be done, but we are not where we should be.

I was already somewhat concerned because the main scenario I outlined was attacking systems using throwaway hosts, controlling those throwaway hosts from a main host, and using covert channels to help manage things. It bypassed most defenses available at the time. First discussed in public at a SANS presentation in 1999 called “Network Cat and Mouse” (link unavailable), it predated the start of the large-scale bot-controlled DDoS attacks that began not too long after.

My ideas did not involve denial of service. They involved scanning, mapping, attacking, and maintaining a presence - all in a more coordinated and stealthier way than before. By combining odd elements in the various IP stacks with a knowledge of infrastructure and covert channels of communication, a more organized method of attacking and maintaining a presence on an organization’s network was laid out.

Still the Same

But in that same talk I mentioned a few things that still ring true:

  • If a security system spits out a lot of false positives, the analysts chasing those false positives are too busy to look at any of the alerts, true or false, and will stop looking at the security system altogether.

  • Things that at first glance look benign will get dismissed as benign, mainly due to the amount of “benign-ness” in normal data sources. This is because analysts are usually looking for anomalies, not something that looks like everything else.

  • We don’t have a good way to look at extremely disparate “indicators of compromise” across multiple systems, and if we did, we could track attacks better - even prevent them by catching them early in the attack stages (like during the reconnaissance phase).

  • The “mimicking” of a trusted partner’s traffic was a variant of what would later be classified as a supply chain attack. Granted, we usually think of code when discussing supply chain vulnerabilities now, but it is really about trusting a source - be it a source of traffic, a source of information, or a source of code. Still, compromising a trusted partner was (and still is) a valid technique.

I’ve worked on things to improve this over the years from a lot of different angles. For example, when I worked at MITRE I used my experience from a previous employer (a network IDS startup), stripped the 5000+ signatures from MITRE’s Snort systems, and restarted from scratch with only 200 or so custom signatures that were 100% accurate. All of a sudden the front line analysts started acting on alerts instead of ignoring them. The true effectiveness of the tool was being maximized, and there were immediate benefits.
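The pruning described above comes down to one number per signature: how often analysts confirmed its alerts. Here is an added example (not code from the post, MITRE, or any Snort tooling) that scores a ruleset from analyst verdicts and proposes which signatures to disable; the signature ids, dispositions and the 90% precision threshold are constructed for the example.

```python
"""Per-signature precision triage for an IDS ruleset.

Added example, not code from the post or from any Snort tooling: it scores
each signature by how often analysts confirmed its alerts, then proposes
which signatures to disable so that the alerts that remain are worth acting
on. Signature ids, dispositions and thresholds are constructed for the example.
"""
from collections import defaultdict

# Constructed sample: (signature id, analyst disposition). Dispositions other
# than true_positive / false_positive count as not yet reviewed.
SAMPLE_ALERTS = (
    [("SID-1001", "true_positive")] * 6
    + [("SID-2002", "true_positive")] * 2
    + [("SID-2002", "false_positive")] * 18
    + [("SID-3003", "true_positive")] * 2
    + [("SID-3003", "false_positive"), ("SID-3003", "not_reviewed")]
    + [("SID-4004", "true_positive")] * 9
    + [("SID-4004", "false_positive")]
)


def signature_stats(alerts):
    """Per-signature counts and precision (confirmed / reviewed)."""
    stats = defaultdict(lambda: {"total": 0, "reviewed": 0, "tp": 0, "fp": 0})
    for sid, disposition in alerts:
        s = stats[sid]
        s["total"] += 1
        if disposition == "true_positive":
            s["tp"] += 1
            s["reviewed"] += 1
        elif disposition == "false_positive":
            s["fp"] += 1
            s["reviewed"] += 1
    for s in stats.values():
        # None until at least one alert of this signature has been reviewed
        s["precision"] = s["tp"] / s["reviewed"] if s["reviewed"] else None
    return dict(stats)


def prune_plan(stats, min_precision=0.9, min_reviewed=5):
    """Decide per signature: keep, disable, or needs_review (too few verdicts)."""
    plan = {}
    for sid, s in stats.items():
        if s["reviewed"] < min_reviewed:
            plan[sid] = "needs_review"
        elif s["precision"] >= min_precision:
            plan[sid] = "keep"
        else:
            plan[sid] = "disable"
    return plan


def volume_reduction(stats, plan):
    """Fraction of total alert volume removed by disabling the flagged signatures."""
    total = sum(s["total"] for s in stats.values())
    removed = sum(stats[sid]["total"] for sid, d in plan.items() if d == "disable")
    return removed / total if total else 0.0


if __name__ == "__main__":
    stats = signature_stats(SAMPLE_ALERTS)
    plan = prune_plan(stats)
    for sid in sorted(stats):
        s = stats[sid]
        prec = "n/a" if s["precision"] is None else f"{s['precision']:.2f}"
        print(f"{sid}: {s['total']} alerts, precision {prec} -> {plan[sid]}")
    print(f"alert volume removed: {volume_reduction(stats, plan):.0%}")
```

The `min_reviewed` floor matters: a signature with two confirmed hits and no verdicts on the rest is not "100% accurate", it is unmeasured, so it is held for review rather than kept or dropped on thin evidence. On the constructed data the single noisy signature accounts for half the alert volume, which is the kind of ratio that makes analysts stop reading the queue.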

Additionally, as we were tracking hundreds of IOCs and doing manual coordination, we had started a project involving AI to gather correlations between some of these disparate systems. Even just focusing on email IOCs we were starting to make progress, although for reasons beyond MITRE’s control (DHS budget cuts) the project did not go forward to completion. Note that this work on AI was over a decade ago.

A bit of hope

Now, all of a sudden, AI is all the rage, it’s the latest thing. Bitch all you want about how some LLM got some facts wrong and mixed up something odd; the biggest positive as far as I am concerned is that AI is now finally being taken seriously by upper management in numerous companies. Oh sure, there will still be some “garbage out” when people don’t fully understand the limitations of using other companies’ AI models instead of developing their own. But what it means to me is that my original concerns - brought on by being a prodding hacker doing mischief last century - may finally be addressed. I will work in this direction now, as will others.

From past experience, I’d say AI models built on subsets of relevant (i.e. my own) data are a good starting point, and then combining the output from multiple outputs/models/programs into a single alerting system could work. However, AI should be used only where it makes the most sense, not just for the sake of using it. DON’T RELY ON LLMs. Build your own models based upon your own data - the data you want analyzed.
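The "single alerting system" fed by disparate sources, and the earlier point about correlating indicators of compromise across systems, both reduce to the same mechanism: events that look benign in isolation get raised only when independent sources agree. The following is an added example of that correlator, not code from the post or from the MITRE project; the feed names (`mailgw`, `dns`, `proxy`), hostnames, indicator domains, the two-hour window and the two-source threshold are all constructed for the example. A model's verdicts would simply be one more feed.

```python
"""Correlating indicators across disparate sources (added example, not the
post's or MITRE's code).

Each feed on its own emits events that look like everything else; the
correlator raises one alert only when independent sources agree on the same
indicator for the same host inside a time window. Feed names, field layouts,
hostnames and the events below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
MIN_SOURCES = 2  # independent sources that must agree before alerting

# Constructed events, already normalised to a common shape. In practice each
# feed (mail gateway, DNS, proxy, a model's own verdicts) gets its own parser.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "mailgw", "indicator": "invoice-portal.example",
     "host": "ws-17", "detail": "link in inbound mail"},
    {"ts": "2024-05-01T09:04:00", "source": "dns", "indicator": "invoice-portal.example",
     "host": "ws-17", "detail": "A query"},
    {"ts": "2024-05-01T09:05:00", "source": "proxy", "indicator": "invoice-portal.example",
     "host": "ws-17", "detail": "GET /login"},
    {"ts": "2024-05-01T10:00:00", "source": "dns", "indicator": "cdn.example",
     "host": "ws-03", "detail": "A query"},
    {"ts": "2024-05-01T11:30:00", "source": "dns", "indicator": "cdn.example",
     "host": "ws-03", "detail": "A query"},
    {"ts": "2024-05-02T08:00:00", "source": "mailgw", "indicator": "invoice-portal.example",
     "host": "ws-22", "detail": "link in inbound mail"},
]


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Return one alert per (indicator, host) whose events come from at least
    `min_sources` distinct feeds within `window`; the widest agreement wins."""
    groups = defaultdict(list)
    for e in events:
        key = (e["indicator"], e["host"])
        groups[key].append((datetime.fromisoformat(e["ts"]), e["source"], e["detail"]))

    alerts = []
    for (indicator, host), evs in groups.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            sources = sorted({src for _, src, _ in span})
            if len(sources) >= min_sources and (best is None or len(sources) >= len(best["sources"])):
                best = {
                    "indicator": indicator,
                    "host": host,
                    "sources": sources,
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                    "chain": [f"{src}: {detail}" for _, src, detail in span],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} <-> {a['indicator']} seen by {', '.join(a['sources'])} "
              f"between {a['first_seen']} and {a['last_seen']}")
        for step in a["chain"]:
            print("   ", step)
```

On the constructed data, the repeated DNS lookups of `cdn.example` never alert because one feed agreeing with itself is not corroboration, and the day-two mail to `ws-22` stays quiet until a second source sees that host touch the same indicator. Only the mail-then-DNS-then-proxy chain on `ws-17` is raised, and the alert carries the whole chain so the analyst does not have to reassemble it by hand.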

If the “magic” system that pulls together data from multiple sources and spots attacks in real time actually comes together, I want to use it. I plan on working on the idea myself, or at least encouraging others to do the same. I just find it sad that this problem I began talking about nearly a quarter century ago is still around, and I am hoping we are finally getting closer to an actual solution.

Final Note

Since someone will ask, here are links to a few of the tools I wrote and/or used back in the day:

  • NCovert2 - This was a later improvement to the first publicly-released version, ncovert. It was based on an old tool, which I no longer have a copy of, that I used way back in the day. It allowed for stealth file transfer, a technique later heavily used by APT groups.

  • IcmpEnum - This tool allows for ICMP packet sweeps to detect hosts, and is not limited to echo (PING) packets; at the time most people simply blocked the echo packets and thought they were covered.

  • VLAD the Scanner - The version released at Black Hat was version 0.7; this link is to version 0.9.2. In it is the infamous cgi scanner I used against China, and an old RPC scanning tool from my early intrusion days that I had cleaned up for this release.
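The IcmpEnum point, that blocking echo requests leaves the other ICMP request types to sweep with, is still a useful check on a network's own logs. Here is an added example, not the post's code and not IcmpEnum, of the defender's side: it parses constructed firewall-style ICMP log lines and flags any source that sends ICMP requests of any type (echo, timestamp, information or address-mask request, the IANA-assigned types 8, 13, 15 and 17) to many distinct hosts in a short window. The log format, addresses, window and host threshold are assumptions made for the example.

```python
"""Detecting ICMP host sweeps that avoid echo requests.

Added example, not code from the post or from IcmpEnum itself. It parses
constructed firewall-style log lines and flags a source that sends ICMP
request types to many distinct hosts in a short window, whichever request
type it uses. The log format, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ICMP request types a sweep can use (IANA assignments). Type 8 is the one
# most sites block; the others are often left alone.
REQUEST_TYPES = {8: "echo", 13: "timestamp", 15: "info", 17: "address-mask"}

# Assumed log line layout for this example
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=icmp src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"type=(?P<type>\d+) code=(?P<code>\d+)$"
)

# Constructed sample log: one source sweeps five hosts with timestamp and
# address-mask requests; a monitoring host pings one target; one reply and
# one TCP line are present to show they are ignored.
SAMPLE_LOG = """\
2024-05-01T09:00:01 proto=icmp src=203.0.113.5 dst=192.0.2.10 type=13 code=0
2024-05-01T09:00:01 proto=icmp src=203.0.113.5 dst=192.0.2.11 type=13 code=0
2024-05-01T09:00:02 proto=icmp src=203.0.113.5 dst=192.0.2.12 type=13 code=0
2024-05-01T09:00:02 proto=icmp src=203.0.113.5 dst=192.0.2.13 type=17 code=0
2024-05-01T09:00:03 proto=icmp src=203.0.113.5 dst=192.0.2.14 type=17 code=0
2024-05-01T09:00:03 proto=icmp src=192.0.2.12 dst=203.0.113.5 type=14 code=0
2024-05-01T09:00:05 proto=icmp src=198.51.100.7 dst=192.0.2.10 type=8 code=0
2024-05-01T09:00:35 proto=icmp src=198.51.100.7 dst=192.0.2.10 type=8 code=0
2024-05-01T09:00:36 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for non-ICMP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"], "dst": m["dst"],
        "type": int(m["type"]), "code": int(m["code"]),
    }


def detect_sweeps(lines, window=timedelta(seconds=30), min_hosts=4):
    """Flag sources that send ICMP requests to at least `min_hosts` distinct
    destinations within `window`, regardless of which request type they use."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["type"] in REQUEST_TYPES:  # replies and errors are ignored
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["dst"] for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "src": src,
                    "hosts": hosts,
                    "types": sorted({REQUEST_TYPES[e["type"]] for e in span}),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
        if best:
            best["hosts"] = sorted(best["hosts"])
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} probed {len(f['hosts'])} hosts with "
              f"{'/'.join(f['types'])} requests between {f['first']} and {f['last']}")
```

The detection keys on fan-out per source rather than on ICMP type, so an echo-only filter at the border does not change what it sees; the `types` field in each finding shows which request types the source actually used, which is the evidence to bring when arguing that the filter needs widening. The repeated echo from `198.51.100.7` to one host is the kind of monitoring traffic that must not alert, and it does not.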
