{"id":196,"date":"2009-03-25T09:15:49","date_gmt":"2009-03-25T14:15:49","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=196"},"modified":"2009-03-31T10:07:59","modified_gmt":"2009-03-31T15:07:59","slug":"anatomy-of-an-attack-from-incident-to-expedient-resolution","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/25\/anatomy-of-an-attack-from-incident-to-expedient-resolution\/","title":{"rendered":"Anatomy of an Attack: From Incident to Expedient Resolution"},"content":{"rendered":"<p>For the first session of the morning on the last day of the TRISC 2009 Conference, I decided to attend the &#8220;Anatomy of an Attack: From Incident to Expedient Resolution&#8221; talk by Chris Smithee, a Systems Engineer at Lancope.\u00a0 He talked about the different types of attacks that you see on your network and how FLOW data can be used to monitor and eliminate some of these types of threats.\u00a0 My notes from the session are below:<!--more--><br \/>\n<span style=\"text-decoration: underline;\">Types of Attacks<\/span><\/p>\n<ul>\n<li> Barbarian Horde\n<ul>\n<li>Our castle walls must keep us safe\n<ul>\n<li>Script kiddies and DDoS<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li> Ninjas\n<ul>\n<li>Knowledgeable \u201cHaxx0rs\u201d with deliberate intent\n<ul>\n<li>Social engineering to exploits<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Vampires\n<ul>\n<li>Generally have to be \u201cinvited\u201d in\n<ul>\n<li>Convert others to their side<\/li>\n<li>Malware, worms, and botnets<\/li>\n<\/ul>\n<\/li>\n<li>Vampires are social creatures<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\">Problems with Traditional Mechanisms<\/span><\/p>\n<ul>\n<li> The Barbarian Horde\n<ul>\n<li>How do we know it\u2019s working?<\/li>\n<\/ul>\n<\/li>\n<li>Ninjas\n<ul>\n<li>Ninjas are stealthy and think outside the box<\/li>\n<li>Social Engineering can grant all manner of 
access<\/li>\n<\/ul>\n<\/li>\n<li>Vampires\n<ul>\n<li>What happens if you\u2019re the first one bit?<\/li>\n<li>Where do you have your safeguards?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"> How can Flow Data help? (Packet level logging for network devices \u2013 Ex: NetFlow)<\/span><\/p>\n<ul>\n<li> Global Accounting\n<ul>\n<li>Who, what, where, when, how<\/li>\n<\/ul>\n<\/li>\n<li>Barbarians\n<ul>\n<li>Who made it through the castle wall?<\/li>\n<\/ul>\n<\/li>\n<li>Ninjas\n<ul>\n<li>Forensic data<\/li>\n<li>\u201cSoft-Firewall\u201d like rules<\/li>\n<\/ul>\n<\/li>\n<li>Vampires\n<ul>\n<li>Containment is key \u2013 one hop away<\/li>\n<li>Policy verification<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"> Why Flow?<\/span><\/p>\n<ul>\n<li> Leverage your existing network infrastructure to quickly, accurately detect, contain and remediate incidents.<\/li>\n<li>Anywhere from a 3-10% impact on processor.\u00a0 Memory impact is even smaller.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"> Freeware flow data<\/span><\/p>\n<ul>\n<li> FLOW-TOOLS<\/li>\n<li>NMon<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"> Behavioral Analysis?<\/span><\/p>\n<ul>\n<li> Flow data is awesome.\u00a0 Why the expert system?\n<ul>\n<li>Flow data is plentiful \u2013 drinking from the firehose can hurt<\/li>\n<\/ul>\n<\/li>\n<li>The problem of context\n<ul>\n<li>Signatures and rules may not always be appropriate<\/li>\n<\/ul>\n<\/li>\n<li>Bobby Sue doesn\u2019t normally upload this many files to the Net<\/li>\n<li>Who has staff available to constantly scrub files and graphs?<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>For the first session of the morning on the last day of the TRISC 2009 Conference, I decided to attend the &#8220;Anatomy of an Attack: From Incident to Expedient Resolution&#8221; talk by Chris Smithee, a Systems Engineer at Lancope.\u00a0 He talked about the 
different types of attacks that you see on your network and how [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[222],"tags":[223,148,125,226,224,225,227],"class_list":["post-196","post","type-post","status-publish","format-standard","hentry","category-texas-regional-infrastructure-security-conference-2009","tag-anatomy","tag-attack","tag-data","tag-flow","tag-incident","tag-resolution","tag-tools"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-3a","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=196"}],"version-history":[{"count":9,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/196\/revisions"}],"predecessor-version":[{"id":205,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/
196\/revisions\/205"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}