IDS mailing list archives

RE: Are sophisticated attacks just FUD?


From: drbitbucket () comcast net
Date: Wed, 30 Jun 2004 16:57:21 +0000

No, he's right.  But you need better toys to detect those sophisticated attacks anyway :)
I see IPS products as catching things that you could put your finger on via an IDS (or log input and the like) and do 
something about it (for low false positive rates).  There's a small category of attacks that typically fall into that 
category, with minimal false positives.  Most of those are web-based attacks; worms, viruses, Trojans, and other easily 
identifiable attacks.

Sophisticated attacks are often quiet and involve the exploitation of some trust relationship.  For example, if someone 
is collaborating with another organization and uses replayable authentication (i.e. reusable passwords), then a 
compromise in the other organization could yield a password that might work elsewhere.  Then the legitimate account is 
used to gain access, then privilege escalation after that.  These are very hard to detect.  You might get lucky if you 
can catch the intruder transferring an exploit or rootkit in the clear, or an observant user if the intruder is sloppy.  
But in order to do that level of detection, you need some broad IDS signatures that can be tuned using, perhaps, 
content-based filtering.

Jon Repaci, GCIA, CISSP
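The scenario Jon describes (a legitimate account used from somewhere it has no business being, followed by privilege escalation) is exactly the kind of thing a signature-only IDS misses but a small correlation rule can surface. The script below is an added example, not code from the post or from any product discussed in the thread. It parses constructed sshd/sudo syslog-style lines, compares each successful login against an assumed per-account baseline of source networks (the BASELINE table and the partner range 203.0.113.0/24 are invented for the example), and raises the severity when a sudo to root follows an off-baseline login on the same host within a window.

```python
"""Correlate logins and privilege escalation to flag a reused credential.

Added example for the discussion above; the log lines, the BASELINE table
and the 30-minute window are constructed assumptions, not data from the
mailing list or from any real product.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed baseline: the source networks each account normally logs in from.
# "partner-svc" is a shared account used by a partner organisation.
BASELINE = {
    "alice": [ip_network("10.1.0.0/16")],
    "partner-svc": [ip_network("203.0.113.0/24")],
}
ESCALATION_WINDOW = timedelta(minutes=30)

# Constructed sample log (sshd and sudo formats, simplified).
SAMPLE_LOG = """\
2004-06-30T02:10:05 host1 sshd[1201]: Accepted password for alice from 10.1.4.22 port 50122 ssh2
2004-06-30T02:41:17 host1 sshd[1310]: Accepted password for partner-svc from 203.0.113.7 port 44010 ssh2
2004-06-30T03:05:42 host2 sshd[2201]: Accepted password for partner-svc from 198.51.100.9 port 39211 ssh2
2004-06-30T03:09:08 host2 sudo: partner-svc : TTY=pts/1 ; PWD=/home/partner-svc ; USER=root ; COMMAND=/bin/sh
2004-06-30T03:30:00 host1 sshd[1412]: Failed password for bob from 10.1.4.50 port 50199 ssh2
"""

LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def parse_events(text):
    """Turn raw lines into login / sudo event dicts; unmatched lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "login", "user": user, "src": src})
            continue
        m = SUDO_RE.match(line)
        if m:
            ts, host, user, target, cmd = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "sudo", "user": user, "target": target, "cmd": cmd})
    return events


def off_baseline(user, src, baseline=BASELINE):
    """True when a known account logs in from outside all of its usual networks.

    Accounts with no baseline entry are not flagged here; in practice an
    unknown account is its own alert, handled elsewhere.
    """
    nets = baseline.get(user)
    if nets is None:
        return False
    addr = ip_address(src)
    return not any(addr in n for n in nets)


def detect(events, baseline=BASELINE, window=ESCALATION_WINDOW):
    """Return alerts: medium for an off-baseline login, high when the same
    account escalates to root on that host within the window afterwards."""
    alerts, suspect_logins = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "login" and off_baseline(ev["user"], ev["src"], baseline):
            suspect_logins.append(ev)
            alerts.append({"severity": "medium", "user": ev["user"], "host": ev["host"],
                           "reason": f"login from {ev['src']} outside baseline"})
        elif ev["kind"] == "sudo" and ev["target"] == "root":
            for lg in suspect_logins:
                delta = ev["ts"] - lg["ts"]
                if (lg["user"] == ev["user"] and lg["host"] == ev["host"]
                        and timedelta(0) <= delta <= window):
                    alerts.append({"severity": "high", "user": ev["user"], "host": ev["host"],
                                   "target": ev["target"],
                                   "reason": f"root escalation {delta} after off-baseline login"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["user"], a["host"], a["reason"])
```

On the sample, alice's login and the partner-svc login from the partner range pass silently, the partner-svc login from 198.51.100.9 produces a medium alert, and the sudo to root four minutes later on the same host promotes it to high. The rule is deliberately narrow: it fires only on accounts with a baseline and only on escalation to root, which is what keeps the false-positive rate at a level an operator will actually act on.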

-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com]
Sent: Tuesday, June 29, 2004 10:12 AM
To: focus-ids () securityfocus com
Subject: Are sophisticated attacks just FUD?


I had a big discussion with my boss who claims most of the IPS, SIM and other new tools are just
hype, protecting from sophisticated threats which only exist in labs.
He thinks multi-staged attacks and so on do not often happen in the wild and shows our firewall's
logs as evidence. It is true we see mostly worms. (NMAP) scanning happens once in a while, but he
claims it's a script kiddie, and the fact we have never seen a breach means it is not a real threat
(we run a large network operation).
I'm looking for statistical data showing how frequently sophisticated attacks and advanced tools
evolve and what their damage is to the corporation. If anyone knows of research showing whether this
is FUD or a real problem, I'd love to prove him wrong (I'm willing to admit I'd be happy to have
some new toys ;)