IDS mailing list archives
RE: Are sophisticated attacks just FUD?
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 30 Jun 2004 12:08:54 -0400
I think you need to look no further than the recent IIS/IE worm which used a multi-vector attack. AFAIK, it exploited MS-0411, and then vulnerabilities in browsers. So I think the detection of multi-vector attacks is a critical issue. This is typically done via event correlation.

The sophisticated threats are out there, and are very real. I think the question of the day is: do IDS/IPS type solutions properly identify them? I tend to think that event correlation is the real defense against these sophisticated threats, preferably in real time. I'm quite unconvinced that there's any software out there capable of doing event correlation on an automated basis. This seems to require two things:

1. The tools to effectively mine and distill event data, and
2. A logical, thinking, knowledgeable human being to interpret the data.

I truly believe that TRUE intrusion detection/prevention will *only* be effective when performed by human beings using good tools.

Sophisticated multi-vector attacks are becoming more common. We've used them in penetration testing successfully, so if we can do it..... Would an IPS detect and react? I haven't played enough in a lab to determine that. Did they do that in the case of this latest worm? Enquiring minds want to know.
-----Original Message-----
From: Sam Heshbon [mailto:sheshbon () yahoo com]
Sent: Tuesday, June 29, 2004 12:12 PM
To: focus-ids () securityfocus com
Subject: Are sophisticated attacks just FUD?

I had a big discussion with my boss who claims most of the IPS, SIM and other new tools are just a hype protecting from sophisticated threats, which only exist in labs.
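The post above argues that multi-vector attacks are caught by correlating events from several sensors rather than by any single signature. As an added illustration (not code from the poster or from any product mentioned in the thread), the following Python sketch shows the minimal stateful logic such a correlator needs: a NIDS alert for an IIS exploit against a server is held as a pending stage 1, and any outbound connection that the same server initiates within a short window (a dropper fetch, a callback to the attacker) is attached as stage 2, producing a single multi-stage incident instead of three unrelated alerts. The log format, sensor names ("nids", "fw", "proxy"), the signature name "IIS_EXPLOIT_ATTEMPT" and the sample events are all constructed for this example; the 300-second window is an arbitrary choice. Events are sorted by timestamp before processing because the sample deliberately contains one out-of-order line; a real-time engine would instead rely on sensors delivering roughly in order.

```python
"""Toy multi-stage event correlator (illustrative, constructed data).

Stage 1: a NIDS alert says a server was hit with an IIS exploit.
Stage 2: that same server opens outbound connections shortly afterwards.
Only hosts that show both stages within the window become incidents.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str   # hypothetical sensor names: nids, fw, proxy
    src: str
    dst: str
    detail: str


@dataclass
class Incident:
    host: str                 # the server that was exploited
    attacker: str             # source of the exploit attempt
    exploit_ts: datetime
    followups: list = field(default_factory=list)  # stage-2 events

    @property
    def contacted_attacker(self) -> bool:
        """True if the host later connected back to the exploiting IP."""
        return any(e.dst == self.attacker for e in self.followups)


# Constructed sample events, not real logs. Format:
# <iso timestamp> <sensor> <src ip> <dst ip> <detail...>
SAMPLE_LOG = """\
2004-06-24T09:00:01 nids 203.0.113.7 192.0.2.10 IIS_EXPLOIT_ATTEMPT
2004-06-24T09:00:04 fw 192.0.2.10 203.0.113.7 OUTBOUND_NEW_CONNECTION tcp/21
2004-06-24T09:00:12 proxy 192.0.2.10 203.0.113.7 HTTP_GET /tools/x.exe
2004-06-24T09:05:00 nids 203.0.113.99 192.0.2.11 IIS_EXPLOIT_ATTEMPT
2004-06-24T10:00:00 fw 192.0.2.11 198.51.100.5 OUTBOUND_NEW_CONNECTION tcp/80
2004-06-24T09:30:00 fw 192.0.2.12 198.51.100.9 OUTBOUND_NEW_CONNECTION tcp/443
"""

EXPLOIT_SIGS = {"IIS_EXPLOIT_ATTEMPT"}   # hypothetical NIDS signature name
STAGE2_SENSORS = {"fw", "proxy"}         # sensors that see outbound activity


def parse_events(text: str) -> list:
    """Parse the constructed whitespace-separated log format into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sensor, src, dst, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), sensor, src, dst, detail))
    return events


def correlate(events: list, window_seconds: int = 300) -> list:
    """Return one Incident per host showing exploit followed by outbound activity."""
    window = timedelta(seconds=window_seconds)
    pending = {}      # host -> Incident waiting for stage-2 evidence
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Stage 1: exploit alert against ev.dst; remember it and move on.
        if ev.sensor == "nids" and ev.detail.split()[0] in EXPLOIT_SIGS:
            pending[ev.dst] = Incident(host=ev.dst, attacker=ev.src, exploit_ts=ev.ts)
            continue
        # Stage 2: the previously attacked host is now the *source*.
        inc = pending.get(ev.src)
        if inc is None or ev.sensor not in STAGE2_SENSORS:
            continue
        if ev.ts - inc.exploit_ts > window:
            del pending[ev.src]          # too late to be related; expire it
            continue
        inc.followups.append(ev)
        if len(inc.followups) == 1:      # first corroborating event opens the incident
            incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_events(SAMPLE_LOG)):
        print(f"{inc.host} exploited from {inc.attacker} at {inc.exploit_ts:%H:%M:%S}; "
              f"{len(inc.followups)} outbound event(s); "
              f"contacted attacker: {inc.contacted_attacker}")
```

With the sample data only 192.0.2.10 becomes an incident: it was hit and then, within seconds, opened an FTP connection and fetched a file from the very IP that attacked it. 192.0.2.11 was also hit, but its outbound connection an hour later falls outside the window, and 192.0.2.12 shows outbound traffic with no preceding exploit. Widening the window would pull 192.0.2.11 in, which is exactly the tuning decision (and the false-positive/false-negative trade-off) that the post says still needs a knowledgeable human behind the tool.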
Current thread:
- Re: Are sophisticated attacks just FUD? Drew Simonis (Jun 30)
- <Possible follow-ups>
- Re: Are sophisticated attacks just FUD? Brian Lund (Jun 30)
- RE: Are sophisticated attacks just FUD? Keith T. Morgan (Jun 30)
- RE: Are sophisticated attacks just FUD? Angel Rivera (Jun 30)
- RE: Are sophisticated attacks just FUD? drbitbucket (Jul 01)
- RE: Are sophisticated attacks just FUD? Steve Hall (Jul 01)
- RE: Are sophisticated attacks just FUD? Joshua Berry (Jul 01)
- RE: Are sophisticated attacks just FUD? Chuck Herrin (Jul 04)
- RE: Are sophisticated attacks just FUD? Rob Shein (Jul 01)
- RE: Are sophisticated attacks just FUD? Runion Mark A FGA DOIM WEBMASTER(ctr) (Jul 04)
- Re: Are sophisticated attacks just FUD? Anton A. Chuvakin (Jul 09)