Firewall Wizards mailing list archives

Re: When to do something about detected attacks (was Re: how to do...)


From: zen () trouble org (d)
Date: Wed, 22 Apr 1998 14:15:25 -0700


Ok, I sez:
[blah blah blah]
What you seem to be saying is keep lots of data around for forensics and
later analysis or data mining.  That seems pretty reasonable to me, if you 
intend to do forensics or do more analysis.  I can't imagine, though, that 
every business hooked up to the Internet, from big to little, really has 
time, skill, or the inclination to do that.  It's arguably a shame that 
that is true, but it's reality.

I'll agree with you - the skill, time, & inclination are typically not
there.  However, can you conclude by that that this stuff shouldn't be 
kept?  If you're broken into, do you want to have some *possible* recourse,
or have essentially nothing?

Skipping to later in your letter, you say:

That's really my issue here.  Not everyone does security research at
your level.  If they don't, can they really afford to keep lots of
records around?

I believe the problem is that some people talk about using IDS's today,
as if they were really useful stuff... while I'm saying something like
hey, IDS doesn't really work all that well, and we need to keep this
stuff around to (a) learn, and (b) when the IDS does fail and we get
screwed, even if we don't have the capabilities ourselves, perhaps we
can call in the Hired Gun to analyze what we have saved.

[...]
Auditing and forensic information are always good to keep around, if
you intend to do later auditing and investigation of security breaches.
I don't see, though, how an IDS that tells you that www.microsoft.com
tried to bonk you (and failed) will help you determine which one of your
10K systems is running a vulnerable service.  

IDS is not everything; as I've said, I'm unconvinced that IDS is worth
much of anything right now other than an interesting research project,
but I do believe it has potential... I've been following it and used to 
go to IDS conferences some ten years ago, when it was *really* bad.  But 
what has changed?  I wouldn't be on this list if it were "IDS-wizards"...
I can barely read *some* of the traffic here, let alone all the mail that 
I usually get ;-)  (To be fair, however, if I didn't have my intense 
interest in analysis and auditing, I might well be wasting my time on IDS ;-))

And yes, of course IDS will not tell you what services are vulnerable, but 
if you keep getting hit frequently with an odd attack that should fail, 
perhaps you could investigate it - perhaps it's a variation that does work,
etc.

dan


