Re: The value of detecting neutralized threats. (was RE: IDS blah blah)

[davidg () genmagic com (David Gillett)]

On 21 Jan 99, at 22:40, John Kozubik wrote:

> There are two reasons for trying to detect traffic and breaches with IDS
> that you have previously taken steps to prevent.
>
> (in answer to he question "why should we watch for netbios traffic if we
> have already firewalled those ports?")
>
> 1. The existence of network scans, petty DoS attempts, and lame netbios
> attacks can be one of two things - some teenager getting their kicks, or,
> a sophisticated attacker using these probes as a precursor to a more
> sophisticated (and successful, perhaps) attack.  Do not kid yourselves and
> think that well funded attackers do not at least try the front door once
> or twice before bringing out the big guns.  If you have sensitive and
> valuable data to protect, you are doing yourself a disservice by not
> making an effort to look for traffic that should theoretically not exist
> on the network.
>
> By discovering these precursors to what might be a more sophisticated
> attack, action can be taken to prevent its escalation.

  Exactly.  An intruder is unlikely to penetrate a reasonable level of 
security on the first try, unless extremely well-informed.  Proactive 
defense means detecting and responding (a chat with their ISP is often 
sufficient -- works better if they also hear from a few .mil and .gov 
sites...) to their initial failed attempts.


David G