IDS mailing list archives

Re: Tracking back internal incidents to users, not IPs


From: "Michael Allgeier" <Michael.Allgeier () lcra org>
Date: Tue, 21 Feb 2006 21:29:45 -0600

One method to 'skin this cat' is centralized logging.  Yes this would require authorized boxes and users but this 
should be the environment for an internal network.  I assume we are considering only MS clients.  This is one method I 
use, the other is a small script that runs after login that grabs the IP and user ID and logs it into a database (with 
date time stamp).  Another consideration is time sync of all devices and time from incident to time of request.  
Keeping logs for any substantial amount of time for a medium/large network will consume disk space.  Rotate and keep 
backups.  I've also had the 'unauthorized machine/user' attempt to cause havoc internally out to the Internet.  
Capturing Internet activity can identify the culprit, especially when they log into websites (Yahoo!, Google, etc..) so 
you have another means of tracking the person down.  Options are endless and are up to your imagination.  We have about 
3000 devices on our network.

Mike Allgeier, CISSP, CISM
Information Security Manager
Lower Colorado River Authority
1-800-PRO-LCRA ext. 2449
www.lcra.org 

"Charles Kaplan" <ckaplan () mazunetworks com> 2/20/2006 9:38:31 AM >>>

Given the wealth of expertise here, and the combined hundreds of years
of seat of the pants experience dealing with IDS alerts/incidents, I was
curious how most of us were figuring out users to contact VS system IPs.
Given that this is the 'last mile' for many of us, I believe it an ok
topic for this list.

My personal interest is as it relates to internal to internal incidents,
but it has lots of overlap with external to internal and internal to
external incidents as well.

Say for example you detect port scanning originating from an
un-authorized internal system, how do you go about getting a user name?

Note that I am assuming that the source is a DHCP system here (otherwise
it is much easier problem).  

I realize there is a lot of industry talk around DHCP, DDNS, user auth
(say Active Directory), NAC and such, but looking at real situations
today I am very interested in how people are solving this problem.

I am often given an internal IP# on my own network and asked to call the
user and ask them why they are doing something strange.  I would ideally
like to use some kind of extended NSlookup to tell me who to call.  And
while I won't be a spokes person for Microsoft any time soon, I think it
safe to assume that I would like to somehow find this info stored within
AD.

And yes, I realize that for the info to get to AD, it must be a
credentialed user, and maybe this is an area to debate, but I am simply
looking for ideas based on how others have solved this, not a 100%
perfect solution.

Thoughts?

Note that I would take an open source or a commercial product as a
viable answer.

Thanks

________________________
Charles Kaplan


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


Current thread: