The incidence of the misuse of "incidence", when an author actually means "incidents", is very high, as this and similar incidents demonstrate well.
Gartner: Super hackers basically don't exist, your incident response plan sucks, and you should relish the opportunity to drown in data: such are the lessons from incident response fanatic Anton Chuvakin. The analyst, physicist, and former director of Security Warrior Consulting gave delegates of the Gartner Security and Risk …
This is because you don't work day in, day out on IR and are unaware of how deep the incidents rabbit hole goes, and it's very easy to get confused. Here are some of the other uses we have in the trade:
Inside Ants - Ants nest in the datacentre.
Inside Ents - Downtime related to rampaging forest elementals in the data centre protesting your rampant overuse of fossil fuels destroying the environment.
Arthur Dents - Tea-drinking everyman who nevertheless seems to court disaster on a regular basis.
Eensy Dents - As Ted Crilly would testify, this is the wrong way to repair bodywork on a Rover 213.
Ince Idents - Pen tests from individuals posing as famous Inces, such as Sir Godfrey Ince, William Ince MP, or Clayton Ince.
It's A Fence - Theft of server equipment due to an insufficient number of walls between datacentre and criminal underworld, kit sold to guy(s) at a pub.
Coe Indidents - Spectacularly expensive operations that quite by accident are backed by Sebastian Coe.
Super hackers don't exist because everyone leaves entries in logs.
Am I the only one thinking that is a stupid comment? If "super hackers" did in fact exist then you wouldn't know as they wouldn't leave entries in logs.
I love a good oxymoron.
Click the 'Start' button to shut down the computer.
"Monetary cost is a question that should have been left in the 1990s," Chuvakin says.
Yeah, good luck with that. The 90s were all about ignoring the monetary question, hence the dot com bust. "You have more money than time." - Anyone else remember the war cry of the fishies? As a way to bill people it was genius, but as a way to run your business, not so much.
Agreed, and it appears that Chuvakin is not a frequent member of the Budget/Project decision committee meetings.
Security is obviously a balance of Cost vs Risk... The questions are always the same: "Can the risks be mitigated, and if so how much will it cost?" What's that you say, we "must" have at least 3 data centres to host our Exchange server..... HOW MUCH......
A simple enough 'canary' logging (yes also goes to another box) rule in your firewall/gateway tells you who's looking, how often etc and frequently also ties up with spammer 'probing proxies' or 'completely legitimate business enterprises' like one featured in a certain paper yesterday (not mine!) as 'google for hackers' and will probably appreciate the free advertising.
As for the 'everyone leaves a trace', this is well known but it only seems like there is a super unseen elite because webmail providers ignore attempts to communicate clumps of relay attempts, ISPs ignore notifications of streams of login attempts, universities have officially sanctioned 'research' scans, and cloud providers hide behind the 'customers are not our problem, even breaches of the Computer Misuse Act or whatever it is called in your juris-my-diction'. No names because people always get scarily defensive about their chosen provider (for meanings of 'their' and 'chosen' and probably also 'provider').
Companies don't care and puny individuals can go whistle. So all we can do is lock stuff down as hard as possible and hope for the best. Or unplug everything.
I like your thinking; however, as they are aware of the when/how/where of sys logs, it wouldn't be that difficult to fake said logs even if they were on another machine, as once you own the machine sending the logs it's pretty simple.
Fear the invisible mighty super hackers that may or may not exist, nobody would ever know.
> as they are aware of the when/how/where of sys logs it wouldn't be that difficult to fake said logs
An entirely correct point - so that's something else to watch out for when trying to figure out WTF the logs mean once they have been filled with all that chaff and sorting out the actual start point depending on how clever they have or have not been.
Also important is to ensure the logging machine only ever accepts logging messages and no other connections, etc. etc. I realise I'm preaching to the choir now... perhaps syslog boxes should boot from a self-destructing USB stick and record everything to WORM drives, or is that just standard practice now...?
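To illustrate the write-once collector idea above, here is an added example (mine, not from any commenter in this thread): a collector-side, HMAC-chained append-only log and its verifier, assuming a hypothetical secret held only on the log host and using constructed sample lines. It makes stored history tamper-evident (edits, deletions, reordering, forged digests); it cannot distinguish entries forged on an already-owned sender from genuine ones, which is the earlier point about faking logs.

```python
import hashlib
import hmac
from typing import List, Optional

GENESIS = "0" * 64  # digest "before" the first entry

# Constructed sample lines, as a collector would receive them (not from the thread).
SAMPLE_LINES = [
    "Jan 10 03:14:07 gw sshd[2231]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Jan 10 03:14:09 gw sshd[2231]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Jan 10 03:14:12 gw canary: hit on decoy port 3389 from 198.51.100.7",
    "Jan 10 03:15:40 gw sshd[2240]: Accepted publickey for ops from 10.0.0.9 port 40122 ssh2",
]

def _link(key: bytes, prev: str, line: str) -> str:
    # Each digest covers the previous digest plus this line, so an edit anywhere
    # breaks every later link unless the attacker also holds the collector's key.
    return hmac.new(key, (prev + "\n" + line).encode(), hashlib.sha256).hexdigest()

def append_entry(chain: List[dict], line: str, key: bytes) -> dict:
    """Append one line; `key` is a hypothetical secret that never leaves the log host."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "line": line, "digest": _link(key, prev, line)}
    chain.append(entry)
    return entry

def build_chain(lines: List[str], key: bytes) -> List[dict]:
    chain: List[dict] = []
    for line in lines:
        append_entry(chain, line, key)
    return chain

def verify_chain(chain: List[dict], key: bytes) -> Optional[int]:
    """Return the index of the first broken entry, or None if the chain is intact.
    Catches edited lines, deleted/reordered entries and digests forged without the key."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if not hmac.compare_digest(_link(key, prev, entry["line"]), entry["digest"]):
            return i
        prev = entry["digest"]
    return None

if __name__ == "__main__":
    key = b"collector-only-secret"  # placeholder; a real deployment loads it on the log host
    chain = build_chain(SAMPLE_LINES, key)
    chain[2]["line"] = chain[2]["line"].replace("198.51.100.7", "10.0.0.9")  # hide the canary hit
    print("first broken entry:", verify_chain(chain, key))  # 2
```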
Or just not bother disguising the IP. It's trivial for an attacker to just proxy their connections through a rented botnet, so even knowing the correct IP would be pointless (what are you going to do, call up some random schmuck in Brazil / China / India and ask them to send you their computer so you can trace the attack?).
Biting the hand that feeds IT © 1998–2020