We saw what typically happens when trying to use static rule-based log
correlation to perform real-time incident management: combinatorial explosion
and lack of scalability. How do you automate non-deterministic attacks in a
few discrete steps?
Today, we'll look at more scenarios for which static rule-based log
correlation doesn't make sense.
Attack Scenario Example 2: Brute Force Attack
Let's look at another example scenario: a brute force attack.
- A user tries to log in to his account
- He fails many times in a row and then finally succeeds
- Then "probably" a successful Brute Force Attack just took place
Again, let's look at this apparently simple scenario in more detail.
- Some organizations consider it more likely that a brute force attack has taken
  place if the failed logins are all on the same account.
  - But what if the attacker attacks different accounts?
    - The attack may... (more)
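As an added example (not code from the original post), the scenario above can be written as a small windowed detector: flag a successful login that is preceded by N failures within a time window. The detector below runs over constructed auth log lines and can group by account or by source address, which makes the caveat in the post concrete: a burst of failures against one account trips the per-account rule, while the same number of failures spread across five accounts from one source never does, and only shows up when the rule is keyed on the source. The log format, field names, thresholds and sample values are all assumptions made for this example.

```python
"""Added example: windowed 'N failures then success' detector over constructed
auth log lines. Not code from the original post; the log format, thresholds and
sample data are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (constructed for this example):
#   "<ISO timestamp> auth: FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$')

# Constructed sample log: a single-account burst (alice), a spray across five
# accounts from one source (203.0.113.9), and an ordinary typo by alice
# (one failure, then success) that should not alert.
SAMPLE_LOG = """\
2024-01-15T09:00:01 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:00:04 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:00:07 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:00:10 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:00:13 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:00:16 auth: OK user=alice src=10.0.0.5
2024-01-15T09:05:00 auth: FAIL user=bob src=203.0.113.9
2024-01-15T09:05:02 auth: FAIL user=carol src=203.0.113.9
2024-01-15T09:05:04 auth: FAIL user=dave src=203.0.113.9
2024-01-15T09:05:06 auth: FAIL user=erin src=203.0.113.9
2024-01-15T09:05:08 auth: FAIL user=frank src=203.0.113.9
2024-01-15T09:05:10 auth: OK user=frank src=203.0.113.9
2024-01-15T09:30:00 auth: FAIL user=alice src=10.0.0.5
2024-01-15T09:30:05 auth: OK user=alice src=10.0.0.5
""".splitlines()


def parse(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {'ts': datetime.fromisoformat(m['ts']), 'result': m['result'],
            'user': m['user'], 'src': m['src']}


def detect(lines, key='user', threshold=5, window_seconds=600):
    """Flag a success preceded by at least `threshold` failures within
    `window_seconds`, grouped by `key` ('user' or 'src').
    Returns a list of (key value, failure count, success timestamp) tuples."""
    failures = defaultdict(deque)   # key value -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                 # unparseable line: skip rather than crash
        q = failures[ev[key]]
        # Expire failures that fall outside the window relative to this event.
        while q and (ev['ts'] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev['result'] == 'FAIL':
            q.append(ev['ts'])
        else:
            if len(q) >= threshold:
                alerts.append((ev[key], len(q), ev['ts']))
            q.clear()                # a success resets the run of failures
    return alerts


if __name__ == '__main__':
    # Grouped by user: only alice's burst alerts.
    # Grouped by src: both 10.0.0.5 and 203.0.113.9 alert.
    for key in ('user', 'src'):
        print(f'grouped by {key}:')
        for k, n, ts in detect(SAMPLE_LOG, key=key):
            print(f'  {k}: {n} failures then success at {ts.isoformat()}')
```

Keyed on `user`, the spray from 203.0.113.9 produces at most one failure per account and is invisible; keyed on `src` it is reported with the same count as the single-account burst. Shrinking the window (for example to a few seconds) silences the alice burst too, since her failures are three seconds apart, which is the kind of tuning the post's "static rule" objection is about.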
First-party fraud involves fraudsters who apply for credit cards, loans,
overdrafts and unsecured banking credit lines with no intention of paying
them back. It is a serious problem for banking institutions. U.S. banks lose
tens of billions of dollars every year (1) to first-party fraud, which is
estimated to account for as much as one-quarter or more of total consumer credit
charge-offs in the United States (2). It is further estimated that 10%-20% of
unsecured bad debt at leading US and European banks is misclassified, and is
actually first-party fraud (3).
Contrary to third-part... (more)
Over the next few weeks, we'll investigate how the expression "An ounce of
prevention is worth a pound of cure" could also be applied to the IT world,
and what are the tools to foster preventive security through behavior
When looking at IT security, it seems that most of the security solutions
today are based on Defensive Security. Technologies such as AntiVirus,
Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems,
Anti-Trojan, Anti-Worms, and Anti-Spyware belong in this category. The
primary focus of these technologies is defending against secu... (more)
This week let's review why logs are such a popular and powerful tool when
performing forensics, and how to ensure that investigators are working from a
clean stream of data.
Logs used in forensics have several distinct advantages.
First, logs can be used not only to solve the IT crime, but also as evidence
in a court of law, provided that they have been properly managed.
Second, logs are widely available. Logs have been around for the past 25
years and today all electronic equipment is capable of generating logs.
Third, best practices for log management are mature, all system adm... (more)
Last week we saw that a proper log management tool is a powerful way to
catch the bad guys.
Advertise your use of such a tool and you will send a clear signal to
would-be attackers that they will be caught, which will act as a powerful
deterrent, and curb bad behaviors.
A 2004 study from Ibas, a computer forensics firm, conducted on 400 UK
businesses showed that "69.6% of business professionals have stolen some form
of corporate IP from their employer when leaving a job."
I simply cannot believe that 69.6% of the people are "bad guys," responsible
for a trillion dollar worldwid... (more)