RE: Are sophisticated attacks just FUD?

From: Keith T. Morgan (keith.morgan_at_terradon.com)
Date: 06/30/04

    Date: Wed, 30 Jun 2004 12:08:54 -0400
    To: "Sam Heshbon" <sheshbon@yahoo.com>, <focus-ids@securityfocus.com>

    I think you need to look no further than the recent IIS/IE worm which
    used a multi-vector attack. AFAIK, it exploited MS-0411, and then
    vulnerabilities in browsers.

    So I think the detection of multi-vector attacks is a critical issue.
    This is typically done via event correlation. The sophisticated threats
    are out there, and are very real. I think the question of the day is do
    IDS/IPS type solutions properly identify them. I tend to think that
    event correlation is the real defense against these sophisticated
    threats. Preferably in realtime. I'm quite unconvinced that there's
    any software out there capable of doing event correlation on an
    automated basis. This seems to require two things: 1. The tools to
    effectively mine and distill event data, and 2. A logical, thinking,
    knowledgeable human being to interpret the data. I truly believe that
    TRUE intrusion detection prevention will *only* be effective when
    performed by human beings using good tools.

    Sophisticated multi-vector attacks are becoming more common. We've used
    them in penetration testing successfully, so if we can do it.....

    Would an IPS detect and react? I haven't played enough in a lab to
    determine that. Did they do that in the case of this latest worm?
    Enquiring minds want to know.

    > -----Original Message-----
    > From: Sam Heshbon [mailto:sheshbon@yahoo.com]
    > Sent: Tuesday, June 29, 2004 12:12 PM
    > To: focus-ids@securityfocus.com
    > Subject: Are sophisticated attacks just FUD?
    >
    > I had a big discussion with my boss who claims most of the
    > IPS, SIM and other new tools are just a hype protecting from
    > sophisticated threats, which only exist in labs.
    **************************************************************************************************
    The contents of this email and any attachments are confidential.
    It is intended for the named recipient(s) only.
    If you have received this email in error please notify the system manager or the
    sender immediately and do not disclose the contents to anyone or make copies.

    ** this message has been scanned for viruses, vandals and malicious content **
    **************************************************************************************************
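Keith's argument is that a multi-vector attack shows up not as one alert but as a chain of otherwise unremarkable events across several sensors, and that catching it means correlating those events, preferably in realtime. The following is an added example, not code from any poster on this thread or from any IDS/IPS product, of the minimal form of that correlation: a single pass over time-ordered events that tracks, per host, where in a hypothetical attack chain that host is, and only raises an incident when the whole chain completes within a time window. The event format, signature names, IP addresses and log lines are constructed for illustration and are not modelled on any specific worm; the chain (server exploited, web content tampered, then clients attacked from that server) is an assumed shape, not a description of the worm Keith refers to.

```python
"""Toy realtime correlation of a multi-stage (multi-vector) attack chain.

Added example for this thread; not code from any poster or product. The
event format, signature names and sample lines below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: timestamp sensor src dst signature ('-' = none).
# Only 192.0.2.10 completes the whole chain; .11 and .12 each trip one stage.
RAW_EVENTS = """\
2004-06-28T09:00:05 nids 203.0.113.7 192.0.2.10 SERVER_EXPLOIT_ATTEMPT
2004-06-28T09:00:09 hids 192.0.2.10 - WEBROOT_FILE_MODIFIED
2004-06-28T09:03:41 nids 192.0.2.10 198.51.100.5 OUTBOUND_NEW_DEST
2004-06-28T09:12:10 nids 192.0.2.10 10.0.0.23 CLIENT_EXPLOIT_ATTEMPT
2004-06-28T09:12:12 nids 192.0.2.10 10.0.0.44 CLIENT_EXPLOIT_ATTEMPT
2004-06-28T11:30:00 nids 203.0.113.9 192.0.2.11 SERVER_EXPLOIT_ATTEMPT
2004-06-28T14:00:00 hids 192.0.2.12 - WEBROOT_FILE_MODIFIED
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    sig: str


@dataclass(frozen=True)
class Stage:
    name: str
    sig: str          # signature that satisfies this stage
    pivot: str        # 'src' or 'dst': which field must equal the tracked host
    min_count: int = 1  # how many matching events are needed to pass the stage


# Hypothetical chain: a server is exploited, its web content is altered, and
# it then starts serving client-side exploits to multiple browsers.
WEB_WORM_CHAIN = [
    Stage("server_exploited", "SERVER_EXPLOIT_ATTEMPT", "dst"),
    Stage("content_tampered", "WEBROOT_FILE_MODIFIED", "src"),
    Stage("clients_attacked", "CLIENT_EXPLOIT_ATTEMPT", "src", min_count=2),
]


@dataclass
class HostState:
    idx: int = 0                    # index of the stage we are waiting for
    t0: datetime = None             # when the chain started for this host
    stage_hits: List[Event] = field(default_factory=list)
    evidence: List[Event] = field(default_factory=list)


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, sig = line.split()
        events.append(Event(datetime.fromisoformat(ts), sensor, src, dst, sig))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, chain, window=timedelta(minutes=30)):
    """One pass over time-ordered events; can be fed incrementally from a feed."""
    state: Dict[str, HostState] = {}
    incidents = []
    for ev in events:
        for host in {ev.src, ev.dst} - {"-"}:
            st = state.setdefault(host, HostState())
            # A chain that stalls longer than the window is abandoned, so a
            # stage-1 hit hours ago cannot be paired with today's stage 2.
            if st.t0 is not None and ev.ts - st.t0 > window:
                st = state[host] = HostState()
            stage = chain[st.idx]
            if ev.sig != stage.sig or getattr(ev, stage.pivot) != host:
                continue
            if st.t0 is None:
                st.t0 = ev.ts
            st.stage_hits.append(ev)
            st.evidence.append(ev)
            if len(st.stage_hits) < stage.min_count:
                continue
            st.idx += 1
            st.stage_hits = []
            if st.idx == len(chain):
                incidents.append({
                    "host": host,
                    "started": st.t0,
                    "completed": ev.ts,
                    "stages": [s.name for s in chain],
                    "victims": sorted({e.dst for e in st.evidence
                                       if e.sig == chain[-1].sig}),
                    "evidence": st.evidence,   # what an analyst reviews
                })
                state[host] = HostState()
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_events(RAW_EVENTS), WEB_WORM_CHAIN):
        print(f"{inc['host']}: {' -> '.join(inc['stages'])} "
              f"({inc['started']:%H:%M:%S}..{inc['completed']:%H:%M:%S}), "
              f"clients hit: {inc['victims']}")
```

Run against the constructed feed, only 192.0.2.10 is reported, with the four events that make up the chain attached as evidence; the lone SERVER_EXPLOIT_ATTEMPT against 192.0.2.11 and the lone file modification on 192.0.2.12 are not, which is the whole point of correlating rather than alerting per signature. The output is a packaged incident for a person to judge, not an automatic block: the window, stage order and minimum counts are policy choices a real deployment has to tune, and a chain that completes across more than one window is missed by design.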


