CSIRT.TERRADON.COM
Thursday May 15 2008 12:34

INCIDENT RESPONSE FAQ


Why are so many alerts tracked? Posted: 2006-04-20
How do I get infected with spyware? Posted: 2006-04-14
What is DIPS? Posted: 2006-04-13

Why are so many alerts tracked? - by: keith.morgan@terradon.com - 2006-04-20

Alerts are often related. For example, an attacker who wants to poke and prod at a server may ping it first, then hit it with a network scan (using a tool such as SuperScan or Nmap), and then try to exploit vulnerabilities in the services (web server, mail server, etc.) that the scan shows running on the target machine.

We store large amounts of seemingly innocuous alert information to tie these escalating activities together. For example, if we see an attack against Apache and want to determine whether it came from a worm or was hand-driven, we can look at all related events from the attacker's IP address and check for a pattern indicating that someone is sitting at a computer targeting one of our customer systems by hand. We are not just interested in foiling the worm of the day; we feel the biggest threat is a targeted attack by a skilled hacker. Storing lots of information and correlating a poke here with a prod there helps identify human-driven attacks.
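The correlation described above, as an added example that is not Terradon's own code: group alerts by source IP and decide whether a source walked through the ping, scan, exploit stages in order (a hand-driven attacker) or only fired identical exploit attempts in rapid succession (worm-like). The alert lines, their field layout (timestamp, sensor, source IP, category, detail), the stage ranking and the 30-minute window are all assumptions made for illustration, not the format of the real alert database.

```python
"""Correlate low-severity alerts per source IP to spot hand-driven escalation.

Added example, not Terradon's code. The alert format and the sample lines
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts: one source probes a web server step by step,
# one hammers it with the same exploit request, one only pings.
SAMPLE_ALERTS = """\
2006-04-19T02:11:05 sensor-1 203.0.113.7 icmp_echo ping 198.51.100.10
2006-04-19T02:11:40 sensor-1 203.0.113.7 portscan tcp 1-1024 on 198.51.100.10
2006-04-19T02:14:12 sensor-1 203.0.113.7 web_attack GET /cgi-bin/../../etc/passwd
2006-04-19T02:15:30 sensor-1 203.0.113.7 web_attack POST /xmlrpc.php
2006-04-19T02:12:00 sensor-1 192.0.2.50 web_attack GET /default.ida?NNNN
2006-04-19T02:12:01 sensor-1 192.0.2.50 web_attack GET /default.ida?NNNN
2006-04-19T02:12:02 sensor-1 192.0.2.50 web_attack GET /default.ida?NNNN
2006-04-19T02:13:00 sensor-1 192.0.2.99 icmp_echo ping 198.51.100.10
"""

# Escalation stages, from innocuous to hostile (assumed ranking).
STAGE = {"icmp_echo": 1, "portscan": 2, "web_attack": 3}


def parse_alerts(text):
    """Parse 'timestamp sensor src category detail...' lines into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, category, detail = line.split(" ", 4)
        alerts.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "category": category, "detail": detail})
    return alerts


def classify_sources(alerts, window_minutes=30):
    """Return {src_ip: verdict}.

    'targeted'  - the source climbed through at least two stages in order,
                  reached an exploit attempt, and did so within the window.
    'worm-like' - only exploit attempts, all with the identical payload,
                  and no reconnaissance at all.
    'unclear'   - anything else (too little data to say).
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a["time"])
        span_min = (events[-1]["time"] - events[0]["time"]).total_seconds() / 60
        stages = [STAGE.get(a["category"], 0) for a in events]
        seen = set(stages)
        climbed = (stages == sorted(stages) and len(seen) >= 2
                   and span_min <= window_minutes)
        if climbed and 3 in seen:
            verdicts[src] = "targeted"
        elif seen == {3} and len({a["detail"] for a in events}) == 1:
            verdicts[src] = "worm-like"
        else:
            verdicts[src] = "unclear"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:15} {verdict}")
```

The point of keeping the ping and port-scan alerts is visible in the result: without them, 203.0.113.7 and 192.0.2.50 both look like "a web attack" and cannot be told apart.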

How do I get infected with spyware? - by: keith.morgan@terradon.com - 2006-04-14

Most users get infected with spyware simply by browsing internet sites. Sites tend to take advantage of two or three things to get you infected. The first is user gullibility: sites entice users with (often misleading) pop-ups which, when clicked, give the site "permission" from the user to install the spyware. The second is exploitation of vulnerabilities in browser software, which lets the spyware install itself with no user interaction. The third is spyware bundled into free or low-cost applications. Many times the EULA (End User License Agreement), through which the user just blindly clicks "OK", includes language amounting to "We're going to install stuff on your computer now which allows us to monitor you. Additionally, we can change it at any time and we don't have to tell you. Thanks."

What is DIPS? - by: csirt@terradon.com - 2006-04-13

DIPS is an innovative new twist on a well-established concept. DIPS stands for Distributed Intrusion Prevention System: a mesh of multiple intrusion prevention systems, securely networked together to work as one cohesive defensive system.

When one member of Terradon Communications Group's DIPS network sees an attacker, all other DIPS sensors across the TCG customer base are notified of the attack, and perimeter systems are instructed to "drop" or "black hole" the offending IP address or traffic. This creates a defensive community of which all TCG DIPS customers are members. DIPS members are distributed both physically around the United States and logically around the internet: the sensors reside on networks hosted by diverse internet providers.

In addition to providing automated attack blocking across the DIPS customer base, the sensors (installed across a wide range of provider networks) give TCG engineers a very broad day-to-day picture of the global internet landscape. TCG engineers see all alert and attack activity across the entire DIPS network in a secure central database and use it to detect trends and correlate events. This is an absolute necessity, since there is no software substitute for human diligence, intelligence, and experience.
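The fan-out described above, as an added example that is not the DIPS product's code: one sensor confirms an attack, a central coordinator records it and pushes a block to every sensor in the mesh. Two details a practitioner would want are included and are assumptions, not something the page describes: blocks carry an expiry so a shared or reassigned address is not black-holed forever, and a never-block list of customer prefixes stops a spoofed source address from turning the mesh into a tool for cutting off legitimate traffic. Sensor names, the 24-hour TTL and the sample addresses are all constructed.

```python
"""Propagate a block decision from one IPS sensor to a whole mesh.

Added example, not Terradon's DIPS code. Coordinator, sensor names, the
TTL and the never-block list are assumptions for illustration.
"""
import ipaddress
from datetime import datetime, timedelta


class Coordinator:
    """Central point: receives a block from one sensor, fans it out to all."""

    def __init__(self, never_block):
        # Prefixes that must never be black-holed even if a sensor reports
        # them (e.g. customer networks; a spoofed source could otherwise make
        # the mesh drop traffic from its own members).
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.sensors = []
        self.audit = []  # (time, reporting sensor, ip, accepted)

    def register(self, sensor):
        self.sensors.append(sensor)
        sensor.coordinator = self

    def report(self, sensor, ip, now, ttl=timedelta(hours=24)):
        """Accept or refuse a block and, if accepted, push it to every sensor."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.never_block):
            self.audit.append((now, sensor.name, ip, False))
            return False
        self.audit.append((now, sensor.name, ip, True))
        for s in self.sensors:
            s.blackhole(ip, now + ttl)
        return True


class Sensor:
    """One perimeter IPS; keeps its own blocklist with per-entry expiry."""

    def __init__(self, name):
        self.name = name
        self.coordinator = None
        self.blocked = {}  # ip -> expiry time

    def blackhole(self, ip, expires):
        # A later report extends the block; it never shortens it.
        self.blocked[ip] = max(expires, self.blocked.get(ip, expires))

    def is_blocked(self, ip, now):
        exp = self.blocked.get(ip)
        if exp is None:
            return False
        if exp <= now:
            del self.blocked[ip]  # expired: let the address through again
            return False
        return True

    def detect_attack(self, ip, now):
        """Called by the local IPS engine once an attack is confirmed."""
        return self.coordinator.report(self, ip, now)


def demo():
    """Run the scenario and return the observable outcomes."""
    t0 = datetime(2006, 4, 13, 9, 0)
    coord = Coordinator(never_block=["198.51.100.0/24"])  # assumed customer net
    sensors = [Sensor(n) for n in ("sensor-east", "sensor-west", "sensor-central")]
    for s in sensors:
        coord.register(s)

    accepted = sensors[0].detect_attack("203.0.113.7", t0)    # real attacker
    rejected = sensors[1].detect_attack("198.51.100.10", t0)  # customer address
    later = t0 + timedelta(hours=1)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "blocked_everywhere": all(s.is_blocked("203.0.113.7", later) for s in sensors),
        "customer_untouched": not any(s.is_blocked("198.51.100.10", later) for s in sensors),
        "expired_after_ttl": not sensors[2].is_blocked("203.0.113.7", t0 + timedelta(hours=25)),
        "audit_entries": len(coord.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The audit list is what lets an engineer later ask which sensor caused a block and why, which is the same "correlate it by hand afterwards" need the page describes for the central database.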
