Attack tracing is often a misunderstood and misused concept. This section explores what attack tracing is, its costs versus its benefits, and the reasons for wanting to trace attacks.

Attack Tracing Versus Intrusion Tracing

Attack tracing is sometimes erroneously equated with intrusion tracing. As mentioned in Chapter 1, "An Introduction to Incident Response," however, an intrusion is just one of many types of security-related incident. Suppose, for example, that a DDoS attack occurred recently. A victim organization might want to determine where this attack originated. The only intrusions per se that might have occurred are those in which zombies and handlers were installed on systems, and many of today's attack techniques do not require any actual break-in to get Trojan horse programs onto victim systems. Exploiting bugs in NFS, the Network File System, to mount a volume read-write and then copy malicious programs onto the victim system is a good example.

Tracing vulnerability scans is a special problem. In most network environments, vulnerability scans occur almost constantly. Tracing scans cannot realistically be considered a type of intrusion tracing. The term "attack tracing" fits better (see the following sidebar), but perhaps "scan tracing" is the most appropriate term. Most importantly, tracing the source of scans is likely to be extremely unproductive, because a large number of scans are launched from legitimate hosts that have themselves been compromised, so the address traced to is often just another victim rather than the attacker. Furthermore, the sheer number of scans that occur every day makes tracing their origin unrealistic. Although it is wise to pay attention to scans, tracing their origin is, in most cases, not a good use of time and resources.
Relationship to the PDCERF Methodology

Chapter 3, "A Methodology for Incident Response," covered the PDCERF methodology. How is attack tracing related to this methodology, and to which stage(s) is it most relevant? It is most closely tied to the detection, containment, and eradication stages. Let's consider why.

Detection

Attack tracing is related to detection because tracing an event to a particular IP address often helps incident response personnel conclude that a connection or flow of packets across the network is not legitimate. Consider, for example, the meaning of a network connection (such as a telnet connection) from a known hostile address. If there is no possible legitimate purpose for such a connection, the only logical conclusion is that it represents a security-related incident.

Containment

Attack tracing is also related to containment in that knowing the source of an incident helps those handling it take corrective measures that limit its spread. Knowing that an attack on hosts within one's internal network originated from a particular IP address enables incident response staff or automated mechanisms to change router or firewall filtering rules to block traffic from that address. This course of action can slow down or halt an attack.

Eradication

Knowing the source of an attack can also help eradication efforts. Attackers might, for example, add bogus entries to critical files such as the .rhosts and /etc/hosts.equiv files on UNIX and Linux hosts, giving themselves a back-door entrance to victim hosts. Discovering and then deleting these entries eliminates the access avenue(s) the attackers used.

Considering Costs Versus Benefits

Weighing costs versus benefits is integral to everything done in the practice of computer and information security. Tracing attacks and intrusions is no exception.
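The detection and containment uses of tracing described above, as an added example that is not code from the book: connection-log lines are matched against a list of known hostile addresses (detection), and the traced addresses are then turned into firewall block rules (containment). The log lines, the hostile list, the protected networks and the tcp_wrappers-style message format are all constructed for the example. The one caveat a practitioner would add, and the code enforces, is that a traced address may belong to a compromised legitimate host or to your own address space, so a block rule is never generated for protected networks.

```python
"""Added example: match connection-log sources against a hostile address
list (detection) and derive firewall block rules from the traced address
(containment). Not code from the original text; every address, network
and log line here is constructed."""
import ipaddress
import re

# Constructed hostile-address list. In practice "a known hostile address"
# is a mix of single hosts and whole networks, so CIDR is supported.
HOSTILE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Networks a block rule must never touch: your own address space, the
# firewall's upstream link, loopback. Constructed for the example.
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24", "127.0.0.0/8")]

# Constructed syslog lines in the tcp_wrappers "connect from <addr>" style
# (hypothetical sample data, not a real log).
LOG = """\
Mar 14 02:11:07 gw in.telnetd[4121]: connect from 203.0.113.45
Mar 14 02:11:09 gw sshd[4130]: Accepted publickey for ops from 10.0.5.12 port 51022
Mar 14 02:12:30 gw in.telnetd[4140]: connect from 198.51.100.77
Mar 14 02:13:01 gw in.ftpd[4150]: connect from 192.0.2.8
"""

ADDR_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def is_in(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def find_hostile_connections(log_text, hostile=HOSTILE):
    """Return (log line, source address) pairs whose source is on the hostile list.
    Lines with no parseable source address are ignored rather than guessed at."""
    hits = []
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:          # e.g. 999.1.1.1 matched the regex shape
            continue
        if is_in(addr, hostile):
            hits.append((line, str(addr)))
    return hits


def block_rules(addresses, protected=PROTECTED):
    """Turn traced source addresses into iptables DROP rules.
    Addresses inside protected space are skipped and reported instead of
    blocked: a compromised-but-legitimate internal host, or an address you
    route through, must not be cut off by an automatic containment rule."""
    rules, skipped = [], []
    for a in sorted(set(addresses), key=ipaddress.ip_address):
        if is_in(ipaddress.ip_address(a), protected):
            skipped.append(a)
            continue
        rules.append(f"iptables -I INPUT -s {a} -j DROP")
    return rules, skipped


if __name__ == "__main__":
    hits = find_hostile_connections(LOG)
    for line, src in hits:
        print("HOSTILE", src, "|", line)
    # Deliberately include an internal address to show the protection check.
    rules, skipped = block_rules([src for _, src in hits] + ["10.0.5.12"])
    print("\n".join(rules))
    print("not blocked (protected):", skipped)
```

The rules are printed rather than applied so that the traced address can be reviewed before a filtering change goes onto a router or firewall; an automated mechanism would hand the same strings to the device, but only after the protected-network check.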
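The eradication step described above, as an added example that is not code from the book: the .rhosts and /etc/hosts.equiv trust files are parsed in their documented "host [user]" format, every entry that grants access beyond an explicit allowlist of known hosts is reported, and a cleaned copy with those entries removed is produced. The allowlist and the sample file contents are constructed for the example.

```python
"""Added example: audit the host-trust files attackers plant back-door
entries in (~/.rhosts, /etc/hosts.equiv). Not code from the original text;
the allowlist and the sample file contents are constructed."""

# Constructed allowlist: hosts that site policy permits to use rlogin/rsh
# trust into this system. Anything else is an access avenue to review.
KNOWN_HOSTS = {"build1.example.com", "build2.example.com"}


def parse_entries(text):
    """Yield (line_number, host_field, user_field) for each non-comment line.
    Format per rhosts(5)/hosts.equiv(5): 'host [user]', where '+' means any,
    a leading '-' denies, and '+@name' refers to an NIS netgroup."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield n, fields[0], (fields[1] if len(fields) > 1 else None)


def audit_trust_file(text, known_hosts=KNOWN_HOSTS):
    """Return (line, host, user, reason) for every entry that should be removed
    or reviewed. Only an explicit, known host with no user override passes.
    Attackers favour wildcards because a single '+' line grants every host
    password-less access, which is exactly the back door the text describes."""
    findings = []
    for n, host, user in parse_entries(text):
        if host.startswith("-"):
            continue                        # explicit deny: not an access avenue
        if host == "+" or user == "+":
            findings.append((n, host, user, "wildcard trust"))
        elif host.startswith("+@"):
            findings.append((n, host, user, "netgroup trust; verify group membership"))
        elif host.lower() not in known_hosts:
            findings.append((n, host, user, "host not on allowlist"))
        elif user is not None:
            findings.append((n, host, user, "trusts a specific remote user; verify"))
    return findings


def clean_trust_file(text, known_hosts=KNOWN_HOSTS):
    """Return the file contents with every flagged line removed (the eradication
    step). Comments and deny entries are preserved unchanged."""
    bad = {f[0] for f in audit_trust_file(text, known_hosts)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample ~/.rhosts: one legitimate entry, one wildcard back door,
# a user override, an unknown host, a deny line and a netgroup reference.
SAMPLE_RHOSTS = """\
build1.example.com
+ +
build2.example.com   root
# legacy
evil.example.net
-untrusted.example.com
+@lab
"""

if __name__ == "__main__":
    for line, host, user, reason in audit_trust_file(SAMPLE_RHOSTS):
        print(f"line {line}: {host} {user or ''}  -> {reason}")
    print("--- cleaned ---")
    print(clean_trust_file(SAMPLE_RHOSTS), end="")
```

To audit a real host, read each user's ~/.rhosts and /etc/hosts.equiv into `audit_trust_file` and write the output of `clean_trust_file` back only after the findings have been reviewed; the allowlist is what turns "unknown host" from a guess into a policy decision.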
An organization with extensive computing resources and extensive connectivity to the outside will experience many hundreds, sometimes thousands, of attacks every day. It is not practical to respond to every attack, let alone trace its source; tracing demands an even greater level of effort and resources than responding does. It is important, therefore, to have a policy that specifies when attacks must (or at least may) be traced or, perhaps more realistically, to assign priorities to the need to trace each incident and then, when many attacks occur simultaneously, trace those with the highest priority. Lower priority attacks might be traced only when few attacks are occurring at once, or perhaps not at all. Again, the organization's policy concerning whether attacks should be traced and, if so, to what extent, is the key.

Motivation for Tracing Attacks

A few organizations have a policy that specifies that attacks must not (except perhaps in extraordinary circumstances) be traced. The normal rationale for such a policy is one (or all) of the following: