Although you decided to block IRC access from inside the network, it might not be that clear for other employees in your company. If Mary from another department tries to connect to her favorite IRC channel at lunchtime, you'll probably catch it, but that doesn't mean there is a malware on Mary's workstation trying to contact the control center. However, a number of the same type of connections from one or multiple computers often is a good indication that something is going wrong.
In my work every day, I see some strange behavior. People always are trying to install illegitimate software, sometimes without even knowing it. Sometimes an employee's children try continuously installing Limewire on a company laptop given to them for playing a game or browsing the Internet.
With a little bit of information, you should be able to gather some statistics and distinguish real threats from normal misuse or other isolated incidents.
Securing information systems is a very hard task. Today we are in ongoing war against attackers—fighting the battles of time and money. Time is crucial in securing all environments when there is a threat in the wild, but first you need to know about it. If you know your enemies, their intentions and weapons, it is much easier to react and mitigate attacks. That's what Darknet and honeypots are all about.
ShadowServer Foundation: www.shadowserver.org
Snort IDS: www.snort.org
Team Cymru Project: www.team-cymru.org/Services/darknets.html
Setting an Evil Bit RFC3514: rfc.net/rfc3514.html
Snort IDS: www.engagesecurity.com/products/idscenter
Honeywall Project: https://projects.honeynet.org/honeywall
HIHAT Project: hihat.sourceforge.net
CAIDA Network Telescope Research: www.caida.org/research/security/telescope
University of Michigan—The Internet Motion Sensor: A Distributed Blackhole Monitoring System: www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/ims-ndss05.pdf
Tracking Global Threats with the Internet Motion Sensor: www.nanog.org/mtg-0410/pdf/bailey.pdf
Commercial Example of the Darknet Implementation: https://tms.symantec.com/Default.aspx
The Honeynet Project: www.honeynet.org
Grzegorz Landecki, CCNP, CISSP, is a security technologist at Cyber Security Team in Dublin, Ireland, responsible for protecting a major US company's 85K+, globally located computers.
|My Humble Little Game Collection||May 28, 2015|
|New Linux Based OS Brings Internet of Things Closer to Reality||May 27, 2015|
|Non-Linux FOSS: All the Bitcoin, None of the Bloat||May 26, 2015|
|Dr Hjkl on the Command Line||May 21, 2015|
|Initializing and Managing Services in Linux: Past, Present and Future||May 20, 2015|
|Goodbye, Pi. Hello, C.H.I.P.||May 18, 2015|
- New Linux Based OS Brings Internet of Things Closer to Reality
- Dr Hjkl on the Command Line
- Initializing and Managing Services in Linux: Past, Present and Future
- Non-Linux FOSS: All the Bitcoin, None of the Bloat
- Using Hiera with Puppet
- Infinite BusyBox with systemd
- Gartner Dubs DivvyCloud Cool Cloud Management Vendor
- Goodbye, Pi. Hello, C.H.I.P.
- It's Easier to Ask Forgiveness...
- My Humble Little Game Collection