~DISCLAIMER~

~In no way am I trying to impose my beliefs/opinions/views on you. I also never state or claim that I am damned good in this field or that my beliefs/opinions/views are always correct. Security is an ongoing, evolving process where, IMHO, if you feel satisfied with your current knowledge, you'll be obsolete before you can even say “berak”. I always promote knowledge sharing, and every opinion, comment and view is always welcome. Thank you for reading, and for your feedback.~
While I work on posting something useful (I'm now in the process of collecting the necessary data/materials; OK, OK, I've used this excuse before), perhaps I should try to tell you guys why I chose NSM, and why I believe it is so far the best practice for a security analyst.

During my service years on The Client side, my team of analysts and I had to monitor a few hundred assets located in The Client's DMZ. With a few hundred alerts every day, we had to properly study/analyze the alerts available, and most of the time the alerts were scrutinized/analyzed/studied based on their priority, trend, and the importance and sensitivity of the assets' data. At the beginning, it seemed like having alert data was sufficient for analyzing any possible threat or anomaly in the network traffic.

But when I encountered my first incident, where one of The Client's webservers had been defaced, I realized that depending on only one source of data to identify intruders/detect threats is troublesome and time-wasting. The situation was like this:

The webserver's website was defaced on a certain date (a few days back); there was no information on the attacker/defacer, no information on the exact time the event happened, and none on the method of defacement. And the best part is that we only knew the website was defaced through zone-h (oyeh). I was given the task of identifying the intruder (src IP, location, etc.), finding the time when the attack exactly happened (the time when the intruder did his reconnaissance, launched his attack, and the time when the site was defaced), and of course how the intrusion happened, based solely on our IDS.

So the only information I had at that time was the webserver IP and the date it happened (I believe the date shown at zone-h is the date the defacement was reported or verified?). I don't know about you guys, but for me, performing the task with that kind of information is like finding the thief/thieves who broke into your house while you were away from home for a long time, without the benefit of CCTV etc. :P

I did ask the network administrator to at least give me his webserver logfiles (because he did mention that he thought(?) someone had an unauthorized FTP session to his webserver). The purpose of asking for the log files:

a). To identify who was accessing that website (at least from access_log, a lot of info can be gathered)

b). At least I could find any unusual request/activity/process from and to the webserver
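What those two points look like in practice, as an added example (not code from the original post): a small triage of an Apache/NCSA combined-format access_log that lists who accessed the site and when, and flags the requests that stand out. The log lines are constructed samples on documentation-range IPs; the "unusual" rules (write methods, executables in the path, traversal sequences, server errors) are my own starting set, not anything the post prescribes.

```python
"""Triage of a webserver access_log: (a) who accessed the site, (b) which requests look unusual.
Added example, not from the original post; the log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample access_log lines in combined format (documentation-range IPs, made-up requests).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2007:02:14:31 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2007:02:14:40 +0800] "GET /images/logo.gif HTTP/1.1" 200 2210 "http://www.example.com/index.html" "Mozilla/4.0"
198.51.100.23 - - [11/Jan/2007:23:58:02 +0800] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 200 1348 "-" "-"
198.51.100.23 - - [11/Jan/2007:23:59:30 +0800] "PUT /index.html HTTP/1.0" 201 0 "-" "-"
192.0.2.88 - - [12/Jan/2007:08:01:11 +0800] "GET /../../etc/passwd HTTP/1.1" 404 312 "-" "curl/7.15"
192.0.2.88 - - [12/Jan/2007:08:01:12 +0800] "GET /nonexistent HTTP/1.1" 404 312 "-" "curl/7.15"
192.0.2.88 - - [12/Jan/2007:08:01:13 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 500 611 "-" "curl/7.15"
"""

# One regex for the combined log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def clients(entries):
    """Point (a): which client IPs accessed the site, and how many requests each made."""
    return Counter(e["ip"] for e in entries)


def activity_window(entries, ip):
    """First and last request from one client: the time frame to go hunting for in the IDS."""
    stamps = [e["ts"] for e in entries if e["ip"] == ip]
    return (min(stamps), max(stamps)) if stamps else None


# Starting set of "unusual request" rules (assumption: tune these to the site being monitored).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}
EXECUTABLE_RE = re.compile(r"\.exe(\?|$|/)", re.I)
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e)", re.I)


def unusual_reasons(e):
    """Point (b): reasons one request stands out. An empty list means nothing odd was seen."""
    reasons = []
    if e["method"] in WRITE_METHODS:
        reasons.append("write method " + e["method"])
    if EXECUTABLE_RE.search(e["path"]):
        reasons.append("executable requested")
    if TRAVERSAL_RE.search(e["path"]):
        reasons.append("directory traversal")
    if e["status"] >= 500:
        reasons.append("server error %d" % e["status"])
    return reasons


def flag_unusual(entries):
    """All entries with at least one reason, paired with their reasons."""
    return [(e, unusual_reasons(e)) for e in entries if unusual_reasons(e)]


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for ip, n in clients(entries).most_common():
        first, last = activity_window(entries, ip)
        print("%-15s %d requests, %s .. %s" % (ip, n, first, last))
    for e, reasons in flag_unusual(entries):
        print("%s %s %s %s -> %s" % (e["ts"], e["ip"], e["method"], e["path"], ", ".join(reasons)))
```

The per-client activity window is the piece that would have answered "when did it happen": once the access_log narrows a suspect to a few minutes, the IDS alerts for exactly that span become reviewable instead of ten days of guessing.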

But alas, no logfiles were received (the network admin didn't know how to copy the file and send it to me).

In the end, all I could do was find/compile all high- and medium-priority alerts (especially those regarding WEB) within a time frame (I just took the 10 days before the date the defacement was reported/verified to zone-h) and make the best guess. I know it's not right, but my guess was based on the events/alerts triggered within the time frame, the frequency of the alerts, the payloads and the source IP. I have to admit I did feel stupid when I submitted the report on the incident.

Most of the time, the questions that The Client will ask when incidents happen are:

“When did this intrusion happen?”

“What did he do? / What is the damage?”

“When does it happen?”

OK, OK, to put it simply: let's say one day you discover that somebody is doing vulnerability scanning on your network. Of course the IDS will trigger quite a huge number of alerts. (I did some tests with Nessus scanning using around 15K plugins, and its activity generated/triggered around 1600++ alerts.) But how can we advise our client on whether the scanning was successful or not?

Same with one of the famous alerts: cmd.exe-related alerts. You see the alerts, but how do you know that cmd.exe was executed successfully over HTTP? :D
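An added example (not code from the original post) of the point made in the last few paragraphs: the 10-day alert window and per-source counts from the defacement case, plus the two questions just asked, are all answered by pairing each IDS alert with the HTTP session it belongs to. An alert alone says "attempted"; the server's response in the session data says "succeeded", "attempted" or "unclear". The alert and session records are constructed to resemble what an IDS and a session/full-content sensor would each hand you (signature names are modelled on old Snort naming, the dates are invented), and the command-output markers are an assumption about what a successful `dir` via cmd.exe looks like in a response body.

```python
"""Pair IDS alerts with the HTTP session they belong to, so an alert can be reported as
succeeded/attempted/unclear instead of merely "fired". Added example, not from the original
post; all alert and session records below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DEFACEMENT_REPORTED = datetime(2007, 1, 14)  # constructed: the date zone-h showed

# Constructed IDS alerts: (timestamp, src, dst, signature, priority)
ALERTS = [
    (datetime(2007, 1, 1, 10, 0, 0), "203.0.113.50", "192.0.2.10", "WEB-MISC /etc/passwd access", "medium"),
    (datetime(2007, 1, 11, 23, 58, 2), "198.51.100.23", "192.0.2.10", "WEB-IIS cmd.exe access", "high"),
    (datetime(2007, 1, 11, 23, 58, 9), "198.51.100.23", "192.0.2.10", "WEB-IIS cmd.exe access", "high"),
    (datetime(2007, 1, 12, 8, 30, 0), "203.0.113.50", "192.0.2.10", "WEB-MISC /etc/passwd access", "medium"),
    (datetime(2007, 1, 12, 8, 30, 1), "203.0.113.50", "192.0.2.10", "WEB-CGI phf access", "medium"),
    (datetime(2007, 1, 13, 1, 0, 0), "203.0.113.50", "192.0.2.10", "ICMP PING", "low"),
]

# Constructed session records from a full-content sensor:
# (timestamp, src, dst, request line, response status, first bytes of the response body)
SESSIONS = [
    (datetime(2007, 1, 11, 23, 58, 2), "198.51.100.23", "192.0.2.10", "GET /scripts/cmd.exe?/c+dir",
     200, " Volume in drive C has no label.\n Directory of c:\\inetpub\\scripts"),
    (datetime(2007, 1, 11, 23, 58, 9), "198.51.100.23", "192.0.2.10", "GET /scripts/cmd.exe?/c+dir",
     200, " Volume in drive C has no label.\n Directory of c:\\inetpub\\wwwroot"),
    (datetime(2007, 1, 12, 8, 30, 0), "203.0.113.50", "192.0.2.10", "GET /../../etc/passwd",
     404, "<html><head><title>404 Not Found</title>"),
    (datetime(2007, 1, 12, 8, 30, 1), "203.0.113.50", "192.0.2.10", "GET /cgi-bin/phf",
     200, "<html><head><title>Welcome</title>"),  # server answers 200 to everything
]

# Assumption: strings that only appear when a Windows "dir" actually ran and its output came back.
COMMAND_OUTPUT_MARKERS = ("Volume in drive", "Directory of", "<DIR>")


def alerts_in_window(alerts, end, days=10):
    """The post's approach: everything from `days` before the reported date up to it."""
    start = end - timedelta(days=days)
    return [a for a in alerts if start <= a[0] <= end]


def summarize_by_source(alerts, priorities=("high", "medium")):
    """High/medium alert counts per source IP, the frequency the post's best guess relied on."""
    return Counter(a[1] for a in alerts if a[4] in priorities)


def find_session(alert, sessions, tolerance=timedelta(seconds=5)):
    """Nearest session with the same src/dst inside a small clock-skew tolerance, or None."""
    ts, src, dst = alert[0], alert[1], alert[2]
    candidates = [s for s in sessions if s[1] == src and s[2] == dst and abs(s[0] - ts) <= tolerance]
    return min(candidates, key=lambda s: abs(s[0] - ts)) if candidates else None


def classify_alert(alert, sessions):
    """What the alert's own session says about the outcome."""
    s = find_session(alert, sessions)
    if s is None:
        return "no session data"
    status, body = s[4], s[5]
    if status == 200 and any(m in body for m in COMMAND_OUTPUT_MARKERS):
        return "succeeded"
    if status == 200:
        return "unclear"  # 200 but no sign the request did what the signature fears
    return "attempted"  # 4xx/5xx: the server refused or failed the request


def responses_by_source(sessions):
    """For the scanner question: how the server actually answered each client, by status code."""
    out = defaultdict(Counter)
    for s in sessions:
        out[s[1]][s[4]] += 1
    return out


def incident_report(alerts, sessions, end, days=10):
    """Rows of (time, src, signature, outcome) for the high/medium alerts in the window."""
    rows = []
    for a in alerts_in_window(alerts, end, days):
        if a[4] in ("high", "medium"):
            rows.append((a[0].isoformat(), a[1], a[3], classify_alert(a, sessions)))
    return rows


if __name__ == "__main__":
    for row in incident_report(ALERTS, SESSIONS, DEFACEMENT_REPORTED):
        print("%s %-15s %-30s %s" % row)
    for src, counts in responses_by_source(SESSIONS).items():
        print(src, dict(counts))
```

With alert data only, the two cmd.exe alerts and the two scanner probes look alike: four web alerts from two sources. With the session beside each alert, the report can state that the cmd.exe requests returned directory listings (succeeded), the /etc/passwd probe got a 404 (attempted), and the phf probe got a 200 that needs a human look (unclear). That is the difference the post is asking for.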

Any ideas?

3 Responses to “Security Analyst : The needs of using all available resources/data-I”

  1. on 28 Jan 2007 at 9:14 pm Kambing_Hitam

    Good write-up, keep up your writing... I'll be here always..

  2. on 29 Jan 2007 at 8:42 pm jahred

    Shit, long paste... really lazy to read it..... uncle ayoi....

  3. on 29 Jan 2007 at 8:52 pm ayoi

    Caitt... there's no paste :D
