Sorry, it’s not MC Hammer’s song (remember him and that song?). This is actually about intrusion cases. Most of the time, once we see or receive a notification about an intrusion, one of the first things we do is identify which asset(s) were affected and the source of the attack. I believe most of us (yes, us, including me) will try our best to gather as much information as possible about the intruder. Most of the time we will try to guess his/her OS, services, location, etc. Right?

Well, it turns out that is not the right/proper move to make. :P Why? Consider this:

a) What if the intruder’s IP belongs to an innocent party?

If the real owner of that system detects/realises that his system(s) were scanned and probed by you, and reports that activity to the authorities, then instead of being the victim in the first place, you become the offender.

b) If we decide on a “pursue and prosecute” response to the intrusion, any active connection to the intruder will reduce his/her activity. And this will weaken our case. How can this be?

To prosecute, we need to gather all available evidence: all data related to the incident, i.e. the intruder’s activities that breached our security policy. This can be gathered by capturing and assessing the full content/session data of any communication between the intruder and the victim. If we actively make contact with the intruder, this makes the intruder aware that his/her activities have been detected, and he/she will definitely cut off any communication with the victim. With that goes all the valuable data that could implicate him/her in the intrusion. IMHO, a 20-minute communication/activity/session record of the event is far more valuable than 20 seconds of data. The ideal time for the intruder to find out that his/her activities have been detected is when the authorities knock on his/her door and he/she gets taken to Bukit Aman :D

c) Even if you manage to get into the intruder’s system and obtain the necessary logs to show the intruder’s activities, that act itself will be questioned by the authorities (learned that the hard way). Just let the authorised party do the proper investigation and data/evidence collection.

Solutions?

We do need to gather all available information regarding the attacker. One way to do that:

Passive fingerprinting. Usually based on TTL (Time To Live), even though it is not that accurate: a good attacker (we have to assume that all attackers are unpredictable and intelligent) can always change the TTL value. Other fields used are the window size, the DF (Don’t Fragment) bit, TOS (Type of Service), ICMP payload, TCP options and others.
Any other method? I appreciate any input. :D
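To make the passive approach concrete, here is a small added example (my own illustration, not code from the post or from any particular tool) that pulls the fields mentioned above out of a captured IPv4/TCP SYN and matches them against a tiny, constructed signature table. The signature values and the `build_syn` helper used to construct sample packets are assumptions for the demo; real fingerprint databases are far larger, and, as noted above, every one of these fields can be forged, so the result is a hint, not proof.

```python
import struct

# Constructed, illustrative signatures (initial TTL, window, DF, SYN option layout).
SIGNATURES = {
    "Linux-like":   {"ttl": 64,  "window": 29200, "df": True, "opts": ["MSS", "SACK", "TS", "NOP", "WS"]},
    "Windows-like": {"ttl": 128, "window": 8192,  "df": True, "opts": ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]},
}
OPT_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def parse_syn(pkt):
    """Extract TTL, TOS, DF bit, window size and TCP option order from a raw IPv4+TCP SYN."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    df = bool(flags_frag & 0x4000)      # DF is bit 14 of the flags/fragment field
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4           # TCP data offset in bytes
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < doff:                     # walk the option list in order
        kind = tcp[i]
        if kind == 0:                   # end of options
            break
        if kind == 1:                   # NOP has no length byte
            opts.append("NOP"); i += 1; continue
        opts.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += tcp[i + 1]                 # skip by option length
    return {"ttl": ttl, "tos": tos, "df": df, "window": window, "opts": opts}

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value (64/128/255)."""
    return next((b for b in (64, 128, 255) if observed <= b), observed)

def fingerprint(pkt):
    """Return (best-guess label or 'unknown', estimated hop count)."""
    f = parse_syn(pkt)
    base = initial_ttl(f["ttl"])
    hops = base - f["ttl"]
    for name, sig in SIGNATURES.items():
        if (sig["ttl"], sig["window"], sig["df"], sig["opts"]) == (base, f["window"], f["df"], f["opts"]):
            return name, hops
    return "unknown", hops

def build_syn(ttl, window, df, opts, tos=0):
    """Constructed test packet: IPv4 + TCP SYN with given fields (checksums left as zero)."""
    opts += b"\x00" * ((-len(opts)) % 4)                       # pad options to 32-bit words
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp
```

A SYN arriving with TTL 59 and the Linux-like layout reports ("Linux-like", 5), i.e. roughly five hops away; anything the table does not recognise still yields a hop estimate.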

p/s: I will not hesitate to recommend Richard Bejtlich’s books: The Tao of Network Security Monitoring: Beyond Intrusion Detection, Extrusion Detection: Security Monitoring for Internal Intrusions, and Real Digital Forensics. Those books are good and very insightful. And no, I don’t have e-books for any of those titles :D

4 Responses to “U can’t touch this..”

  1. on 22 Feb 2007 at 12:36 am mypapit

    hehe, I thought it really was the MC Hammer song…

  2. on 22 Feb 2007 at 6:52 pm eazam

    ayoi, you want to get hammered?

  3. on 28 Feb 2007 at 7:44 pm jared

    uncleyoi… hehe….meh soma pls

  4. on 01 Mar 2007 at 3:05 am fenris

    :) can I add a link to you on my blogroll? :)
