Argus detecting historical APT1 activity #3 cont

Carter Bullard carter at qosient.com
Tue Apr 16 17:00:45 EDT 2013


Hey Harry,
Some users, in near real time, have been using argus data to do
alarm rejection.  Alarm sounds, say a SQL injection attack signature.
The sites will go grab the argus data for that host at the time of the
signature, to realize if there really was a SQL connection, most
false positives are HTTP connections with " select " in the URL, in
this case.  If it looks fishy, they will decide to spend resources checking
it out, by looking at the return strings, to see if there was a successful
SQL response, and if so, they would then watch for a while to see
if the server attaches to something it normally doesn't attach to, or
if someone now is accessing that server, or something weird.  

They know what is weird because they have a detailed awareness of
how their infrastructure has been used, based on their audit
information.

If your DCMA takedown notice indicated that you had been attacked,
then you are indeed doing  false positive rejection using argus data.
Checking if you've historically been affected by an attack profile is,
I suspect, just an IDS function.

Its the " I'm different " behavior that argus data can enable, if
you have an argus on the attacking path.  These complex behaviors
are not intrusions, more like " out of the box " behaviors, and they
can be most important in figuring out if you've been had or not  ......

Carter


On Apr 16, 2013, at 3:36 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:

> Hi Carter,
> 
> So, I'm curious about your statement of using Argus for false positive
> rejection.
> 
> We do something similar with DMCA takedown notices, in that if we don't
> see corresponding argus data we consider the notice as invalid.
> 
> Are you referring to a similar process or are they doing something more
> specialized with argus?
> 
> Cheers,
> Harry
> 
> On 04/16/2013 11:13 AM, Carter Bullard wrote:
>> Hey Craig,
>> Don't get me wrong, anything that can help find the bad guy/girl/whatever,
>> is a good thing, but Argus is a very specific implementation of comprehensive
>> network auditing, a fundamental security mechanism.  IDS's and anomaly
>> detectors are not fundamental security mechanisms, they are interesting
>> technology, that support a single phase of the Cyber Security Incident
>> lifecycle, penetration identification.  If you've already been penetrated, or
>> if its an insider, like 80% of incidents are, these methods are theoretically
>> useless, because there isn't anything for them to detect.
>> 
> <snip>
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130416/a2af7854/attachment.bin>


More information about the argus mailing list