Author Mike Schiffman released a book called "Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios" last October. The book consists of 20 real-life intrusions from a variety of corporate and university environments, and invites the reader to figure out how machines were compromised, as well as any actions taken by the attacker once they were in. Incidents are rated (somewhat randomly) by difficulty of accomplishment and mitigation.

I got all excited about this when I read about it, 'cos it sounded like a great place to go trolling for attack data. Sadly, the majority of the incidents are first detected either because a Web site was defaced, the attacker sent an e-mail to the victim talking about how el33t he was, or because a high-visibility service (like corporate e-mail) became unavailable. Only 2 of the 20 incidents are discovered because of IDS alarms; none are discovered in OS logs; and most of the forensic work uses lots of info other than syslog.

It's a really good read (kind of like Agatha Christie for geeks, and about that level of complexity), and a great insight into what goes on >after< the first bit of discovery is done. I do recommend it highly.

tbird
full of spam today

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:36:58 PST