Re: How do you fight an attack in progress?
Andy Howard (achowar
erenj.com)
Fri, 19 Sep 1997 13:36:22 -0500
- Next message: GEIS: "RE: Any Holes?"
- Previous message: BVE: "Re: Port 788 (Was: hitting the "on" switch)"
- In reply to: Kees Hendrikse: "Port 788 (Was: hitting the "on" switch)"
- Next in thread: Paul Ferguson: "Re: How do you fight an attack in progress?"
- Reply: Paul Ferguson: "Re: How do you fight an attack in progress?"
I'm not a wizard, but would suggest the following........
The scan itself is not dangerous.... just rattling the door knob. Some
Web search and indexing sites do this.... there are some legitimate
reasons to get the door knob rattled.
Now, if you start getting logon attempts... somebody is trying to pick
the lock on the door... that's not so good. Your risk assessment should
address your several levels of response and that should be folded into
your Intrusion Response procedures.
If you don't have lots of staff but do have lots of secrets, pull the
plug. The other extreme is to just watch and be ready to pull the
plug. You could make elaborate areas for the hacker to go into and
watch, but most people don't have time. Your management should be able
to give some guidance as well.......
--------
Grigorof, Adrian wrote:
>
> Hello everybody,
>
> As the subject line suggests, I'm interested to find how do you fight an
> attack in progress. Let's say that your firewall keeps sending you
> messages about a scan in progress or something similar. You have the IP
> address. You look-up the domain, call the administrator that you found
> for that domain and get just a voice mail or a "number disconnected"
> message. Worst case: there is no domain associated with that IP address.
> The firewall keeps paging you and your adrenaline level grows
> exponentially.
>
> So, how do you Wizards deal with such situations?
>
> Adrian
> Apprentice Wizard
--
Andy Howard 713-656-4396 achowarerenj.com
"Think hard! Think Fast! Think Often! But Think!"
The contents of this note are my opinion and should be treated only as that.
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT