
Thanks for the reply.

So I am unclear on the meaning of "attack". Is this more than a series of pings, or an attempt to do a pexec or remote viewing of the event log?

Secondly, if the sensor is placed in a pool of developer machines, does it have to have the whole development environment loaded up, for example, and occasionally do compiles?

"Doing anything different" seems to require close emulation of whatever is going on in the rest of the environment, no?

Further, if he has your machines installed in a controlled lab with properly tied off alarm end points (the things you trigger when you see something odd), what is to prevent an attack analogous to a virus writer having a lab full of each kind of antivirus hammering at his samples?

It seems the challenge for building a static alert system or sensor is that engineering talent from a team larger than yours in some other time zone is going to do the equivalent of sending a drone over your island to see what your radar response looks like. As in, if they find the destination of your alerts before tickling your box and compromise that first. Or figure out how to set off a fake alarm or nine.

EDIT: typo




- What is alerted on (or "attack") is configurable and can range from code being executed (which is the true positive alert) to connecting to ports (which has more noise)

- It needs to look like the machine an attacker will be after when he's looking around on the network, and that's much simpler than a whole loaded-up environment.

- Yes, the decoys look like an integral part of the network

- It could be within every segment of the network and not in its own island. But it's true that every security solution depends on its management interface not being compromised :)


One final question.

Let's say that an attacking organization fully installs your sensor in their own lab. What is to prevent them from engineering an approach to fully defeat the sensor itself?


As was said before, you have to attack the decoy to recognize it, and that enables catching the attack traffic. Also, the mere fact that they recount every single action 10 times over before acting is a huge value in and of itself.

On another note I agree that they will try and we will be constantly remembering that fact :)



