Comments on: Finding Aurora (googlehack)

By: Jesse Lands

Jesse Lands — Thu, 18 Feb 2010 18:59:07 +0000

Really?!?! You searched 6 months of traffic and ruled out the Aurora attack for them. And all in 15 minutes. I can’t even look through one gateway for an hours traffic in 15 minutes. To suggest that IDS will stop or discover APT by itself is absurd. It should be a piece in your arsenal, but not your only weapon.

By: Steven F. Fox

Steven F. Fox — Wed, 20 Jan 2010 18:54:04 +0000

“All I see is data – how do I discover the knowledge?” This question was asked by the Executive Director of a Detroit-area non-profit organization while I was analyzing their server logs. As I walked him through my analysis, his glassy eyed stare gradually melted, revealing a sense of understanding.

The “business paradigm” embraces the disciplines of analysis as they apply to process improvement and risk mitigation when they are communicated in familiar terminology, eg. financial ROI, value statements, cost of ownership, etc. Unfortunately, the advanced threat vectors on the cyber battlefield require a different analysis approach that is unfamiliar to business stakeholders – threat analysis.

I agree with Tim – network data must recorded from day one. The “rhythm” of the networks can be discerned from this information. By cross refencing this information with knowledged gleaned from business analyst, one can discover key risk indicators. This forms the foundation to a threat analysis that examines the possible abuse cases in relation to the business.

By: Tweets that mention NetWitness Network Forensics » Blog Archive » Finding Aurora (googlehack) -- Topsy.com

Fri, 15 Jan 2010 22:41:42 +0000

[...] This post was mentioned on Twitter by netwitness, Will Gragido. Will Gragido said: RT @netwitness: New @NetWitness Blog Post: "Finding Aurora" (on the Google Hack) http://bit.ly/74936b #Google #cyberwar #security [...]