Mark Crosbie wrote:
>What good does retaliation really get you though (apart from a whole
>load of legal headache)? Wouldn't "recovery" be a better goal to aim
>for?
We've often gotten requests for "firewall reconfiguration" or other types
of "reaction" - what's interesting to me is that all these requests:
- reaction
- retaliation
- repair
will be limited by the degree of certainty the IDS is able to achieve. If
you've got a 100% accurate diagnosis of the attack and its source then
you _might_ be able to take some steps. If it's not 100% accurate then
things start to go rapidly downhill. :) I think that in the next 4 or 5 years
we'll see IDS getting close to being able to do such things but before we
get there, you'll see:
- IDS correlation of significance: mapping events against types of
attacks against types of targets and re-prioritizing their
significance.
- IDS indication of confidence level: IDS will start to associate a
confidence value with an alert instead of just a severity. This is an
"oh, DUH!" that a lot of us security guys have had recently: the
severity of the problem is _not_ the same as the IDS' confidence
of its diagnosis.
- Establishment of mapping between significance (operationally set)
of targets versus reactions.
Heck, I'd like my system not to retaliate or reconfigure but to fix itself. :)
ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
vulnerable to attacks that are being launched against it. OpenBSD
has automatically been installed replacing the copy of Linux that was
on it...
:)
mjr.
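The three items mjr lists (correlating attack type against target type, carrying a confidence value separately from severity, and mapping operationally set target significance to permitted reactions) fit together as a small triage policy. The following is an added example, not code from the original post or from any IDS product: asset table, attack-to-platform table, thresholds, alert format and sample alerts are all hypothetical, constructed to show why the reaction must be gated on confidence rather than on severity alone.

```python
"""Confidence-gated IDS alert triage (added illustration, hypothetical data).

Each alert carries a severity (how bad the attack is if the diagnosis is
right) and a separate confidence (how sure the sensor is of that diagnosis).
The target's operationally set significance and a check of whether the
attack can apply to the target's platform at all feed into a priority, and
only alerts that clear both a priority and a confidence floor may trigger
an automatic reaction.  Names, tables and thresholds are all assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Reaction(Enum):
    LOG = "log"                        # record only
    PAGE = "page"                      # wake a human
    BLOCK_SOURCE = "block-source"      # push a firewall rule for the source
    ISOLATE_TARGET = "isolate-target"  # pull the target off the network


@dataclass(frozen=True)
class Alert:
    signature: str   # attack type as named by the sensor
    source: str      # claimed attacker address
    target: str      # attacked host
    severity: int    # 1..10: damage if the diagnosis is right
    confidence: int  # 1..10: how sure the sensor is of the diagnosis


# Hypothetical asset inventory: operationally set significance and platform.
TARGETS = {
    "db-prod":  {"significance": 10, "platform": "linux"},
    "www-edge": {"significance": 7,  "platform": "openbsd"},
    "lab-vm":   {"significance": 2,  "platform": "linux"},
}

# Hypothetical mapping of attack type -> platforms it can actually affect.
ATTACK_PLATFORMS = {
    "linux-rootkit-upload": {"linux"},
    "iis-unicode-traversal": {"windows"},
    "ssh-bruteforce": {"linux", "openbsd", "windows"},
}


def effective_confidence(alert: Alert) -> int:
    """Correlate attack type against target type.

    A signature that cannot apply to the target's platform is almost
    certainly a false positive for *this* target, so its confidence is
    floored to 1 regardless of what the sensor reported.
    """
    platform = TARGETS[alert.target]["platform"]
    applicable = ATTACK_PLATFORMS.get(alert.signature, set())
    return alert.confidence if platform in applicable else 1


def priority(alert: Alert) -> int:
    """Severity x target significance: how much it matters if the alert is right."""
    return alert.severity * TARGETS[alert.target]["significance"]


# Policy rows: (min_priority, min_confidence, reaction), most aggressive first.
# Reactions that change the network are gated on confidence, not severity.
POLICY = (
    (80, 9, Reaction.ISOLATE_TARGET),
    (50, 8, Reaction.BLOCK_SOURCE),
    (30, 3, Reaction.PAGE),
)


def decide(alert: Alert) -> Reaction:
    """Pick the most aggressive reaction that both the priority and the
    correlated confidence permit; fall back to logging."""
    conf = effective_confidence(alert)
    prio = priority(alert)
    for min_prio, min_conf, reaction in POLICY:
        if prio >= min_prio and conf >= min_conf:
            return reaction
    return Reaction.LOG


# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = (
    # Applicable, high-confidence attack on the most critical host.
    Alert("linux-rootkit-upload", "203.0.113.7", "db-prod", 10, 9),
    # Same severity, but the sensor is only mildly sure: page, don't reconfigure.
    Alert("linux-rootkit-upload", "203.0.113.8", "db-prod", 10, 4),
    # IIS exploit aimed at an OpenBSD box: severity 9, but it cannot apply.
    Alert("iis-unicode-traversal", "198.51.100.3", "www-edge", 9, 9),
    # Low-value lab host: even a confident hit is only logged.
    Alert("ssh-bruteforce", "192.0.2.44", "lab-vm", 6, 10),
)


def triage(alerts=SAMPLE_ALERTS):
    """Map each alert's source address to the chosen reaction."""
    return {a.source: decide(a) for a in alerts}


if __name__ == "__main__":
    for src, reaction in triage().items():
        print(f"{src:14} -> {reaction.value}")
```

The point of the second and third sample alerts is the one made above: a severity-10 event the sensor is only 4/10 sure about gets a human paged rather than a firewall change, and a severity-9 Windows exploit fired at an OpenBSD host drops to log-only once the attack type is correlated against the target type, however confident the sensor was in its pattern match.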