Friday, November 26, 2010

Today is a great day for catching bad guys

For many people in the US, this weekend is extended due to Thanksgiving on Thursday. Bad guys are keenly aware that most smaller shops do not have 24x7 coverage, and that any activity taking place during this period may go unnoticed.

Since there is almost no actual work getting done, this is a great time to hop on to your IDS, or SIEM, or load up your logs, and start reviewing them. There should hardly be any noise created by users doing their stuff; all you should be seeing on most parts of your network is unattended automated traffic, and maybe some web site visits on your DMZ servers.

As there shouldn't be much going on, this is the perfect time to go find out what kind of "background chatter" your systems generate, and to look for anomalies. You'll be able to more easily spot servers that should have been decommissioned, scripts that serve no purpose, and (if that is a violation of your policy) workstations left on during the break. If any malicious traffic is happening, there is a very good chance that you'll see traces of it much more clearly than when the network is busy.

So: spend a half hour or so and look at what kind of things your IDS is reporting, check out your SIEM for anomalies, and look at your baseline network usage patterns. You might find something interesting!
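As an added illustration of the baseline-versus-quiet-period review described above (this is not code from the original post), the script below compares constructed flow-log lines from a normal weekday against lines from the holiday and reports flows the baseline never showed, workstation-subnet hosts that are active while everyone is away, and sources sending more than they do on a normal day. The log format, the addresses and the 10.0.20.0/24 workstation VLAN are all assumptions made for the example.

```python
# Added example (not from the original post): compare a quiet-period (holiday)
# flow log against a normal-weekday baseline. Format, hosts and subnets are constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

WORKSTATION_NET = ip_network("10.0.20.0/24")   # assumed: user VLAN, should be idle

def parse_flows(lines):
    """Parse 'time src dst dport proto bytes' records into (src, dst, dport, bytes)."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue                            # skip malformed lines
        _, src, dst, dport, _, nbytes = parts
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def review_quiet_period(baseline_lines, holiday_lines):
    base = parse_flows(baseline_lines)
    quiet = parse_flows(holiday_lines)
    known = {(s, d, p) for s, d, p, _ in base}
    # 1. Talkers the baseline never showed: candidates for "what is this?"
    new_flows = sorted({(s, d, p) for s, d, p, _ in quiet if (s, d, p) not in known})
    # 2. Workstations chatting while everyone is away
    active_workstations = sorted({s for s, _, _, _ in quiet if ip_address(s) in WORKSTATION_NET})
    # 3. Sources sending more during the holiday than on a normal day
    base_bytes, quiet_bytes = Counter(), Counter()
    for s, _, _, b in base:
        base_bytes[s] += b
    for s, _, _, b in quiet:
        quiet_bytes[s] += b
    louder = sorted(s for s, b in quiet_bytes.items() if b > base_bytes.get(s, 0))
    return {"new_flows": new_flows, "active_workstations": active_workstations, "louder_sources": louder}

BASELINE = [  # constructed: a normal Tuesday
    "2010-11-23T02:00 10.0.1.10 10.0.1.50 3306 tcp 50000",   # nightly DB backup
    "2010-11-23T03:00 10.0.1.20 10.0.1.50 3306 tcp 1200",    # app server health check
    "2010-11-23T09:00 10.0.20.5 203.0.113.9 443 tcp 80000",  # user browsing
    "2010-11-23T10:00 10.0.20.7 203.0.113.9 443 tcp 60000",
]
HOLIDAY = [   # constructed: Thanksgiving Friday
    "2010-11-26T02:00 10.0.1.10 10.0.1.50 3306 tcp 50000",       # backup still runs, fine
    "2010-11-26T03:00 10.0.1.20 10.0.1.50 3306 tcp 1200",
    "2010-11-26T04:10 10.0.20.7 198.51.100.77 8443 tcp 900000",  # workstation, new dst, big
    "2010-11-26T05:00 10.0.1.33 10.0.1.50 3306 tcp 400",         # host nobody remembers
]
if __name__ == "__main__":
    for k, v in review_quiet_period(BASELINE, HOLIDAY).items():
        print(k, v)
```

Each of the three lists is a starting point for a question, not a verdict: the backup still running is expected, the forgotten 10.0.1.33 and the busy workstation are the things worth a ticket.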
