"Chapter 8 from Network Intrusion Detection: An Analyst's Handbook, published by New Riders Publishing.
In Chapter 3,"Architectural Issues," we raised the issue that CIRTs have to focus primarily on compromised systems. And they do! How would you feel if you were on the phone with your CIRT trying to get information you need to deal with the latest nasty Trojan horse code, and they said, "Sorry, we are devoting all our resources to a new intelligence gathering technique"?
The wise intrusion analyst will devote a lot of attention to the prevention, detection, and reporting of mapping techniques. They know that recon is just part of the game. As attackers amass high-quality information about the layout of networks and distribution of operating systems, they allow themselves to specifically target their attacks. You do not want to allow your organization to get in a one exploit, one kill situation!
The line between exploit/denial of service and recon probe couldn't be thinner. Any exploit that fails (or succeeds) also provides intelligence about the target.
This chapter contains many traces showing information gathering techniques. We will consider some of the ways an attacker might map the network and its hosts. We will take a short look at NetBIOS-specific issues since there are so many deployed Windows systems, and finally examine some of the so-called "stealth" mapping techniques."
This is chapter from a 9 year book, but there are many methods in here that have stood the test of time. I highly recommend you carve out an afternoon next weekend to review this information. I suspect you'll learn a thing or two.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: [email protected]
MVP - Forefront Edge Security (ISA/TMG/IAG)