This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

Discovery and Detection

Rob edited this page Apr 17, 2015 · 5 revisions

Home

Back to The FIDO Pipeline

Host discovery and detection involves finding out what is behind the source IP address in each alert. Knowing the host targeted by an alert is an often ignored but extremely relevant piece of deciphering any security event. Currently, almost all vendors spend their time telling you about the threat, and almost nothing about what is behind the source IP address.

Why is this important? If you knew you were getting hit by a new and very dangerous piece of Mac malware, but could tell that the host behind the alert was a Windows system, that knowledge would be very important. Being able to tell when an alert is not critical is as important as telling when something is actually attacking you. Another example would be if you knew a system beaconing back out to a C&C was also in your PCI zone. What if the affected user was a Domain Administrator account for Active Directory? From a FIDO implementation standpoint, the threat information provided by security vendors gives you only one-third of the information you need to properly assess each event generated by existing security detectors.

Why don't vendors provide such valuable information? Because it's hard. Most rely upon DNS resolution. The problem with DNS resolution is that IP-based networks these days are very dynamic. The host at an IP address an hour ago might not be the same host there now. This is why discovering and detecting the host behind the source IP at the time the event is generated is so important.
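The following is an added example, not code from the FIDO project, showing why resolution has to be anchored to the alert's timestamp. It uses a constructed DHCP lease history and a constructed host inventory (the `Lease`, `Host` and `Alert` field names are assumptions for this example) to resolve the source IP to the host that actually held it when the alert fired, then applies the three enrichment checks from this page: threat OS versus host OS, PCI zone membership, and whether the logged-in user is a Domain Administrator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed DHCP lease history: which host held an IP during which window.
@dataclass
class Lease:
    ip: str
    hostname: str
    start: datetime
    end: datetime

# Constructed host inventory (an asset DB / CMDB extract); field names are assumptions.
@dataclass
class Host:
    hostname: str
    os: str                 # "macos" / "windows" / "linux"
    zone: str               # e.g. "pci", "corp", "guest"
    logged_in_user: str
    user_is_domain_admin: bool

@dataclass
class Alert:
    src_ip: str
    when: datetime
    threat_name: str
    threat_target_os: Optional[str]   # OS the malware runs on, if the vendor says

T0 = datetime(2015, 4, 17, 9, 0)

# Constructed sample data: 10.0.0.5 moves from a Mac to a Windows host in the PCI zone at T0+1h.
LEASES = [
    Lease("10.0.0.5", "mac-01", T0, T0 + timedelta(hours=1)),
    Lease("10.0.0.5", "win-pci-07", T0 + timedelta(hours=1), T0 + timedelta(hours=8)),
    Lease("10.0.0.9", "dc-admin-ws", T0, T0 + timedelta(hours=8)),
]
HOSTS = {
    "mac-01": Host("mac-01", "macos", "corp", "alice", False),
    "win-pci-07": Host("win-pci-07", "windows", "pci", "bob", False),
    "dc-admin-ws": Host("dc-admin-ws", "windows", "corp", "carol", True),
}

SEVERITIES = ["low", "medium", "high", "critical"]

def resolve_host_at(ip: str, when: datetime, leases) -> Optional[str]:
    """Return the hostname that held `ip` at time `when`, or None.
    Lease windows are treated as half-open [start, end)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.hostname
    return None

def enrich_alert(alert: Alert, leases, hosts) -> dict:
    """Attach host context to an alert and adjust its severity.

    Resolution is done against the alert's own timestamp, not "now":
    resolving the IP later may return a different host entirely.
    """
    hostname = resolve_host_at(alert.src_ip, alert.when, leases)
    result = {"src_ip": alert.src_ip, "host": hostname, "severity": "medium", "notes": []}
    if hostname is None:
        result["notes"].append("no lease covers this IP at alert time; host unknown")
        return result

    host = hosts[hostname]
    result.update(os=host.os, zone=host.zone, user=host.logged_in_user)
    level = SEVERITIES.index("medium")

    # Threat cannot run on this host's OS: the alert is real but not critical here.
    if alert.threat_target_os and alert.threat_target_os != host.os:
        result["severity"] = "low"
        result["notes"].append(
            f"threat targets {alert.threat_target_os}, host runs {host.os}")
        return result

    # Host context that raises the stakes of an otherwise ordinary alert.
    if host.zone == "pci":
        level += 1
        result["notes"].append("host is in the PCI zone")
    if host.user_is_domain_admin:
        level += 1
        result["notes"].append(f"user {host.logged_in_user} is a Domain Administrator")

    result["severity"] = SEVERITIES[min(level, len(SEVERITIES) - 1)]
    return result

if __name__ == "__main__":
    mac_alert = Alert("10.0.0.5", T0 + timedelta(minutes=30), "constructed Mac trojan", "macos")
    print(enrich_alert(mac_alert, LEASES, HOSTS))
    # Resolving the same IP two hours later names a different host.
    print(resolve_host_at("10.0.0.5", T0 + timedelta(hours=2), LEASES))
```

The point to take from the sample data is that the Mac-targeted alert at 09:30 correctly resolves to `mac-01` and stays at medium severity, while a lookup of the same IP performed at 11:00 returns `win-pci-07`; a vendor resolving the IP when you open the alert rather than when it fired would hand you the wrong host and the wrong verdict.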

On to the next step... Data Sources.
