Thursday, February 4, 2010

Prints and Fibers

Just as a murderer leaves behind prints and fibers, most people who compromise a network host leave some evidence behind. Automated "exploits" combine the compromise, obfuscation, and entrenchment phases into a single scripted run.

The emergence of these scripted attacks makes an intrusion much harder to detect. Before such tools existed, there was a considerable lag between the compromise of a system and the manipulation of system and log files to hide the attacker's presence; that lag was the defender's window. Today mere seconds, or even milliseconds, may separate those two events.

It therefore becomes very important to know when these critical system files change, who changed them, and why. Often this is the only way to tell that a compromise has occurred at all. What you need is the computer equivalent of a forensics expert, someone who can recover the prints and fibers left by a scripted, network-based compromise. That expert is Tripwire. In this chapter we introduce this tool and show a little of how it works and how it can help you improve the security of your Linux system.
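The idea behind this kind of forensic check is a baseline of file fingerprints (content hash, permission bits, ownership, size, modification time) taken while the system is known good, later compared against the live filesystem. The following Python script is an added illustration of that principle written for this page; it is not Tripwire's code and does not use Tripwire's policy or database format. The sandbox directory and the "attacker" edits it performs (a backdoor account appended to passwd, a trojaned binary with its modification time restored, a loosened sudoers mode, a dropped kernel module, a deleted log) are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def fingerprint(path):
    """Record the properties of one filesystem object that an intruder
    might alter: content hash, permission bits, owner, size, mtime."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        # A redirected symlink is a classic trojan, so hash its target.
        h.update(os.readlink(path).encode(errors="surrogateescape"))
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
    }


def build_baseline(root):
    """Walk root and fingerprint every file; keys are paths relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified entries; for modified files,
    list which recorded attributes differ from the baseline."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: a tiny stand-in for /etc and /bin, a baseline,
    then several kinds of tampering typical of a scripted compromise."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (r / "ls").write_bytes(b"\x7fELF original")
        os.chmod(r / "ls", 0o755)
        (r / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(r / "sudoers", 0o440)
        (r / "lastlog").write_bytes(b"")
        baseline = build_baseline(root)

        # 1. Backdoor account appended to passwd (content, size and mtime change).
        with open(r / "passwd", "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        # 2. Trojaned binary of identical length, with its mtime reset to the
        #    original so a timestamp-only check would miss it.
        (r / "ls").write_bytes(b"\x7fELF trojaned")
        st = os.lstat(r / "ls")
        os.utime(r / "ls", ns=(st.st_atime_ns, baseline["ls"]["mtime_ns"]))
        # 3. Permissions loosened on sudoers (content untouched).
        os.chmod(r / "sudoers", 0o666)
        # 4. Log wiped and a new file dropped.
        os.remove(r / "lastlog")
        (r / "rootkit.ko").write_bytes(b"\x7fELF module")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The trojaned ls is caught only by its content hash: its size, mode and mtime all match the baseline, which is exactly why a check based on timestamps alone is not enough. A real deployment must also protect the baseline itself (signed, or stored read-only off the monitored host), since an attacker who can rewrite the baseline can hide any change.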



 




