Outline of technical framework for active defense

o General attack techniques
  o Remote service exploitation
  o Log alteration/"rootkits"
  o Sniffers
  o Covert channel comms
  o Stepping stones
  o Encryption
  o Address forgery/hijacking

o General defense methods
  o Firewalls
  o IDS
  o Network logs
  o Honeypots

o Validity of intelligence
  o Probability of alteration/forgery
  o Second sources
  o Times and dates
  o Completeness
  o Volatility

o Levels of AD (active defense)
  o Level 1 - Data collection within the defender's network
  o Level 2 - Data collection from remote systems (external)
  o Level 3 - Data collection from remote systems (internal)
  o Level 4 - Alteration or modification of remote systems to suppress an attack

o Measures (M) and counter-measures (CM)
  o Observation
  o Traceback
  o Deception
  o Suppression

o AD Level 1
  o M: System logs
    o CM: Log cleaning
    o CM: Trojan horses
  o M: File system timestamps
    o CM: Anti-forensics programs
    o CM: Kernel modifications
  o M: Router and switch flow statistics
    o CM: Cache poisoning
    o CM: Address forgery
  o M: Network traffic analysis
    o CM: Covert channel comms
    o CM: S/N ratio

o AD Level 2
  o M: Collecting information from remote services
    o CM: Trojaned services
    o CM: Server hijacking
  o M: Collecting data from other IRTs
    o CM: Infiltration/impersonation
    o CM: Interception of comms

o AD Level 3
  o M: Exploitation of back doors
    o CM: Network traffic monitoring
    o CM: Deception
  o M: Exploitation of vulnerabilities in remote services
    o CM: Trojaned services
  o M: Remote forensics
    o CM: Fake data

o AD Level 4
  o M: Exploitation of vulnerabilities in remote services
    o CM: Patching
    o CM: Removal of services
  o M: Exploitation of back doors
    o CM: Trojaned commands
    o CM: Logging/alarming command shells
  o M: Alteration of log files
    o CM: Secondary logs
    o CM: Network traffic monitoring
  o M: Denial of Service
    o CM: Overwhelming number of stepping stones

o Involvement of law enforcement
  o Forged/deleted evidence
  o Publicity
  o Time required
  o Case load
  o Perceived amount of damages
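The Level 1 measure "System logs" is answered by the counter-measure "Log cleaning", and the outline's own answer to that is "Secondary logs" (listed under AD Level 4) together with the "Times and dates" validity check. The following Python script is an added example, not part of the original outline: it reconciles a host's local syslog against a copy that was forwarded to a remote collector before the intruder touched the local file, and flags entries whose timestamps run backwards, which is a common artefact of in-place editing. The log lines, hostnames and addresses are constructed for illustration; the line format ("<ISO-8601 timestamp> <host> <program>: <message>") is an assumption.

```python
"""Detect log cleaning by reconciling a primary host log against a secondary copy.

Added example for the AD Level 1 measure "System logs" versus the
counter-measure "Log cleaning". Assumes syslog-like lines of the form
"<ISO-8601 timestamp> <host> <program>: <message>". All sample lines,
hosts and addresses below are constructed, not taken from a real incident.
"""
from datetime import datetime

# Constructed sample: copy forwarded to a remote collector (the "secondary log")
# before the intruder edited the local file on web1.
SECONDARY_LOG = """\
2004-03-02T10:00:01 web1 sshd[411]: Accepted password for admin from 10.0.0.5 port 40122 ssh2
2004-03-02T10:00:09 web1 sshd[417]: Failed password for root from 198.51.100.7 port 51020 ssh2
2004-03-02T10:00:11 web1 sshd[417]: Failed password for root from 198.51.100.7 port 51020 ssh2
2004-03-02T10:00:14 web1 sshd[417]: Accepted password for root from 198.51.100.7 port 51020 ssh2
2004-03-02T10:00:20 web1 su[430]: (to root) admin on pts/0
2004-03-02T10:02:45 web1 sshd[417]: Disconnected from 198.51.100.7 port 51020
"""

# Constructed sample: the local file after cleaning. Every line naming
# 198.51.100.7 was removed, and one line was rewritten with an earlier
# timestamp than its predecessor, so the file no longer reads monotonically.
PRIMARY_LOG = """\
2004-03-02T10:00:01 web1 sshd[411]: Accepted password for admin from 10.0.0.5 port 40122 ssh2
2004-03-02T10:00:20 web1 su[430]: (to root) admin on pts/0
2004-03-02T09:59:58 web1 cron[440]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse(log_text):
    """Return a list of (timestamp, line) pairs, skipping blank lines.

    The timestamp is the first whitespace-delimited token of each line.
    """
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp = datetime.fromisoformat(line.split(" ", 1)[0])
        entries.append((timestamp, line))
    return entries


def missing_from_primary(primary_text, secondary_text):
    """Lines present in the secondary copy but absent from the primary.

    These are the candidates for having been cleaned from the host's log.
    Order is preserved as it appears in the secondary copy.
    """
    primary_lines = {line for _, line in parse(primary_text)}
    return [line for _, line in parse(secondary_text) if line not in primary_lines]


def out_of_order(primary_text):
    """Lines whose timestamp precedes the timestamp of the line before them.

    An append-only log is monotonic; a backwards step points at in-place
    editing or a rewritten entry rather than normal logging.
    """
    entries = parse(primary_text)
    return [line for (prev_ts, _), (ts, line) in zip(entries, entries[1:]) if ts < prev_ts]


def sources_in(lines):
    """Distinct addresses named after the token 'from' in the given lines."""
    sources = set()
    for line in lines:
        tokens = line.split()
        if "from" in tokens:
            sources.add(tokens[tokens.index("from") + 1])
    return sorted(sources)


def reconcile(primary_text, secondary_text):
    """Summarise the evidence of tampering between the two copies."""
    removed = missing_from_primary(primary_text, secondary_text)
    return {
        "removed_lines": removed,
        "removed_sources": sources_in(removed),
        "out_of_order_lines": out_of_order(primary_text),
    }


if __name__ == "__main__":
    report = reconcile(PRIMARY_LOG, SECONDARY_LOG)
    print(f"{len(report['removed_lines'])} line(s) missing from primary log")
    for line in report["removed_lines"]:
        print("  -", line)
    print("addresses named only in the removed lines:", report["removed_sources"])
    for line in report["out_of_order_lines"]:
        print("timestamp runs backwards:", line)
```

The comparison only works if the secondary copy is written somewhere the intruder cannot reach from the compromised host (a remote collector or append-only store), which is the whole point of the "Secondary logs" counter-measure; a second copy on the same machine is just one more file to clean. The monotonicity check is weak on its own, since legitimate clock adjustments also produce backwards steps, so treat it as a prompt to compare against the secondary copy rather than as proof of tampering.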