With 1,000 computers, expect 20-50 compromises a day?
Posted: Sat Feb 09, 2013 8:22 pm

The below blog post suggests that even with a seasoned infosec team, you should expect to find 20-50 compromised computers a day with a network of 1,000 computers?

henrybasset.blogspot.c...s-are.html

Are you guys finding it's really that bad?  

Audio
Senior Member

Posted: Sun Feb 10, 2013 7:57 am

I would think that such a number depends upon a lot of things...visibility being one.

Some organizations do, in fact, have a "seasoned" infosec team. As an incident responder, I most often dealt with organizations that, while storing/processing a great deal of "sensitive data" (select your definition of choice), had no infosec team, or they had a team that was so hamstrung by internal politics that it was simply ineffective.  

keydet89
Senior Member

Posted: Sun Feb 10, 2013 8:20 am

- keydet89
I would think that such a number depends upon a lot of things...visibility being one.

Some organizations do, in fact, have a "seasoned" infosec team. As an incident responder, I most often dealt with organizations that, while storing/processing a great deal of "sensitive data" (select your definition of choice), had no infosec team, or they had a team that was so hamstrung by internal politics that it was simply ineffective.


Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?

That seems like an awful lot. Although, I guess I can see how it can happen with malware spreading, or with how easy an attacker can often get domain admin.  

Audio
Senior Member

Posted: Sun Feb 10, 2013 10:45 am

- Audio
...s that even with a seasoned infosec team, you should expect to find 20-50 compromised computers a day with a network of 1,000 computers?


I'm not sure I would use the word 'compromised', though I would not hesitate about 'being involved in an incident'. (Though I personally don't think 'alarm' = 'incident'.) But that depends a lot on the organization and what it considers an incident. 'Being reported as compromised', OK -- that's what any AV solution does. (Added: and if some conscientious backup manager tests the backup system by restoring the oldest backup tapes in store to a server which happens to have the latest heuristic virus detection, and policy requires each AV alarm to be counted as an incident, the average number of 'incidents' per day will increase sharply just by that action alone.)

Incident, in the case I am thinking of here, involved 'compromises' as well as anti-virus alarms, including adware and jokes, as well as finding suspect network traffic (skype, p2p, etc. -- usually from consultants trying to use their computers in a way that was not allowed), and trying to connect to websites blacklisted by Bluecoat, and so on.

This is based on filling in as an incident dispatcher (i.e. sending alarms on to the correct incident responder/investigator) for a couple of months in an organization that was/is approximately that large.

Of those, the number of real compromises, after due investigation, was considerably smaller.  

athulin
Senior Member
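As an added example (not code from the thread or from either poster), the following Python script counts one constructed day of alerts the three ways the posts above distinguish: raw alarms, hosts that actually need an investigator, and confirmed compromises after a verdict. The alert format, the severity rules, the host names, the verdicts and the log lines are all assumptions; the BKP-RESTORE01 entries model the backup-restore case, and the dispatcher can exclude such a known-benign host before counting.

```python
"""Triage a day of alerts and show how 'alarms', 'hosts to investigate' and
'confirmed compromises' give very different per-day numbers for one feed.

Added example, not code from the forum thread.  The "ts|source|host|detail"
format, the category rules and the sample lines are all assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample feed for one day.  The five 'av' hits on BKP-RESTORE01
# model old backup tapes being restored onto a box with current signatures.
SAMPLE_ALERTS = """\
2013-02-10T08:01:10|av|WS-0113|Trojan.Zbot.Gen
2013-02-10T08:03:42|av|WS-0113|Trojan.Zbot.Gen
2013-02-10T08:15:00|av|WS-0207|Adware.Toolbar.A
2013-02-10T08:20:31|av|WS-0207|Joke.Screensaver.B
2013-02-10T09:00:05|proxy|WS-0342|blocked:category=malware
2013-02-10T09:00:07|proxy|WS-0342|blocked:category=malware
2013-02-10T09:30:00|netflow|LT-CONS-07|p2p:bittorrent
2013-02-10T09:31:12|netflow|LT-CONS-07|voip:skype
2013-02-10T10:00:00|av|BKP-RESTORE01|Worm.Conficker.A
2013-02-10T10:00:01|av|BKP-RESTORE01|Worm.Conficker.A
2013-02-10T10:00:02|av|BKP-RESTORE01|Trojan.Generic.123
2013-02-10T10:00:03|av|BKP-RESTORE01|Worm.Sality.C
2013-02-10T10:00:04|av|BKP-RESTORE01|Trojan.Generic.987
2013-02-10T11:45:00|av|WS-0501|Trojan.Downloader.Q
"""

# Assumed dispatcher rules: which alarms are logged and which are escalated.
LOW_PREFIXES = ("Adware.", "Joke.", "PUA.")
POLICY_SOURCES = {"netflow"}


@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    host: str
    detail: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse the assumed pipe-separated feed, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, host, detail = line.split("|", 3)
        alerts.append(Alert(ts, source, host, detail))
    return alerts


def classify(a: Alert) -> str:
    """Map one alarm to a bucket: 'noise', 'policy' or 'investigate'."""
    if a.source in POLICY_SOURCES:
        return "policy"       # skype/p2p from a consultant: rule breach, not compromise
    if a.source == "av" and a.detail.startswith(LOW_PREFIXES):
        return "noise"        # adware/joke: counted by the AV console, not escalated
    return "investigate"      # malware detections and proxy blocklist hits


def summarize(alerts: list[Alert], verdicts: dict[str, str],
              known_noise_hosts: frozenset[str] = frozenset()) -> dict:
    """Return the per-day numbers the thread argues about, for the same feed.

    verdicts: {host: 'compromised' | 'clean'} filled in after investigation.
    known_noise_hosts: hosts whose alarms have a benign explanation (such as a
    backup-restore test server) and are excluded before counting.
    """
    buckets = Counter(classify(a) for a in alerts)
    per_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        per_host[a.host].add(classify(a))
    to_investigate = {h for h, b in per_host.items()
                      if "investigate" in b and h not in known_noise_hosts}
    confirmed = {h for h in to_investigate if verdicts.get(h) == "compromised"}
    return {
        "alarms": len(alerts),
        "alarms_by_bucket": dict(buckets),
        "hosts_with_alarms": len(per_host),
        "hosts_to_investigate": len(to_investigate),
        "confirmed_compromises": len(confirmed),
    }


def demo() -> dict:
    """Run the sample day with assumed verdicts and the restore box excluded."""
    verdicts = {"WS-0113": "compromised", "WS-0342": "clean",
                "WS-0501": "compromised"}
    return summarize(parse_alerts(SAMPLE_ALERTS), verdicts,
                     frozenset({"BKP-RESTORE01"}))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Counting the raw feed gives 14 alarms; excluding adware/joke hits and policy traffic, then collapsing to distinct hosts and dropping the restore server, leaves three machines for an investigator, of which two are confirmed. Whether a shop reports "14", "3" or "2" for that day is exactly the definitional question athulin raises.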

Posted: Sun Feb 10, 2013 11:40 am

@athulin, "Compromised" was the blog author's term. He suggested that while there would be a ton of results from searching for IOCs, most would not be false positives. Even a great, highly trained, and mature infosec team should expect 20-50 compromised computers per day, 7 days a week.

If that's anywhere near what others are experiencing, that's pretty surprising to me.  

Audio
Senior Member

Posted: Sun Feb 10, 2013 8:40 pm

- Audio

Wow. So in your experience, if you actually have the ability to detect compromised computers, you can often expect to find around that many per day?


In my experience, it varies. It doesn't take malware spreading to cause massive compromises and infections. If you don't have visibility into what's happening on the network and endpoints, anything can happen without you seeing. Then, when something does happen that becomes visible to you, often, it's one of many.

I've seen boxes that were "thought" to have been infected as part of an incident, but weren't...the infection or compromise on that box had nothing to do with the incident we were investigating. I've seen systems thought to have been hacked by one party, only to find out that three or four parties are all accessing the system.

So...it varies. It depends. I would think that the data set discussed in the article showed just that...but that's one data set, at one point in time.  

keydet89
Senior Member

Posted: Sun Feb 10, 2013 9:04 pm

@keydet89 Good points... Thanks.

Audio
Senior Member