by netik 3832 days ago
CISA is a terrible bill and not a solution to this problem. Security teams have been able to manage this data on their own for years without government intervention.

There have always been other methods for determining if an attacker is state sponsored. One example: seeing your account, and a number of dissidents or activists, being attacked from a block of IPs or with similar password attempts probably means the attack is state sponsored.

That being said, in security, attribution is a very hard problem, and the methods used to determine state sponsored attacks are also quite hard to design.

There's a reason why companies won't elaborate on how they do this, but it is usually a combination of login/account intelligence and threat feeds.


>> Seeing your account, and a number of dissidents or activists, being attacked from a block of IPs or with similar password attempts probably means the attack is state sponsored.

Used to work at a fairly large global corporation. One day I was chatting up one of the senior sysadmins. He was talking about the incredible traffic that bombards their servers every day. I was pretty naive back then and said, "C'mon man, it can't be that much!"

He opened his terminal and ran a simple monitoring tool, then opened another terminal. In one was the constant traffic to several of their applications from a specific block of IP addresses he thought he had traced back to China. The other window was a running queue of mistyped password attempts. It was like clockwork. They'd try three, get kicked out of the system, then in an instant you'd see a flurry of new IP addresses from the same block, then some more attempts to guess the password. Kicked out, rinse, repeat.

In the span of five minutes, I must have seen two dozen failed attempts to try and do a dictionary password attack on their login page. He guessed it was some kind of a bot that was running the tests considering how mechanical and orderly the attacks were.

It really opened my eyes as to how often and how many businesses these governments go after for intellectual property.
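The lockout-then-rotate pattern described above is easy to pick out of ordinary failed-login logs once failures are grouped by source block rather than by single IP. The script below is an added example, not code from this thread or from any company mentioned in it: it groups failures by /24 and user, and flags a block in which a never-before-seen IP starts guessing shortly after a previous IP in the same block has hit the lockout threshold. The log line format, the thresholds, the window, and the sample events (documentation-range addresses) are all constructed assumptions.

```python
"""Detect the lockout-then-rotate pattern: one IP block keeps guessing a
single account's password, each source IP is locked out after a few
failures, and a fresh IP from the same block immediately takes over.

Added illustration; log format, thresholds and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed failed-login events in a hypothetical "<timestamp> <user> <source ip>"
# audit format. Addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
2015-01-05T10:00:01 admin 203.0.113.10
2015-01-05T10:00:02 admin 203.0.113.10
2015-01-05T10:00:03 admin 203.0.113.10
2015-01-05T10:00:05 admin 203.0.113.11
2015-01-05T10:00:06 admin 203.0.113.11
2015-01-05T10:00:07 admin 203.0.113.11
2015-01-05T10:00:09 admin 203.0.113.12
2015-01-05T10:00:10 admin 203.0.113.12
2015-01-05T10:00:11 admin 203.0.113.12
2015-01-05T10:30:00 jsmith 198.51.100.7
2015-01-05T11:45:00 jsmith 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
LOCKOUT_THRESHOLD = 3                    # failures before a source is locked out (assumed policy)
ROTATION_WINDOW = timedelta(seconds=15)  # a new IP this soon after a lockout is suspicious


def parse_failed_logins(log_text):
    """Parse log lines into (timestamp, user, ip) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip)))
    events.sort()
    return events


def detect_rotating_bruteforce(events, prefix_len=24, min_rotations=1):
    """Group failures by (subnet, user) and count 'rotations': a previously unseen IP
    in the block starting within ROTATION_WINDOW of a lockout in that block.
    Returns {(subnet_str, user): {"attempts", "distinct_ips", "rotations"}}."""
    per_key = defaultdict(list)
    for ts, user, ip in events:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_key[(str(net), user)].append((ts, ip))

    findings = {}
    for key, attempts in per_key.items():
        fails_by_ip = defaultdict(int)
        last_lockout = None   # time at which the most recent source hit the threshold
        rotations = 0
        for ts, ip in attempts:
            is_new_source = ip not in fails_by_ip
            if is_new_source and last_lockout is not None and ts - last_lockout <= ROTATION_WINDOW:
                rotations += 1
            fails_by_ip[ip] += 1
            if fails_by_ip[ip] == LOCKOUT_THRESHOLD:
                last_lockout = ts
        # A single mistyping user never rotates; require at least two sources.
        if rotations >= min_rotations and len(fails_by_ip) >= 2:
            findings[key] = {
                "attempts": len(attempts),
                "distinct_ips": len(fails_by_ip),
                "rotations": rotations,
            }
    return findings


if __name__ == "__main__":
    for (net, user), info in detect_rotating_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{net} -> {user}: {info['attempts']} failures from {info['distinct_ips']} IPs, "
              f"{info['rotations']} rotations right after a lockout")
```

On the sample data the admin account is flagged with nine failures from three IPs and two rotations, while the user who mistypes a password twice from one address is not. A finding like this says only that the guessing is coordinated across a block; as the parent comment notes, turning that into an attribution claim about who controls the block is a much harder problem.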

Didn't say I agreed with it, just pointed out a likely reason why such a narrowly specific threat notification tool would be launched now.