SR3R Project Forum

Discussion and debate for the SR3R Project
PostPosted: Sun Feb 10, 2008 7:15 pm 
Site Admin

Joined: Tue Jul 17, 2007 11:39 am
Posts: 875
Location: Boston
nezumi wrote:
However, I do agree that how IC is deployed is a bit silly. If an illegal operation occurs, or even a suspected illegal operation, the host should begin deploying both some low-level scouts to gather information, but also its heavy hitters almost immediately. You don't wait for the operations to continue. Unless it's pretty common for authorized users to engage in actions which are of indeterminate legality, the current paradigm doesn't make a lot of logical sense.

I'm going to disagree here, but I'm also going to need some other opinions.

Like has been said elsewhere, my view on this is that Tally is largely an expression of the certainty a host has that it contains an intruder. Low tally is low certainty, Passive Alert is moderate to high certainty, Active Alert is high certainty with low to moderate certainty of actual compromise beyond simple access, and Shutdown is sufficient certainty of compromise or potential for compromise to justify suspending operations.

So then the reason not to roll out the heavy hitters immediately is that there's low certainty of compromise. That only makes sense, though, if there's some other disadvantage—my view is that presumably activating IC is expensive in some fashion, probably by consuming significant quantities of system resources. This would mean that for many organizations, it is indeed worth it to activate less-expensive IC to verify the situation or attempt initial containment before activating the big guns.

But a lot of that, ultimately, is just opinion. Thoughts from others?

~J

_________________
Failure: when your best just isn't good enough.


PostPosted: Sun Feb 10, 2008 9:27 pm 
Forum Admin

Joined: Wed Jul 18, 2007 3:11 am
Posts: 903
Absolutely agree. In fact this is another reason I think tally has to be held by the host, not mapped to a specific decker/user, should propagate downward, meaning that if the RTG has high tally then the connected LTGs should have high tally, and if an LTG has a high tally then all the hosts on that LTG should have high tally, and propagate horizontally, meaning that all the hosts in an interconnected network should share tally. Some of these are codified in the rules; others are a natural consequence of tally being more of a vague uneasiness held by the host rather than the silly idea that the host is counting the number of times a specific user has hacked it (why would you ever allow a tally of more than 1, if that were the case?)

In addition, I think that IC has to be a huge nuisance, otherwise they'd have a flood of it on all the time. I'm talking beyond Vista-level "You moved your mouse. Are you sure you want to continue?" level of annoyance, to something more like "You moved your mouse. Please remove all clothing and walk up to the scanner" level of annoyance, in particular for "legitimate" icons. Either that or there'd have to be a significant performance hit, and I'm not sure I'm comfortable with that because it would make the existence of Agents strain credulity.


PostPosted: Mon Feb 18, 2008 12:34 pm 

Joined: Fri Jan 25, 2008 5:20 pm
Posts: 175
Location: Worcester, MA
I think if you make IC the same as agents, with their own physical resource requirements (as we have discussed for agents), then you can somewhat justify it. Perhaps there's only so many MPCPs a company has that it can dedicate to IC at any one time (think of it as a pooled resource), so when they activate the IC they're reducing their potential pool of active ICs ... meaning they don't want to do it unless absolutely necessary because then potentially they can run out in a DDOS style fashion.


PostPosted: Mon Feb 18, 2008 2:22 pm 
Forum Admin

Joined: Wed Jul 18, 2007 3:11 am
Posts: 903
Absolutely. The other thing we may want to think about, and has been mentioned elsewhere, is that IC should be harassing regular users as well as the deckers. This would be a big deterrent to deploying "heavy-hitters", as you don't want your boss's boss's boss being Black-hammered by a piece of hyper-paranoid IC just because his spreadsheet program had a small glitch that bumped the tally a bit; that's a good way to get fired, or maybe become the latest psychotropic IC test subject.

