Friday, 21 September 2007

Tactical Traffic Assessment

When I wrote Extrusion Detection in 2004-5 I used the term Traffic Threat Assessment to describe a means of inspecting network traffic for signs of malicious activity. I differentiated among various assessments using this terminology.


  1. A vulnerability assessment identifies vulnerabilities and exposures in assets.

  2. A penetration test identifies at least one way that an adversary could exploit vulnerabilities and exposures to compromise a target or satisfy a related objective.

  3. A traffic threat assessment identifies traffic that indicates a network has already been compromised.


The goal of the customer determined which of the actions to perform.

I was not really comfortable with the term "traffic threat assessment," so I'm going to use Tactical Traffic Assessment starting now. That definition for TTA nicely differentiates between a short-term, focused, tactical effort and a long-term, enterprise-wide, strategic program like Network Security Monitoring.

Tactical Traffic Assessment drops the "threat assessment" wording from TTA, since "threat assessment" is more about characterizing the capabilities and intentions of an adversary than about whether he has compromised the enterprise.

Tactical Traffic Assessment also leaves room for finding non-security issues like misconfigured devices or other troubleshooting-related network problems.
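To make the distinction concrete, here is a small tactical assessment run over a sample of flow records. It is an added example, not code from the original post or from Extrusion Detection; the internal address range, the egress port baseline, the "retired resolver" address and the flow records themselves are all constructed assumptions. It reports the two kinds of findings the post describes: traffic suggesting the network is already compromised (egress on a port outside the baseline, and a fixed-interval outbound pattern to one external host) and a non-security misconfiguration (hosts still querying a decommissioned DNS server).

```python
"""Tactical traffic assessment over a constructed flow sample.

Added example, not from the original post. The internal range, the
egress baseline, the retired resolver address and the flow records
below are all constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
EXPECTED_OUTBOUND = {80, 443, 53}          # assumed egress baseline (dst ports)
RETIRED_DNS = ip_address("10.0.0.53")      # assumed decommissioned resolver

# Constructed flow records: (epoch seconds, src, dst, dst port, protocol)
SAMPLE_FLOWS = [
    (1000, "10.1.1.5", "203.0.113.10", 443, "tcp"),   # every 600 s ...
    (1600, "10.1.1.5", "203.0.113.10", 443, "tcp"),
    (2200, "10.1.1.5", "203.0.113.10", 443, "tcp"),
    (2800, "10.1.1.5", "203.0.113.10", 443, "tcp"),
    (1005, "10.1.2.7", "198.51.100.9", 6667, "tcp"),  # port outside baseline
    (1010, "10.1.3.3", "10.0.0.53", 53, "udp"),       # retired resolver
    (1020, "10.1.3.3", "10.0.0.53", 53, "udp"),
    (1030, "10.1.4.4", "192.0.2.20", 443, "tcp"),     # ordinary web traffic
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def unexpected_egress(flows):
    """Internal-to-external flows on destination ports outside the baseline."""
    return sorted({(s, d, p) for _, s, d, p, _ in flows
                   if is_internal(s) and not is_internal(d)
                   and p not in EXPECTED_OUTBOUND})


def beacons(flows, min_flows=4, max_jitter=0.1):
    """Internal-to-external (src, dst, port) triples whose inter-flow
    intervals are nearly constant: relative std. dev. <= max_jitter."""
    times = defaultdict(list)
    for t, s, d, p, _ in flows:
        if is_internal(s) and not is_internal(d):
            times[(s, d, p)].append(t)
    found = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append((key, round(mean)))
    return sorted(found)


def misconfigurations(flows):
    """Non-security finding: hosts still sending DNS to the retired resolver."""
    return sorted({s for _, s, d, p, _ in flows
                   if ip_address(d) == RETIRED_DNS and p == 53})


def assess(flows):
    """One pass over a traffic sample, returning findings by category."""
    return {
        "unexpected_egress": unexpected_egress(flows),
        "beacons": beacons(flows),
        "misconfigured_dns_clients": misconfigurations(flows),
    }


if __name__ == "__main__":
    for category, items in assess(SAMPLE_FLOWS).items():
        print(category, items)
```

The point of the structure is the one the post makes: this is a bounded, one-shot pass over a captured sample (tactical), whereas a monitoring program would run the same kinds of checks continuously against a maintained baseline (strategic). The thresholds are deliberately simple; a real assessment would tune `min_flows` and `max_jitter` to the capture window.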
