@What90 - I think that, in general, we agree (as does Ketchup). The logs you refer to, with regards to bots, etc., are exactly that: logs referring to bots and attempts. The ones I concern myself with are NOT the bots, but rather the attacks that not only got past the perimeter, but got to data.
Overall, I do understand your thoughts, and agree with them. Just that IMHO, with regards to those that actually 'get in,' there's a probability that those who left tracks after getting in are likely a much lower percentage of the overall attack count than you might believe.
Simply stated, I understand your points, and am not disputing the validity thereof. Just stating that, if you truly are concerned with data security, making a broad statement that there are few who actually 'practice pentesting ninjutsu' isn't as accurate as some might believe, and that process leaves you very open to the MANY who do, and who have likely been on your boxes already, if you're vulnerable. (And I completely agree that, if you're sitting on vulnerable boxes, and don't do your best to remedy as much as you can, then yes, you should be kicked.)
I agree with you, with regards to the noise from Metasploit, etc. It's for that very reason that I don't think the REAL hackers are using it to get to your boxes, and rather are using either their own attack vectors, or some other means. Not saying the script kiddies that get a hold of it aren't using it, and being VERY noisy with it, just as they probably are very noisy with their nmap scans, etc. Just that, as for the general statement that 'tools from Metasploit make it easy for anyone with little skill to change details and hide files, but all of that makes noise - that noise increases the chances of me knowing and bring in help to track down what's happened,' I agree with it, for the unskilled hackers. But the unskilled hackers are NOT the ones I'm ultimately as worried about, for that very reason. I can see what they are doing. I'm more concerned with those whom I cannot see.
This is why I truly try to follow the thinking of Sun Tzu, as stated in my signature. If you KNOW your enemy, it's easy to fight against them. If you don't, well, you're likely to lose. You can know your own systems like the back of your hand, but if you don't anticipate and understand the 'real' attackers, and you don't catch them with your logs, you're a sitting duck.
But again, I agree with you, about 99%, with regards to these posts. Just not on the statistical pieces. The ones you see in those logs from bots, etc., are usually 'attempts.' They don't adequately reflect the 'successes,' nor can they, if any percentage of the successes are from anyone with skills.
Last edited by hayabusa on Thu May 13, 2010 7:15 am, edited 1 time in total.
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH