Intelligence Gathering Techniques
By Stephen Northcutt
Chapter 8 from Network Intrusion Detection: An Analyst's Handbook, published by New Riders Publishing
In Chapter 3, "Architectural Issues," we raised the issue that CIRTs have to focus primarily on compromised systems. And they do! How would you feel if you were on the phone with your CIRT trying to get information you need to deal with the latest nasty Trojan horse code, and they said, "Sorry, we are devoting all our resources to a new intelligence gathering technique"?
The wise intrusion analyst will devote a lot of attention to the prevention, detection, and reporting of mapping techniques. They know that recon is just part of the game. As attackers amass high-quality information about the layout of networks and the distribution of operating systems, they are able to target their attacks precisely. You do not want to allow your organization to get into a one-exploit, one-kill situation!
The line between exploit/denial of service and recon probe couldn't be thinner. Any exploit that fails (or succeeds) also provides intelligence about the target.
This chapter contains many traces showing information gathering techniques. We will consider some of the ways an attacker might map the network and its hosts. We will take a short look at NetBIOS-specific issues since there are so many deployed Windows systems, and finally examine some of the so-called "stealth" mapping techniques.
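As an added example (not code from the book), here is a minimal detector for the two most basic forms of network mapping the chapter refers to: a host sweep (one source touching many hosts) and a port scan (one source probing many ports on one host). It runs over constructed tcpdump-style lines, and the thresholds are assumptions an analyst would tune for their own network.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump-style notation (not one of the book's traces):
# timestamp src.port > dst.port: flags
SAMPLE_LOG = """\
09:01:01.100 10.0.0.5.40001 > 192.168.1.1.80: S
09:01:01.120 10.0.0.5.40002 > 192.168.1.2.80: S
09:01:01.140 10.0.0.5.40003 > 192.168.1.3.80: S
09:01:01.160 10.0.0.5.40004 > 192.168.1.4.80: S
09:01:01.180 10.0.0.5.40005 > 192.168.1.5.80: S
09:01:02.000 10.0.0.9.51000 > 192.168.1.10.21: S
09:01:02.010 10.0.0.9.51001 > 192.168.1.10.22: S
09:01:02.020 10.0.0.9.51002 > 192.168.1.10.23: S
09:01:02.030 10.0.0.9.51003 > 192.168.1.10.25: S
09:01:02.040 10.0.0.9.51004 > 192.168.1.10.80: S
09:01:02.050 10.0.0.9.51005 > 192.168.1.10.110: S
09:01:03.000 10.0.0.7.33000 > 192.168.1.20.443: S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse(log):
    """Yield (src, dst, dport, flags) for each line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport")), m.group("flags")


def find_mapping(log, sweep_hosts=5, scan_ports=6):
    """Return {'host_sweep': {src: n_hosts}, 'port_scan': {(src, dst): n_ports}}.

    Thresholds (sweep_hosts, scan_ports) are assumed values; tune per network.
    """
    hosts = defaultdict(set)   # src -> distinct destination hosts
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    for src, dst, dport, flags in parse(log):
        if "S" not in flags:
            continue  # only new connection attempts (SYN) count as probes
        hosts[src].add(dst)
        ports[(src, dst)].add(dport)
    return {
        "host_sweep": {s: len(h) for s, h in hosts.items() if len(h) >= sweep_hosts},
        "port_scan": {k: len(p) for k, p in ports.items() if len(p) >= scan_ports},
    }
```

A single SYN from 10.0.0.7 stays below both thresholds, which is the point: mapping is recognized by the pattern across many packets, not by any one packet.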
at: http://www.microsoft.com/technet/security/topics/networksecurity/intel.mspx