Consider these examples:
- Given a set of memory dumps from compromised machines, search them using the Snorting Memory techniques for activity missed when those dumps were first collected.
- Review Web proxy logs for the presence of IDN in URIs.
- Query old BGP announcements for signs of past MITM attacks.
You get the idea. The key concept is that none of us are smart enough to know how a certain set of advanced threats are exploiting us right now, or how they exploited us in the past. Once we get a clue to their actions, we can mine our security evidence for indicators of that activity. When we find signs of malicious activity, we can focus our methods and expand our view until we have a better idea of the scope of an incident.
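As an added illustration of the second example above (this code is not part of the original post), here is a retrospective scan of archived Web proxy logs for IDN hosts in requested URIs. The log lines are constructed, and the Squid-style field order (client in field 3, URI in field 7) is an assumption to adjust for a real proxy format.

```python
# Added example: mine stored proxy logs for punycode (IDN) host names after
# learning that homograph URIs are an indicator worth looking for.
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample lines (assumed Squid-like layout):
# timestamp elapsed client status bytes method URI
SAMPLE_LOG = """\
1236000001.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://example.com/index.html
1236000002.456 67 10.0.0.7 TCP_MISS/200 2048 GET http://xn--pypal-4ve.example/login
1236000003.789 12 10.0.0.9 TCP_HIT/200 512 GET http://intranet.example/
1236000004.012 80 10.0.0.5 TCP_MISS/302 0 GET http://www.xn--bcher-kva.example/
"""

# Any label carrying the ACE prefix "xn--" is an IDN label.
IDN_LABEL = re.compile(r"(^|\.)xn--", re.IGNORECASE)

def decode_idn_host(host):
    """Return the Unicode form of a punycode host, or None if it does not decode."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return None

def scripts_in(text):
    """Set of script names (first word of each letter's Unicode name) used in text."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def find_idn_requests(log_text):
    """Return (client, host, unicode_host, mixed_script) for each IDN URI in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; a production run would count and report these
        client, uri = fields[2], fields[6]
        host = urlsplit(uri).hostname or ""
        if not IDN_LABEL.search(host):
            continue
        uhost = decode_idn_host(host)
        # A host mixing scripts (e.g. Latin and Cyrillic) is the classic homograph pattern;
        # a single-script IDN such as a German umlaut domain is usually legitimate.
        mixed = uhost is not None and len(scripts_in(uhost)) > 1
        hits.append((client, host, uhost, mixed))
    return hits

if __name__ == "__main__":
    for client, host, uhost, mixed in find_idn_requests(SAMPLE_LOG):
        print(f"{client} requested {host} ({uhost}) mixed-script={mixed}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the mixed-script flag separates likely homograph lures from ordinary non-ASCII domains.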
This strategy is the only one that has ever worked for digital intrusion victims who are constrained to purely defensive operations. A better alternative, as outlined in The Best Cyber Defense, is to conduct aggressive counterintelligence to find out what the enemy knows about you. Since that tactic is beyond the reach of the vast majority of us, we should adopt a mindset, toolset, and tactics that enable retrospective security analysis -- the ability to review past evidence for indicators of modern attacks.
If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be "protected" from only the most basic threats. Advanced threats know how to evade many defenses because they test and hone their techniques before deploying them in the wild.
NSM has always implemented retrospective security analysis, but the idea applies to a wide variety of security evidence.
Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.