Any country or non-state actor could attack you at any time, and it could come from anywhere.
It therefore becomes increasingly important to develop a security plan that profiles attackers. Many organizations immediately attempt to remove the source and symptoms of an attack without much interest in analyzing the skill of the attackers, or determining what the hackers were after. There are really two security approaches that can be helpful here: honeypots and extrusion detection technology.
Honeypots are systems that act as bait for attackers. Either set them to mimic standard desktops or server-class machines. In either case, there are machines that should never be interacted with. As soon as someone from the outside engages them, begin monitoring every action on the network and on the hosts to see what the attackers are doing. Before diving into this sort of project, however, I recommend taking the time to become familiar with the tools and reference papers at the Honeynet Project, a research organization designed to share ideas on the subject.
I would also start looking at your outbound traffic. What websites are visited? Where are they located? What protocols (i.e. ICMP, and UDP) are leaving your network? With this approach, instead of assuming that the attackers are outside trying to get in, instead the focus is on the traffic leaving the network and verifying all of it. I recommend network monitoring tools like Wireshark and BotHunter to cut through the tremendous amount of data being reviewed. It will be difficult at first, but these tools will turn up some surprising results, and your team will learn more about the environment they are protecting (which is always a good thing).
This was first published in April 2009