Supply Chain Security, Assumptions & Blind Spots

Chinese Cyberspies Appear to be Preparing Supply-Chain Attacks

First and foremost, attackers appear to favor spear-phishing individual targets, preferring to collect credentials and then entering accounts without utilizing malware for establishing an initial foothold.

“We have observed spear-phishing campaigns that target human resources and hiring managers, IT staff, and internal information security staff, which are generally very effective,” 401TRG experts said about the 2017 campaigns.

Hackers focus on collecting network credentials and then spreading laterally inside a company.

Attackers then use a technique known as “living off the land,” which refers to the use of locally installed apps for malicious purposes. Tools often used in these intrusions include standard Windows utilities, but also penetration testing utilities such as Metasploit and Cobalt Strike. Malware is only deployed if necessary, attackers fearing detection, which often implies losing their foothold on a target’s network.

(Via BleepingComputer.com)

First, don’t forget the ‘supply chain’ isn’t just raw materials or parts or assemblies or their ilk. It’s the HVAC and fish tank maintenance companies, too.

I like the phrase LotL (“Living off the Land”). I think, tho need to check, it translates well.

Tl;dr: Orgs with strong security & defense-in-depth can still harbor blind spots & inaccurate assumptions.

Shinjuku, Tokyo, Japan

Using the hosts file for system-wide ad blocking

Warning

There are potential issues with web site functionality, ethics, and breaking your OS if you follow the below steps. Your Mileage May Vary. If you break something or find yourself in existential anguish over the moral implications of this recipe (see Ethics, &c. below), they are totally on you.

Recipe

I take a “defense in-depth” approach to security. While I use ad blocking add-ons in my web browsers and often use text-only browsers to reduce the attack surface, they don’t help for other apps. Here is how I keep my hosts file updated for another layer of ad blocking on my hosts.

First, we need to get the latest version of an ad blocking hosts file. I get mine from winhelp2002.mvps.org.

cd ~/Downloads
wget http://winhelp2002.mvps.org/hosts.txt

Then we need to calculate the difference between the system’s current hosts file and the one we downloaded.

diff -ud /etc/hosts hosts.txt > hosts.patch

Let’s back up the hosts file including permissions in case we make an error.

sudo cp -p /etc/hosts hosts.bak

Next, we apply the patch to the hosts file as root.

sudo patch -b /etc/hosts hosts.patch

Finally, we need to refresh the DNS cache to reflect the changes.

sudo killall -HUP mDNSResponder && echo macOS DNS Cache Reset

If you find something is wrong with your host or your soul, you can revert the change.

sudo cp -p ~/Downloads/hosts.bak /etc/hosts

… and then re-execute the DNS cache refresh command just above.

For Windows hosts, download the hosts.zip file from the above link. It includes a batch file to automate the process.

For GNU/Linux, BSD, and Unix hosts something similar to the macOS instructions will work for you.
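
An added example, not part of the original recipe: hosts.txt is fetched over plain HTTP and then applied as root, so this script checks that every entry only sinks a name to 0.0.0.0, 127.0.0.1 or ::1 before merging, and merges the list as a marked block so local entries survive. The function names, marker text, file names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded blocklist before it is installed as root.
# Assumption: a legitimate ad-blocking entry only ever points a name at a
# sinkhole address (0.0.0.0, 127.0.0.1 or ::1).

# audit_hosts FILE
# Prints each entry that maps a name to a non-sinkhole address or that has a
# malformed name, and returns 1 if it printed anything.
audit_hosts() {
    awk '
        { sub(/\r$/, ""); sub(/#.*/, "") }   # drop CR and comments
        NF == 0 { next }
        NF == 1 { printf "line %d: address without a name: %s\n", NR, $1; bad = 1; next }
        {
            sink = ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1")
            for (i = 2; i <= NF; i++)
                if (!sink || $i !~ /^[A-Za-z0-9._-]+$/) {
                    printf "line %d: %s -> %s\n", NR, $i, $1
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# merge_hosts CURRENT BLOCKLIST
# Prints CURRENT without any earlier managed block, followed by the blocklist
# names rewritten to 0.0.0.0 between markers (hypothetical marker text).
# Local entries in CURRENT are kept, and re-running gives the same result.
merge_hosts() {
    awk '
        /^# BEGIN adblock$/ { skip = 1; next }
        /^# END adblock$/   { skip = 0; next }
        !skip
    ' "$1"
    echo "# BEGIN adblock"
    awk '
        { sub(/\r$/, ""); sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i != "localhost") print "0.0.0.0", $i }
    ' "$2" | sort -u
    echo "# END adblock"
}

# Constructed sample input, not real data.
tmp=$(mktemp -d)
cat > "$tmp/hosts.current" <<'EOF'
127.0.0.1 localhost
192.168.1.20 nas.home.example
EOF
cat > "$tmp/hosts.txt" <<'EOF'
# constructed blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com  # banner ads
0.0.0.0 tracker.example.net
EOF
cat > "$tmp/hosts.tampered" <<'EOF'
0.0.0.0 ads.example.com
203.0.113.7 login.bank.example
EOF

for list in hosts.txt hosts.tampered; do
    if audit_hosts "$tmp/$list"; then
        merge_hosts "$tmp/hosts.current" "$tmp/$list"
    else
        echo "$list: refusing to merge, entries above redirect rather than block" >&2
    fi
done
rm -rf "$tmp"
```

Review the merged output with diff -u against /etc/hosts before copying it into place; the backup and DNS cache refresh steps above still apply.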

Ethics, &c.

Many will argue that this type of system-wide ad blocking is unethical up to and including theft. This is a valid argument. However, I do subscribe to the sites and services I value the most, such as the New York Times & Japan Times for home delivery(!), magazines like the Atlantic, and websites like the Brooks Review.

There are security risks, privacy concerns, and system performance issues that are equally valid. And some ads (auto-playing videos, anyone?) consume an inordinate amount of bandwidth at additional cost to me when I am on a metered network. These tip the scales toward blocking, in my humble opinion.

Once ad networks and the sites that use them prove their commitment to effective security practices, exhibit proper security hygiene, and respect users’ privacy by default I will reconsider my approach.

Please feel free to comment constructively. Don’t be evil.


What Users Should Require in Software-as-a-Service (SaaS)

We, the users, should stop thinking about software as a thing to own. The direction is toward a service model for better and worse.

What should a keen-eyed shopper value?

  • No data lock-in – the user should own their data and be able to export it at any time through the native user interface without having to jump through hoops (except for encrypted data – see below). The export should be in a common format like plain text, XML, CSV, etc. and not a proprietary format.
  • Direct support – a web interface, email address, and chat at a minimum is required. Any service only offering support through an app store is a major red flag.
  • Multi-platform – unless you only live in Apple’s or Google’s ecosystem any SaaS must at least support your top two platforms. If you are GNU/Linux or Windows on your desktop, this is a must-have for your mobile devices.
  • Multi-cloud – unless you only live in Apple’s ecosystem any SaaS must support Dropbox as a second option at a minimum. iCloud is limited to macOS, iOS, and Windows but the Windows support is abysmal IMHO.
  • Mobile support – must handle landscape and portrait layouts and support tablet sizes. I am surprised at the software that still does not do this basic task.
  • Encryption – must support industry standard best encryption options. If a SaaS offers its own custom encryption RUN AWAY! Exporting encrypted data should offer unencrypted and GPG-passphrase-encrypted options though few do today.
  • Active development – this is easiest to verify if they have a public GitHub or similar repository. App stores will also show when the last update hit. Careful reviews of app store ratings can help figure out the historical time line. Check in Reddit and StackExchange and other public forums.
  • Native (non app store) desktop releases – on the desktop the ability to get the software outside of the Apple or Microsoft or Google app stores is a plus. Even if you prefer the app store version – and most users should for the added security – the developer’s willingness to offer a direct-to-the-customer version of their software with a license is a good sign. Also, any revenue the developer gets from these direct sales is 100%. Apple app store versions cost the developer 30% or so.
  • In App Purchases – not bad in and of themselves, but a developer should not “nickel and dime” customers with small features. There should be an option for some kind of a premium bundle which offers all add-ons for a reasonable one-time fee.
  • Data sync – this is a tough one. Most SaaS developers will come up with their own sync solution after changes to Dropbox made it more difficult for developers. iCloud on iOS & macOS works in the Apple ecosystem. OneDrive might eventually for Microsoft and some Android stuff, and Google Drive for the Google stuff. I think so long as the sync adheres to the above you are good.
  • Local storage – some apps like 1Password and TextExpander offered local repository options but deprecated them for IMHO less than compelling reasons related to sync and cloud. Users should have the option to store sensitive data locally and forgo sync & cloud for that data.
  • Feature & scope creep – watch out for SaaS that suddenly introduce changes for enterprises and large groups while removing or reducing functionality for individual users in order to accommodate the expansion.

What else should users look for in a SaaS product?


Microsoft Surface Pro 3 after 2 Weeks

The Surface Pro 3 and I bonded since I brought it home. Core i7, 256 GB storage, 8 GB RAM, and a fire engine red keyboard cover screamed “Buy ME!” in the Troy, MI Microsoft Store.

As an aside, when you go to the Microsoft Store in Troy, MI ask for Joe. Friendly, patient, knowledgeable, and the right kind of availability without hovering sets him up as my kind of sales associate or Microsoft-y or whatever they call their staff. Joe, well done!

This machine almost embodies my ideal:

  • Sharp, crisp screen
  • Snappy processor
  • Expandable storage in a micro SD card slot
  • USB 3
  • Mini Display Port
  • Responsive touch screen (something I’m still not sold on, more below)
  • Good stylus
  • OK keyboard cover (for $100+)

What is missing:

  • 16 GB RAM
  • Matte instead of glossy display
  • A right Control (Ctrl) key
  • A Menu key (I remapped Caps Lock to menu using AutoHotKey)
  • Less complicated & more foolproof touch interface/mouse emulation/virtual keyboard (more below)
  • Desktop and “Metro” app integration

Surprising items

I’m amazed at how much I like Windows 8.1. My pain points seem dealt with in Windows 10, so I’m looking forward to that. While this isn’t my daily work driver, I’m waiting for a more stable build before W10-ing this bad boy.

The keyboard (physical cover, not the on-screen) is surprisingly good. I miss the right control and menu keys as mentioned above. There’s room for them if the space bar shrinks and the arrow keys slim down.

Visio, Project, Office, and Visual Studio 2012 run well.

Some Metro-style apps like Nook & Kindle, NextgenReader, and Skype aren’t horrible.

Switching from OneNote to OneNote 2013 desktop works well. I recommend the move.

Microsoft cloud integration with OneNote, OneDrive, Office 2013, etc. is solid and stable.

Disappointments

Swapping Outlook 2013 desktop in for the default Mail app removes sharing functionality.

Skype runs better as a desktop app, though not with as sharp a look.

Evernote and Evernote Desktop do not share a common database.

The Windows key on the side of the display is inconveniently placed.

Only one USB port.

The LED on the power cord is BRIGHT – it takes two layers of electrical tape to block it out.

No external battery option.

My keyboard cover trackpad seems to have an issue with the lower left click becoming stuck.

Recommendations

** Keyboard

  • Shrink left Control to “normal” size
  • Add right Control
  • Add Menu (on right)
  • Add right Windows (maybe?)
  • Shrink Spacebar
  • Shrink left and right arrow keys
  • Make Fn-Up Page Up and remove the F11 assignment
  • Make Fn-Down Page Down and remove the F12 assignment
  • Make Fn-Left Home and remove the F9 assignment
  • Make Fn-Right End and remove the F10 assignment
  • Assign, from F9 to F12:
      • Print screen
      • Scroll Lock
      • Number Lock (+ associated regular keys as number pad)
      • Insert
  • Make the function-key row the same size as regular keys
  • Add screen brightness controls
  • Make a second keyboard that includes a battery like the Surface Pro and Surface Pro 2

** Bezel

Really, my only comment here is about the Windows button. If it becomes the right Windows key on the keyboard, retaining its current functionality but expanding its usefulness, I’m on board.

** Soft Keyboard

  • Add all modifier keys – Windows (Super), App (Menu), Alt, etc.
  • Gesture based typing
  • Modify the raise/lower/cancel

** Stylus

  • When one disables the touch screen, allow the stylus to use gestures
  • Add another configurable button, this one middle click by default

** Tablet interface

  • Do something useful with all that wasted space. It’s a wide-screen device!
  • Figure out a way to share data between the tablet and the desktop versions of the same app.

Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets | FireEye Blog

FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.

via Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets | FireEye Blog.

FireEye did a part II as well:
Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893)

In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the Advanced Persistent Threat (APT) Campaign Operation DeputyDog. The campaign leveraged a zero-day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and ‘Fix it’ blog post.

I am happy to announce that Xiaobo Chen, a well-known security researcher, has recently joined FireEye Labs. We worked together on the analysis of this zero-day vulnerability. In this blog, we will provide a deep dive on the exploitation part of the campaign.

Despite the targeted nature of these attacks, the exploit identifies numerous language packs (en, zh, fr, de, ja, pt, ko, ru) and software versions, which it uses to specify the correct ROP chain. Commented-out code suggests that the exploit initially targeted IE8 XP users, and IE8 and IE9 Windows 7 users who also had MS Office 2007 installed. In our tests, we observed that the exploit ran successfully on systems running both MS Office 2007 and 2010.

My Firefox Extensions & Tweaks

I’ve had/wanted to rebuild my work laptop several times over the past few months. Sometimes I have another machine nearby to validate what I’m adding. Lately that case is the exception. To help me remember and to share with all of the ones of you, here are my must have Firefox Add-Ons/Extensions:

Several of the above are from my Widescreen Firefox post (signified by a *). The others are primarily for security & privacy (signified by a !) or convenience (signified by a ^).

Since I’m away from my main machine I might have missed an extension, but these are the mainstays of my Firefox experience.

In the Customize Toolbar dialog I enable “Use Small Icons” and remove the search bar, the home button, and the bookmarks button.

There are more customizations, but this is enough for now. I will post additional tweaks to this later.

The other todo is coming up with a good mechanism for distributing the various add-ons’ configurations to other systems. Dropbox may be the obvious solution, but check back here for updates.

Has this been helpful to you? What are your must have extensions or tweaks to Firefox? I didn’t even get into my about:config adjustments. Those will be updated here, too.

Widescreen Firefox

One of the reasons I still use Firefox as my primary browser is its reconfigurability. Intrigued by articles about Firefox on widescreen displays I read years ago, one from lifehacker.com and another here, I implemented their recommendations. Today you’ll find some of their tips out of date but the concept remains sound. Here’s what I’ve done since then.

Wide screen usage with Firefox is superb. With it I can reduce the horizontal and vertical space taken up by tabs and menu bars. Thus I maximize the space for what I want – the content. I also make extensive use of keyboard shortcuts, so extra menus and bars aren’t needed. I also don’t want extra windows popping up or blank pages when downloading attachments.

Here’s the recipe so you can make use of it this way, too. Many of these tips work on Windows, Linux, and Mac OSX. Windows has the full widescreen experience. I’ve used variations on this for the last two or three years. I’m running Firefox 15 at the time of writing.

Widescreen Firefox Recipe

First, install the latest Firefox. I make it my primary browser everywhere except on my work laptop where “the job” requires IE.

Next, install the following add-ons:

Download Statusbar

Turn on “Mini Mode” to replace the Downloads pop-up window. I move the icon into Nav Bar toolbar at the top of the Firefox window.

Nav Bar on Titlebar

This Windows-only add-on (at the time of writing) moves the main Nav Bar to the window’s title bar. There are a few settings one can configure but I keep it to the default.

Stylish

Stylish allows for script installs, scripts that alter web pages’ appearance as well as configuration elements to change the overall appearance of the Firefox interface. The one I use for maximizing Firefox is “Hide Forward/Back Buttons When not Needed”.

One other one I like is “Google Reader Readable” as I’m a heavy Reader user. It’s not required.

Head to UserStyles.org to see a huge collection of scripts you may find useful.

Tab Mix Plus

This extension possesses configuration options about tabs, sessions, and a multitude of tweaks. Spelling them out or even attaching screen shots of every possible tab would push this post even longer than it already is.

Instead, my config is here: TMPpref. You can import it into your TMP. Adjust for your own tastes.

Tiny Menu

UPDATE: Windows has the orange Firefox button. Ubuntu Unity embeds the menu in the top menu bar. Mac OS X does something similar. In all other cases or if you disable those you want Tiny Menu. With it and some toolbar customization you can minimize the vertical space you’d otherwise waste, putting the navigation and tool bars onto one while keeping the horizontal usage in check.

Vertical Tabs

This moves the tab bar from along the top horizontally to along the side vertically. You can drag the tab bar to the left which is where I prefer it. You can also resize the width, which I do. I make it wide enough to see the tab icon.

Final config

Move icons around so the few add-ons you need and some informational icons are on the one title/nav bar. Some might be on the status bar at screen bottom.

Close the status bar when you’re done.

Result

Here’s the final look. Note I have other add-ons installed.

If you’re able to make use of this and it works for you, please leave a comment below. I’d also love to hear about other tips and tricks to maximize browser space.

Belvedere on Windows – Keeping a tidy Desktop

Belvedere is a Windows app that automates actions for your PC.

The one biggest advantage of Belvedere is keeping my desktop clean. I hate it when an app decides to install an icon on my desktop. Belvedere helps with that.

First, follow this Lifehacker article. Then add a folder for c:\Users\Public\Desktop and make a transaction to delete the lnk files in that folder.

This will make sure that no app icons will end up on your desktop.

Refactoring Emacs’ Org-mode, GTD, Information Capture, Good Data, 6 W’s, & the Kitchen Sink

This post can use a serious refactoring all by itself. I won’t. This is more of a thought experiment, internal discussion open to all, and a mild rambling brain dump. If anyone gets any value out of it (including me), excelsior!

I use Emacs Org-mode for my GTD workflow. Emacs is ubiquitous for me on my computers. Org-mode is an add-on that I place a lot of stock in for information management and GTD. Mobileorg, the method/app that gets the Org-mode data to and from smartphones and tablets, is installed on my mobile devices.

Right now I use Org-mode mostly for work. Everything is in three basic files: inbox.org for capture, notes.org for note handling, and todo.org for task handling. These are more theoretical than practical. For example, I configured the org-capture function in org-mode to completely miss the inbox and place captured notes and tasks into their respective files. They should go instead into the inbox where I daily and weekly review and refile.

I also need my personal life captured in here. The line between personal and business time is beyond blurry. It’s more of a wind blown wave in the sand. Because of that and the highly similar nature of my day – it’s usual if not common for me to step out of the office for an hour or so to run an errand while I can be up the wee hours in my home office or hotel room working on budgets – I need to reflect my whole life in there and obliterate the microscopic distinction between the two. Plus my work life is generally more interesting of the two these days. Correcting that is a task in the new system.

This leaves me with a few open questions I’ve been pondering for a spell:

  1. Is org-mode the right choice?
  2. Is a one large file approach, several files approach, or a file per topic/project approach going to work out the best for me based on my current understanding and assumptions?
  3. How will I share this information with others as needed?
  4. How important are contexts in this new mix? For instance, will I care if I’m in the office or at home when doing most tasks? Do I care about a phone context since I always have at least one phone nearby? Same with a computer (though a keyboard context for writing might be good).
  5. How much of the rest of my time is spent in Emacs?
  6. How to keep safe, secure, and available?

The last shall be the first, the first shall be the second, and the rest shall fall where they may.

6 – I will keep my org files in Wuala. My mobileorg publishing will be done with Dropbox. Both are cross platform and cross OS options. Wuala is encrypted for data in transit and data at rest with me holding the keys. Dropbox isn’t as secure, but it is the only method I can make work of disseminating the data between my device platforms. Mobileorg allows for simple encryption for the data in transit. I hope the developers continue to improve it and maybe offer different cloud storage options. I don’t like using external services for such things. There is no similar solution in-house, and no explicit prohibition of a public option for tangentially relevant data. Until there is a viable internal option I am using the tools that are available. Having two separate solutions will allow provider diversity, though I could integrate an internal SharePoint option later. I continue to take appropriate actions, such as checks for data integrity and

1 – I think Org-mode and Emacs will stay my tools of choice, at least for now. I need to affix GTD as a habit more than I have. The tool used is largely irrelevant. When I bust out org-mode I not only feel like I have a better grasp on what I am doing, I actually accomplish things in a more strategic fashion. This is especially true in comparison to my Inbox. I always get burned when I use my Inbox as my todo list.

5 – Quite a lot of my time is spent in Emacs, actually, considering that my technical role is wafer thin. It is almost always running. Probably my best use is again with org-mode, but for doing presentations. I like drafting it in org-mode before subjecting it to MS PowerPoint or Keynote. It’s my external editor for Lotus Notes and my default for many file types in Windows. I used to use it for my Twitter client. I should dust that off. Emacs’ w3 is a great distraction-free web browser.

4 – I will ditch contexts in my GTD except for two – detached and keyboard. “Detached” (or maybe untethered) is for those times when I don’t need a network connection to work. These contexts should have all of the information needed stored locally. The other, keyboard, I need as mentioned above. Other tasks I can complete using an iPhone, iPad, Android device, or whatever. These contexts will be managed as tags on existing entries prefixed with the ‘at’ sign (@).

3 – Sharing information outside of org-mode is both incredibly easy and insanely difficult. org-mode uses flat text files. Internal logic presents the data in an efficient manner. While any old program can open text files, they can’t necessarily understand them. I think I can get around this by setting up agenda views published to HTML on the corporate SharePoint portal, for example. My group uses Lotus Notes for email and calendar, so I need to come up with a workable way to share at least the calendar stuff. Email I’m less concerned about at the moment, though if I can convince the powers that be to turn on secure IMAP …

2 – How to structure the file(s)? This is really where things go wonky for me and why I kept it for last. I love the idea of "one file to rule them all". A monolithic file will eventually get too big, too unwieldy, and too vertical for me to get Emacs and org-mode to handle it all. Too many small files takes the vertical problem and makes it horizontal. Having a separate file for each project, for example, is a great idea until one note or one task needs to be shared between two or more projects. My current sparse files option might be the best, but not how they’re currently setup. Notes and tasks need to be together.

I think my inbox.org concept is sound if I just use it.

I will kick things off with three main files: inbox.org, world.org, and archive.org. All of my daily capture will go into the inbox. All of my current stuff will reside in world. Nothing should go into world directly. Older items will go into archive. Daily I will empty my inbox. Weekly, monthly, and annually I will review the world. I will quarterly and annually review the archive. I will also have a “Someday/Maybe”-type file and a “reading room”-type file. I was going to have some miscellaneous files, but I don’t want to go too far afield on what I can see. Miscellaneous files may end up being out of normal view. I will reconsider this as things go.

I will keep my work calendar in Notes for the time being. If I can figure out a way to automate sharing the calendar between that and org-mode/Emacs calendar I will do so.

I will make projects contexts, tags prefixed with a ‘@’. A note or a task can be tagged with as many as needed.

Another thing I can do, and this is something of an aside but an important one, is I will be able to open notes and tasks associated with my team (and others). So, when I’m with them on the phone or standing at their desk I should be able to pull everything up about them as a tag filter across projects and everything. That kills off the far too frequent "What was that other thing I wanted to talk with you about?" query.

This reflection and rambling course of action brings up another issue, one that is not specific to any tool or method. I need to capture better information. I had a conversation with one of my bosses not too long ago. It was a long chat. There were many concrete tasks I needed to deliver. One item should have been concrete and easy to do but I wrote it down incorrectly. By the time I got back to it in a late review I couldn’t remember the "what" and "why" of the conversation though I had a time frame.

I may have mentioned somewhere that I was a Journalism and Broadcasting major in college. I trained for capturing accurate information. I did this by asking six simple questions:

  • Who?
  • What?
  • Where?
  • When?
  • Why?
  • How?

Why I don’t do this at certain times is fodder for yet another post yet another time.

Some of you may ask, "But I don’t need all of those when capturing data, do I"?

No. A good rule of thumb is no fewer than three. In my vague example above what, when, and why would probably have been sufficient. Who was a given value of "me". Where and how wasn’t part of the equation.

My management style rarely has a "How" or "Where" component to tasks I assign, though from time to time one of those can be introduced. Since I travel constantly for work, the "Where" bit can play a role.

Before sharing your data with others, especially higher ups and customers, you need all W’s answered. You should have references where possible.

I think the most frustrating thing around this process is that it’s not as simple as it should be. A colleague of mine constantly rails against managing to the exception (pot-kettle-black; another post), and he’s right, but how do you define what constitutes an exception. That takes us off into yet another post for another day.

Am I addressing my personal life, such as it is, in this? Is this actually going to help or hurt or make no difference? I won’t know until I take the plunge. One thing that I might alter will be the Someday/Maybe stuff. Items for my employer I will want to separate from my personal stuff. There will be an occasional overlap. I’ll deal with those as they come.

Another issue that is still out there is the data. If I leave my employer, who owns the data? If I mix the personal with the professional with the employer-specific stuff, how do I divorce it if need be?

I need to make a task to roll in my aborted OneNote experiment. I tried using OneNote. It’s a surprisingly great tool. The lack of an easy-to-use internal reference system, the inability to dock it at login, difficulty in reorganizing or refiling data, no overarching view of tasks, and its GUI-only nature limits its usefulness. Maybe if I was on Outlook & Exchange and never left a Windows/iOS environment it would work better. It does have a lot of things I quite like: templates (though not as easy to use as they should be), audio capture as part of note taking, tabs & pages & notebooks as its metaphor, OS-integrated capture, some third party tools to fill some gaps, and integration with SharePoint and MSN/MS Live with strong encryption for the data in transit (not sure about data-at-rest). I can see using it as a replacement for org-mode, but it will take a lot of work and decisions by people senior to me to make it a true replacement for work.

Two other things play a role in org-mode: Emacs calendar/diary and BBDB. The calendar is as described. The Big Brother DataBase (BBDB) is another animal. BBDB is a contact list. More value comes from using it in an integrated Emacs environment. My contacts are all over the place and in serious need of review. BBDB will be my main contact repository. I can move things in and out somewhat easily.

This post exceeded any reasonable expectation for length, breadth, and buckshot content.

It brings up another important point. I should be able to edit posts in Emacs, too! Someday/Maybe, perhaps. There must be a WordPress option for Emacs.

I have some concrete deliverables from this, some things to work on, and some “nice-to-haves” down the road.

Here endeth the … whatever this is.

isc.sans.org: Analyzing Teredo with tshark and Wireshark

Johannes Ullrich wrote up a nice article on Teredo, the IPv6 tunneling protocol built in to all modern versions of Windows. If you’re not sure what Teredo is:

The protocol tunnels IPv6 traffic from hosts behind NAT gateways via UDP packets, exposing them via IPv6 and possibly evading commonly used controls like Intrusion Detection Systems (IDS), Proxies or other network defenses.

This is an excellent read for how to detect and analyze the traffic.