Improving Detection with Context

An effective technique to improve detection capabilities is to add contextual information that can help validate attacks that otherwise would be disregarded. Let’s look at another incident example from an IDP. If you have a public web server, you can be sure it will be scanned for vulnerabilities daily, if not hourly. Most IDPs have literally thousands of signatures that can detect different attacks. The following are a few Snort signatures that are commonly triggered during a web server attack:

WEB-IIS ISAPI .ida attempt
WEB-IIS cmd.exe access
WEB-IIS msadcs.dll access

Are these signatures actionable incidents? Maybe. Each of them could be a failed exploit attempt, but each could also be the first sign of a successful compromise of the web server. The problem is that, looking at the signature alone, a failed attempt and a successful compromise may look exactly the same: the IDS sees the same request on the wire either way. You need more information to corroborate whether the attack succeeded. Directionality is one such source: if your web server starts initiating attacks against other hosts on the Internet, the compromise is confirmed, because a web server that is merely being scanned does not open connections of its own. If the attacker's footprints are more subtle, you may need to look for other indications of a successful exploit, such as the server opening connections it has never made before.

One readily available source of additional context can be found in your firewall or router logs. These technologies commonly record when and how a host connects to another host. For example, a connection from host A to host B on TCP port 80 ...
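The correlation described above, worked through in code. This is an added example, not code from the book or its authors: it parses constructed IDS alerts in Snort's "fast" alert style (the gid:sid:rev values are placeholders) and a constructed, simplified firewall connection log, then asks for each alert whether the attacked web server itself opened unexpected connections shortly afterwards. The web server address, the internal ranges, the allowlist of expected outbound connections, the 30-minute window and the year (Snort fast alerts and syslog carry no year) are all assumptions for the example.

```python
"""Add firewall-log context to IDS web-attack alerts.

An alert alone says "someone tried"; the attacked server *initiating*
connections it never used to make says "it worked".
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical environment (assumptions): one DMZ web server, our internal
# ranges, and the only outbound connection the server is expected to make.
WEB_SERVERS = {"192.0.2.80"}
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]
EXPECTED_OUTBOUND = {("192.0.2.80", "10.0.1.5", 1433)}  # web -> backend SQL
WINDOW = timedelta(minutes=30)  # how long after an alert we look for fallout
YEAR = 2024                     # neither log format carries a year

# Constructed sample alerts, Snort fast-alert style (gid:sid:rev are placeholders).
IDS_ALERTS = """\
08/25-09:13:46.123456  [**] [1:1000001:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:3450 -> 192.0.2.80:80
08/25-09:13:47.001200  [**] [1:1000002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.10:3451 -> 192.0.2.80:80
08/25-11:40:02.550000  [**] [1:1000003:1] WEB-IIS msadcs.dll access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:51002 -> 192.0.2.80:80
"""

# Constructed firewall connection log in a simplified syslog-like format.
FW_LOG = """\
08/25 09:13:46 fw1 ACCEPT TCP 203.0.113.10:3450 -> 192.0.2.80:80
08/25 09:14:10 fw1 ACCEPT TCP 192.0.2.80:1037 -> 10.0.1.5:1433
08/25 09:15:31 fw1 ACCEPT TCP 192.0.2.80:1041 -> 203.0.113.10:4444
08/25 09:16:05 fw1 ACCEPT TCP 192.0.2.80:1042 -> 10.0.2.20:80
08/25 11:40:02 fw1 ACCEPT TCP 198.51.100.77:51002 -> 192.0.2.80:80
08/25 11:41:00 fw1 ACCEPT TCP 192.0.2.80:1060 -> 10.0.1.5:1433
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s+\S+\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Return the alerts as dicts with a real datetime, message, src and dst."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
            out.append({"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return out


def parse_fw(text):
    """Return accepted connections as dicts (who connected to whom, when)."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m["action"] == "ACCEPT":
            ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d %H:%M:%S")
            out.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return out


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def outbound_after(alert, conns):
    """Connections the attacked server itself opened within WINDOW of the alert,
    minus the ones it is expected to make (the baseline is the key caveat:
    without it every DB query would look like fallout)."""
    victim, end = alert["dst"], alert["ts"] + WINDOW
    return [c for c in conns
            if c["src"] == victim and alert["ts"] <= c["ts"] <= end
            and (c["src"], c["dst"], c["dport"]) not in EXPECTED_OUTBOUND]


def assess(alert, conns):
    """Turn a bare signature hit into a verdict using firewall context."""
    if alert["dst"] not in WEB_SERVERS:
        return "not-our-asset"
    evidence = outbound_after(alert, conns)
    if not evidence:
        return "unconfirmed"            # most likely a failed attempt; keep for trending
    if any(not is_internal(c["dst"]) for c in evidence):
        return "confirmed-outbound"     # the server now talks to the Internet on its own
    return "confirmed-lateral"          # the server now reaches other internal hosts


def triage(alert_text, fw_text):
    conns = parse_fw(fw_text)
    return [(a["ts"].isoformat(), a["msg"], assess(a, conns)) for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for ts, msg, verdict in triage(IDS_ALERTS, FW_LOG):
        print(f"{ts}  {msg:32}  {verdict}")
```

Run against the constructed data, the two morning alerts are upgraded to confirmed compromises because the web server opened a connection to the attacker's host on port 4444 and then to another internal host, while the later msadcs.dll hit stays unconfirmed since the only outbound connection that followed was the expected database query. The EXPECTED_OUTBOUND baseline is what keeps the correlation honest: a web server that legitimately calls a backend will trigger the rule constantly unless those flows are excluded first.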
