Chapter 16, “Architectural Issues,” raised the issue that CIRTs have to focus primarily on compromised systems. And they do! How would you feel if you were on the phone with your CIRT trying to get information you need to deal with the latest nasty Trojan horse code and they said, “Sorry we are devoting all our resources to a new intelligence-gathering technique?”

Wise intrusion analysts devote a lot of attention to the prevention, detection, and reporting of mapping techniques. They know that recon is just part of the game. As attackers amass high-quality information about the layout of networks and ...