Food for Thought

I find it strange that the techniques described in this chapter are often not supported by comprehensive research, published white papers, or readily available tools. With the attack tracking craze initiated by Lance Spitzner’s honeypot research, and only fueled by products such as intrusion detection systems, one would expect to see fewer efforts to identify attacks (which are usually not particularly exciting themselves and which typically use well-documented vectors and flaws) and more attempts to determine the intent and origin of an attack and to correlate events that are meaningless alone, but that can signal a problem when combined.

I can only shed some light on the tip of an iceberg, but needless to say, this may be one ...
