Upload
gervais-cannon
View
217
Download
0
Tags:
Embed Size (px)
Citation preview
1
Figure 10-4: Intrusion Detection Systems (IDSs)
Actions
Alarms
Interactive analysis
Manual event inspection of raw log file
Pattern retrieval
Reporting
2
Figure 10-4: Intrusion Detection Systems (IDSs)
Actions Automated response
Dangerous
Special danger of attack-back (might be illegal; might hurt victim)
Automation for clear attacks brings speed of response
3
Figure 10-4: Intrusion Detection Systems (IDSs)
Managing IDSs Tuning for precision
Too many false positives can overwhelm administrators, dull interest
False negatives allow attacks to proceed unseen
Tuning for false positives turns off unnecessary rules, reduces alarm levels of unlikely rules
IDS might make tuning difficult
4
Figure 10-4: Intrusion Detection Systems (IDSs)
Managing IDSs Updates
Program, attack signatures must be updated periodically
Performance
If processing speed cannot keep up with network traffic, some packets will not be examined
This can make IDSs useless during DoS attacks
5
Figure 10-4: Intrusion Detection Systems (IDSs)
Managing IDSs
Performance
If memory requirements are too large, system might crash
Making logs smaller by saving them more frequently hurts longer-duration event correlation
6
Figure 10-8: Intrusion Detection Processes
For Major Incidents
Organizational Preparation
Incident response procedures
Formation of a Computer Emergency Response Team (CERT) for major incidents
Communication procedures
Rehearsals
7
Figure 10-8: Intrusion Detection Processes
Initiation and Analysis
Initiation
Report a potential incident
Everyone must know how to report incidents
Analysis
Confirm that the incident is real
Determine its scope: Who is attacking; what are they doing
8
Figure 10-8: Intrusion Detection Processes
Containment
Disconnection of the system from the site network or the site network from the internet (damaging)
Harmful, so must be done only with proper authorization
Black-holing the attacker (only works for a short time)
Continue to collect data (allows harm to continue) to understand the situation better
9
Figure 10-8: Intrusion Detection Processes
Recovery
Repair of running system (hard to do but keeps system operating with no data loss)
Restoration from backup tapes (loses data since last backup)
Reinstallation of operating system and applications Must have good configuration documentation
before the incident
10
Figure 10-8: Intrusion Detection Processes
Punishment
Punishing employees is fairly easy
The decision to pursue prosecution
Cost and effort
Probable success if pursue (often attackers are minor)
Loss of reputation
11
Figure 10-8: Intrusion Detection Processes
Punishment Collecting and managing evidence
Call the authorities for help
Preserving evidence (the computer’s state changes rapidly)
Information on disk: Do immediate backup
Ephemeral information: Stored in RAM (who is logged in, etc.)
12
Figure 10-8: Intrusion Detection Processes
Punishment
Collecting and managing evidence
Protecting evidence and documenting the chain of custody
Ask upstream ISPs for a trap and trace to identify the attacker
13
Figure 10-8: Intrusion Detection Processes
Communication
Warn affected people: Other departments, customers
Might need to communicate with the media; Only do so via public relations
Protecting the System in the Future
Hacked system must be hardened
Especially important because many hackers will attack it in following weeks or months