1

Figure 10-4: Intrusion Detection Systems (IDSs)

Actions

Alarms

Interactive analysis

Manual event inspection of raw log file

Pattern retrieval

Reporting

2

Figure 10-4: Intrusion Detection Systems (IDSs)

Actions Automated response

Dangerous

Special danger of attack-back (might be illegal; might hurt victim)

Automation for clear attacks brings speed of response

3

Figure 10-4: Intrusion Detection Systems (IDSs)

Managing IDSs Tuning for precision

Too many false positives can overwhelm administrators, dull interest

False negatives allow attacks to proceed unseen

Tuning for false positives turns off unnecessary rules, reduces alarm levels of unlikely rules

IDS might make tuning difficult

4

Figure 10-4: Intrusion Detection Systems (IDSs)

Managing IDSs Updates

Program, attack signatures must be updated periodically

Performance

If processing speed cannot keep up with network traffic, some packets will not be examined

This can make IDSs useless during DoS attacks

5

Figure 10-4: Intrusion Detection Systems (IDSs)

Managing IDSs

Performance

If memory requirements are too large, system might crash

Making logs smaller by saving them more frequently hurts longer-duration event correlation

6

Figure 10-8: Intrusion Detection Processes

For Major Incidents

Organizational Preparation

Incident response procedures

Formation of a Computer Emergency Response Team (CERT) for major incidents

Communication procedures

Rehearsals

7

Figure 10-8: Intrusion Detection Processes

Initiation and Analysis

Initiation

Report a potential incident

Everyone must know how to report incidents

Analysis

Confirm that the incident is real

Determine its scope: Who is attacking; what are they doing

8

Figure 10-8: Intrusion Detection Processes

Containment

Disconnection of the system from the site network or the site network from the internet (damaging)

Harmful, so must be done only with proper authorization

Black-holing the attacker (only works for a short time)

Continue to collect data (allows harm to continue) to understand the situation better

9

Figure 10-8: Intrusion Detection Processes

Recovery

Repair of running system (hard to do but keeps system operating with no data loss)

Restoration from backup tapes (loses data since last backup)

Reinstallation of operating system and applications Must have good configuration documentation

before the incident

10

Figure 10-8: Intrusion Detection Processes

Punishment

Punishing employees is fairly easy

The decision to pursue prosecution

Cost and effort

Probable success if pursue (often attackers are minor)

Loss of reputation

11

Figure 10-8: Intrusion Detection Processes

Punishment Collecting and managing evidence

Call the authorities for help

Preserving evidence (the computer’s state changes rapidly)

Information on disk: Do immediate backup

Ephemeral information: Stored in RAM (who is logged in, etc.)

12

Figure 10-8: Intrusion Detection Processes

Punishment

Collecting and managing evidence

Protecting evidence and documenting the chain of custody

Ask upstream ISPs for a trap and trace to identify the attacker

13

Figure 10-8: Intrusion Detection Processes

Communication

Warn affected people: Other departments, customers

Might need to communicate with the media; Only do so via public relations

Protecting the System in the Future

Hacked system must be hardened

Especially important because many hackers will attack it in following weeks or months