Guide to Network Defense and Countermeasures, Second Edition
Chapter 8 Intrusion Detection: Incident Response
Objectives
• Configure an IDS and develop filter rules
• Develop a security incident response team for your organization
• Explain the six-step incident response process
• Describe how to respond to false alarms to reduce reoccurrences
• Explain options for dealing with legitimate security alerts
Developing IDS Filter Rules
• IDS effectiveness depends on its database
  – Database should be complete and up to date
• IDS can have its own set of rules
  – You can edit it in response to scans and attacks
• IDS can be used proactively
  – Block attacks
  – Move from intrusion detection to intrusion prevention
Rule Actions
• IDS has a passive and reactive nature
• Configure IDS to take actions
  – Other than simply triggering alarms
  – Provides another layer of network defense
• IDSs include documentation for writing rules
• Customized rules can increase false positives during the learning process
  – Test your rules before using them in a real system
Rule Actions (continued)
• Snort actions for rules
  – Alert
  – Log
  – Pass
  – Activate
  – Dynamic
Rule Data
• Specify the action you want Snort to perform
• Specify the rest of the data that applies to the rule
  – Protocol
  – Source and destination IP addresses
  – Port number
  – Direction
Rule Options
• Make Snort more precise
• Options are enclosed in parentheses
• Snort options
  – msg
  – ttl
  – id
  – flags
  – ack
  – content
  – logto
Rule Options (continued)
• TCP flags are designated by a single character
• Rule base for an IDS is different from a packet-filtering rule base
  – IDS rules assume packets have already been filtered
• Log any traffic that gets through the packet filter
  – And matches a signature in the IDS
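The rule layout the slides describe (action, protocol, addresses, ports, direction, then options in parentheses), as an added example that is not code from the book or from Snort itself: a small Python parser for that layout plus a matcher that applies one parsed rule to a packet. The flag characters 2, 1, 0, the + * ! modifiers, the "!" address negation and the sample rule and packets are assumptions drawn from Snort's syntax, not from the slides.

```python
"""Parse a Snort rule (header plus parenthesised options) and test it against a packet."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}    # actions named on the slides
FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
# Single-character TCP flags: F S R P A U as on the slides; 2 1 0 and the modifiers
# + * ! , are Snort's own syntax (assumption: not shown on the page)
FLAG_CHARS, FLAG_MODS = set("FSRPAU210"), set("+*!,")
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# one option: keyword[:value]; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def parse_options(text):
    # 'msg:"a;b"; flags:S; nocase;' -> {'msg': 'a;b', 'flags': 'S', 'nocase': ''}
    opts, pos, text = {}, 0, text.strip()
    while pos < len(text):
        m = OPTION_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad option syntax near {text[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2) or ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                  # strip the surrounding quotes
        opts[key] = value
        pos = m.end()
    return opts

def parse_rule(line):
    # 'action proto src sport dir dst dport (options)' -> dict of header fields + options
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("expected: action proto src sport dir dst dport (options)")
    rule = dict(zip(FIELDS, m.groups()))
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown rule action {rule['action']!r}")
    rule["proto"] = rule["proto"].lower()
    rule["options"] = parse_options(m.group(8))
    bad = set(rule["options"].get("flags", "")) - FLAG_CHARS - FLAG_MODS
    if bad:
        raise ValueError(f"invalid TCP flag characters {sorted(bad)}")
    return rule

def _ip_ok(spec, ip):      # 'any', a host or a CIDR block; a leading '!' negates
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_ok(spec, port):  # 'any', one port, or a low:high range with either end open
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high

def rule_matches(rule, pkt):
    # pkt: dict with proto, src, sport, dst, dport, flags (str) and payload (bytes)
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_ip_ok(rule["src_ip"], pkt["src"]) and _port_ok(rule["src_port"], pkt["sport"])
            and _ip_ok(rule["dst_ip"], pkt["dst"]) and _port_ok(rule["dst_port"], pkt["dport"])):
        return False         # '->' only; a '<>' rule would also need the reverse check
    want = rule["options"].get("flags", "")
    if want and set(want) & FLAG_CHARS != set(pkt.get("flags", "")):
        return False         # exact flag set only; modifiers (+ * !) are not interpreted
    content = rule["options"].get("content", "")
    if content and content.encode() not in pkt.get("payload", b""):
        return False         # plain-text content only; |hex| notation not interpreted
    return True

# Constructed sample rule and packets, not from the page
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
               '(msg:"Example web signature"; flags:PA; content:"/example-signature"; ttl:64;)')
HIT_PKT = {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.168.1.20",
           "dport": 80, "flags": "PA", "payload": b"GET /example-signature HTTP/1.0\r\n"}
MISS_PKT = dict(HIT_PKT, dst="192.168.2.20")    # same payload, outside the rule's subnet
```

Run `rule_matches(parse_rule(SAMPLE_RULE), HIT_PKT)` to see the rule fire; the same packet aimed at a host outside the subnet, or sent with a different flag set, does not match.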
Developing a Security Incident Response Team (SIRT)
• Response options
  – Taking countermeasures to block intrusion
  – Making corrections to packet-filtering rules and proxy servers
  – Modifying security policies to cover new vulnerabilities
• Security Incident Response Team (SIRT)
  – Gives your organization flexibility to carry out these response options
Goals of a Security Incident Response Team (SIRT)
• Security Incident Response Team (SIRT)
  – Also known as computer incident response team (CIRT)
  – Group of people assigned to respond effectively to security breaches
• Primary functions
  – Preparation
  – Notification
  – Response
  – Countermeasures
  – Recovery
  – Follow-up
Responsibilities of Team Members
• Look within the organization for SIRT members
• SIRT members should stop any work they have
  – To respond to a security incident
  – They should have enough authority to make decisions
• Deciding what roles team members will assume
  – SIRT should contain employees representing a cross-section of the organization
  – This ensures all parts of the organization are represented
Responsibilities of Team Members (continued)
• Typically, SIRT members come from
  – Management
  – Legal
  – Information Technology (IT)
  – Physical security
  – Information Security Services (ISS)
  – Human Resources (HR)
  – Public Relations (PR)
  – Finance/Accounting
Responsibilities of Team Members (continued)
• Staffing and training
  – Virtual team
    • Consists of employees with other jobs
    • Team exists only during meetings or when an incident becomes serious enough
    • Tends to get out of touch and need retraining
  – If budget allows it, assemble a team whose sole responsibility is security incident response
    • Might be economically feasible only for large organizations
Responsibilities of Team Members (continued)
• Staging fire drills
  – Conduct a security drill
    • You might need to convince upper management
  – Drills can pay off in the long run
    • Making response more effective and coordinated
  – Pick a time for the drill and follow a scenario
  – Drills can be scheduled or spontaneous
  – Intended to identify any holes in security procedures
    • And make sure SIRT members know their duties and responsibilities
Public Resource Teams
• Teams around the world publish notices and articles about serious security incidents
  – You can notify these teams if you encounter a significant security event
• These groups also provide training for response team members
  – CERT Coordination Center
  – DFN-CERT
Outsourcing Incident Response
• Hire a company that monitors your network and IDS sensors
  – Tells you whether an intrusion has occurred
• Advantages
  – Result in lower overall costs
• Disadvantages
  – Hard to achieve timely, effective incident response
• Get references from current and former customers before hiring an incident response service
How to Respond: The Incident Response Process
• Steps
  – Preparation
  – Notification
  – Response
  – Countermeasures
  – Recovery
  – Follow-Up
Step 1: Preparation
• Using risk analysis to prepare your responses
  – Risk analysis identifies what needs to be protected
    • It is used to prepare a security policy
  – Use the security policy as a guideline when responding to incidents
    • Many security policies include a section on incident response
  – Everyone involved in incident response should know where these guidelines are
Step 1: Preparation (continued)
• Active network monitoring
  – Essential activity
    • SIRT members might be dedicated to this task
  – Considered a proactive task
    • Can prevent incidents from occurring
    • Can reduce false positives
  – Involves actively testing your network
    • Use a network vulnerability analyzer
      – Security Administrator's Integrated Network Tool (SAINT)
      – WebSAINT
      – Nessus
Step 2: Notification
• Process by which SIRT members receive news about security incidents
• Notifications come from
  – Firewalls or IDSs
  – SIRT members
  – Network administrators
  – Employees
• After notification, SIRT members should assess level of damage
• Not all incidents should be reported to all SIRT members
Step 3: Response
• SIRT members should keep in mind
  – Do not panic
  – Follow established procedures
• Take time to analyze all reported events
  – Do not simply react
• Important to have clear escalation procedures
  – Key to efficient response
  – Create a flowchart for the escalation procedures
Step 3: Response (continued)
• Determining the need for escalation
  – Determine
    • What needs to be reported
    • Who needs to know it
    • How quickly you need to do the reporting
  – Report the basic facts surrounding the incidents
  – Figure out how people will be notified
    • Out-of-band notification using other communication devices
  – Consider reporting serious security incidents to the community
Step 3: Response (continued)
• Following standard response procedures
  – Avoid contacting everyone by e-mail
    • Attacker can be in control of your mail servers
  – Set up a hotline
  – Set up a list of people to contact
  – Try not to overreact to intrusions
  – Follow procedures in place that tell you exactly what to do for each situation
Step 4: Countermeasures
• Containment of damage
  – Containment
    • Preventing spreading to other resources
  – Consider doing the following
    • Shut down the affected system
    • Disable user and group accounts
    • Disable services that were exploited
    • Make backups of affected systems to protect the originals as evidence
  – Define a set of containment procedures
Step 4: Countermeasures (continued)
• Eradication of data introduced by an intrusion
  – Eradication
    • Removing any files or programs that resulted from the intrusion
  – Can be tedious and time consuming
  – SIRT members should do the following
    • Check user accounts to make sure no additional users have been added
    • Check services
    • Check .dll files and the Windows Registry
    • Make sure files created during the attack are legitimate
Step 5: Recovery
• Putting compromised items back in service
• Monitor restored devices for at least 24 hours
  – Make sure network is operating properly
• SIRT members can require users to sign a document
  – Agreeing the computer has been serviced and returned in working order
• Adjust packet-filtering rules
  – To block communications to or from Web sites involved in the attack
Step 6: Follow-Up
• Follow-up
  – Process of documenting
    • What took place after an intrusion was detected
    • And a response occurred
  – Prevents similar intrusions from reoccurring
• Recordkeeping
  – Recording all events associated with the security incident
  – Helps fellow SIRT members deal with similar situations
Step 6: Follow-Up (continued)
• Recordkeeping (continued)
  – Do not keep your notes on your computer
  – Documentation is essential for prosecuting offenders
• Reevaluating policies
  – You can recommend changes to the security policy based on previous attacks
    • Information should be included in a follow-up database
  – Details on security incidents are for internal use only
    • Security policy should state this
    • Prevents bad public relations
Dealing with False Alarms
• Minimize false positives and false negatives
  – Essential part of managing an IDS
• Tuning your system can degrade its performance
• Better to adjust existing rules if needed
  – Create new rules only if absolutely necessary
Filtering Alerts
• To reduce false alarms, adjust the rules used by
  – Firewalls
  – Packet filters
  – IDSs
• Exclude a specific signature for connections to a selected IP address
  – Both internal and external addresses
  – Can even exclude an entire subnet or network
Disabling Signatures
• You might want to disable entire signatures
  – So they do not trigger alarms
• Disable signatures when testing your network
• False alarms should be recorded on a tracking chart
• Exclude duplicated signatures from IDSs
  – To improve efficiency
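The address-based exclusion from the Filtering Alerts slide and the signature disabling and tracking chart from the Disabling Signatures slide, as an added Python example that is not code from the book or from any IDS product: alerts for one signature are suppressed for a host or subnet seen as source or destination, whole signatures can be switched off while the network is being tested, and every filtered alert is counted on a per-signature false-alarm chart. The alert records, signature ids and tuning decisions are constructed for the example; the suppression shape (signature id, track by source or destination, network) is modelled on Snort's suppress directive but is this example's own code.

```python
"""Per-signature alert suppression, signature disabling and a false-alarm tracking chart."""
import ipaddress
from collections import Counter

# Constructed sample alerts, not from the page; sid = signature id
ALERTS = [
    {"sid": 1001, "msg": "SNMP community probe", "src": "10.0.5.9", "dst": "10.0.5.1"},
    {"sid": 1001, "msg": "SNMP community probe", "src": "198.51.100.4", "dst": "10.0.5.1"},
    {"sid": 2003, "msg": "Oversized ICMP echo", "src": "10.0.7.22", "dst": "10.0.7.1"},
    {"sid": 3100, "msg": "TCP port sweep", "src": "10.0.9.3", "dst": "10.0.9.40"},
    {"sid": 3100, "msg": "TCP port sweep", "src": "10.0.9.3", "dst": "10.0.9.41"},
]


class AlertFilter:
    def __init__(self):
        self.disabled = set()        # signatures switched off entirely
        self.suppressions = []       # (sid, "src" | "dst", ip_network)
        self.chart = Counter()       # false-alarm tracking chart: sid -> alerts filtered

    def disable_signature(self, sid):
        self.disabled.add(sid)

    def enable_signature(self, sid):
        self.disabled.discard(sid)

    def suppress(self, sid, network, track="src"):
        """Stop `sid` alarming for a host or subnet seen as source or destination."""
        if track not in ("src", "dst"):
            raise ValueError("track must be 'src' or 'dst'")
        self.suppressions.append((sid, track, ipaddress.ip_network(network, strict=False)))

    def reason_to_drop(self, alert):
        """Return why an alert is filtered, or None if it should still be raised."""
        if alert["sid"] in self.disabled:
            return "signature disabled"
        for sid, track, net in self.suppressions:
            if sid == alert["sid"] and ipaddress.ip_address(alert[track]) in net:
                return f"suppressed for {track} {net}"
        return None

    def process(self, alerts):
        """Return the alerts that still fire; count the filtered ones on the chart."""
        kept = []
        for alert in alerts:
            why = self.reason_to_drop(alert)
            if why is None:
                kept.append(alert)
            else:
                self.chart[alert["sid"]] += 1
        return kept


def tune_for_known_false_alarms():
    """Constructed tuning a SIRT might settle on after reviewing ALERTS."""
    f = AlertFilter()
    f.suppress(1001, "10.0.5.0/24", "src")   # management subnet polls SNMP legitimately
    f.suppress(3100, "10.0.9.3", "src")      # the authorised vulnerability scanner host
    f.disable_signature(2003)                # only while network testing is under way
    return f
```

After `tune_for_known_false_alarms().process(ALERTS)` only the SNMP alert from the external address remains, and the chart shows how often each tuned signature would otherwise have fired; re-enable signature 2003 once testing ends.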
Dealing with Legitimate Security Alerts
• Determine whether the attack is a false alarm
  – Look for indications such as
    • You notice system crashes
    • New user accounts suddenly appear on the network
    • Sporadic user accounts suddenly have heavy activity
    • New files appear, often with strange file names
    • A series of unsuccessful logon attempts occurs
• Respond calmly and follow established procedures
• Call law enforcement personnel if necessary
  – To handle the intrusion
Assessing the Impact
• Was any host on your network compromised?
• Determine the extent of the damage
• Determine the scope and impact of the problem
• Determine if the firewall was compromised
  – If the firewall was compromised, computers on the network could be accessed
  – Reconstruct the firewall from scratch
Developing an Action Plan
• Action plan might involve the following steps:
  – Assess seriousness of the attack
  – Notify team leader immediately
  – Begin to document all actions
  – Contain the threat
  – Determine the extent of the damage
  – Make a complete bit-stream backup of the media
    • If you plan to prosecute
  – Eradicate the problem
  – Restore the system
  – Record a summary of the incident
Handling Internal Versus External Incidents
• Intrusions and security breaches often originate from inside an organization
• Your response needs to be more measured
• Avoid notifying the entire staff
• Human Resources and Legal departments should be made aware of the problem
• Notify the entire staff only when they need to know something serious happened
Taking Corrective Measures to Prevent Reoccurrences
• Take steps to prevent intrusions from recurring
• Set up intrusion rules that send alarms when the same intrusions are detected
• Notify others on the Internet about your attack
Working Under Pressure
• Incident response activities need to be carried out with discretion
• Sometimes it is best to allow the incident to continue for a while
  – This gives you time to monitor the attack
• Gather evidence according to the goal of your actions
  – Prosecution
  – Corrective measures
• Do not rush to respond to incidents
Gathering Data for Prosecution
• Rules to handle evidence
  – Make sure two people handle the data at all times
  – Write everything down
  – Lock it up!
• Chain of custody
  – Record of who handled an object to be used as evidence in court
  – Decide which SIRT members will handle the evidence
• Before an incident occurs, decide whether you will prosecute or not
  – Include this in your security policy
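The evidence rules on this slide (two people handle the data, write everything down, keep a chain of custody) applied to the bit-stream backup the action plan calls for, as an added Python example that is not code from the book: every hand-off of the image is recorded with both handlers, the action and the image's SHA-256, a hand-off involving only one person is refused, and a hand-off whose hash no longer matches the acquisition hash is still written down but marks the chain as not verified. Re-hashing the image at each hand-off is added practice, not something the slides state; the case id, handler names, timestamps and image bytes are constructed.

```python
"""Chain-of-custody record for a bit-stream image with hash re-checks at each hand-off."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    when: str
    handlers: tuple
    action: str
    image_sha256: str
    intact: bool          # hash still equals the hash taken at acquisition


class ChainOfCustody:
    def __init__(self, case_id, image: bytes, handlers, when=None):
        self.case_id = case_id
        self.original_sha256 = sha256_hex(image)
        self.entries = []
        self.record(image, handlers, "acquired bit-stream image", when)

    def record(self, image: bytes, handlers, action, when=None):
        """Write down a hand-off; refuse one that does not involve two people."""
        handlers = tuple(dict.fromkeys(handlers))       # de-duplicate, keep order
        if len(handlers) < 2:
            raise ValueError("two people must handle the evidence at all times")
        digest = sha256_hex(image)
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        entry = CustodyEntry(when, handlers, action, digest, digest == self.original_sha256)
        self.entries.append(entry)                       # recorded even when not intact
        return entry

    def verify(self) -> bool:
        """True only if every recorded hand-off still carried the original image."""
        return all(e.intact for e in self.entries)

    def report(self) -> str:
        lines = [f"case {self.case_id}  acquisition SHA-256 {self.original_sha256}"]
        for e in self.entries:
            flag = "" if e.intact else "  ** HASH MISMATCH **"
            lines.append(f"{e.when}  {' + '.join(e.handlers)}  {e.action}{flag}")
        return "\n".join(lines)


def demo():
    """Constructed scenario: two clean hand-offs, then a copy that no longer matches."""
    image = b"\x00" * 512 + b"constructed stand-in for a bit-stream disk image"
    chain = ChainOfCustody("IR-0001", image, ("analyst A", "witness B"),
                           when="2024-01-01T09:00:00+00:00")
    chain.record(image, ("analyst A", "analyst C"), "locked in evidence safe",
                 when="2024-01-01T09:30:00+00:00")
    intact_before = chain.verify()
    chain.record(image + b"\x01", ("analyst C", "legal D"), "handed to legal",
                 when="2024-01-02T10:00:00+00:00")      # one byte differs: not the original
    return intact_before, chain
```

`demo()` returns True for the chain before the altered copy and a chain whose `verify()` is False afterwards; `report()` prints the custody log with the mismatching hand-off flagged.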
Gathering Data for Prosecution (continued)
• Steps for handling and examining hard disks and other computer data
  – Secure the area
  – Prepare the system
  – Examine the system
  – Shut down the system
  – Secure the system
  – Prepare the system for acquisition
  – Examine the system
  – Connect target media
  – Secure evidence
Summary
• IDS devices can have their own set of filter rules
• SIRT members should come from all major departments
• Incident response steps
  – Preparation
  – Notification
  – Response
  – Countermeasures
  – Recovery
  – Follow-up
Summary (continued)
• Response procedures should be stated in a document
• SIRT members should assess the level of the incident
• Types of countermeasures
  – Containment
  – Eradication
• After eradication is complete, affected media need to be recovered
  – And monitored for a couple of days
Summary (continued)
• False alarms are almost inevitable with any IDS
  – Reduce them by adjusting rules in your security devices
• Legitimate attacks require a calm, systematic, and thorough response
• External attacks by attackers you can identify might call for prosecution in court