2. 1 Figure 10-4: Intrusion Detection Systems (IDSs) Actions  Alarms  Interactive analysis Manual event inspection of raw log file Pattern retrieval  Reporting

3. 2 Figure 10-4: Intrusion Detection Systems (IDSs) Actions  Automated response Dangerous Special danger of attack-back (might be illegal; might hurt victim) Automation for clear attacks brings speed of response

4. 3 Figure 10-4: Intrusion Detection Systems (IDSs) Managing IDSs  Tuning for precision Too many false positives can overwhelm administrators, dull interest False negatives allow attacks to proceed unseen Tuning for false positives turns off unnecessary rules, reduces alarm levels of unlikely rules IDS might make tuning difficult

5. 4 Figure 10-4: Intrusion Detection Systems (IDSs) Managing IDSs  Updates Program, attack signatures must be updated periodically  Performance If processing speed cannot keep up with network traffic, some packets will not be examined  This can make IDSs useless during DoS attacks

6. 5 Figure 10-4: Intrusion Detection Systems (IDSs) Managing IDSs  Performance If memory requirements are too large, system might crash  Making logs smaller by saving them more frequently hurts longer-duration event correlation

7. 6 Figure 10-8: Intrusion Detection Processes For Major Incidents Organizational Preparation  Incident response procedures  Formation of a Computer Emergency Response Team (CERT) for major incidents  Communication procedures  Rehearsals

8. 7 Figure 10-8: Intrusion Detection Processes Initiation and Analysis  Initiation Report a potential incident Everyone must know how to report incidents  Analysis Confirm that the incident is real Determine its scope: Who is attacking; what are they doing

9. 8 Figure 10-8: Intrusion Detection Processes Containment  Disconnection of the system from the site network or the site network from the internet (damaging) Harmful, so must be done only with proper authorization  Black-holing the attacker (only works for a short time)  Continue to collect data (allows harm to continue) to understand the situation better

10. 9 Figure 10-8: Intrusion Detection Processes Recovery  Repair of running system (hard to do but keeps system operating with no data loss)  Restoration from backup tapes (loses data since last backup)  Reinstallation of operating system and applications Must have good configuration documentation before the incident

11. 10 Figure 10-8: Intrusion Detection Processes Punishment  Punishing employees is fairly easy  The decision to pursue prosecution Cost and effort Probable success if pursue (often attackers are minor) Loss of reputation

12. 11 Figure 10-8: Intrusion Detection Processes Punishment  Collecting and managing evidence Call the authorities for help Preserving evidence (the computer’s state changes rapidly)  Information on disk: Do immediate backup  Ephemeral information: Stored in RAM (who is logged in, etc.)

13. 12 Figure 10-8: Intrusion Detection Processes Punishment  Collecting and managing evidence Protecting evidence and documenting the chain of custody  Ask upstream ISPs for a trap and trace to identify the attacker

14. 13 Figure 10-8: Intrusion Detection Processes Communication  Warn affected people: Other departments, customers  Might need to communicate with the media; Only do so via public relations Protecting the System in the Future  Hacked system must be hardened  Especially important because many hackers will attack it in following weeks or months