An intrusion detection system (IDS) is a piece of network security equipment that monitors network transmissions in real time and sends out an alarm, or takes active response measures, when a suspicious transmission is found. It differs from other network security equipment in that an IDS is a proactive security protection technology.
An IDS is a computer monitoring system. It monitors the system in real time and sends out warnings once abnormal conditions are found. It can be divided into several categories according to its information source and detection method: by information source, into host-based IDS and network-based IDS; by detection method, into anomaly intrusion detection and misuse intrusion detection. Unlike a firewall, an IDS is a monitoring device that is not placed inline on any link and can work without network traffic flowing through it.
Hi Zibai, IDS is an important mechanism which could help companies and organizations prevent intrusions of any kind and minimize the impact and losses. The benefit of the device is that it does not need network traffic to flow through it.
Hi Zibai,
Great points! There are many benefits of an IDS, such as the ability to identify security incidents and help analyze the quantity and types of attacks. An IDS also helps an organization identify bugs in its network device configurations. These can then be used to assess future risks.
Incidents can be categorized into different severities. Not all incidents are equally severe. Incidents range from situations mild enough to ignore to threats against the very continuity of the business. They can be divided into four scales: false alarms, minor incidents, major incidents, and disasters. False alarms are situations that seem to be incidents but turn out to be innocent activities. Minor incidents refer to true breaches that the on-duty staff can handle and that do not have broader implications for the firm. The third is major incidents, which have an impact too large for the on-duty IT staff to handle. The fourth is disasters, which refer to fires, floods, and other disasters that are beyond the abilities of even CSIRTs (computer security incident response teams). Disasters often threaten business continuity, which is the maintenance of the day-to-day revenue-generating operations of the firm.
Hello Ting-Yen,
I think you raised an important detail about incidents, in that not all incidents are bad or severe. Your explanation of the four major types of incidents is also a key point. Having a classification system for the different types of incidents will help an organization determine how best to resolve the incidents at hand, or whether they can be ignored altogether.
A business continuity plan (BCP) outlines how a business will continue operating during an unplanned disruption in service, or how a company plans to maintain or restore core business operations after accidents (such as natural disasters, fires, and cyberterrorism). The BCP is an important part of the organization’s risk management strategy; it involves defining any and all risks that can affect the company’s operations. There are some basic principles for BCP management: the first job of planning and event management is to provide for the safety of people; people are not at their best cognitively during crises; rigid pre-planning should not lead to a loss of flexibility in response; and in crises, communication inevitably breaks down because technology cannot survive building damage or prolonged periods without electrical power.
Hi Xinyi,
Thank you for your sharing. A key point from Chapter 10 is the relationship between Business Continuity Planning and Disaster Recovery. IT Disaster Recovery is a subset of BCP focused on restoring IT functionality after an accident, disaster, etc. Business Continuity Planning has a wider scope and consists of the “plan of action”. A Business Continuity Plan specifies how a company plans to maintain or restore core business operations when disasters occur.
IT disaster recovery planning (IT DRP) specifies how a company can get IT back into operation, looking specifically at the technical aspects. IT disaster recovery is critical to successful business continuity recovery. Disasters can include natural events such as earthquakes or hurricanes, equipment failure, cyber-attacks, etc. With an IT DRP in place, companies can respond quickly to a disaster and take immediate action to reduce damage and resume operations as quickly as possible. An IT DRP typically includes:
1. Critical IT assets and their maximum allowed outage time
2. Tools or technologies that should be used for recovery
3. Emergency procedures
4. Disaster recovery team and their contact information
The most important aspect of every IT DRP is to have a way to replicate data. Data can be replicated to on-site cold storage, off-site cold storage, on-site warm backup, and off-site warm backup.
Hi Priyanka. I like your summary of the items included in an IT DRP. I agree with your assessment that data replication is important, and I also think recovery testing with some type of frequency (annual, semi-annual or quarterly) is important. Testing is a significant lift and is expensive; however, it has been proven that better recovery decisions and actions are taken if the plan is tested periodically.
An Intrusion Detection System (IDS) identifies common attack patterns and raises alerts by monitoring network communication. There are four major functions of an IDS:
– Logging: It can be utilized to recognize network traffic and capture discrete activities. It could also be very significant evidence pointing to a potential cybercriminal.
– Automated analysis by the IDS: Administrators can use attack signatures that identify known attack patterns and anomaly detection that finds deviations from historical traffic patterns.
– Administrator actions: Security administrators can use the log summary reports and alarms to eliminate the vulnerabilities.
– Management: After these analyses, management should have a useful policy to manage the IDS, and employees should be aware that their activities will be monitored.
Since an IDS proactively monitors the network or systems and notifies of malicious activities and violations, management should know how to use it effectively.
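As an added illustration of the two automated-analysis approaches named in the post above (signature matching against known patterns, and anomaly detection against a historical baseline), the following Python is example code written for this discussion, not from the textbook or any IDS product. The hosts, baselines, request lines and the 3-sigma threshold are all constructed assumptions.

```python
"""Signature and anomaly detection over constructed flow summaries (example, not a product)."""
import re
import statistics

# Constructed history: connections per minute seen from each internal host during a normal period.
BASELINE = {
    "10.0.0.5": [10, 12, 11, 9, 13, 12, 10, 11],
    "10.0.0.9": [3, 4, 2, 3, 5, 4, 3, 4],
}

# Constructed current-minute summaries: (source host, connections this minute, one sampled request).
CURRENT = [
    ("10.0.0.5", 12, "GET /index.html HTTP/1.1"),          # normal rate, benign request
    ("10.0.0.9", 60, "GET /login HTTP/1.1"),               # benign-looking request, rate spike
    ("10.0.0.5", 11, "GET /../../etc/passwd HTTP/1.1"),    # normal rate, known attack pattern
    ("10.0.0.77", 5, "GET / HTTP/1.1"),                    # host with no history yet
]

# Signature rules: known attack patterns expressed as regular expressions over the request line.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}


def signature_matches(request):
    """Names of the signatures that fire on one request line (empty list if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


def anomaly_score(host, count, baseline=BASELINE):
    """Standard score of this minute's count against the host's history; None if no history."""
    history = baseline.get(host)
    if not history or len(history) < 2:
        return None
    mean = statistics.mean(history)
    spread = statistics.pstdev(history) or 1.0   # avoid division by zero on a flat history
    return (count - mean) / spread


def analyze(records, threshold=3.0):
    """Run both detectors over the summaries and return the alerts an administrator would review."""
    alerts = []
    for host, count, request in records:
        for sig in signature_matches(request):
            alerts.append({"host": host, "kind": "signature", "detail": sig})
        score = anomaly_score(host, count)
        if score is None:
            # No baseline yet: cannot judge deviation, so record it for baseline building.
            alerts.append({"host": host, "kind": "no-baseline", "detail": count})
        elif score > threshold:
            alerts.append({"host": host, "kind": "anomaly", "detail": round(score, 1)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(CURRENT):
        print(alert)
```

With the 3-sigma threshold, the spike from 10.0.0.9 is flagged even though its request looks benign, while the traversal attempt from 10.0.0.5 is caught only by the signature; that complementarity is why the post lists both methods.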
Hi Cami,
Thanks for your sharing. We should note that incorrectly tuning an IDS will lead to an increase in false positives, which will result in the inability to capture and diagnose actual attacks. At the same time, this is the reason why some companies cannot afford an IDS: it requires a lot of professional technical knowledge, and that professional knowledge usually brings high costs.
I learned from this reading about the different types of Intrusion Detection Systems. There are IDSs that monitor specific areas of the network, known as network intrusion detection systems (NIDS), that are standalone devices or software built into a switch or router. A NIDS can see and filter all packets passing through the portion of the network it is established to monitor. A NIDS can only collect data for its portion of the network and cannot filter encrypted packets, leaving potential blind spots in the data collected. Host Intrusion Detection Systems (HIDS) provide very detailed information for a specific host but only have a limited viewpoint specific to the host they are monitoring. One point I found interesting is that the event monitoring of each IDS can be different if purchased from different vendors, making it difficult to merge and filter the data through an overall IDS management system that uses all the data to determine alerting.
Hi Heather,
I agree with your point of view. NIDS have some disadvantages, including the inability to detect faked IPs, frequent false positives, and no visibility into encrypted packets. However, they can make it easier to meet security regulations, and they can analyze vulnerabilities and use them to implement risk assessments.
At the organization where I work, we declare incidents when necessary. The postmortem after the incident is the most important part of the process in my opinion. The postmortem can be used to help analyze what went wrong and what went right. It’s an opportunity for the organization to create alerts and develop better processes so the incident doesn’t happen again in the future. It’s important for the postmortem to be a blameless process where you don’t spend time telling people that they were wrong and how bad of a job they did. Instead, having a blameless process allows for more open communication and can help prevent judgement against a person or department.
Hi Jonathan, I agree with your thinking; the post-mortem is the most important part of the process and where we can learn the most. Using what’s collected in the post-mortem, we can better understand our organization’s strengths and weaknesses and know what to prepare for so this attack doesn’t happen again. The post-mortem is also great because it is blameless and fewer people are likely to become defensive. The process will just be objectively reviewed and we can learn without compromising anything out of scope.
An important part of an organization is to have an incident and disaster response plan in place. An incident is going to occur, and it’s only a matter of when, not if. An important process is to have a business continuity plan in place. This BCP is how a company stays operational when a disaster occurs. It answers the question, “what are the core features that need to stay on?” Once a BCP is in place, it will allow the company to keep running while the disaster recovery plan goes into effect. The DRP could be its own entity, or part of the BCP, and details the more technical aspects of how the organization can get back to a previous state by using backup utilities. These backups can be local, off-site, or cloud, and are essential in making sure as little data as possible is lost in the event of a disaster. Both BCP and DRP are important issues an organization has to consider to make sure its data and information are safe and secure.
Hi Krish,
Thanks for your sharing. Another interesting topic in Chapter 10 is the development of a computer security incident response team (CSIRT). Usually, people think that such a team should be reserved for IT and network security personnel, but CSIRT members are selected from various departments, such as the human resources department, the company’s legal department, members of the affected business department, and the organization’s public relations director. The CSIRT is usually led by senior managers with rich experience in the organization. Decisions in major events are business decisions.
One of the key takeaways from this chapter is the incident response process. The process is designed to identify and recover from any potential cyberattacks. The first step is detection. There are many tools available that can help identify a potential attack, and it is critical that these technologies are implemented within an organization. After a suspicious attack is identified, analysis is performed to determine if a real threat is underway. If an attack is confirmed, it is escalated to the appropriate teams to address the issue and inform stakeholders. Response teams will contain the issue so it does not spread and affect other areas within the network, and stop the attack. The last step within the incident response process is recovery, which returns the system to normal operations and ensures the attacker cannot infiltrate the system through the same path again.
Hi, Anthony. Thank you for your sharing; I’d like to add one point on the first step, detection. A company should never underestimate its human resources. Frequently, a nontechnical employee will be the first person to notice that a system has failed or appears to be malfunctioning.
Most enterprises have devices or systems that are exposed at the Internet boundary, such as VPN systems, virtualized desktop systems, mail service systems, official websites, etc. Because these devices or systems can be accessed directly from the Internet side, they are often the first entry points that attackers try to break through. Such devices or systems usually have access to important business on the Intranet. In order to avoid affecting employees’ use, many enterprises do not add more protective means on their transmission channels. In addition, such systems are often integrated with a unified login, so once a staff account password is obtained, the boundary of these systems can be crossed directly into the internal network. Taking advantage of people’s lack of security awareness or ability to recognize social engineering attacks, and tricking people through phishing emails or social platforms, are common social engineering methods used by expert attackers. In many cases, “people” are much easier than “systems.”
I think this is very relevant to the last year plus, as there have always been certain organizations using these; however, there are a ton of orgs that moved to this setup in the past year or so. The biggest thing we’ve learned is that the industries that have recently changed over have been the ones getting attacked. This is most likely due to the immediate change, and because of the quick change there was a lack of security followed, or corners cut, for the sake of getting employees back online ASAP.
To me the most important part of the chapter is the business continuity plan. Similar to insurance, while the goal would be to never have to use the plan, it needs to be in place, as events are unpredictable and if something were to happen, not having this plan could cripple the business. These plans ensure there are strategies and guidelines in case specific things do happen, which can assure the organization’s stakeholders that operations can continue or get back on their feet sooner rather than later.
Hi Austin, I saw in the reading a story of two law firms that were in buildings between the twin towers on 9/11. One law firm had a strong backup and recovery plan with periodic testing; the other did not. 18 months later, only the firm that had a backup and recovery plan was still in business. The recovery plan is critical to business viability after an event.
I’m glad there is a real-world example of two almost identical firms that truly shows future companies the impact something like this has. While it may sit on a shelf for years while it gets tweaked, this is still one of the most important things a company can possess, as we see that without it, it could cost everything.
The key takeaway from this chapter is the three phases of the intrusion response process for major incidents. The first is detection: to learn quickly that an incident has occurred. One point to notice here is that a company should never underestimate its human resources; frequently, a nontechnical employee will be the first person to notice that a system has failed or appears to be malfunctioning. The second is analysis: to understand the incident, to be sure that it is a real event, to determine its damage potential, and to gather the information needed to begin planning for containment and recovery. Once an intrusion response begins, the security analyst must understand the situation before effective action can be taken. The third is escalation: to handle the incident with the on-duty staff or to escalate handling to the CSIRT or business continuity team.
Hi Zhen,
I agree with the points you made. In order to ensure that the test system is properly configured and can be used in any analysis or side test, deploy a newly installed, patched and secure system. Use of the compromised system may lead to further exposure and damage to these systems.
One of the main things I learned from Chapter 10 “Incident and Disaster Response” is the relationship between business continuity planning and disaster recovery. Disaster recovery is a subset of business continuity planning that focuses on restoring IT functions after a disaster. The scope of the business continuity plan is broader and consists of an action plan that specifies how to maintain business operations during a disaster or how to restore core business in the event of a disaster.
One of the topics that caught my eye in this week’s reading is honeypots. A honeypot is one type of IDS. A honeypot is basically a fake server or an entire network segment with multiple clients and servers. Legitimate users should never try to reach resources on the honeypot, as it is a fake operational server intended to attract attackers. Any attempted access to the honeypot is likely to be an attack. If an alarm is sent with every non-transient access attempt, the security administrator has a good chance of catching attackers. In practice, honeypots are also used primarily by researchers studying attacker behavior by recording everything.
The key takeaway from this chapter is the process for managing major incidents:
– Detection, analysis and escalation – this highlights reporting, gathering of information, interpretation of incidents and then passing them along to the right team.
– Containment – taking down the impacted system.
– Recovery – the recovery of data and reinstallation of software.
– Apology – the public management of the breach or incident.
– Punishment – the repercussions of the incident: internal punishments, prosecution, forensic evidence.
– Post-mortem – analysis of the situation, cause, effect, repercussions and outcomes.
This chapter covers incident response and recovery. In my opinion, almost everything comes down to the right plan. Business Continuity Planning (BCP) and business impact analysis (BIA) are the key first steps necessary for any business to ensure a successful recovery. The main goal of the business continuity plan is to get the business back to normal. It requires a detailed plan with a clear line of responsibility and a clear vision. Most importantly, the BCP should be checked before an event. This will help determine the gaps in the plan, the modifications required, and the feasibility of the plan. I always include a BIA because I believe you need to identify the key areas of impact. What is most important to the enterprise? Adjusting the BCP and BIA will help to plan for a successful recovery.
The section on log files was interesting to me. Many companies import log file data from multiple host IDSs and NIDSs. These log files are then stored on one computer or syslog server. The log files are aggregated from multiple sources into a single integrated log file that has data from many places on the network. It is important to try to use IDS devices from the same vendor, as each vendor may use a different format for its log files. It is also important to utilize NTP (Network Time Protocol) in the environment. This protocol synchronizes the time across all the devices. If some of the devices are off by even a few seconds from each other, it will be difficult to really have a good understanding of what is going on in the network. Log files are very useful for event correlation as well. Single events may be suspicious, but attackers will perform many of the same actions that ordinary people do. However, correlating one-off events on different machines may help uncover a malicious actor.
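To make the aggregation, NTP and correlation points in the post above concrete, here is example code added for this discussion (not from the textbook or any vendor): it normalizes two constructed vendor log formats into one record layout, subtracts a constructed per-device clock offset measured against the NTP reference, and correlates login failures from one source across several hosts. The device names, addresses, line formats and the 5-minute window are all assumptions.

```python
"""Normalize, skew-correct and correlate constructed IDS log lines (example, not a product)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed lines as they would arrive on a central syslog server from two vendors' sensors.
RAW_LINES = [
    "2024-03-01T10:00:05Z nids1 alert src=203.0.113.7 dst=web1 sig=login_fail",
    "2024-03-01T10:00:12Z nids1 alert src=198.51.100.4 dst=web1 sig=login_fail",
    "Mar  1 10:01:55 db1 hids: FAILED_LOGIN src=203.0.113.7 user=admin",
    "2024-03-01T10:01:10Z nids1 alert src=203.0.113.7 dst=vpn1 sig=login_fail",
    "Mar  1 10:08:30 mail1 hids: FAILED_LOGIN src=198.51.100.4 user=bob",
    "Mar  1 10:08:31 mail1 hids: DISK_FULL partition=/var",   # unrelated event, no src field
]

# Constructed clock skew per device, in seconds ahead of the NTP reference (db1 never synced).
CLOCK_OFFSET = {"nids1": 0, "db1": 90, "mail1": 0}
LOG_YEAR = 2024  # BSD-style syslog timestamps carry no year

VENDOR_A = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) alert src=(?P<src>\S+) dst=(?P<host>\S+) sig=(?P<ev>\S+)$")
VENDOR_B = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<dev>\S+) hids: (?P<ev>\S+)(?: src=(?P<src>\S+))?")
EVENT_NAMES = {"FAILED_LOGIN": "login_fail"}  # map vendor B's vocabulary onto vendor A's


def normalize(line):
    """Return {ts, src, host, event} with a skew-corrected UTC timestamp, or None if unrecognized."""
    m = VENDOR_A.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, src, event = m["host"], m["src"], m["ev"]
    else:
        m = VENDOR_B.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        host, src, event = m["dev"], m["src"], EVENT_NAMES.get(m["ev"], m["ev"].lower())
    # Pull the device's clock back onto the NTP reference before anything is compared.
    ts = ts.replace(tzinfo=timezone.utc) - timedelta(seconds=CLOCK_OFFSET.get(m["dev"], 0))
    return {"ts": ts, "src": src, "host": host, "event": event}


def timeline(records, src):
    """Hosts touched by one source, in corrected time order."""
    hits = sorted((r for r in records if r["src"] == src), key=lambda r: r["ts"])
    return [r["host"] for r in hits]


def correlate(records, window=timedelta(minutes=5), min_hosts=2):
    """Flag a source producing the same event on >= min_hosts distinct hosts within one window.

    A single failed login on one machine is ordinary; the same source failing on several
    machines within minutes is the one-off-per-host pattern only a merged log reveals.
    """
    groups = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["src"]:
            groups.setdefault((r["src"], r["event"]), []).append(r)
    findings = []
    for (src, event), events in groups.items():
        for i, first in enumerate(events):
            hosts = {e["host"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"src": src, "event": event, "hosts": sorted(hosts), "start": first["ts"]})
                break
    return findings


if __name__ == "__main__":
    records = [r for r in map(normalize, RAW_LINES) if r]
    print(timeline(records, "203.0.113.7"))
    for finding in correlate(records):
        print(finding)
```

Because db1's clock runs 90 seconds fast, the uncorrected log would place its event after the vpn1 one and misstate the order in which the source moved between hosts; the offset table stands in for what NTP removes at the source.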
In the incident and disaster response chapter, I thought it was interesting to read why some firms are reluctant to prosecute the attackers that harmed the organization. Some issues that deter the firms are the costs and efforts to track the case to remediation. Costs of lawyer fees and other resources may accumulate within the months or even years the investigation drags on. Some firms choose to forego those costs and remediate internally. The probability of success in these cases is sometimes not even worth the effort. The attacker may be someone from outside the country or just a teenager who, at most, will only receive a few months at a detention center. The prosecution is also a very public process; having the companies’ losses out in public may cause public criticism. Reputation and customer loyalty may become damaged if the prosecution process is made public. Although in a perfect world criminals would be punished and locked up, realistically some are just let go to become other people’s problems because of the complexity it takes to prosecute these adversaries.
The intrusion detection system is a network security equipment that monitors network transmission in real-time, sends out an alarm, or takes active response measures when the suspicious transmission is found. It differs from other network security equipment in that IDS is a proactive security protection technology.
IDS is a computer monitoring system. It monitors the system in real-time and sends out warnings once abnormal conditions are found. According to the difference of information sources and detection methods, it can be divided into several categories: according to the information source, it can be divided into host-based IDS and network-based IDS, and according to detection methods, it can be divided into abnormal intrusion detection and misuse intrusion detection. Unlike a firewall, the IDS intrusion detection system is a monitoring device that is not connected to any link and can work without network traffic flowing through it.
Hi Zibai, IDS is an important mechanism which could help company and organizations to prevent intrusion of any kind and minimize the impact and losses. The benefit of the device is that it does not need network traffic flow through it.
Hi Zibai,
Great points! There are many benefits of IDS such as ability to identify security incidents, help analyze quantity and types of attacks. IDS also helps organization identify bugs with their network device configurations. These can then be used to assess future risks.
Incident can be categorized in to different severity. Not all incidents are equally severe. Incidents range from situations mild enough to ignore to threats against the very continuity of the business. It can be divided into four scale which including: false alarms, minor incidents, major incidents, and disasters. For false alarms, they are the situations that seem to be incidents but turn out to be innocent activities. Minor incidents refers to true breaches that the on-duty staff can handle and that do not have broader implications for the firm. The third one is major incidents, which refers to an impact too large for the on-duty IT staff to handle. The fourth is disaster, which refer to fires, floods, and other disasters are beyond the abilities of even CSIRTs.(Computer security incident response team) Disasters often threaten business continuity, which is the maintenance of the day-to0day revenue-generating operations of the firm.
Hello Ting-Yen,
I think you spoke about an important detail about incidents, in that not all incidents are bad or severe. Your explanation of four major types of incidents is also a key point. Having a classification system for the different types of incidents will help an organization determine how best to solve the incidents at hand, or if it can be ignored all together.
A business continuity plan outlines how a business will continue operating during an unplanned disruption in service, or how a company plans to maintain or restore core business operations from accidents (such as natural disasters, fires, and cyberterrorism). BCP is an important part of the organization’s risk management strategy, it involves defining any and all risks that can affect the company’s operations. There are some basic principles for the BCP management, the first job of planning and event management is to provide for the safety of people; people are not at their best cognitively during crises; rigid pre-planning should not lead to a loss of flexibility in response; and in crises, communication inevitably breaks down because technology cannot survive building damage or prolonged periods without electrical power.
Hi Xinyi,
Thank you for your sharing. A key point from Chapter 10 is the relationship between Business Continuity Planning and Disaster Recovery. IT Disaster Recovery is a subset of BCP focused on restoring IT functionality after an accident, disaster, etc. Business Continuity Planning has a wider scope and consists of the “plan of action”. A Business Continuity Plan specifies how a company plans to maintain or restore core business operations when disasters occur.
IT disaster recovery (IT DRP) specifies how a company can get IT back into operation specifically looking at the technical aspects. IT disaster recovery is critical to successful business continuity recovery. Disasters can include natural events such as earthquake or hurricanes, equipment failure, cyber-attacks, etc. With IT DRP in place, companies respond quickly to a disaster and take immediate action to reduce damage and resume operations as quickly as possible. A IT DRP typically includes:
1. Critical IT assets and their maximum allowed outage time
2. Tools or technologies that should be used for recovery
3. Emergency procedures
4. Disaster recovery team and their contact information
The most important aspect of every IT DRP is to have a way to replicate data. Data can be replicated to on-site cold storage, off-site cold storage, on-site warm backup, and off-site warm backup.
Hi Priyanka….I like your summary of the items included in an IT DRP. And I agree with your assessment that data replication is important and I also think that recovery testing with some type of frequency (annual, semi annual or quarterly). Testing is a significant lift and is expensive, however, it has been proven that better recovery decisions and actions are taken if the plan is tested periodically.
Intrusion Detection System (IDS) provides identification of common attack patterns and alert by detecting the network communication. There are four major functions of IDS:
– Logging: It can be utilized to recognize the network traffic and capture discrete activities. It could also be very significant evidence as a potential source of a cybercriminal.
– Automated analysis by the IDS: The administrators can use attack signatures that identify known attack patterns and anomaly detection that find out the deviations from historical traffic patterns.
– Administrator actions: The security administrators can use the log summary reports with alarms to eliminate the vulnerabilities.
– Management: After these analyses, the management should have a useful policy to manage the IDS, and the employees should be aware of any activities, which they will be monitored.
Since IDS is proactive to monitor and notify the network or systems of malicious activities and violations, the management should be aware of how to use it effectively.
Hi Cami,
Thanks for your sharing. We should note that Incorrectly adjusting IDS will lead to an increase in false positives, which will result in the inability to capture and diagnose actual attacks. At the same time, this is the reason why some companies cannot afford the IDS system, because they require a lot of professional technical knowledge, and these professional knowledge usually bring high costs.
I learned from this reading about the different types of Intrusion Detection Systems. There are IDSs that monitor specific areas of the network known as network intrusion detection systems (NIDS) that are standalone devices or software built into a switch or router. The NIDS can see and filter all packets passing through the portion of the network they are established to monitor. NIDS can only collect data for its portion of the network and cannot filter encrypted packets leaving potential blind spots in the data collected. Host Intrusion Detection Systems (HIDS) provide very detailed information for a specific host but only has a limited viewpoint specific to the host it is monitoring. One point I found interesting is that the event monitoring of each IDS can be different if purchased from different vendors making it difficult to merge and filter the data through an overall IDS management system that uses all the data to determine alerting.
Hi Heather,
I agree with your point of view. NIDS has some disadvantages, including undetectable faked IP, frequent false positives, and no encrypted packets. However, it can make it easier to meet security regulations, and it can analyze vulnerabilities and use them to implement risk assessments.
At the organization I work we declare incidents when necessary. The postmortem after the incident is the most important part of the process in my opinion. The postmortem can be used to help analyze what went wrong and what went right. It’s an opportunity for the organization to create alerts and develop better processes so the incident doesn’t happen again in the future. It’s important for the postmortem to be a blameless process where you don’t spend time telling people that they were wrong and how bad of a job they did. Instead, having a blameless process allows for a more open communication and can help prevent judgement against a person or department.
Hi Jonathan, I agree with your thinking, post mortem is the most important part of the process and where we can learn the most information from. Using what’s collected post morterm, we can better understand our organization’s strengths and weaknesses and know what to prepare for so this attack doesn’t happen again. Post mortem would also be great because it is blameless and fewer people are likely to become defensive. The process will just be objectively reviewed and we can learn without compromising anything out of scope.
An important part of an organization is to have an incident and disaster response plan in place. An incident is going to occur, and it’s only a matter of when, not if. An important process is to have a business continuity plan in place. This BCP is how a company stays operational when a disaster occurs. It answers the question, “what are the core features that need to stay on?” Once a BCP is in place, that will allow the company be running while the disaster recovery plan goes into effect. The DRP could be its own entity, or part of the BCP, and details more technical aspects of how the organization can get back to a previous state by using backup utilities. These backups can be local, off-site, or cloud, and are essential in making sure as little data is lost in the event of a disaster. Both BCP and DRP are important issues an organization has to consider to make sure their data and information is safe and secure.
Hi Krish,
Thanks for your sharing. Another interesting topic in Chapter 10 is the development of a computer security incident response team. Usually, people think that such a team should only be reserved for IT and network security personnel, but the CSIRT members are selected from various departments, such as the human resources department, the company’s legal department, and the members of the affected business department. The public relations director of the organization and the company. The CSIRT team is usually led by senior managers with rich experience in the organization. Decisions in major events are business decisions.
One of the key takeaways this chapter is the incident response process. The process is designed to identify and recover from any potential cyberattacks. The first step is detection. There are many tools available that can help identify a potential attack and it is critical these technologies are implemented within an organization. After a suspicious attack is identified, analysis is performed to determine if a real threat is underway. If an attack is confirmed, it is escalated to the appropriate teams to address the issue and inform stakeholders. Response teams will contain the issue so it does not spread and affect other areas within the network and stops the attack. The last step within the incident response process is recover, which returns the system to normal operations and ensure the attacker cannot infiltrate the system through the same path again.
Hi, Anthony. Thank you for your sharing. I’d like to add one point on the first step, detection. A company should never underestimate its human resources. Frequently, a nontechnical employee will be the first person to notice that a system has failed or appears to be malfunctioning.
Most enterprises have devices or systems that are open at the boundary to the Internet, such as VPN systems, virtualized desktop systems, mail service systems, official websites, etc. Because these devices or systems can be accessed directly from the Internet side, they are often the first entry points that attackers try to break through. Such devices or systems usually access important business on the intranet. In order to avoid affecting employees’ use, many enterprises do not add more protective means on their transmission channels. In addition, such systems are often integrated with a unified login; once a staff member’s account password is obtained, one can break through the boundary of these systems directly into the internal network. Taking advantage of people’s lack of security awareness or ability in order to carry out social engineering attacks, and tricking people through phishing emails or social platforms, are social engineering methods often used by attack experts. In many cases, “people” are much easier than “systems.”
I think this is very relevant to the last year plus, as there have always been certain organizations using these; however, there are a ton of orgs that moved to this setup in the past year or so. The biggest thing we’ve learned is that the industries that have recently changed over have been the ones getting attacked. This is most likely due to the immediate change, and because of the quick change there was a lack of security followed, or corners were cut for the sake of getting employees back online ASAP.
To me the most important part of the chapter is the business continuity plan. Similar to insurance, while the goal would be to never have to use the plan, it needs to be in place, as events are unpredictable and if something were to happen, not having this plan could cripple the business. These plans ensure there are strategies and guidelines for when specific things do happen, which can assure the organization’s stakeholders that operations can continue or get back on their feet sooner rather than later.
Hi Austin, I saw in the reading a story of two law firms that were in buildings between the twin towers on 9/11. One law firm had a strong backup and recovery plan with periodic testing; the other did not. 18 months later, only the firm that had a backup and recovery plan was still in business. The recovery plan is critical to business viability after an event.
I’m glad there is a real-world example of two almost identical firms that truly shows future companies the impact something like this has. While it may sit on a shelf for years while it gets tweaked, this is still one of the most important things a company can possess, as we see that without it, it could cost everything.
The key point to take away from this chapter is the three phases of the intrusion response process for major incidents. The first is detection, to learn quickly that an incident has occurred. But one point to note here is that a company should never underestimate its human resources. Frequently, a nontechnical employee will be the first person to notice that a system has failed or appears to be malfunctioning. The second is analysis, to understand the incident, to be sure that it is a real event, to determine its damage potential, and to gather the information needed to begin planning for containment and recovery; once an intrusion response begins, the security analyst must understand the situation before effective action can be taken. The third is escalation: deciding whether to handle the incident with the on-duty staff or to escalate handling to the CSIRT or business continuity team.
Hi Zhen,
I agree with the points you made. In order to ensure that the test system is properly configured and can be used in any analysis or side test, deploy a newly installed, patched, and secure system. The use of the compromised system may lead to further exposure and damage to these systems.
One of the main things I learned from Chapter 10 “Incident and Disaster Response” is the relationship between business continuity planning and disaster recovery. Disaster recovery is a subset of business continuity planning that focuses on restoring IT functions after a disaster. The scope of the business continuity plan is broader and consists of an action plan that specifies how to maintain business operations during a disaster or how to restore core business in the event of a disaster.
One of the topics that caught my eye in this week’s reading is honeypots. A honeypot is one type of IDS. A honeypot is basically a fake server or an entire network segment with multiple clients and servers. Legitimate users should never try to reach resources on the honeypot, as it’s a fake operational server intended to attract attackers. Any attempted access to the honeypot is likely to be an attack. If an alarm is sent with every non-transient access attempt, the security administrator has a good chance of catching attackers. In practice, honeypots are also used primarily by researchers studying attacker behavior by recording everything.
The key takeaway from this chapter is the process for managing major incidents:
– Detection, analysis and escalation – this highlights reporting, gathering of information, interpretation of incidents and then passing it along to the right team.
– Containment – which is the taking down of the impacted system
– Recovery – this involves the recovery of data, reinstallation of software
– Apology – the public management of the breach or incident.
– Punishment – the repercussions of the incident, internal punishments, prosecution, forensic evidence.
– Post-mortem – Analysis of the situation, cause, effect, repercussions and outcomes.
This chapter covers incident response and recovery. In my opinion, almost everything comes down to the right plan. Business continuity planning (BCP) and business impact analysis (BIA) are the key first steps necessary for any business to ensure a successful recovery. The main goal of the business continuity plan is to get the business back to normal. It requires a detailed plan with a clear line of responsibility and a clear vision. Most importantly, the BCP should be checked before the event. This will help determine the gaps in the plan, the modifications required, and the feasibility of the plan. I always include BIA because I believe you need to identify the key areas of impact. What is most important to the enterprise? Adjusting the BCP and BIA will help to plan for a successful recovery.
The section on log files was interesting to me. Many companies import log file data from multiple host IDSs and NIDSs. These log files are then stored on one computer or syslog server. The log files are aggregated from multiple sources into a single integrated log file that has data from many places on the network. It is important to try to use IDS devices from the same vendor, as each vendor may use a different format for their log files. It is also important to utilize NTP (network time protocol) in the environment. This protocol synchronizes the time across all the devices. If some of the devices are off by even a few seconds from each other, it will be difficult to really have a good understanding of what is going on in the network. Log files are very useful for event correlation as well. Single events may be suspicious, but attackers will perform many of the same actions that ordinary people do. However, correlating the one-off events on different machines may help uncover a malicious actor.
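As an added illustration of the aggregation and correlation the post describes (example code, not from the textbook or any vendor): two constructed log formats, a host IDS using ISO timestamps and a network IDS using classic syslog timestamps, are normalized to one record shape, and a source address is flagged only when a host IDS and the network IDS both report it within a short window. The hypothetical `skew_seconds` parameter shows why the post's point about NTP matters: a sensor clock a few minutes off silently breaks the correlation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from any real product): a host IDS writing ISO timestamps
# and a network IDS writing classic syslog timestamps, as two different vendors might.
HIDS_LINES = [
    "2021-04-10T13:02:05Z host=web01 src=10.0.0.8 event=auth_fail user=jsmith",
    "2021-04-10T13:02:40Z host=db01 src=10.0.0.8 event=auth_fail user=root",
]
NIDS_LINES = [
    "Apr 10 13:02:51 nids01 ALERT portscan 10.0.0.8 -> 10.0.1.20",
    "Apr 10 13:40:00 nids01 ALERT portscan 10.0.0.99 -> 10.0.1.20",
]
HIDS_RE = re.compile(r"^(\S+) host=(\S+) src=(\S+) event=(\S+)")
NIDS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ALERT (\S+) (\S+) -> \S+")

def parse_hids(line):
    """Normalize one HIDS line into the common event record (UTC timestamp)."""
    m = HIDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "kind": "hids", "host": m.group(2), "src": m.group(3), "event": m.group(4)}

def parse_nids(line, year, skew_seconds=0):
    """Syslog stamps carry no year, so the caller supplies it; skew_seconds models a clock NTP is not disciplining."""
    m = NIDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts + timedelta(seconds=skew_seconds), "kind": "nids", "host": m.group(2), "src": m.group(4), "event": m.group(3)}

def correlate(events, window_seconds=120):
    """Return {src_ip: events} for addresses seen by both a host IDS and the network IDS within the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b["ts"] - a["ts"]).total_seconds() > window_seconds:
                    break  # sorted, so later events are further away still
                if a["kind"] != b["kind"]:
                    hits[src] = evs  # one-off events on different sensors, same actor
    return hits

def run(skew_seconds=0):
    """Aggregate both feeds into one normalized stream and correlate it."""
    events = [parse_hids(ln) for ln in HIDS_LINES]
    events += [parse_nids(ln, 2021, skew_seconds) for ln in NIDS_LINES]
    return correlate([e for e in events if e is not None])
```

With synchronized clocks `run()` flags 10.0.0.8 (two failed logins on different hosts plus a scan within 46 seconds) and ignores the lone scan from 10.0.0.99; with the NIDS clock ten minutes ahead, `run(skew_seconds=600)` finds nothing at all.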
In the incident and disaster response chapter, I thought it was interesting to read why some firms are reluctant to prosecute the attackers that harmed the organization. Some issues that deter the firms are the costs and efforts to track the case to remediation. Costs of lawyer fees and other resources may accumulate over the months or even years the investigation drags on. Some firms choose to forego those costs and remediate internally. The probability of success in these cases is sometimes not even worth the effort. The attacker may be someone from outside the country or just a teenager who, at most, will only receive a few months at a detention center. The prosecution is also a very public process, and having the company’s losses out in the public may cause public criticism. Reputation and customer loyalty may be damaged if the prosecution process is made public. Although in a perfect world criminals would be punished and locked up, realistically some are just let go to become other people’s problems because of the complexity it takes to prosecute these adversaries.