6.9 Take Appropriate Actions
Upon discovering unauthorized, unexpected, or suspicious activity, you may need to (1) initiate your intrusion response procedures as described in Chapter 7 and (2) determine if the activity should be reflected in your characterization baseline, alerting, or other data collection mechanisms. Refer to Section 5.3 for information on developing a characterization baseline.
Identifying unauthorized or suspicious activities and then not taking appropriate follow-up actions will perpetuate any damage or other negative consequences. These consequences include possible loss of integrity, availability, or data confidentiality, as well as legal liability. In addition, these activities are likely to recur, placing your systems at considerable risk in the future.
6.9.1 Document Any Unusual Behavior or Activity That You Discover
Over time, you may see recurring kinds of unusual or suspicious activity. Maintaining records of these activities and noting your conclusion on their causes will help you and others to understand new occurrences more quickly and accurately.
For example, in Network Intrusion Detection, Northcutt (99) writes:
Northcutt also recommends creating a directory to store data traces. The data traces can be examined when investigating an unknown attack pattern.
6.9.2 Investigate Each Documented Anomaly
Ask yourself the following questions:
- Is the apparent anomaly the result of a legitimate new or updated characteristic of your system? (e.g., the unexpected process is executing a recently added administrative tool)
- Can the anomaly be explained by the activities of an authorized user? (e.g., the user really was in Cairo last week and connected to the network; a legitimate user made a mistake)
- Can the anomaly be explained by known system activity? (e.g., there was a power outage that caused the system to reboot)
- Can the anomaly be explained by authorized changes to programs? (e.g., the mail log showed abnormal behavior because the system programmer made a mistake when the software was modified)
- Did someone attempt to break into your system and fail?
- Did someone break in successfully? Do you have the data that will tell you what he or she did?
6.9.3 Recognize the Iterative Nature of Analysis and Investigation
Often, you will observe an initial indication of suspicious behavior but will not have sufficient information to determine what occurred. In such cases you can take a number of steps:
- Look for past occurrences of similar behavior and study the results of that investigation.
- Formulate and ask different questions to better identify what data will best reveal what happened.
- Modify the configuration of selected data collection mechanisms to collect additional data or better filter and select from existing data (refer to Section 5.3 for further guidance).
- Add new data collection mechanisms.
6.9.4 Initiate Your Intrusion Response Procedures
If any activity or event cannot be attributed to authorized or explicable activity, initiate your intrusion response procedures immediately, as described in Chapter 7. Report such occurrences to your organization's designated security point of contact.
6.9.5 Update the Configuration of Alert Mechanisms
Updating the configuration of alert mechanisms is warranted if an event that was previously reported only through logs, error reports, statistics reports, or another data collection mechanism is now of sufficiently high priority to be raised as an alert.
The reverse is also true. An event that is always reported as an alert may become less important and should then be downgraded so that it is captured as an error report instead.
6.9.6 Update All Characterization Information
Refer to Section 5.3 for a definition of typical characterization information. What you learn from reviewing any unusual activity or event needs to be reflected in that information. This is important in four situations:
- An unusual activity occurs frequently enough for you to consider it normal and expected, so that you should add it to an asset's characterization baseline.
- A new activity has occurred and needs to be added to an asset's characterization baseline.
- A previously normal or expected activity now needs to be considered suspicious or unexpected.
- A previously normal or expected activity should be dropped from consideration for analysis altogether.
6.9.7 Update Logging and Data Collection Mechanism Configurations
Updating logging and data collection mechanism configurations is necessary to reflect information on new attack methods. Refer to Sections 5.3 (logging and data collection mechanisms) and Chapter 1 (information sources on new attack methods) for further guidance.
6.9.8 Dispose of Every Reported Event
You must somehow dispose of every reported event, either by resolution and closure, by deciding not to pursue it further unless it becomes more critical, or by taking no immediate action but preserving the event to see if it recurs or contributes to a pattern.
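As an added example (not from the handbook), the following Python sketch records each reported event together with the analyst's conclusion on its cause (6.9.1), assigns it exactly one of the three dispositions listed above or escalates it to intrusion response (6.9.4), and flags signatures that have been explained often enough to be considered for an asset's characterization baseline (6.9.6). The event signatures, the five-occurrence threshold and the rule ordering are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Dispositions named in 6.9.8, plus escalation to intrusion response (6.9.4)
CLOSED = "resolved-and-closed"
DEFERRED = "not-pursued-unless-more-critical"
WATCH = "preserved-to-see-if-it-recurs"
ESCALATE = "initiate-intrusion-response"


@dataclass
class Event:
    event_id: str
    signature: str      # kind of activity that may recur (constructed labels)
    conclusion: str     # analyst's conclusion on the cause (6.9.1)
    explained: bool     # attributable to authorized or explicable activity (6.9.2)
    critical: bool      # unexplained and serious enough for immediate response
    disposition: str = ""


@dataclass
class EventLog:
    # Assumption: five explained recurrences suggest a baseline review (6.9.6)
    baseline_threshold: int = 5
    events: list = field(default_factory=list)

    def prior(self, signature):
        """Past records of the same kind, so a new occurrence is judged faster."""
        return [e for e in self.events if e.signature == signature]

    def dispose(self, ev):
        """Every reported event receives exactly one disposition (6.9.8)."""
        if ev.explained:
            ev.disposition = CLOSED          # anomaly answered by a 6.9.2 question
        elif ev.critical:
            ev.disposition = ESCALATE        # 6.9.4: cannot be attributed, act now
        elif self.prior(ev.signature):
            ev.disposition = WATCH           # seen before: may contribute to a pattern
        else:
            ev.disposition = DEFERRED        # first sighting, not critical: hold
        self.events.append(ev)
        return ev.disposition

    def baseline_candidates(self):
        """Signatures explained often enough to add to the characterization baseline."""
        counts = defaultdict(int)
        for e in self.events:
            if e.explained:
                counts[e.signature] += 1
        return sorted(s for s, n in counts.items() if n >= self.baseline_threshold)
```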
6.9.9 Policy Considerations
Your organization's networked systems security policy should do the following:
- Specify the actions to be taken following the discovery of unexpected, unusual, or suspicious activity
- Require the actions prescribed to be actually performed
- Specify the responsibilities and authority of designated systems administrators and security personnel to take the prescribed actions