- 1 Overview
- 2 Ensure That the Software Used to Examine Systems Has Not Been Compromised
- 3 Monitor and Inspect Network Activities
- 4 Monitor and Inspect System Activities
- 5 Inspect Files and Directories for Unexpected Changes
- 6 Investigate Unauthorized Hardware Attached to the Network
- 7 Look for Signs of Unauthorized Access to Physical Resources
- 8 Review Reports of Suspicious System and Network Behavior and Events
- 9 Take Appropriate Actions
- Chapter 6 Checklist
6.8 Review Reports of Suspicious System and Network Behavior and Events
In security-conscious organizations, users will report suspicious events and behaviors. As a system or network administrator, you should use those reports, along with information you gather, to help identify possible intrusions. When appropriate, you should also use external sources of information, such as reports from incident response teams, to help you decide whether or not you need to augment your monitoring and incident analysis efforts. Potential sources are listed in Chapter 1.
Recruiting users and external contacts to assist you in security monitoring greatly extends your ability to detect intrusions, potentially enabling you to detect intrusions of which you were previously unaware. Not only does this step increase the number of people alert to possible intrusions, but these individuals can often be more aware of the "normal" behavior of their personal computing environments than you are. Many intrusions are not discovered until someone with day-to-day experience using a particular system notices something unusual. Users are susceptible to intruder-initiated social engineering attempts (for example, to obtain passwords or to gain physical access) and need to understand how to identify and report these.
Intruders often compromise multiple systems when they attack a target site. At each compromised system, there may be telltale signs of intrusive activities that users of the system discover. Although a single user report may not be sufficient evidence of an intrusion, analysis of several reports may reveal a pattern of attack under way. By consolidating users' reports of suspicious system behaviors, you may also be able to determine the extent of the attacks against your networked systems.
Administrators from other organizations may contact you if they have reason to believe that an intrusion into their systems may involve or affect your organization. Always thoroughly investigate any reports you receive from incident response teams, such as the CERT/CC, to determine if an intrusion has in fact occurred at your site. If your network environment supports connections to external networks, it is possible that your systems may have been compromised and are serving as unwitting participants in a large-scale attack (such as a distributed DoS attack) against several sites.
6.8.1 Perform "Triage" upon Receipt of a Report
Immediately gather as much information as necessary to make an initial assessment of whether there has been a probable intrusion and, if so, how severe it seems to be. You may need to make direct contact with the user to get a description of what was observed. Also acquire any records or data from logging, monitoring, or other data collection mechanisms that illustrate the problem. If the information clearly indicates an intrusion attempt, investigate it immediately.
A report should include the following information:
- Contact information for the individuals discovering the problem and any responsible parties involved (such as the system administrator)
- Target systems and networks and all of their characteristics, such as operating system versions and IP addresses
- The purpose of the systems under attack, including the types of services and applications they provide, as well as an indication of the importance or criticality of the system
- Any evidence of intrusion, including methods of attack used, vulnerability exploited, source IP address of the attacker, and network contact information for this address
- A list of parties to notify, such as legal, other technical, management, and public relations
Refer also to the CERT tech tip Incident Reporting Guidelines at the CERT web site.
6.8.2 Evaluate, Correlate, and Prioritize Each Report
On a regular basis (daily, if possible), review all user and external reports. These include new reports, reports currently under investigation, and any reports that remain unresolved after investigation. Look for correlations or patterns among the reports. Prioritize and schedule investigations of all reports based on your assessment of their severity. If the suspicion proves unfounded, close the report and provide feedback to the user who reported the problem.
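The report checklist in 6.8.1 and the correlate-and-prioritize step in 6.8.2 are easy to turn into a small triage script. The following Python is an added example written for this page; it is not code from the CERT guide. The field names, the 1-to-5 criticality scale, the scoring weights, and the sample reports are all assumptions constructed for illustration. It flags reports that are missing checklist items, links open reports that share a source address or a target system (closed reports are excluded so stale data does not inflate correlations), and orders the open reports so that the most critical, best-corroborated ones are investigated first.

```python
"""Triage helper for user-submitted reports of suspicious activity.

Constructed example: the report fields follow the checklist in 6.8.1 and the
correlation/prioritization follows 6.8.2. All sample data is made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Report:
    report_id: str
    reporter: str                          # contact info for the discoverer
    targets: List[str]                     # hostnames or IPs of affected systems
    os_version: str
    purpose: str                           # services the system provides
    criticality: int                       # assumed scale: 1 = low .. 5 = critical
    attack_method: Optional[str] = None
    vulnerability: Optional[str] = None
    source_ip: Optional[str] = None
    source_contact: Optional[str] = None   # abuse contact for source_ip
    notify: List[str] = field(default_factory=list)
    status: str = "new"                    # new | investigating | unresolved | closed


def missing_fields(r: Report) -> List[str]:
    """Return the 6.8.1 checklist items the report does not yet supply."""
    missing = []
    if not r.reporter:
        missing.append("reporter contact")
    if not r.targets:
        missing.append("target systems")
    if not r.os_version:
        missing.append("operating system version")
    if not r.purpose:
        missing.append("system purpose")
    if not 1 <= r.criticality <= 5:
        missing.append("criticality (1-5)")
    if not (r.attack_method or r.vulnerability or r.source_ip):
        missing.append("evidence of intrusion")
    if not r.notify:
        missing.append("parties to notify")
    return missing


def correlate(reports: List[Report]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Group open reports that share a source IP or a target system.

    Only keys that link two or more reports are returned; closed reports
    are ignored so that resolved incidents do not inflate correlations.
    """
    by_source: Dict[str, List[str]] = defaultdict(list)
    by_target: Dict[str, List[str]] = defaultdict(list)
    for r in reports:
        if r.status == "closed":
            continue
        if r.source_ip:
            by_source[r.source_ip].append(r.report_id)
        for t in r.targets:
            by_target[t].append(r.report_id)
    return ({k: v for k, v in by_source.items() if len(v) > 1},
            {k: v for k, v in by_target.items() if len(v) > 1})


def priority(r: Report, by_source: Dict[str, List[str]],
             by_target: Dict[str, List[str]]) -> int:
    """Score a report; higher means investigate first (weights are assumed)."""
    related = set()
    if r.source_ip in by_source:
        related.update(by_source[r.source_ip])
    for t in r.targets:
        related.update(by_target.get(t, []))
    related.discard(r.report_id)
    evidence = sum(bool(x) for x in (r.attack_method, r.vulnerability, r.source_ip))
    return r.criticality * 10 + len(related) * 5 + evidence


def prioritize(reports: List[Report]) -> List[Report]:
    """Return open reports ordered from highest to lowest priority."""
    by_source, by_target = correlate(reports)
    open_reports = [r for r in reports if r.status != "closed"]
    return sorted(open_reports,
                  key=lambda r: priority(r, by_source, by_target), reverse=True)


# Constructed sample reports (hostnames, addresses and contacts are made up).
SAMPLE = [
    Report("R-1", "alice@example.test", ["web01"], "Linux", "public web server", 4,
           attack_method="repeated login failures", source_ip="198.51.100.7",
           notify=["security"]),
    Report("R-2", "bob@example.test", ["ws17"], "Windows", "user workstation", 2,
           notify=["security"]),            # no evidence fields supplied yet
    Report("R-3", "carol@example.test", ["mail01"], "Linux", "mail relay", 5,
           vulnerability="unpatched mail daemon", source_ip="198.51.100.7",
           source_contact="abuse@isp.test", notify=["security", "management"]),
    Report("R-4", "dave@example.test", ["web01"], "Linux", "public web server", 4,
           attack_method="defaced page", notify=["security", "public relations"],
           status="closed"),                # already resolved, excluded from triage
]

if __name__ == "__main__":
    for r in SAMPLE:
        gaps = missing_fields(r)
        if gaps:
            print(f"{r.report_id}: ask reporter for {', '.join(gaps)}")
    print("investigation order:", [r.report_id for r in prioritize(SAMPLE)])
```

With the sample data, R-1 and R-3 are linked through the shared source address, so R-3 (critical mail relay, corroborated) is scheduled first, then R-1, then R-2, which is also flagged as lacking any evidence of intrusion and should go back to the reporter for more detail before being closed as unfounded.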
6.8.3 Investigate Each Report or Set of Related Reports
Based on the nature of the report, you may need to contact other users to document their observations. You may also need to verify the integrity of directories and files (as described in Section 6.5), examine your system and network logs (as described in Sections 6.3 and 6.4), examine processes on affected systems (as described in Section 6.4), and install additional monitoring mechanisms to identify the cause of the anomalous behavior.
Document and report your findings. Regardless of the outcome of your investigation, record your findings and report them to the users who submitted the reports, the system and network administrators, the security personnel in your organization, and other appropriate individuals as specified in your organization's policies.
6.8.4 Policy Considerations
Your organization's networked systems security policy should establish the following guidelines:
- Users should immediately report any unexpected or suspicious system behavior to their designated security official and system administrator.
- Users should immediately report any physical intrusions to networked systems or offline data storage facilities to their designated security official and system administrator.
- System administrators should investigate each reported suspicious activity to determine whether it represents an intrusion.
- System administrators should notify users in advance of any changes that will be made to the systems they use, including software configurations, data storage and access, and revised procedures for using systems as a result of the changes.