Detecting Signs of Intrusion
- 1 Overview
- 2 Ensure That the Software Used to Examine Systems Has Not Been Compromised
- 3 Monitor and Inspect Network Activities
- 4 Monitor and Inspect System Activities
- 5 Inspect Files and Directories for Unexpected Changes
- 6 Investigate Unauthorized Hardware Attached to the Network
- 7 Look for Signs of Unauthorized Access to Physical Resources
- 8 Review Reports of Suspicious System and Network Behavior and Events
- 9 Take Appropriate Actions
- Chapter 6 Checklist
Intruders are always looking for new ways to break into networked computer systems. They may attempt to breach your network's perimeter defenses from remote locations or try to infiltrate your organization physically to gain access to information resources. Intruders seek old, unpatched vulnerabilities as well as newly discovered vulnerabilities in operating systems, network services, and protocols; and they take advantage of both. They develop and use sophisticated programs to penetrate systems rapidly. As a result, intrusions and the damage they cause can be achieved in seconds.
Even if your organization has implemented a number of the more popular information security protection measures, such as firewalls and intrusion detection systems, it is essential that you closely monitor your information assets and transactions involving these assets for signs of intrusion. Monitoring may be complicated, because intruder attack methods are constantly changing, and intruders often hide their activities by changing the systems they break into. An intrusion may have already happened without your noticing because everything seemed to be operating normally.
The practices contained in this chapter are designed to help you detect intrusions by looking for unexpected or suspicious behavior and "fingerprints" of known intrusion methods.
These practices are intended primarily for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.
The practices are applicable to your organization if its networked systems infrastructure includes any of the following:
Host systems providing services to multiple users (file servers, time-sharing systems, database servers, web servers, etc.)
Local area or wide area networks
Direct connections, gateways, or modem access to and from external networks, such as the Internet
The practices do not address the following issues:
Protecting user privacy while in the process of detecting signs of intrusion
Using security monitoring and reporting services provided by outside (third-party) organizations
6.1.1 The Need for Detecting Signs of Intrusion
If you do not know that an intrusion or an intrusion attempt has occurred, it is difficult, if not impossible, to determine later if your systems have been compromised. If the information necessary to detect an intrusion is not being collected and reviewed, you cannot determine what sensitive data, systems, and networks are being attacked and what breaches in confidentiality, integrity, or availability have occurred. As a result of an inadequate ability to detect signs of intrusion, your organization may face the following problems:
Inability to determine either the full extent of the intrusion and the damage it has caused, or whether or not you have completely removed the intruder from your systems and networks. This will significantly increase your time to recover.
Legal action. Intruders make use of systems they have compromised to launch attacks against others. If one of your systems is used in this way, you may be held liable for not exercising adequate due care with respect to security.
Lost business opportunities, coupled with loss of reputation.
If you are adequately prepared and have the necessary policies and procedures in place to detect signs of intrusion, you can mitigate your risk of exposure to such problems.
6.1.2 An Approach for Detecting Signs of Intrusion
The practices in this chapter assume that you have implemented the detection preparation practices described in Chapter 5. The general approach to detecting intrusions is threefold:
Observe your systems for anything unexpected or suspicious.
Investigate anything you find to be unusual.
If your investigation finds something that isn't explained by authorized activity, immediately initiate your intrusion response procedures as described in Chapter 7.
While this process sounds simple enough, implementing it is a resource-intensive activity that requires continuous, automated support and daily administrative effort. Furthermore, the scale of intrusion detection practices may need to change as threats, system configurations, or security requirements change. In all cases, however, four areas must be addressed:
The integrity of the software you use to detect intrusions
Monitoring of the behavior of your systems and the traffic on your networks
Physical forms of intrusion to your computer systems, offline data storage media, and output devices
Follow through, including the investigation of reports by users and other reliable sources (such as incident response teams) and action following unexpected activities
As you look for signs of intrusion, keep in mind that information from one source may not appear suspicious by itself. Inconsistencies among several sources can sometimes be the best indication of suspicious behavior or intrusions.
Table 6.1 Detecting Signs of Intrusion Practice Summary
Integrity of intrusion detection software
Ensure that the Software Used to Examine Systems Has Not Been Compromised
Section 6.2; page 234
Behavior of networks and systems
Monitor and Inspect Network Activities Monitor and Inspect System Activities Inspect Files and Directories for Unexpected Changes
Section 6.3; page 237
Section 6.4; page 243
Section 6.5; page 251
Physical forms of intrusion
Investigate Unauthorized Hardware Attached to the Network
Look for Signs of Unauthorized Access to Physical Resources
Section 6.6; page 254
Section 6.7; page 257
Review Reports of Suspicious System and Network Behavior and Events Take Appropriate Actions
Section 6.8; page 258
Section 6.9; page 261