Home > Articles > Security > Network Security

Detecting Signs of Intrusion

  • Print
  • + Share This
This sample chapter from The CERT Guide to System and Network Security Practices should help you detect intrusions by looking for unexpected or suspicious behavior and "fingerprints" of known intrusion methods.
This chapter is from the book

Intruders are always looking for new ways to break into networked computer systems. They may attempt to breach your network's perimeter defenses from remote locations or try to infiltrate your organization physically to gain access to information resources. Intruders seek old, unpatched vulnerabilities as well as newly discovered vulnerabilities in operating systems, network services, and protocols; and they take advantage of both. They develop and use sophisticated programs to penetrate systems rapidly. As a result, intrusions and the damage they cause can be achieved in seconds.

Even if your organization has implemented a number of the more popular information security protection measures, such as firewalls and intrusion detection systems, it is essential that you closely monitor your information assets and transactions involving these assets for signs of intrusion. Monitoring may be complicated, because intruder attack methods are constantly changing, and intruders often hide their activities by changing the systems they break into. An intrusion may have already happened without your noticing because everything seemed to be operating normally.

The practices contained in this chapter are designed to help you detect intrusions by looking for unexpected or suspicious behavior and "fingerprints" of known intrusion methods.

6.1 Overview

These practices are intended primarily for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.

The practices are applicable to your organization if its networked systems infrastructure includes any of the following:

  • Host systems providing services to multiple users (file servers, time-sharing systems, database servers, web servers, etc.)

  • Local area or wide area networks

  • Direct connections, gateways, or modem access to and from external networks, such as the Internet

The practices do not address the following issues:

  • Protecting user privacy while in the process of detecting signs of intrusion

  • Using security monitoring and reporting services provided by outside (third-party) organizations

6.1.1 The Need for Detecting Signs of Intrusion

If you do not know that an intrusion or an intrusion attempt has occurred, it is difficult, if not impossible, to determine later if your systems have been compromised. If the information necessary to detect an intrusion is not being collected and reviewed, you cannot determine what sensitive data, systems, and networks are being attacked and what breaches in confidentiality, integrity, or availability have occurred. As a result of an inadequate ability to detect signs of intrusion, your organization may face the following problems:

  • Inability to determine either the full extent of the intrusion and the damage it has caused, or whether or not you have completely removed the intruder from your systems and networks. This will significantly increase your time to recover.

  • Legal action. Intruders make use of systems they have compromised to launch attacks against others. If one of your systems is used in this way, you may be held liable for not exercising adequate due care with respect to security.

  • Lost business opportunities, coupled with loss of reputation.

If you are adequately prepared and have the necessary policies and procedures in place to detect signs of intrusion, you can mitigate your risk of exposure to such problems.

6.1.2 An Approach for Detecting Signs of Intrusion

The practices in this chapter assume that you have implemented the detection preparation practices described in Chapter 5. The general approach to detecting intrusions is threefold:

  1. Observe your systems for anything unexpected or suspicious.

  2. Investigate anything you find to be unusual.

  3. If your investigation finds something that isn't explained by authorized activity, immediately initiate your intrusion response procedures as described in Chapter 7.

While this process sounds simple enough, implementing it is a resource-intensive activity that requires continuous, automated support and daily administrative effort. Furthermore, the scale of intrusion detection practices may need to change as threats, system configurations, or security requirements change. In all cases, however, four areas must be addressed:

  1. The integrity of the software you use to detect intrusions

  2. Monitoring of the behavior of your systems and the traffic on your networks

  3. Physical forms of intrusion to your computer systems, offline data storage media, and output devices

  4. Follow through, including the investigation of reports by users and other reliable sources (such as incident response teams) and action following unexpected activities

As you look for signs of intrusion, keep in mind that information from one source may not appear suspicious by itself. Inconsistencies among several sources can sometimes be the best indication of suspicious behavior or intrusions.

Table 6.1 Detecting Signs of Intrusion Practice Summary




Integrity of intrusion detection software

Ensure that the Software Used to Examine Systems Has Not Been Compromised

Section 6.2; page 234

Behavior of networks and systems

Monitor and Inspect Network Activities Monitor and Inspect System Activities Inspect Files and Directories for Unexpected Changes

Section 6.3; page 237

Section 6.4; page 243

Section 6.5; page 251

Physical forms of intrusion

Investigate Unauthorized Hardware Attached to the Network

Look for Signs of Unauthorized Access to Physical Resources

Section 6.6; page 254

Section 6.7; page 257

Follow through

Review Reports of Suspicious System and Network Behavior and Events Take Appropriate Actions

Section 6.8; page 258

Section 6.9; page 261

  • + Share This
  • 🔖 Save To Your Account