APPENDIX E: MANAGING AND RESPONDING TO INTRUSION DETECTION EVENTS 135
• Are all of your systems at the most recent revision of operating system and patch level? Patches and hot-fixes are extremely important for Microsoft platforms.
• Have my network platforms been upgraded to avoid unnecessary risks? SNMP, if leaked to the outside world, can be a troublesome protocol.
• Have I used the Signature Profiler to tune the CC-NOC to watch for the traffic I’m really concerned about? The Signature Profiler is available under the Admin menu on your CC-NOC. Click the Configure Intrusion Detection link.
• Have I drilled down into the detail view of the event and checked the other sources for
information? CVE, Bugtraq, Whitehats, and Raritan are all reliable, trusted sources for
information on security threats.
• Has someone installed something on my network that I’m not aware of? This might include
new applications as well as new systems or network gear.
• Is this event or notification part of a category that I’m not interested in? Can I review my CC-NOC event configuration details, on the CC-NOC Admin tab under Intrusion Detection Configuration, and not receive these events/notifications in the future?
• Is this a false positive? Have I checked out this potential threat and am confident that this is
not a risk?
What if I have been hacked?
Unfortunately, there’s often not much you can do to react gracefully to a successful
intrusion event—the important thing is to react quickly.
Depending on the nature of your business, the type of attack, the possible loss involved, and the
potential for further loss, your reactions may vary. However, you might want to consider one or
more of the following responses. They might not save you this time around, but given the
threats at play and the responses you’ll need to take, developing a planned response before an
event occurs is also a critical piece of an overall solution. Forewarned is forearmed.
• Are you still connected to the source of the attack? If the intruder came in via the
Internet, is your connection still up? Should it be?
• Is only one system compromised or are there others? Are you sure?
• Once a system is compromised, it’s difficult to recover cleanly, as you have no idea what
tools the offender may have left behind. Plan for a complete drive format and reinstall of the
compromised platforms, restoring from a known good backup, if at all possible.
• Have passwords been compromised? Force your users to change their passwords
immediately.
• Have you confirmed the attack and verified that it has in fact occurred?
• Are there preventative steps you can take to keep this from happening again?
• Establish a relationship with a local, trusted “go-to” partner who can provide security-related expertise, insights, and assistance when needed.
• Do you have a comprehensive security policy documented and in force?
• Will you be pursuing legal action in response to the attack? Are you preserving the
necessary evidence to support that action?
• Is it possible to overreact?
Security – An Elusive Goal
While intrusion detection alone is not a security plan, it certainly is a critical component of a
complete approach. And as is so often the case, the best weapon is knowledge. Having the right
information at the right time is paramount when protecting your mission-critical business
infrastructure from unknown threats.
Raritan is here to help provide that information and the tools you need to get it to the right people.
As before with network and systems management and now in security, Raritan is your eye on the
network.