What to do upon Intrusion Detection?

By navtec ·
So, the NetAdmin has done quite a bit of homework (read lots of TechRepublic papers, etc. on how to set up security) and feels pretty good about the existing security policy, then the question is asked...What ACTIONS DO YOU TAKE upon intrusion detection?

Are there any templates or guidelines that would be useful to develop a policy/procedure(s) for WHAT TO DO, if and when an intrusion or intrusion attempt has been detected?

Thanks,

TomW / NavTec

What to do upon Intrusion Detection?

by Alpha-Male In reply to What to do upon Intrusion ...

You should draw up an Intrusion Response policy. This article has very good information on that and the kind of steps you may want to take including levels of response, setting up a Security Incident Response Team (SIRT) etc.:

http://www.sans.org/newlook/resources/IDFAQ/deploy.htm

Also, a great resource for "what to do" is CERT's Intruder detection checklist:

http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

Make sure to remove any spaces in the above URLs. Good luck...hope this helps!

What to do upon Intrusion Detection?

by Alpha-Male In reply to What to do upon Intrusion ...

I got to the SANS link with a direct cut and paste. Maybe they (or something in between) were having trouble when you tried to access them. The article is unfortunately too long to paste here...but is outstanding. I'll e-mail you the text of it...

What to do upon Intrusion Detection?

by Alpha-Male In reply to What to do upon Intrusion ...

Sorry, I mean the CERT list. Make sure to delete the space in the URL.

What to do upon Intrusion Detection?

by navtec In reply to What to do upon Intrusion ...

Hi Alpha,

Finally got to CERT.ORG. This is exactly what I needed. Excellent content! Can't say thanks enough...so...Thanks,

TomW / NavTec

What to do upon Intrusion Detection?

by navtec In reply to What to do upon Intrusion ...

Hi Alpha-Male,

Thank you for the info. The SANS link is great. I could not get to the cert.org link in any "way-shape-or-form". Tried just going to www.cert.org, did a search on Netscape using intrusion+detection+tech+tips, which brought up the same link, and still could not get on, oh well. Maybe they are having trouble. Will keep trying. PS: found some other links off of the search that look useful too.

TomW

What to do upon Intrusion Detection?

by dlafrombois In reply to What to do upon Intrusion ...

In addition to the policy manual, always document everything that is happening before reporting to your local or federal law enforcement agency. Once it's turned over, my understanding is, you may no longer document.
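One way to put the "document everything before handing over" advice into practice is a chain-of-custody log that records each collected artifact with a UTC timestamp, who collected it, and its SHA-256, and that chains every entry to the previous one so later edits are detectable. The script below is an added example and is not from this thread, CERT, or SANS; the artifact contents, file names and the collector name "TomW" are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the very first entry


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large images/logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(prev_hash, entry_without_hash):
    body = json.dumps(entry_without_hash, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def record_evidence(log_path, artifact_path, collector, note):
    """Append one custody entry (JSON lines) linked to the previous entry's hash."""
    prev_hash = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "r", encoding="utf-8") as f:
            lines = f.read().splitlines()
        if lines:
            prev_hash = json.loads(lines[-1])["entry_hash"]
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "artifact": os.path.abspath(artifact_path),
        "size_bytes": os.path.getsize(artifact_path),
        "sha256": sha256_file(artifact_path),
        "note": note,
        "prev_entry_hash": prev_hash,
    }
    entry["entry_hash"] = _entry_hash(prev_hash, entry)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path):
    """Recompute the chain. Returns (ok, entry_count, index_of_first_bad_entry_or_None)."""
    prev_hash = GENESIS
    with open(log_path, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()
    for i, line in enumerate(lines):
        entry = json.loads(line)
        stored = entry.pop("entry_hash")
        if entry["prev_entry_hash"] != prev_hash or _entry_hash(prev_hash, entry) != stored:
            return (False, len(lines), i)
        prev_hash = stored
    return (True, len(lines), None)


def demo():
    """Log two constructed artifacts, verify, then edit an entry and show the chain breaks."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "custody.jsonl")
    auth_log = os.path.join(tmp, "auth.log")            # constructed sample artifact
    with open(auth_log, "w", encoding="utf-8") as f:
        f.write("Jan 01 00:00:01 host sshd[123]: Failed password for root from 192.0.2.10\n")
    sockets = os.path.join(tmp, "listening-sockets.txt")  # constructed sample artifact
    with open(sockets, "w", encoding="utf-8") as f:
        f.write("tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN\n")

    record_evidence(log, auth_log, "TomW", "copied from host before isolation")
    record_evidence(log, sockets, "TomW", "socket listing at time of detection")
    before = verify_log(log)

    # Simulate someone quietly rewording the first entry after the fact.
    with open(log, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()
    edited = json.loads(lines[0])
    edited["note"] = "edited later"
    lines[0] = json.dumps(edited, sort_keys=True)
    with open(log, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    after = verify_log(log)
    return before, after


if __name__ == "__main__":
    print(demo())  # expected: ((True, 2, None), (False, 2, 0))
```

The hash chain only proves the log was not altered after the fact; it does not replace signing or notarising the log before it leaves your hands. Keeping the original artifacts read-only alongside the log lets the recorded SHA-256 values be rechecked by whoever receives them.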

What to do upon Intrusion Detection?

by navtec In reply to What to do upon Intrusion ...

Hi dlafrombois,

Thanks for the input. I probably would not have thought of this one. Good point.

TomW / NavTec

What to do upon Intrusion Detection?

by bcaldwell In reply to What to do upon Intrusion ...

This is a very good topic. I still have not found any templates out there regarding the most basic steps to take after an attack. Has anyone seen any templates at all on this topic?
Bob

What to do upon Intrusion Detection?

by navtec In reply to What to do upon Intrusion ...

Hi Alpha & dlafrombois,

Thanks for the input. Finally got to CERT.ORG.

Good stuff, but it is a bit conceptual in content, as is the other info that I have found in my searches. I can certainly develop a procedural plan, but I would rather not "re-invent the wheel" if I can avoid it. There must be someone and/or some organization that has been at this long enough that has developed and can outline a step-by-step procedure for handling attacks:

To define the nature of the attack: do this

If the attack is this type: do this, if this doesn't work, do that, etc.

Have had some discussion on this, and I realize there are way too many possibilities to be comprehensive, but there must be an outline of some sort out there to help us newbies, ya think?

Any more thoughts on this, thanks,

TomW

What to do upon Intrusion Detection?

by navtec In reply to What to do upon Intrusion ...

Point value changed by question poster.
