PROCESS OF CONDUCTING A DOS/IDS INCIDENT ANALYSIS


Page 1:

PROCESS OF CONDUCTING A DOS/IDS INCIDENT ANALYSIS

Page 2:

• As computer systems and the Internet have grown in size, complexity and usage, the amount of malicious activity directed at these systems has also grown.

• This has led to a demand for automated systems for detecting malicious activity.

• This has led to the development of a range of Intrusion Detection Systems.

Page 3:

Intrusion Detection System

• An intrusion detection system is generally considered to be any system designed to detect attempts to compromise the integrity, confidentiality or availability of a computer system or network.

• A Network Intrusion Detection System (NIDS) aims to detect attempted compromises by monitoring network traffic.

• A host-based IDS (HIDS) monitors a single system for signs of compromise.

Page 4:

DISTRIBUTED DENIAL OF SERVICE

• A denial of service (DoS) attack aims to make a system or service unavailable to its legitimate users. A distributed denial of service (DDoS) attack is a DoS attack involving more than one source.

• DDoS attacks usually involve a large number of compromised systems attacking a single target.

Page 5:

TYPES OF ATTACKS

• Buffer Overflow Attacks

• SYN Attacks

• Teardrop Attacks

• Smurf Attacks

• Viruses

• Infrastructure Attacks
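Three of the attack types on this slide have a simple traffic signature that a NIDS rule engine can check for: a SYN flood leaves many half-open connections, a smurf attack sends ICMP echo requests to a directed-broadcast address with the victim spoofed as the source, and a teardrop attack sends IP fragments whose byte ranges overlap. The following Python is an added example, not code from the slides; it classifies constructed packet records into those three types and, by counting distinct sources, distinguishes a single-source flood from a distributed one. The Packet layout, the thresholds, the local networks and the sample traffic are all assumptions made for the illustration.

```python
"""Classify constructed packet records into three of the slide's DoS
types: SYN flood (and DDoS, by counting sources), smurf and teardrop.
Added example, not from the slides: the Packet layout, thresholds,
local networks and sample traffic are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "icmp" or "frag"
    flags: str = ""     # TCP flags "S"/"SA"/"A", or ICMP type name
    dport: int = 0
    frag_id: int = 0    # IP identification shared by one datagram's fragments
    frag_off: int = 0   # fragment offset in bytes
    frag_len: int = 0   # fragment payload length in bytes


HALF_OPEN_THRESHOLD = 100   # assumed: outstanding SYNs on one dst:port
DISTRIBUTED_SOURCES = 10    # assumed: distinct sources before it is "distributed"
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]  # assumed


def detect_syn_flood(packets, threshold=HALF_OPEN_THRESHOLD):
    """SYN flood: SYNs whose handshake the client never completes with an
    ACK, leaving half-open connections.  Returns {(dst, port): stats}."""
    pending = defaultdict(lambda: defaultdict(int))  # (dst, port) -> src -> open SYNs
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            pending[key][p.src] += 1
        elif p.flags == "A" and pending[key][p.src] > 0:
            pending[key][p.src] -= 1        # third step of the handshake
    alerts = {}
    for key, by_src in pending.items():
        half_open = sum(by_src.values())
        if half_open >= threshold:
            sources = sum(1 for n in by_src.values() if n > 0)
            alerts[key] = {"half_open": half_open, "sources": sources,
                           "distributed": sources >= DISTRIBUTED_SOURCES}
    return alerts


def detect_smurf(packets):
    """Smurf: ICMP echo requests aimed at a directed-broadcast address with
    the victim spoofed as source, so every host replies to the victim.
    Returns [(victim, broadcast_address)]."""
    hits = []
    for p in packets:
        if p.proto == "icmp" and p.flags == "echo-request":
            dst = ip_address(p.dst)
            if any(dst == net.broadcast_address for net in LOCAL_NETS):
                hits.append((p.src, p.dst))
    return hits


def detect_teardrop(packets):
    """Teardrop: fragments of one datagram whose byte ranges overlap, which
    crashed reassembly on old IP stacks.  Returns [(src, dst, frag_id)]."""
    frags = defaultdict(list)
    for p in packets:
        if p.proto == "frag":
            frags[(p.src, p.dst, p.frag_id)].append((p.frag_off, p.frag_off + p.frag_len))
    bad = []
    for key, ranges in frags.items():
        end = 0
        for start, stop in sorted(ranges):
            if start < end:               # rewrites bytes already received
                bad.append(key)
                break
            end = max(end, stop)
    return bad


def sample_traffic():
    """Constructed traffic: one legitimate handshake, 120 half-open SYNs from
    spoofed sources, one smurf trigger, one overlapping and one clean
    fragmented datagram."""
    def frag(fid, off, ln):
        return Packet("198.51.100.7", "192.0.2.10", "frag",
                      frag_id=fid, frag_off=off, frag_len=ln)
    pkts = [Packet("10.9.9.9", "192.0.2.10", "tcp", "S", 80),
            Packet("192.0.2.10", "10.9.9.9", "tcp", "SA", 40000),
            Packet("10.9.9.9", "192.0.2.10", "tcp", "A", 80)]
    pkts += [Packet(f"203.0.113.{i}", "192.0.2.10", "tcp", "S", 80) for i in range(1, 121)]
    pkts.append(Packet("192.0.2.10", "192.0.2.255", "icmp", "echo-request"))
    pkts += [frag(42, 0, 1000), frag(42, 800, 400), frag(43, 0, 1000), frag(43, 1000, 400)]
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("SYN flood:", detect_syn_flood(traffic))
    print("Smurf:", detect_smurf(traffic))
    print("Teardrop:", detect_teardrop(traffic))
```

Run stand-alone, the script reports one SYN-flood alert against 192.0.2.10:80 with 120 half-open connections from 120 sources (so it is flagged as distributed), one smurf hit naming 192.0.2.10 as the spoofed victim, and fragment id 42 as the only overlapping datagram. The SYN-flood counter is deliberately keyed by source so that a single legitimate client with a slow handshake does not trip it; the half-open threshold and the "distributed" cut-off should be set from the site's network baseline rather than the values assumed here.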

Page 6:

SYMPTOMS OF DOS ATTACK

• Unusually slow network performance.

• A particular website is unavailable.

• Inability to access any website or service outside the LAN.

• A dramatic increase in the amount of spam e-mail received.

Page 7:

SECURITY ANALYSIS

• Preparation

• Detection and Analysis

• Containment, Eradication and Recovery

• Post-Incident Activity

• Documentation

Page 8:

PREPARATION

• Form an incident response team.

• Key contact information.

• On-call roster.

• Incident reporting mechanism.

• Incident operations center.

• Secure evidence storage.

• Spare computers/servers.

• Removable media.

• Digital forensics kit.

• Spare printers.

• Network diagrams.

• Network baselines.

Page 9:

MONITOR NETWORK FOR SIGNS OF INCIDENT

• Reconnaissance activity.

• Network scanning.

• Remote logon attempts.

• Increase in volume of traffic.

• Log suspicious traffic.

• Consolidate reports for analysis.
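The monitoring checks on this slide can be run as a single script over the logs an IDS and the hosts already produce, with the results consolidated into one report. The following Python is an added example, not code from the slides: it detects remote logon attempts from a constructed sshd auth-log excerpt, network scanning and an increase in traffic volume from constructed flow records, and compares the per-minute volume against the network baseline that the Preparation slide asks for. The log formats, thresholds, baseline values and sample data are assumptions for the illustration.

```python
"""Run the slide's monitoring checks over constructed log data and
consolidate the hits into one report: remote logon attempts from an
sshd auth log, network scanning and a traffic-volume increase from flow
records compared with the network baseline gathered in Preparation.
Added example, not from the slides: log formats, thresholds, baseline
and sample data are assumptions for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sshd log excerpt in the usual syslog shape.
AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar  3 10:00:02 web1 sshd[2202]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar  3 10:00:03 web1 sshd[2203]: Failed password for admin from 198.51.100.23 port 51003 ssh2
Mar  3 10:00:04 web1 sshd[2204]: Failed password for admin from 198.51.100.23 port 51004 ssh2
Mar  3 10:00:05 web1 sshd[2205]: Failed password for oracle from 198.51.100.23 port 51005 ssh2
Mar  3 10:00:06 web1 sshd[2206]: Failed password for invalid user test from 198.51.100.23 port 51006 ssh2
Mar  3 10:00:09 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 40112 ssh2
Mar  3 10:01:30 web1 sshd[2231]: Failed password for deploy from 10.0.0.5 port 40120 ssh2
"""
# Constructed baseline: total bytes per minute measured on a normal day.
BASELINE_BYTES_PER_MINUTE = [48_000, 52_000, 50_000, 47_000, 53_000, 49_000, 51_000, 50_000]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_logons(auth_log, threshold=5):
    """Remote logon attempts: sources with at least `threshold` failed
    passwords.  Returns {src: {"failures": n, "users": [...]}}."""
    by_src = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in auth_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            by_src[src]["failures"] += 1
            by_src[src]["users"].add(user)
    return {src: {"failures": d["failures"], "users": sorted(d["users"])}
            for src, d in by_src.items() if d["failures"] >= threshold}


def port_scans(flows, threshold=20):
    """Network scanning: one source touching many distinct ports on one host.
    Flows are (minute, src, dst, dport, bytes).  Returns {(src, dst): ports}."""
    ports = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def volume_spikes(flows, baseline, k=3.0):
    """Increase in traffic volume: minutes whose byte total exceeds the
    baseline mean by more than k standard deviations."""
    limit = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    per_minute = Counter()
    for minute, _, _, _, nbytes in flows:
        per_minute[minute] += nbytes
    return {m: total for m, total in sorted(per_minute.items()) if total > limit}


def consolidate(auth_log, flows, baseline):
    """Consolidate the three checks into one report for analysis."""
    return {"failed_logons": failed_logons(auth_log),
            "port_scans": port_scans(flows),
            "volume_spikes": volume_spikes(flows, baseline)}


def sample_flows():
    """Constructed flow records: five normal minutes, a 25-port scan at
    10:02 and a 40-source flood of the web server at 10:03."""
    flows = [(f"10:0{m}", "10.0.0.5", "192.0.2.10", 443, 50_000) for m in range(5)]
    flows += [("10:02", "203.0.113.9", "192.0.2.10", port, 60) for port in range(1, 26)]
    flows += [("10:03", f"198.51.100.{i}", "192.0.2.10", 80, 20_000) for i in range(1, 41)]
    return flows


if __name__ == "__main__":
    report = consolidate(AUTH_LOG, sample_flows(), BASELINE_BYTES_PER_MINUTE)
    for section, hits in report.items():
        print(section, hits)
```

On the constructed data the report names 198.51.100.23 for six failed passwords across four accounts (the single failure from 10.0.0.5 stays below the threshold), 203.0.113.9 for probing 25 ports on 192.0.2.10, and minute 10:03 for 850,000 bytes against a baseline limit of roughly 55,600. The scan minute 10:02 adds only 1,500 bytes and so is not a volume spike, which is why the checks are kept separate rather than folded into one counter: a scan is low volume and a flood is high volume, and each needs its own threshold drawn from the baseline.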

Page 10:

CONTAINMENT, ERADICATION AND RECOVERY

• Identify the type of attack.

• Block the attack.

• Block access from the source IP address(es). Note that the source addresses in a SYN flood or smurf attack are usually spoofed, so blocking by source address alone will not stop them; rate limiting or filtering upstream of the target is also needed.

RECOVERY

• Update firewall rules.

• Reset all user passwords.

• Reinstall affected software.

Page 11:

POST INCIDENT ACTIVITY

• Summary of the incident.

• What can we do better?

• What was good?

• Evidence handling.

• Evidence retention.

• Subjective overall assessment.

Page 12:

POST INCIDENT DOCUMENTATION

• Create an after-action report.

• Complete the incident handling checklist.

• Update the knowledge base.

Page 13:

WHAT CAN EMPLOYEES DO?

• Be careful with e-mail and attachments.

• Follow password policies.

• Scan all files.

• Use antivirus software.

• Maintain physical security.
