Fri Apr 8 06:47:17 PDT 2016
Incidents: Detection: Are intrusions detected, and if so, how?
Option 1: Ignore detection and wait till consequences reveal attacks.
Option 2: Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
Option 3: Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
Option 4: Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.
Option 5: Use a network-wide intrusion and/or anomaly detection and analysis system.
Option 6: Devise a system to detect event sequences with potentially serious negative consequences.
Option 7: Add expertise.
Option A: Favor anomaly detection.
Option I: Favor intrusion detection.
Ignore detection and wait till consequences reveal attacks.
Ignoring intrusion detection and waiting till an attack is
obvious from its consequences has two major problems. (a) Many attacks
are not immediately detectable by their consequences, leading to far
greater harm. (b) Attacks can happen quite quickly and covertly. In
many cases the attack is over long before the consequences become
apparent. The only exception is small low-risk networks.
Occasionally or periodically examine log files and systems to detect intrusions and/or anomalies.
For certain classes of attacks, like long term infestation of
systems by intruders, this approach is marginally effective. Many attackers erase
logging information about their attacks as part of their attack
process, but this can be mitigated by the use of logging servers. We
advise periodic checks with the period determined by the harm from
different infestation times and random checks to augment periodic
checks in case an attacker understands and tries to take advantage of
Use automation to collect and analyze log files and other indicators of intrusions and/or anomalies.
Automation is used to collect and analyze log files and other
indicators of intrusions. This can provide more rapid detection,
reducing the exposure time, and be automated, reducing the time and
effort required to do the job. It produces false negatives, but so
does human examination. It can also produce false positives, but the
workload for investigation false positives is less than for examining
the audit information by hand. For medium and high risk situations,
internal automation is preferred. When there are a substantial number
of available sources of information and they are not otherwise
gathered together, commercial collection and fusion systems should be
used and tailored to needs.
Use intrusion and/or anomaly detection products that independently detect intrusions and/or anomalies.
In cases where there are substantial vulnerabilities and
consequences of undetected break-ins, intrusion detection products
that independently detect intrusions are important. In cases without
strong preventive controls, substantial consequences of unidentified
attacks, and when there are intrusion types not detected by the normal
control mechanisms, intrusion detection products that independently
detect intrusions are advised. These mechanisms should be devised to
detect otherwise unprotected event sequences that can lead to serious
negative consequences and failures in other protective mechanisms.
Use a network-wide intrusion and/or anomaly detection and analysis system.
Network-wide intrusion detection and analysis systems are
typically used for networks with at least 100 computers. They
consolidate audit and detection records, correlate them, rank them
according to preset and customer modifiable settings, and present
their results in real-time to network operations center staff. These
systems are expensive but far less so than humans doing the same
Devise a system to detect event sequences with potentially serious negative consequences.
For situations in which the consequences and threats justify
in-depth analysis and preparation in order top respond in time, it is
necessary to develop a system that identifies indicators and produces
warnings of pending event sequences when the level of consequence
justifies the effort.
For any enterprise with a network involving hundreds or more
computers (big), it is necessary to get additional expertise if
existing expertise is inadequate. This can often be outsourced to
specialist intrusion and/or anomaly detection and response firms.
Favor intrusion or anomaly detection? Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved
Intrusion and/or anomaly detection mechanisms provide the means to
detect unauthorized or unusual activities within systems and
networks. The value of these systems is that they allow these
unauthorized or unusual activities to be detected when they might
otherwise not be detected, or to be detected more quickly than they
would otherwise be detected. If the business consequences of these
activities warrant the costs of detection, then detection is called
for. Detection mechanisms range from audit records and methods to
analyze those records, to automated systems that use surveillance
methods to detect known intrusions or deviations from normal
behavior. Essentially all such systems produce an unlimited number of
false positives and false negatives, and investigation is required to
follow-up on indications provided by these systems. As a general rule,
when a system is designed so that its normal behaviors are known or it
behaves in very much the same manner during all normal operations,
anomaly detection is the better approach. When behavior is not
predictable or consistent over time, or when known attack methods are
of concern, intrusion detection is appropriate.