Automated Response
Introduction
The automated alert response feature of
Response programs allow you to automatically capture alerts as they are generated by the
The response programs are executed on the agent system that generates the alert, thus allowing for near
General Guidelines
Consider these guidelines when responding to an intrusion attempt on your systems:
1. Do not do anything that is illegal in your region of the world.
Consult your local legal counsel before devising any response strategy.
2. Balance the response against the threat.
Not every target of an attack justifies an equal response, and the response should be in proportion to the threat.
3. Determine whether attack isolation is more important than continuous availability.
In response to an attack, you may decide to disable the networking on a server to isolate it from further attacks. This isolation also serves to preserve any evidence of an intrusion. However, by isolating the server you may interfere with legitimate business activities.
Response Methods
Responses to intrusions generally fall into one of the following categories.
1. Forwarding Information
Information about the alert can be forwarded by sending an
2. Halting Further Attacks
It may be possible to halt further attacks by changing an attribute of the system: for example, disabling an account, disabling remote logins, or changing a directory's access permissions. See examples in "Halting any further attacks" on page 198.
3. Preservation of Evidence
If evidence is to be preserved and analyzed, a response script may halt all further processing on the system. Alternatively it could disable network connections so that the machine is preserved in a running state. See examples in “Preservation of evidence” on page 200.
4. Restoration of a Known Good State
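The first three methods above, combined into one added example response script. This is not the manual's own code and is not written against any particular product's response-program interface: it assumes the agent hands the script the alert text, the suspect account and the network interface as three arguments, that a RESPONSE_ROOT variable (default empty, i.e. the real /) redirects the /etc and /var paths so the script can be exercised against a scratch directory, and that RESPONSE_DRY_RUN=1 (the default) prints privileged commands instead of running them. The commands it wraps (logger, usermod, chmod, ip, /etc/nologin) are ordinary Linux tools; the script name response.sh and the sample alert line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original manual): a hypothetical response script
# launched by the agent when an alert fires. Arguments are assumed to be
#   $1 alert text   $2 suspect account   $3 network interface
#
# Order matters: forward the alert and snapshot volatile state BEFORE any
# halting step. Locking accounts or taking the interface down destroys the
# sessions and connections you want on record, and an isolated host can no
# longer forward anything.
#
# RESPONSE_ROOT    (assumed) prefix for /etc and /var paths, default "" = real /
# RESPONSE_DRY_RUN (assumed) 1 = print privileged commands, 0 = run them
RESPONSE_ROOT="${RESPONSE_ROOT:-}"
RESPONSE_DRY_RUN="${RESPONSE_DRY_RUN:-1}"

# run_priv CMD ARGS... : run a privileged action, or echo it in dry-run mode.
run_priv() {
    if [ "$RESPONSE_DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Method 1: forward the alert to syslog (and from there to a remote collector)
# so a copy exists off the host before the host is touched. Best-effort: a
# missing or unconfigured logger must not abort the response.
forward_alert() {
    if command -v logger >/dev/null 2>&1; then
        logger -t automated-response -p auth.alert "$1" 2>/dev/null || true
    fi
}

# Method 3: snapshot volatile state into a fresh evidence directory and print
# its path. Each capture is best-effort; if a tool is missing an empty file is
# recorded instead of aborting.
preserve_evidence() {
    base="$RESPONSE_ROOT/var/tmp/response"
    mkdir -p "$base"
    dir=$(mktemp -d "$base/$(date -u +%Y%m%dT%H%M%SZ).XXXXXX")
    printf '%s\n' "$1" > "$dir/alert.txt"
    date -u > "$dir/captured_at.txt"
    ( ps -ef 2>/dev/null || true ) > "$dir/processes.txt"
    ( who 2>/dev/null || true ) > "$dir/logins.txt"
    ( ss -tan 2>/dev/null || netstat -tan 2>/dev/null || true ) > "$dir/connections.txt"
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Method 2: halt further attacks by changing attributes of the system.
lock_account() {          # disable the account the alert names
    run_priv usermod -L "$1"
}
restrict_directory() {    # cut access to a directory under attack
    run_priv chmod 700 "$1"
}
disable_remote_logins() { # /etc/nologin makes login(1) and sshd refuse non-root users
    if [ "$RESPONSE_DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: create %s/etc/nologin\n' "$RESPONSE_ROOT"
    else
        printf 'Logins disabled by automated response\n' > "$RESPONSE_ROOT/etc/nologin"
    fi
}
isolate_network() {       # Guideline 3: isolation chosen over availability
    run_priv ip link set "$1" down
}

# respond ALERT_TEXT USER IFACE : the full sequence. Dry-run notices go to
# stderr; the evidence directory path is the only thing printed on stdout.
respond() {
    forward_alert "$1"
    evidence=$(preserve_evidence "$1")
    lock_account "$2" >&2
    disable_remote_logins >&2
    isolate_network "$3" >&2
    printf '%s\n' "$evidence"
}

# Stand-alone use with a constructed alert (203.0.113.0/24 is a documentation range):
#   sh response.sh "FAILED LOGIN user=attacker from=203.0.113.5" attacker eth0
if [ $# -ge 3 ]; then
    respond "$@"
fi
```

Run it first with RESPONSE_DRY_RUN=1 and RESPONSE_ROOT pointing at a scratch directory to confirm the evidence directory is created and the privileged commands are the ones you expect; only then set RESPONSE_DRY_RUN=0 on an agent. The evidence directory is created mode 700 so the captured state cannot be read or altered by the account that triggered the alert.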
Appendix B | 183 |