Do you have an intrusion detection response plan?

Jim Reavis
Network World on Security, 09/13/99

Many readers have contacted us recently asking for information about developing an intrusion detection response plan. There is good reason for the interest: according to the available research, most of you do not have a written plan.

It is impossible to create a response plan that reflects your organization's priorities without an accurate risk assessment. You need to know the value of your data and the impact on business operations if specific systems become unavailable or compromised. Knowing and appreciating the value of your systems is the foundation for deciding how closely to monitor them, how quickly to respond to attacks and even how many resources to commit.

Surveying the available documentation on intrusion detection response plans, these are the key components common to most of them:

General guidelines and standards of intrusion detection requirements. Each intrusion that occurs is unique and does not necessarily fit the textbook examples of what you are expecting. General guidelines that spell out how long a system under attack can remain plugged into a network, how soon to shut down a compromised host and how quickly to go to backups, can help crystallize response steps for IT workers when they believe systems are under attack but have not identified the source of the problems.

Documentation of tools and training requirements. It is important to document and inventory the tools needed for intrusion response, including intrusion detection software, backups and file system recovery tools. There also need to be written requirements for training IT staff to deal with intrusions. This can be SANS courses, the courses of the CERT Coordination Center at Carnegie Mellon's Software Engineering Institute, training offered for your intrusion detection tools, or even custom training developed in-house. Training should also include some form of regular fire drill, in which the team works through a simulated intrusion against the written plan. If your organization does not have a formalized Computer Security Incident Response Team, I recommend that one be assembled and organized along the lines of the "Handbook for Computer Security Incident Response Teams," also from the Software Engineering Institute.

Build an offline kit of standard system utilities. Depending on how quickly you detect an intruder, you may or may not be able to trust the host's normal utilities, for example, on Unix: ls, ps, top, mount, cp, mv or grep, to help you detect tampering. Skilled attackers substitute their own versions of ls, ps and top that conveniently filter out the rogue daemons and files they have installed. Keep clean copies of these utilities, taken from a known-good system and ideally statically linked so they do not depend on the suspect host's shared libraries, on read-only media ready to use. Bear in mind that a kernel-level rootkit can lie even to a clean ps or ls, so the kit is a first check, not a substitute for examining the disk after booting from trusted media.
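The script below, added here as an illustration and not part of the original newsletter, shows one way to build such a kit on a machine you trust and later check a suspect host's utilities against it. The kit location /mnt/irkit, the tool list, and the use of sha256sum (or shasum where sha256sum is absent) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original newsletter. Builds a read-only kit of
# trusted utilities plus a checksum manifest on a machine you trust, then
# checks a suspect host's copies against that manifest.
# Assumptions (not in the article): kit path /mnt/irkit, this tool list,
# and sha256sum (or shasum) on the builder machine.

KIT="${KIT:-/mnt/irkit}"
# The utilities the article names as the ones an intruder replaces, plus the
# hashing tool itself, so the comparison does not depend on the host's copy.
KIT_TOOLS="ls ps top mount cp mv grep netstat find sha256sum"

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
    else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# Builder side: copy each tool from a known-clean system (never from the
# suspect host) and record its hash. Where the distribution offers statically
# linked builds, prefer them, so the kit does not load the suspect host's
# shared libraries, which an intruder may also have replaced.
build_kit() {
    kit="$1"; tools="$2"
    mkdir -p "$kit/bin" || return 1
    : > "$kit/MANIFEST"
    for t in $tools; do
        src=$(command -v "$t") || { echo "not on builder, skipped: $t" >&2; continue; }
        cp "$src" "$kit/bin/$t" || return 1
        printf '%s  %s\n' "$(sha256_of "$kit/bin/$t")" "$t" >> "$kit/MANIFEST"
    done
    chmod -R a-w "$kit"   # then burn to CD-ROM or mount read-only on the suspect host
}

# Suspect host side: hash the live copy of each tool found on the given PATH
# and compare with the manifest. Prints one line per tool and returns nonzero
# if any tool is missing or differs. A changed ls, ps or top is the classic
# sign of a trojaned utility; a change after a legitimate OS update is the
# reason the manifest must be rebuilt whenever the trusted build changes.
verify_against_kit() {
    kit="$1"; live_path="${2:-/usr/bin:/bin:/usr/sbin:/sbin}"; status=0
    while read -r expected name; do
        live=$(PATH="$live_path" command -v "$name") \
            || { echo "ABSENT  $name"; status=1; continue; }
        if [ "$(sha256_of "$live")" = "$expected" ]; then
            echo "OK      $name ($live)"
        else
            echo "CHANGED $name ($live)"; status=1
        fi
    done < "$kit/MANIFEST"
    return "$status"
}

# Usage, builder:       build_kit "$KIT" "$KIT_TOOLS"
# Usage, suspect host:  PATH="$KIT/bin:$PATH" verify_against_kit "$KIT" \
#                         || echo "do not trust this host's utilities"
```

Run the check with the kit's own directory first on PATH so that sha256sum, awk and the shell builtins used for the comparison come from the kit rather than from the host under examination.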

Incident reporting and contact forms. Documenting incidents is very important, not only as an aid in solving the intrusion problem, but also as an audit trail that may be used in criminal proceedings. It is critical to capture as much information as possible, so create forms that enable users who are not intrusion detection specialists to report everything they know. Some of the important elements of incident reporting forms are:

  • Contact information for the person(s) who discovered the problem and for the responsible parties.
  • Target systems and/or networks. Record everything about the systems under attack, including operating system versions, IP addresses and so on.
  • Purpose of the systems under attack. What are the systems used for (payroll, R&D and so on), and how important are they, expressed as some kind of ranking.
  • Evidence of intrusion. Record everything known about the intrusion: the method of attack, the source IP address of the attacker and the network contact information for that address.
  • List of parties to notify. This can include the technical contacts, internal legal contacts and possibly the legal authorities.

Response steps. Once the intrusion has been reported, it is time to take countermeasures:

Define the type of attack. Is it a denial of service attack? Root compromise? Has the attack destroyed data? Compromised systems? Is the attack ongoing?

Inform users. Systems may need to be quickly shut down, so users should be prepared to close files and look for alternative work options.

Contain the intrusion. Particularly if the attack is ongoing, it is critical to keep the intrusion from spreading. If the attack is a denial of service but the security and data of the host are intact, filter the attacker's source address at the router or firewall; bear in mind that flood traffic often carries spoofed source addresses, so the filter may have to target the pattern of the traffic rather than its claimed origin. If the attack is more serious and involves the compromise of local security, the system should probably be shut down, unplugged from the network and restarted in single-user mode with tools to analyze the file system, log files and processes. Shutting down destroys whatever exists only in memory (running processes, open network connections), so if circumstances allow, capture that state with the clean utilities from your offline kit before pulling the plug.

Identify the source. You can't always expect to be accurate, but you can at least identify the IP addresses the attack appears to be coming from. You can then look up the contact information for those addresses at ARIN (or the regional registry responsible for the address block) and contact the network administrator. You likely aren't contacting the source, but an innocent third party whose systems are being used. That person may nevertheless be able to trace the connection further, or may actually find the attacker on their systems.

Notify all interested parties. Management ultimately makes the call on whether it is safe to bring the system back online and whether the attack warrants involving the legal authorities.

More detailed repair of the systems, if needed. If the security of a system is compromised, some degree of file repair, extending to restoring from backup, may be required. Make sure the backup predates the intrusion, or you will restore the attacker's modifications along with your data.

Detailed postmortem of the intrusion. Write a detailed report of the intrusion and use the information to find ways to improve the long-term security of the network. Learn from your mistakes and find ways to patch the holes.
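As an added illustration, not code from the newsletter or from the CERT documents it cites, the script below walks the response steps above on a Unix host: it ranks the source addresses found in a log excerpt, validates an address before it is placed in a filter rule, prints the containment rule and the registry lookup, and captures volatile state before a compromised host is shut down. The log lines are constructed for the example; the kit path /mnt/irkit/bin, the use of iptables as the packet filter, the ARIN whois server, and print-only behaviour unless APPLY=1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original newsletter. First-response steps on a
# Unix host, in the order the article gives them.
# Assumptions (not in the article): the trusted kit is at $KIT_BIN, the packet
# filter is iptables, rules are printed rather than applied unless APPLY=1,
# and the log excerpt below is constructed for the example.

KIT_BIN="${KIT_BIN:-/mnt/irkit/bin}"

SAMPLE_LOG='Apr 23 02:11:09 host1 sshd[812]: Failed password for root from 198.51.100.7 port 4412 ssh2
Apr 23 02:11:11 host1 sshd[813]: Failed password for root from 198.51.100.7 port 4413 ssh2
Apr 23 02:11:14 host1 sshd[815]: Failed password for admin from 203.0.113.9 port 5220 ssh2
Apr 23 02:11:15 host1 sshd[816]: Failed password for root from 198.51.100.7 port 4414 ssh2
Apr 23 02:12:02 host1 sshd[820]: Accepted password for jsmith from 192.0.2.44 port 5012 ssh2'

# Define the attack / identify the source: rank the addresses behind failed
# logins, busiest first, as "count address" lines. Only the dotted-quad after
# " from " is taken, so an attacker-chosen user name in the line cannot leak
# into the result.
rank_sources() {
    printf '%s\n' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Second line of defence before anything is interpolated into a command line:
# accept only four decimal octets in range, nothing else.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Contain a denial of service while the host itself is intact: filter the
# source. Flood traffic is often spoofed, so confirm the address is real
# (whois contact, your own flow data) before relying on this alone.
block_rule() {
    valid_ipv4 "$1" || { echo "refusing to build a rule for '$1'" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -j DROP"
}

contain_dos() {
    rule=$(block_rule "$1") || return 1
    if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "DRY RUN: $rule"; fi
}

# Identify the source: the registry lookup the article describes, printed
# rather than run so the script works offline. The contact you reach is
# usually an innocent upstream, not the attacker.
whois_command() {
    valid_ipv4 "$1" || return 1
    echo "whois -h whois.arin.net $1"
}

# Contain a compromise: before the host is unplugged and rebooted, capture the
# volatile state a reboot destroys (logged-in users, processes, connections,
# mounts), using the kit's binaries rather than the host's, and hash each
# artifact so the postmortem can show the record was not altered afterwards.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    PATH="$KIT_BIN:$PATH"; export PATH
    date        > "$outdir/date.txt"    2>&1
    who         > "$outdir/who.txt"     2>&1
    ps -ef      > "$outdir/ps.txt"      2>&1
    netstat -an > "$outdir/netstat.txt" 2>&1
    mount       > "$outdir/mount.txt"   2>&1
    ( cd "$outdir" && { sha256sum *.txt 2>/dev/null || shasum -a 256 *.txt; } > MANIFEST.sha256 )
    echo "$outdir"
}

# Walk-through on the constructed log: the busiest failed-login source gets a
# dry-run filter rule and a registry lookup command.
top_src=$(rank_sources "$SAMPLE_LOG" | head -n 1 | awk '{ print $2 }')
contain_dos "$top_src"
whois_command "$top_src"
# On a compromised host, run instead, for example:
#   collect_volatile "/mnt/irkit/evidence/$(hostname)-$(date +%Y%m%d%H%M)"
```

The two validation layers matter because a log line is partly attacker-controlled input: sshd records whatever user name the client sent, so a script that pulled fields loosely and fed them to the firewall could be steered into blocking the wrong address or running extra arguments. The evidence directory should live on the kit's own write-once or removable media, not on the compromised file system.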


Jim Reavis, the founder of, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at

CERT Security Improvement module, Responding to Intrusions

CERT Handbook for Computer Security Incident Response Teams
