Role of IDS in Incident Response
As seen above, sometimes part of that response is accomplished FOR you, by the IDS doing what it can to stop the attack, determine the extent of the damage, and safeguard the system or your network from further attacks by taking actions like shutting down services.
At other times, it's up to you to get the email, page, or alert on your computer screen, and race into action. Do you immediately shut the attacker off? Or do you let them continue for a while, and try to determine the source of the attack so that you might have a better lead on who could be prosecuted later? (Take note: few prosecutions of this sort are successful.)
Do you yank your site's Internet connection? All of these are potentially valid actions that the authors have seen network administrators take more than once.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.