
IDFAQ: What difficulties are associated with matching events to attacks? Why is event/data correlation important?

Intrusion Detection Policy

Building an Intrusion Detection (ID) policy is a labor-intensive task. What is an ID policy? It is the combination of all the policies used to protect a network. The ID policy is usually a combination of the firewall, the Intrusion Detection Systems (IDS), the router's Access Control List (ACL), the Incident Response (IR) policy and all patch updates that apply. In order to build the best possible "Total Defense Policy", time must be spent on research and on "tuning" the IDS software to reduce the false positive rate.

"Layered Defense" is a principle shared by all the interconnected devices at the perimeter. A change made to one of them (firewall, router, IDS) can negatively affect the others.

Incident Handling

Upon detection of a suspicious event (alarm), the Incident Handling machine jumps into high gear. The analyst's first step is to analyze the attack scenario and the motive behind it. One cannot rush into concluding that an attack is underway before consulting other correlating data. On a busy network, an analyst will often encounter situations where he/she cannot tell whether the event of interest is a stimulus or an actual response.

It is imperative that the event be accurately analyzed and cataloged. If no correlating data is available, the event will usually be placed on watch until enough evidence is collected to move forward. Sometimes a phone call or an e-mail is sufficient to resolve the event satisfactorily.


Here I would like to stress the need to use a combination of commercial or freeware signature-based and anomaly detection sensors (RealSecure, Axent, Snort, etc.) with a full-blown packet sniffer (Shadow, tcpdump, windump, etc.). Whether you pair Shadow with RealSecure, Snort, or any other signature-based or anomaly detection sensor, Shadow's biggest strength is its ability to reconstruct the entire event.

In my experience as an ID analyst, it is not possible to have one without the other. Signature-based and anomaly detection sensors are great tools. However, they only provide a snapshot in time of what transpired, and the record ends there. Unfortunately, the audit trail goes cold quickly if that was the only lead you had.
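The two points above, deciding whether a flagged event is a stimulus or a response and putting an event "on watch" when nothing correlates, can be shown with a small correlation script. The following is an added example written for this page, not code from the article or from any of the products it names. It parses constructed Snort-style "fast" alert lines and constructed tcpdump-style lines (labelled as such in the block; 192.0.2.0/24 plays the protected network), fixes a capture date of its own because tcpdump lines carry only a time of day, and uses an assumed 60-second look-back window. For each alert it asks the sniffer's record which side sent the first packet between the two hosts: if the alert's source did, the alert is the stimulus; if the alert's destination did, our host asked first and the alert is a response; if the sniffer saw nothing at all, the event goes on watch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real traffic): three Snort-style "fast" alerts
# and a few tcpdump-style lines captured on the same segment in the same minutes.
ALERTS = """\
06/15-10:02:31.120000 [**] [1:1000001:1] CONSTRUCTED WEB probe [**] {TCP} 203.0.113.7:4455 -> 192.0.2.10:80
06/15-10:05:02.500000 [**] [1:1000002:1] CONSTRUCTED suspicious reply [**] {TCP} 198.51.100.20:80 -> 192.0.2.15:51000
06/15-10:07:45.000000 [**] [1:1000003:1] CONSTRUCTED port sweep [**] {TCP} 203.0.113.99:40000 -> 192.0.2.20:22
"""

CAPTURE = """\
10:02:31.118000 IP 203.0.113.7.4455 > 192.0.2.10.80: Flags [S], seq 1, win 8192, length 0
10:02:31.119000 IP 192.0.2.10.80 > 203.0.113.7.4455: Flags [S.], seq 2, ack 2, win 65535, length 0
10:02:31.120000 IP 203.0.113.7.4455 > 192.0.2.10.80: Flags [P.], seq 2:60, ack 3, win 8192, length 58
10:04:59.000000 IP 192.0.2.15.51000 > 198.51.100.20.80: Flags [S], seq 10, win 64240, length 0
10:04:59.200000 IP 198.51.100.20.80 > 192.0.2.15.51000: Flags [S.], seq 20, ack 11, win 29200, length 0
10:05:02.500000 IP 198.51.100.20.80 > 192.0.2.15.51000: Flags [P.], seq 21:1400, ack 200, win 29200, length 1379
"""

# Assumption: tcpdump lines carry only a time of day, so the capture date is
# fixed here to match the alerts (a constructed value, not from the article).
CAPTURE_DATE = (2001, 6, 15)

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[^\]]*\] "
    r"(?P<msg>.*?) \[\*\*\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def _timestamp(year, mon, day, time_str):
    return datetime.strptime(f"{year}-{mon}-{day} {time_str}", "%Y-%m-%d %H:%M:%S.%f")


def parse_alerts(text):
    """Return the alerts as dicts with datetime, message, source and destination host."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # lines that do not parse are skipped rather than guessed at
            alerts.append({"ts": _timestamp(CAPTURE_DATE[0], m["mon"], m["day"], m["time"]),
                           "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_capture(text):
    """Return the sniffer lines as dicts with datetime, source and destination host."""
    year, mon, day = CAPTURE_DATE
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append({"ts": _timestamp(year, mon, day, m["time"]),
                            "src": m["src"], "dst": m["dst"]})
    return packets


def classify(alert, packets, window=timedelta(seconds=60)):
    """Label one alert using the sniffer's record of the same host pair.

    Looks back `window` seconds (an assumed tuning value) and asks who sent the
    first packet between the two hosts:
      - the alert's source host  -> "stimulus": the flagged host started the exchange
      - the alert's destination  -> "response": our host asked first, the alert is the reply
      - nobody (no packets seen) -> "watch": no correlating data yet, hold the event
    """
    start = alert["ts"] - window
    pair = {alert["src"], alert["dst"]}
    related = sorted(
        (p for p in packets if {p["src"], p["dst"]} == pair and start <= p["ts"] <= alert["ts"]),
        key=lambda p: p["ts"],
    )
    if not related:
        return "watch"
    return "stimulus" if related[0]["src"] == alert["src"] else "response"


def correlate(alert_text=ALERTS, capture_text=CAPTURE):
    """Pair every alert with its verdict; this is what an analyst would triage from."""
    packets = parse_capture(capture_text)
    return [(a["msg"], classify(a, packets)) for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for msg, verdict in correlate():
        print(f"{verdict:9} {msg}")
```

The third alert is the case the text calls out: the sensor fired, but the sniffer has no traffic for that host pair in the window, so the script returns "watch" instead of a verdict. In practice the window, the date handling and the "first packet wins" rule are all tuning decisions; a sniffer with full payload capture (what Shadow gives you) is what lets the analyst go back and reconstruct the whole exchange once an event is taken off watch.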

Guy Bruneau, GCIA