Incident Identification – CompTIA Security+ SY0-401: 2.5

One of the challenges of security incidents is recognizing that one has occurred. In this video, you’ll learn about some techniques that can help you detect incidents and attacks.

<< Previous Video: Preparing for an IncidentNext: Incident Escalation and Notification >>


Detecting a security incident is not the easiest thing to do. These incidents take many shapes and forms. They may have a different amount of detail. They may attacked different kinds of systems. You’re never quite certain exactly where the incident is going to come from. One of the challenges we have is that our networks are constantly under attack. If you’re connected to the internet there’s automated processes, bots, worms, and people maliciously trying to gain access to your systems. So the question really is, of this traffic, how much of it is a legitimate threat, and how much of it is going to be stopped by the existing systems that we have in place?

It’s multiple layers of security that we have to spread across every part of our infrastructure, and it really requires some specialized knowledge and tools to be able to accomplish that. It would be really great if we could identify that an incident was going to occur before it actually did occur. And one way to do that is to look at different pieces of our network to understand where these changes, or significant precursors, may be happening. One place to gather of these precursors is in something like a Web server log. You can look at what people are hitting your web server, and you can also see when different devices, or different scripts, may be running automated vulnerability checks against your servers, and this may give you a heads up at somebody’s trying to gain access into your systems.

Another precursor may be the very common monthly announcements vulnerabilities. Microsoft, for instance, announces vulnerabilities, and almost immediately, you see the bad guys trying to take advantage of these open holes in your operating systems, before you have a chance to patch them. So you may see an increase in the number of people trying to use those vulnerabilities, against the servers that you already have in place. And some precursors may be very obvious. The bad guys might contact you directly and say, that you need to pay them a certain amount of money, or they’re going to hit devices with a massive denial of service attack. In this particular case you have a decision to make on whether you pay them their money, or you protect your systems against these kinds of security incidents.

There’s a number of things that you can monitor to see if an attacker might be under way. This obviously is going to be important, because the sooner we can stop the attack, the less damage is going to be occurring in your network. One way is to look for things like buffer overflow attempts. Which is a very common way to take advantage of bad software in an application or an operating system. You can look to intrusion prevention systems to provide you with information about things like buffer overflows, because they tend to have signatures that are specifically designed to look for these on the network and inside of an operating system. On the devices themselves you can constantly update your anti-virus and your anti-malware signatures, so that they may also identify malicious software that may try to execute in the operating system itself. In those cases the software also generally contacts you, so you’ll have an idea of where these particular attack vectors are coming from.

It’s also very common in your file servers, where the operating system files, in the documents don’t change very often to lock them down and then monitor the files. That way if somebody does gain access into the operating system and they try to modify what exists, you’ll be notified that somebody’s made a change to these files that normally would never be changing. And another way to look for any type of security incidents that may be occurring is to look at your network traffic. Network tends to be very predictable day, after, day, after, day. If there are any significant changes, or things deviate, from what is normal it may be indicative of an ongoing problem. Hopefully, these precursors, and these active indicators, of a security incident can help you get a better idea of what might be happening in your environment.