The next category of network-based tools that we’re going to look at is network-based intrusion detection systems (IDS). However, we are specifically going to discuss IDS as it relates to incident response. At the point the IDS enters the picture, the incident has already been detected; what can the IDS do to help us out? For the record, IDS are tools that serve as perimeter tripwires or sentries, alerting network staff to suspicious network activity that may indicate an attack in progress.
When it comes to incident response per se, there’s a pretty big overlap between what we look for in the sort of network tools that we’ve just described and what most IDS products deliver. Basically, we want to monitor, alert, analyze, diagnose, and collect information (whether or not it may be needed as evidence). Clearly, it’s the monitoring and alerting where most of the current IDS products excel.
What we most often use IDS products for in incident response operations is monitoring and alerting for particular trigger events. Note that we said trigger events and not just known attacks. Those trigger events should include known attack profile signatures, but they often extend far beyond that. Watching for known attacks alerts you, among other things, if the intruder you are watching makes use of known and documented attack tools. Incident-specific triggers, such as any traffic to or from the intruder’s known addresses, also help detect other systems on the network that may be involved in the incident.
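The distinction between known-attack signatures and incident-specific trigger events is easier to see in code. The following is an added example, not code from the original text or from any IDS product: it runs two kinds of rules over a handful of constructed flow records. The signature patterns, the intruder address 203.0.113.7, the internal range 10.0.0.0/8 and all sample flows are assumptions made up for the illustration. The point it shows is that once the intruder’s address is known, every internal host that talks to it becomes a trigger in its own right, and from there the rules pick up lateral movement and new external contacts that no generic signature would flag.

```python
"""Trigger-event monitoring over constructed flow records (added example)."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: str = ""


# Known attack profile signatures: generic and reusable across incidents.
# The patterns are hypothetical, stand-ins for real IDS signature content.
SIGNATURES = {
    "known-scanner-ua": re.compile(r"User-Agent: (?:Nmap|Nikto)", re.I),
    "webshell-cmd-param": re.compile(r"[?&]cmd=", re.I),
}

# Constructed sample traffic, in the order the sensor would see it.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.0.5", 80,
         "GET /admin.php?cmd=id HTTP/1.1\r\nUser-Agent: Nikto/2.1"),
    Flow("10.0.0.5", "10.0.0.9", 445),          # compromised host moves laterally
    Flow("10.0.0.9", "198.51.100.20", 443),     # newly suspect host calls out
    Flow("10.0.0.12", "10.0.0.9", 22),          # ordinary inbound admin session
]


def is_internal(ip, internal_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def analyze(flows, intruder_ips, internal_cidrs):
    """Return per-flow alerts plus the hosts and external peers the incident
    implicates. Incident-specific triggers are evaluated in flow order, so the
    suspect set grows as earlier flows reveal more involved systems."""
    internal_nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    suspect_hosts = set()
    external_contacts = set()
    per_flow = []

    for flow in flows:
        alerts = []

        # Known attack signatures: useful when the intruder uses documented tooling.
        for name, pattern in SIGNATURES.items():
            if pattern.search(flow.payload):
                alerts.append(f"signature:{name}")

        # Incident-specific trigger: any traffic involving the known intruder.
        if flow.src in intruder_ips or flow.dst in intruder_ips:
            alerts.append("trigger:intruder-traffic")
            peer = flow.dst if flow.src in intruder_ips else flow.src
            if is_internal(peer, internal_nets):
                suspect_hosts.add(peer)  # another system now involved

        # Trigger: a suspect host reaching a fresh internal host (lateral movement).
        if (flow.src in suspect_hosts and is_internal(flow.dst, internal_nets)
                and flow.dst not in suspect_hosts):
            alerts.append("trigger:lateral-from-suspect")
            suspect_hosts.add(flow.dst)

        # Trigger: a suspect host contacting an external address we do not yet
        # associate with the intruder (possible additional attacker infrastructure).
        if (flow.src in suspect_hosts and not is_internal(flow.dst, internal_nets)
                and flow.dst not in intruder_ips):
            alerts.append("trigger:suspect-egress")
            external_contacts.add(flow.dst)

        per_flow.append(alerts)

    return {
        "alerts": per_flow,
        "suspect_hosts": suspect_hosts,
        "external_contacts": external_contacts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS, {"203.0.113.7"}, ["10.0.0.0/8"])
    for flow, alerts in zip(SAMPLE_FLOWS, result["alerts"]):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {alerts or 'no trigger'}")
    print("suspect hosts:", sorted(result["suspect_hosts"]))
    print("new external contacts:", sorted(result["external_contacts"]))
```

Only the first flow matches a signature; the second and third flows trigger purely because of what the incident has already taught us about the intruder and the hosts it touched, and the fourth flow stays quiet even though it reaches a suspect host. Hosts landing in the suspect set are leads to examine, not confirmed compromises, since a shared service would pull in every client that talks to it.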
The most useful ...