Discovery-Analysis-Remediation Cycle

A recurring three-step process is followed for addressing attacks, referred to as the discovery-analysis-remediation cycle (FIGURE 1-3). The cycle may run entirely within your organization, entirely outside it (for example, at a cloud-based service provider that operates the affected systems), or across both.

A cycle diagram represents the three recurring processes: discovery, analysis, and remediation.

FIGURE 1-3
Discovery-analysis-remediation.

© Jones & Bartlett Learning.

Discovery

The first step in responding to an attack is to know that an attack has occurred or is occurring. Discovering an attack is often harder than it seems. Experienced attackers know that the success of an exploit often depends on how long vulnerable systems stay exposed without anyone noticing. Once an attack starts, a common goal of the attacker is to become as inconspicuous as possible; keeping a low profile lets an attack do more damage as time passes.

It is important to recognize what “normal” looks like. Usually, the only way to know that something is not right is to compare suspect activity with normal activity, often called a baseline. The baseline has to be established before an incident, because activity recorded during one is already suspect. The most common method of accomplishing this is to use activity and monitoring logs, forwarded to a central collector so that an attacker who compromises a host cannot simply edit the local copy. Log files often contain the evidence needed to detect that something abnormal has happened.

Analysis

Once abnormal activity is identified, the next step is to analyze it. Not all suspect activity is bad. Some activity has a rational explanation. Perhaps the database server was under an unusual load because too many users were running large reports. Perhaps load balancing had been disabled, so that all network traffic was sent through a single device. Both of these cases are abnormal but do not indicate attacks. Security information and event management (SIEM) tools can make the analysis phase much more efficient. SIEM tools collect and aggregate security-related information from multiple sources and devices and prepare the data for correlation and analysis. They can often cross-reference events against known-vulnerability data (such as scan results for the affected host) and threat intelligence to help identify suspect behavior. The analysis phase consists of validating that the suspect activity really is abnormal and then figuring out what is causing it.
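The discovery and analysis steps described above, as an added example that is not from the text or the publisher: it learns a baseline of failed SSH logins per source address and hour from constructed "normal" log lines, flags buckets on a second day that exceed that baseline (discovery), and then correlates each flagged bucket with the same hour's successful logins and the number of accounts tried (analysis) so that a credential attack can be told apart from a misconfigured client. The log lines follow OpenSSH's syslog format but are constructed for this illustration, and the threshold rule (three standard deviations above the mean, with an absolute floor) is an assumption chosen here, not a prescription from the text.

```python
import re
import statistics
from collections import Counter

# OpenSSH syslog line shape this example understands (all samples below are constructed):
# "Mar  1 09:12:01 host sshd[2201]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed baseline: a normal day, a typo or two before each successful login.
BASELINE_LOG = """
Mar  1 08:03:11 bastion sshd[2201]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar  1 08:03:15 bastion sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  1 09:40:02 bastion sshd[2310]: Failed password for bob from 10.0.0.7 port 40112 ssh2
Mar  1 09:40:09 bastion sshd[2310]: Accepted password for bob from 10.0.0.7 port 40112 ssh2
Mar  1 11:15:44 bastion sshd[2455]: Failed password for carol from 10.0.0.9 port 49870 ssh2
Mar  1 11:15:51 bastion sshd[2455]: Failed password for carol from 10.0.0.9 port 49870 ssh2
Mar  1 11:16:00 bastion sshd[2455]: Accepted password for carol from 10.0.0.9 port 49870 ssh2
Mar  1 14:02:30 bastion sshd[2600]: Failed password for alice from 10.0.0.5 port 51900 ssh2
Mar  1 14:02:38 bastion sshd[2600]: Accepted password for alice from 10.0.0.5 port 51900 ssh2
"""

# Constructed suspect day: an external burst across several accounts that ends in a
# success, an internal account failing like clockwork, and alice's usual typo.
SUSPECT_LOG = """
Mar  2 02:10:01 bastion sshd[3100]: Failed password for invalid user admin from 203.0.113.8 port 53001 ssh2
Mar  2 02:10:03 bastion sshd[3101]: Failed password for invalid user test from 203.0.113.8 port 53002 ssh2
Mar  2 02:10:05 bastion sshd[3102]: Failed password for invalid user oracle from 203.0.113.8 port 53003 ssh2
Mar  2 02:10:07 bastion sshd[3103]: Failed password for root from 203.0.113.8 port 53004 ssh2
Mar  2 02:10:09 bastion sshd[3104]: Failed password for alice from 203.0.113.8 port 53005 ssh2
Mar  2 02:10:11 bastion sshd[3105]: Failed password for bob from 203.0.113.8 port 53006 ssh2
Mar  2 02:10:13 bastion sshd[3106]: Accepted password for bob from 203.0.113.8 port 53007 ssh2
Mar  2 03:00:01 bastion sshd[3200]: Failed password for backup from 10.0.0.12 port 44010 ssh2
Mar  2 03:05:01 bastion sshd[3201]: Failed password for backup from 10.0.0.12 port 44011 ssh2
Mar  2 03:10:01 bastion sshd[3202]: Failed password for backup from 10.0.0.12 port 44012 ssh2
Mar  2 03:15:01 bastion sshd[3203]: Failed password for backup from 10.0.0.12 port 44013 ssh2
Mar  2 03:20:01 bastion sshd[3204]: Failed password for backup from 10.0.0.12 port 44014 ssh2
Mar  2 03:25:01 bastion sshd[3205]: Failed password for backup from 10.0.0.12 port 44015 ssh2
Mar  2 08:01:10 bastion sshd[3300]: Failed password for alice from 10.0.0.5 port 52010 ssh2
Mar  2 08:01:14 bastion sshd[3300]: Accepted password for alice from 10.0.0.5 port 52010 ssh2
"""


def parse(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hour"] = ev["ts"][:-6]  # "Mar  1 09:12:01" -> "Mar  1 09"
            events.append(ev)
    return events


def failures_per_source_hour(events):
    return Counter((e["ip"], e["hour"]) for e in events if e["result"] == "Failed")


def build_baseline(baseline_events, floor=5):
    """Discovery, part 1: learn what a normal failed-login volume looks like.
    Returns the count above which a (source, hour) bucket is considered abnormal."""
    counts = list(failures_per_source_hour(baseline_events).values())
    if not counts:
        return floor
    # Three standard deviations above the mean, but never below an absolute floor:
    # a small, quiet baseline would otherwise yield a threshold of two or three.
    return max(statistics.mean(counts) + 3 * statistics.pstdev(counts), floor)


def discover(events, threshold):
    """Discovery, part 2: buckets whose failure count exceeds the baseline."""
    return {k: n for k, n in failures_per_source_hour(events).items() if n > threshold}


def analyze(anomalies, events):
    """Analysis: correlate each anomalous bucket with the same hour's successful
    logins and the spread of usernames tried, then say what it most likely is."""
    verdicts = {}
    for (ip, hour), n in anomalies.items():
        window = [e for e in events if e["ip"] == ip and e["hour"] == hour]
        failed_users = {e["user"] for e in window if e["result"] == "Failed"}
        broken_in = failed_users & {e["user"] for e in window if e["result"] == "Accepted"}
        if broken_in:
            verdicts[(ip, hour)] = "attack succeeded: %d failures then Accepted for %s" % (n, sorted(broken_in))
        elif len(failed_users) > 1:
            verdicts[(ip, hour)] = "password guessing across %d accounts, no success yet" % len(failed_users)
        else:
            verdicts[(ip, hour)] = "one account failing repeatedly, no success: check for a stale credential before calling it an attack"
    return verdicts


if __name__ == "__main__":
    threshold = build_baseline(parse(BASELINE_LOG))
    events = parse(SUSPECT_LOG)
    for key, verdict in analyze(discover(events, threshold), events).items():
        print(key, "->", verdict)
```

The two flagged buckets look identical to a counter (both are bursts of failures from one address), which is exactly why the analysis step exists: only the correlation with the success events and the account spread separates the external break-in from the internal backup job that was never given its new password.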

The next step is to consult current vulnerability and security bulletin databases to see whether others are seeing the same activity. Many security-related databases serve this purpose; TABLE 1-2 lists the repositories most commonly used to research vulnerabilities and exposures.

TABLE 1-2 Popular Repositories for Security Vulnerabilities and Exposures

RESOURCE: Common Vulnerabilities and Exposures (CVE)
ADDRESS: http://cve.mitre.org/ (the CVE program now publishes at https://www.cve.org/)
COMMENTS: Dictionary of publicly known vulnerabilities and exposures; each entry is one instance of a vulnerability in a specific product, not the underlying flaw that causes it

RESOURCE: National Vulnerability Database (NVD)
ADDRESS: http://nvd.nist.gov/
COMMENTS: CVE data enriched with CVSS severity scores, CWE mappings, affected-product lists, and reference links

RESOURCE: United States Computer Emergency Readiness Team (US-CERT)
ADDRESS: http://www.us-cert.gov/ (now part of CISA; alerts are published at https://www.cisa.gov/)
COMMENTS: Numerous security alerts and bulletins

RESOURCE: Common Weakness Enumeration (CWE)
ADDRESS: https://cwe.mitre.org/
COMMENTS: Community-developed list of common software and hardware security weaknesses; focuses on the flaw that causes a vulnerability, so many CVEs map to one CWE

RESOURCE: Full Disclosure
ADDRESS: http://seclists.org/fulldisclosure/
COMMENTS: Vendor-neutral mailing list discussing vulnerabilities and exploits, often before a CVE entry exists

RESOURCE: Common Attack Pattern Enumeration and Classification (CAPEC)
ADDRESS: https://capec.mitre.org/
COMMENTS: Dictionary of known attack patterns, cross-referenced to the CWE weaknesses they exploit

© Jones & Bartlett Learning.

Remediation

The third step in the cycle is to remediate the activity. Simply put, this means containing any damage that has occurred, recovering from any loss, and implementing controls to prevent a recurrence. The order matters: contain first, because restoring systems while the attacker still has access only hands them a clean foothold.

The particular steps to take in any of these phases depend on the nature of the attack. Most vulnerabilities and exposures that are documented in a public database are accompanied by suggested remediation steps, typically a reference to a vendor patch or advisory and, where no patch exists yet, a mitigation such as disabling the affected feature.
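The lookup that TABLE 1-2 and the paragraph above describe, as an added example that is neither the text's nor the publisher's code: it queries the NVD 2.0 REST API for one CVE (network access required for that call) and reduces the record to what an analyst compares first, the CVSS score and vector, the CWE identifiers that name the underlying flaw, and the references tagged as a patch or vendor advisory, which is where the "suggested remediation steps" live. The sample record is hand-constructed in the shape of the API response for a real, well-known CVE; its values are abridged from memory and are illustrative only, so verify them against the live database before relying on them. The tag filter and the CVSS-version preference order are choices made here, not rules from the text.

```python
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def fetch_cve(cve_id, api_key=None, timeout=30):
    """Fetch one CVE record from NVD (needs network access; an API key is optional
    but raises the rate limit). Returns the 'cve' object, or None if NVD has no entry."""
    url = NVD_API + "?" + urllib.parse.urlencode({"cveId": cve_id})
    headers = {"apiKey": api_key} if api_key else {}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
        vulns = json.load(resp).get("vulnerabilities", [])
    return vulns[0]["cve"] if vulns else None


def summarize_cve(cve):
    """Reduce an NVD 2.0 'cve' object to severity, the CWE behind this instance,
    and the references that point at a fix."""
    description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
    score = severity = vector = None
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):  # newest CVSS version wins
        if metrics.get(key):
            entry = metrics[key][0]
            score = entry["cvssData"]["baseScore"]
            vector = entry["cvssData"]["vectorString"]
            # CVSS v3 keeps baseSeverity inside cvssData; CVSS v2 keeps it beside it.
            severity = entry["cvssData"].get("baseSeverity", entry.get("baseSeverity"))
            break
    cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w.get("description", []) if d["value"].startswith("CWE-")})
    fixes = [r["url"] for r in cve.get("references", [])
             if {"Patch", "Vendor Advisory"} & set(r.get("tags", []))]
    return {"id": cve["id"], "score": score, "severity": severity, "vector": vector,
            "cwes": cwes, "fix_references": fixes, "description": description}


# Constructed sample in the shape of an NVD 2.0 record for a real, well-known CVE.
# Values are abridged from memory and illustrative only; check the live database.
SAMPLE_CVE = {
    "id": "CVE-2021-44228",
    "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI features do not protect against "
                      "attacker-controlled LDAP and other JNDI endpoints, allowing remote code "
                      "execution via logged input (abridged)."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL",
                                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}]},
    "weaknesses": [{"source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-917"}]}],
    "references": [
        {"url": "https://logging.apache.org/log4j/2.x/security.html", "tags": ["Vendor Advisory", "Patch"]},
        # Placeholder entry showing that references without a fix tag are filtered out.
        {"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "tags": ["Third Party Advisory"]},
    ],
}

if __name__ == "__main__":
    import sys
    record = fetch_cve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CVE
    print(json.dumps(summarize_cve(record), indent=2))
```

Run it with a CVE identifier as the only argument to query NVD, or with no argument to summarize the constructed sample. The CWE identifiers in the result are the bridge between the table's entries: a CVE tells you which product is affected, the CWE tells you what class of flaw to look for elsewhere in your environment, and CAPEC lists the attack patterns that exploit that class.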

Work backward from the discovery event that revealed the abnormal activity: the evidence that exposed the attack usually points to the weakness that allowed it, and a control that blocks that path is a good place to start. Ensure that any new controls comply with operational requirements and don’t interfere with critical business processes; a control that breaks a critical process tends to get switched off, which leaves the original exposure in place.
