94 What Every Engineer Should Know About Cyber Security
• Understand normal behaviors of networks, systems, and applications by reviewing log entries and security alerts so that abnormalities can be easily identified.
• Create a log retention policy to determine how long log data from firewalls, IDPSs, and applications should be stored. Log data are helpful in the analysis of an incident.
• Perform event correlation between all of the available logs (e.g., firewall, IDPS, application) as they all record different aspects of the attack.
• Keep all host clocks synchronized. As was discussed in the last chapter, it is important during an investigation that all of the logs show the same time that an attack occurred.
• Maintain a knowledge base of searchable information related to incidents and the incident response process.
• Use a separate workstation for web research on unusual activity.
• Run packet sniffers (configured to specified criteria) to collect additional network traffic.
• Have a strategy in place to filter the data on categories of indicators that are of high significance to the organization's situation.
• Have plan B in place. If the incident scope is larger than can be handled by your team, seek assistance from external resources.
Finally, if an incident is a reality and the containment process is started, make sure that any evidence is documented, a chain of custody of any evidence collected is maintained, and the incident is reported to the appropriate officials within a defined time period.
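The event-correlation and clock-synchronization points above, worked through as an added example that is not from the book: three constructed log sources (firewall, IDPS, application) with different timestamp formats are normalised to UTC, an assumed two-minute clock skew on the application host is removed, and events are grouped by source IP so that an address recorded by more than one log within a short window stands out.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries (not from the book). All three sources record the
# same probe from 203.0.113.7; the app host's clock is assumed to run 2 min fast.
FIREWALL_LOG = [
    "2024-03-01T10:00:05Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:09Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443",
]
IDPS_LOG = ["Mar  1 10:00:10 ids1 alert sig=web-scanner src=203.0.113.7"]
APP_LOG = [
    "10:02:12 203.0.113.7 GET /admin 403",        # true time 10:00:12
    "10:05:40 198.51.100.9 GET /index.html 200",  # unrelated visitor
]
CLOCK_SKEW = {"app": timedelta(minutes=2)}  # assumed measured offset per source
DAY = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed date for lines lacking one

def parse_firewall(line):
    ts, action, rest = line.split(" ", 2)
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ip = re.search(r"src=(\S+)", rest).group(1)
    return {"src": "firewall", "time": t, "ip": ip, "detail": f"{action} {rest}"}

def parse_idps(line):
    m = re.match(r"\w{3}\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ (.*src=(\S+))", line)
    d, h, mi, s = (int(x) for x in m.group(1, 2, 3, 4))
    t = DAY.replace(day=d, hour=h, minute=mi, second=s)
    return {"src": "idps", "time": t, "ip": m.group(6), "detail": m.group(5)}

def parse_app(line):
    ts, ip, detail = line.split(" ", 2)
    h, mi, s = (int(x) for x in ts.split(":"))
    # Normalise the app host's fast clock so it lines up with the other logs.
    t = DAY.replace(hour=h, minute=mi, second=s) - CLOCK_SKEW.get("app", timedelta())
    return {"src": "app", "time": t, "ip": ip, "detail": detail}

def build_timeline():
    """Parse every source into one list ordered by corrected UTC time."""
    events = [parse_firewall(ln) for ln in FIREWALL_LOG]
    events += [parse_idps(ln) for ln in IDPS_LOG] + [parse_app(ln) for ln in APP_LOG]
    return sorted(events, key=lambda e: e["time"])

def correlate(events, window=timedelta(seconds=30)):
    """For each source IP, list the log sources that saw it within `window` of
    its first appearance; several sources agreeing is the correlation signal."""
    by_ip = {}
    for e in events:  # events are already time-ordered
        by_ip.setdefault(e["ip"], []).append(e)
    return {ip: sorted({e["src"] for e in evs if e["time"] - evs[0]["time"] <= window})
            for ip, evs in by_ip.items()}

if __name__ == "__main__":
    for e in build_timeline():
        print(e["time"].strftime("%H:%M:%S"), e["src"], e["ip"], e["detail"])
    print(correlate(build_timeline()))
```

Without the skew correction the application entry would sort two minutes after the firewall and IDPS entries and fall outside the 30-second window, which is exactly the investigation problem unsynchronized clocks create.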
5.2.2 Containment
The goal of the containment stage is to minimize the scope and damage of the incident. The containment strategy will depend on certain aspects of the incident, such as the damage/theft of resources, the need for evidence preservation, service availability, time and resources available to implement the strategy, and duration of the solution (Cichonski et al. 2012). For example, in a DDoS attack, shown in Figure 5.2, the attacker is attempting to make the resource unavailable to the users by sending a flood of messages from compromised computers, which the attacker is controlling, to a network. Essentially, the network receives more traffic than it can handle, which means it will be inaccessible to a legitimate user.
These types of attacks can bring your favorite social networking website to a standstill for hours until the attack on the website stops. One containment strategy for DDoS is filtering the traffic directed at the victim host and then locating the machines doing the attacking. This is obviously more easily said than done because there could be 300 to 400 unique IP addresses doing the