Last Updated: 2012-12-13 18:35:04 UTC
by Johannes Ullrich (Version: 1)
[guest diary submitted by Russell Eubanks]
If you knew your network was going to be attacked tomorrow, what specific actions would you take today? Treat yourself to lunch at your desk as you consider the following suggestions.
Look for opportunities to improve your detection capabilities. In your security lab, try changing operating system and application configurations to see if your current policies are able to detect and alert on these actions. If not, create new alerts that are labeled with the action you used to generate these events. This is a great foundation for actively seeking the activity that you are currently missing.
Update the contact information for everyone on your Incident Response Team. Be certain that everyone you have listed knows they are a part of the team and understands their role when an incident occurs. When was the last time you held an exercise to make sure that everyone listed on the team can be reached in an acceptable amount of time? Schedule an update for the team today. Consider providing them with lunch or another appropriate token of your appreciation for serving on the team.
Leverage data from the Top 100 Source IP addresses as seen by the SANS Internet Storm Center at http://isc.sans.edu/ipsascii.html. Consider a daily report that shows the traffic between your hosts and those found on this list. Traffic to and from these hosts may not indicate an attack, but may very well prove worthy of your investigative efforts.
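The daily report suggested above, as an added example that is not part of the diary: a Python script that reads the ISC list in its assumed layout (tab-separated ip, reports, targets, first seen, last seen; '#' comment lines; zero-padded octets) and counts flows in iptables-style firewall log lines whose source or destination is on that list. Both the list excerpt and the log lines are constructed samples.

```python
import re
from collections import Counter
# Constructed samples (not from the diary). ISC_LIST follows the
# ipsascii.html layout as assumed here: tab-separated ip, reports,
# targets, first seen, last seen; '#' comments; zero-padded octets.
ISC_LIST = """\
# Top 100 source IPs (constructed sample)
192.000.002.010\t4521\t1203\t2012-12-01\t2012-12-13
198.051.100.077\t3390\t880\t2012-12-05\t2012-12-13
203.000.113.005\t2101\t640\t2012-12-11\t2012-12-13
"""
FW_LOG = """\
Dec 13 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.1.1.25 PROTO=TCP DPT=22
Dec 13 10:01:05 fw kernel: IN=eth0 OUT= SRC=10.1.1.40 DST=10.1.1.25 PROTO=TCP DPT=445
Dec 13 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.12 DST=198.51.100.77 PROTO=TCP DPT=443
Dec 13 10:03:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.1.1.30 PROTO=TCP DPT=3389
"""

def normalize_ip(ip):
    """Strip zero padding: 192.000.002.010 -> 192.0.2.10."""
    return ".".join(str(int(o)) for o in ip.split("."))

def parse_isc_list(text):
    """Return {ip: report_count}, skipping comment and blank lines."""
    watch = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split("\t")
            watch[normalize_ip(fields[0])] = int(fields[1])
    return watch

def match_log(log_text, watch):
    """Count flows whose SRC (inbound) or DST (outbound) is watched."""
    hits = Counter()
    for line in log_text.splitlines():
        m = re.search(r"SRC=(\S+) DST=(\S+)", line)
        if m:
            src, dst = m.groups()
            if src in watch:
                hits[(src, "inbound")] += 1
            if dst in watch:
                hits[(dst, "outbound")] += 1
    return hits

def daily_report(log_text=FW_LOG, list_text=ISC_LIST):
    """One line per watched IP seen today, with its ISC report count."""
    watch = parse_isc_list(list_text)
    hits = match_log(log_text, watch)
    return [f"{ip} {direction}: {n} flow(s), {watch[ip]} ISC reports"
            for (ip, direction), n in sorted(hits.items())]
```

Outbound hits deserve a closer look than inbound ones: an internal host reaching out to a heavily reported address is the kind of signal the diary says is worth investigating.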
Create new alerts based on information found in your logs. These alerts can be scheduled to run every few minutes and configured to notify you if more than zero occur. Pay particular attention to trends that stand out over time. Can you determine the normal usage patterns over a given time period? How would you know if something outside of this baseline started to occur or stopped occurring? How quickly would you know if a critical system stopped sending logs to you?
Schedule and perform regular security architecture reviews. Start with a copy of your network diagram and assume the role of your attacker. Determine how the network's current defensive and monitoring capabilities could be defeated. Make sure you can detect this type of attack going forward. Implement changes based on that review session today to prevent that type of attack from succeeding. As a final step in this exercise, update your network diagram to reflect any changes you made.
Become familiar with the 20 Security Controls http://www.sans.org/critical-security-controls as a means to implement or enhance your continuous monitoring capabilities. Spend some time on the website to learn about the controls and how they can be applied in your network. Focus specifically on the Quick Wins section on each control to get a better sense of the intent behind each objective. If starting fresh, Controls 1 and 2 could very well be a good place to start.
Finally, use the following suggestions as a means to be intentional about network security monitoring. Conduct recurring IRT peer reviews to solicit their suggestions for improvements. Publish regular reports to the IRT, noting specific items that would be useful to the team. Invite the IRT to subscribe to the SANS Internet Storm Center Daily Podcast at https://itunes.apple.com/us/podcast/sans-internet-storm-center/id304863991. Make a recurring calendar appointment to do this activity with your IRT over and over again.
What additional suggestions do you have that support intentionally monitoring the security of your network?