Chapter 22 Incident Determination

Is the event really a security incident? It may instead be a HW failure or a user/admin error.

If availability, accuracy, or confidentiality is compromised it's a security incident

Without active system monitoring in place, it is unlikely an intruder will be detected.

The administration's greatest advantage over the attacker is knowledge of the system's normal behavior.

Indicators: possible (unusual things that might be an incident), probable (things that could not occur without someone doing them), definite (positively an incident).

Possible indicators:
unfamiliar files: esp. in system/config directories. What is their source and purpose? Compare with a previously generated list of files.
unknown processes: rogue SW installed by the attacker to exploit a vulnerability or to monitor the system.
consumption of resources: unexpected use of CPU, RAM, or network.
system crashes: exploits are often system-specific and will crash even a slightly different configuration.
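The "compare with a previously generated list of files" check above, as an added example that is not part of these notes: it baselines a directory (path and digest per file), then reports unfamiliar, modified, and removed files. The directory and its sample files are constructed in a temp folder for illustration; in practice the baseline is stored somewhere the attacker cannot alter.

```python
"""Added example: baseline a config directory and detect unfamiliar or changed files."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def compare(baseline, current):
    """Classify differences against the baseline:
    new = unfamiliar files (a 'possible' indicator), modified = content changed,
    removed = present in the baseline but gone now."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario (not real data): baseline a config dir, then an
    unexpected file appears and an existing file is altered."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "etc"
        cfg.mkdir()
        (cfg / "sshd_config").write_text("PermitRootLogin no\n")
        (cfg / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(cfg)  # normally saved offline / on read-only media
        # later snapshot: one unfamiliar file, one changed config file
        (cfg / "unexpected.bin").write_text("constructed sample content\n")
        (cfg / "sshd_config").write_text("PermitRootLogin yes\n")
        return compare(baseline, snapshot(cfg))


if __name__ == "__main__":
    print(demo())
```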

Probable indicators:
activities at unexpected times: investigate anomalies.
presence of new accounts
attack reported by a user or by the attacker
IDS notification

Definite indicators:
use of dormant accounts
changes to logs
presence of hacker tools
notification by a partner that "you" are attacking them
notification by the hacker