CERT Coordination Center

Detecting Signs of Intrusion¹

A CERT® Security Improvement Module

Intruders are always looking for new ways to break into networked computer systems. They may attempt to breach your network's perimeter defenses from remote locations, or try to physically infiltrate your organization to access information resources. Intruders seek old, unpatched vulnerabilities as well as newly discovered vulnerabilities in operating systems, network services, and protocols and take advantage of both. They develop and use sophisticated programs to rapidly penetrate systems. As a result, intrusions and the damage they cause can be achieved in seconds².

Even if your organization has implemented comprehensive information security protection measures (such as firewalls), it is essential that you closely monitor your information assets and transactions involving these assets for signs of intrusion. Monitoring may be complicated because intruders often hide their activities by changing the systems they break into. An intrusion may have already happened without you noticing because everything seemed to be operating normally.

A general security goal is to prevent intrusions. However, because no prevention measures are perfect, you also need a strategy for handling intrusions that includes preparation, detection, and response. This module focuses on preparation and detection. The practices recommended below are designed to help you prepare for and detect intrusions by looking for unexpected or suspicious behavior and "fingerprints" of known intrusion methods.


 

Who should read these practices

These practices are intended primarily for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.

These practices are applicable to your organization if its networked systems infrastructure includes

  • host systems providing services to multiple users (file servers, timesharing systems, database servers, web servers, etc.)

  • local-area or wide-area networks

  • direct connections, gateways, or modem access to and from external networks, such as the Internet


 

What these practices do not cover

These practices do not cover
  • preventing intrusions

  • responding to intrusions. Refer to Responding to Intrusions [Kossakowski 99].

  • establishing initial configurations of applications, operating systems, networks, or workstations. Refer to Securing Desktop Workstations [Ford 99], Securing Network Servers [Allen 00], and Securing Public Web Servers [Kossakowski 00].

  • protecting user privacy while in the process of detecting signs of intrusion

  • using security monitoring and reporting services provided by outside (third party) organizations


 

Security issues

If you do not know that an intrusion or an intrusion attempt has occurred, it is difficult, if not impossible, to later determine if your systems have been compromised. If the information necessary to detect an intrusion is not being collected and reviewed, you cannot determine what sensitive data, systems, and networks are being attacked and what breaches in confidentiality, integrity, or availability have occurred. As a result of an inadequate ability to detect signs of intrusion, the following may occur:
  1. You will be unable to detect such signs in a timely manner due to the absence of necessary warning mechanisms and review procedures.

  2. You will be unable to identify intrusions because of the absence of expected state information with which to compare your current operational state. Differences between this expected configuration and your current state can provide an indication that an intrusion has occurred.

  3. You will be unable to determine the full extent of the intrusion and the damage it has caused. You will also be unable to tell whether or not you have completely removed the intruder from your systems and networks. This will significantly increase your time to recover.

  4. Your organization may be subject to legal action. Intruders make use of systems they have compromised to launch attacks against others. If one of your systems is used in this way, you may be held liable for not exercising adequate due care with respect to security.

  5. Your organization may experience lost business opportunities and its reputation may suffer.

If you are adequately prepared and if you have the necessary policies and procedures in place to detect signs of intrusion, then you can mitigate your risk of exposure to intrusion and mitigate possible damage to your systems.


 

Security improvement approach

These practices assume that
  • You have performed security planning (such as policy formulation, disaster recovery and business continuity planning, risk assessment, identification of critical information assets) that addresses your organization's business objectives.

  • You have performed trade-off analyses to determine the cost of protecting versus the cost of reconstituting critical assets (data, systems, networks, workstations, tools) in the event of an intrusion. Protecting an asset includes consideration of the loss of confidentiality and customer confidence if the asset is disclosed (e.g., confidential, competitive information). It is likely not feasible to protect all assets.

  • You have a documented disaster recovery policy and procedures that include determining what assets are critical to protect and with what priority. The policy identifies who has responsibility for and authority to access each asset that needs to be recovered, under what conditions, and by what means.

The general approach to detecting intrusions is

  1. Observe your systems for anything unexpected or suspicious.

  2. Investigate anything you find to be unusual.

  3. If your investigation finds something that isn't explained by authorized activity, immediately initiate your intrusion response procedures.

While this process sounds simple enough, implementing it is a resource-intensive activity that requires continuous, automated support and daily administrative effort. Furthermore, the scale of intrusion detection practices may need to change as threats, system configurations, or security requirements change. In all cases, however, there are five areas that must be addressed:

  • adequate preparation, which should include defining the required policies and procedures necessary to meet your business objectives and prepare your staff and systems to detect signs of intrusion

  • integrity of the software you use to detect intrusions

  • monitoring the behavior of your systems and the traffic on your networks

  • physical forms of intrusion to your computer systems, offline data storage media, and output devices

  • follow through, including investigation of reports by users and other reliable sources (such as incident response teams) and taking action when unexpected activities occur

As you look for signs of intrusion, keep in mind that information from one source may not appear suspicious by itself. Inconsistencies among several sources can sometimes be the best indication of suspicious behavior or intrusions.
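The approach above relies on expected state information to compare against (security issue 2, practice 7) and on noticing inconsistencies among sources. The following Python script is an added example, not part of this CERT module: it records a baseline of file hashes, permission bits and timestamps for a directory tree, compares a later snapshot against it, and flags the cross-source inconsistency of a file whose contents changed while its modification time did not. The directory layout, file contents and timestamps are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    h = hashlib.sha256()  # hash in chunks so large files need not fit in memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Expected state: hash, permission bits and mtime of every regular file under root.
def snapshot(root: Path) -> dict:
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {"sha256": hash_file(p),
                                                     "mode": st.st_mode & 0o7777, "mtime": st.st_mtime_ns}
    return state

# Differences between expected and current state; each one is something to investigate.
def compare(expected: dict, current: dict) -> dict:
    report = {"added": sorted(current.keys() - expected.keys()),
              "removed": sorted(expected.keys() - current.keys()), "modified": [], "timestamp_mismatch": []}
    for name in sorted(expected.keys() & current.keys()):
        old, new = expected[name], current[name]
        if old != new:
            report["modified"].append(name)
        # Two sources disagree (content changed, timestamp did not): neither fact alone is
        # conclusive, but together they suggest the timestamp was reset to hide the change.
        if old["sha256"] != new["sha256"] and old["mtime"] == new["mtime"]:
            report["timestamp_mismatch"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario: record a baseline, simulate unexpected changes, then compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir(); (root / "etc").mkdir()
        login, passwd = root / "bin" / "login", root / "etc" / "passwd"
        login.write_bytes(b"original login program")
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        for f in (login, passwd): os.utime(f, ns=(10**18, 10**18))  # old, known baseline mtime
        baseline = snapshot(root)
        # Simulated changes: login replaced with its mtime reset, an extra uid-0 account, a new file.
        login.write_bytes(b"replacement login program")
        os.utime(login, ns=(baseline["bin/login"]["mtime"],) * 2)
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir(); (root / "tmp" / ".cache").write_bytes(b"unexpected")
        return compare(baseline, snapshot(root))
```

In practice the baseline itself must be stored where an intruder cannot alter it (practice 4), for example on read-only media, or the comparison proves nothing.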


 

Summary of recommended practices

Area                                         Recommended Practice
Preparation                                  1. Establish a policy and procedures that prepare your organization to detect signs of intrusion.
                                             2. Identify data that characterize systems and aid in detecting signs of suspicious behavior.
                                             3. Manage logging and other data collection mechanisms.
Integrity of intrusion detection software    4. Ensure that the software used to examine systems has not been compromised.
Behavior of networks and systems             5. Monitor and inspect network activities for unexpected behavior.
                                             6. Monitor and inspect system activities for unexpected behavior.
                                             7. Inspect files and directories for unexpected changes.
Physical forms of intrusion                  8. Investigate unauthorized hardware attached to your organization's network.
                                             9. Inspect physical resources for signs of unauthorized access.
Follow through                               10. Review reports by users and external contacts about suspicious and unexpected behavior.
                                             11. Take appropriate actions upon discovering unauthorized, unexpected, or suspicious activity.


 

Abbreviations used in these practices

ACK Acknowledgement
ARP Address Resolution Protocol
ASCII American Standard Code for Information Interchange
ACL Access Control List
BOOTP Boot Protocol
CGI Common Gateway Interface
CPU Central Processing Unit
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
FTP File Transfer Protocol
HAVAL Hashing Algorithm with VAriable Length
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IP Internet Protocol
IRC Internet Relay Chat
ISP Internet Service Provider
MAC Media Access Control
NTP Network Time Protocol
PGP Pretty Good Privacy
SHA Secure Hash Algorithm
SNMP Simple Network Management Protocol
SYN Synchronize
TCP Transmission Control Protocol
UDP User Datagram Protocol
WORM Write Once Read Many


 

References and sources


[Alberts 00] Alberts, Christopher J., et al. Health Information Risk Assessment and Management: Toolkit, Section 4.5.

[Alberts 99] Alberts, Christopher J., et al. Operationally Critical Threat, Assets, and Vulnerability Evaluation℠ (OCTAVE℠) Framework, Version 1.0. (CMU/SEI-99-TR-017). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999.

[Allen 99] Allen, Julia, et al. State of the Practice of Intrusion Detection Technologies. (CMU/SEI-99-TR-028). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999.

[Allen 00] Allen, Julia, et al. Securing Network Servers. (CMU/SEI-SIM-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000.

[Bejtlich] Bejtlich, Richard. Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events.

[CERIAS] Center for Education, Research, and Information Assurance Security (CERIAS) [formerly known as Computer Operations, Audit, and Security (COAST)]. Monitoring and intrusion detection tools available for downloading (2000).

[CERT/CC] CERT® Coordination Center. Advisories, incident notes, vulnerability notes, and tech tips. Relevant tech tips include Intrusion Detection Checklist and Steps for Recovering from a UNIX Root Compromise (2000).

[Dunigan 99] Dunigan, Tom & Hinkel, Greg. Intrusion Detection and Intrusion Prevention on a Large Network: A Case Study. Proceedings of the 1st Workshop on Intrusion Detection and Network Monitoring. Santa Clara, CA, April 9-12, 1999.

[Firth 97] Firth, Robert, et al. An Approach for Selecting and Specifying Tools for Information Survivability. (CMU/SEI-97-TR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1997.

[Garfinkel 96] Garfinkel, S. & Spafford, G. Practical UNIX and Internet Security, Second Edition. Sebastopol, CA: O'Reilly & Associates, Inc., 1996.

[Guttman 97] Guttman, B. & Bagwill, R. Internet Security Policy: A Technical Guide - Draft. Gaithersburg, MD: NIST Special Publication 800-XX, 1997.

[IETF 97] Internet Engineering Task Force Network Working Group. RFC 2196, Site Security Handbook. Edited by Barbara Fraser (1997).

[Kessler 00] Kessler, Gary C. Securing Your Web Site (February 2000).

[Kossakowski 99] Kossakowski, Peter, et al. Responding to Intrusions. (CMU/SEI-SIM-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999.

[Kossakowski 00] Kossakowski, Peter, et al. Securing Public Web Servers. (CMU/SEI-SIM-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000.

[Maximum 97] Anonymous. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. Indianapolis, IN: Sams.net Publishing, 1997.

[Newsham 98] Newsham, Tim & Ptacek, Tom. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection (1998).

[Northcutt 99] Northcutt, Stephen. Network Intrusion Detection: An Analyst's Handbook. Indianapolis, IN: New Riders, 1999.

[Pichnarczyk 94] Pichnarczyk, Karyn; Weeber, Steve; & Feingold, Richard. Unix Incident Guide: How to Detect an Intrusion. (CIAC-2305 R.1). Livermore, CA: Lawrence Livermore National Laboratory, Department of Energy Computer Incident Advisory Capability, December 1994.

[Ranum 99] Ranum, Marcus. "Some Tips on Network Forensics." Computer Security Institute, 198 (September 1999): 1-8.

[Reavis 99] Reavis, Jim. "Do you have an intrusion detection response plan?" Network World Fusion (September 13, 1999).

[Ruiu 99] Ruiu, Dragos. Cautionary Tales: Stealth Coordinated Attack HOWTO (1999).

[SANS 00] The SANS Institute. How To Eliminate The Ten Most Critical Internet Security Threats: The Experts' Consensus, Version 1.25 (2000).

[Seifried 00] Seifried, Kurt. Creating and Preventing Backdoors in UNIX Systems. SecurityPortal (June 28, 2000).

[Sellens 00] Sellens, John. "System and Network Monitoring." ;login: 25, 3 (June 2000).

[Simmel 99] Simmel, Derek, et al. Securing Desktop Workstations. (CMU/SEI-SIM-004). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999.

[Stevens 94] Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, MA: Addison-Wesley, 1994.

[Summers 97] Summers, Rita C. Secure Computing. New York, NY: McGraw-Hill, 1997.


 

Footnotes

  1.  This module replaces the previous versions of Detecting Signs of Intrusion [1997] and Preparing to Detect Signs of Intrusion [1998]. We have added information about asset characterization and system and network monitoring.

  2.  Refer to Figure 1-2 and the accompanying description in State of the Practice of Intrusion Detection Technologies [Allen 00].

Copyright 2000 Carnegie Mellon University.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark office.


This page was last updated on April 25, 2001.