Okay. The next step in our incident response life cycle is identification, so we've prepared. Now it comes down to identifying an actual incident. And, you know, we have to consider the fact that the mechanisms and devices that we use in order to detect incidents,
right, intrusion detection and prevention systems, can have false positives. We can have activities that we're monitoring that might indicate an incident, but it might turn out to be something accidental, or it might turn out to be legitimate activity that's just a little out of the norm.
So we have to, before running full steam ahead into our incident response plan,
we have to make sure that what we're dealing with truly is an incident. And sometimes you'll hear that referred to as violation analysis. Has a violation really happened? What's the nature of the violation? Is there any chance it's a false positive, or otherwise that there's some other explanation for what's going on?
We need to be able to do that very quickly because we want to move into responding to the incident
very quickly. So we're gonna look for things; we've set triggers. We have configured monitoring tools and alerts so that we can be notified with specific details in the event that some sort of malicious activity or some sort of incident would be taking place.
So we have tools like honeypots.
Honeypots detect activities by providing a decoy for an attacker. Often we'll put these in our demilitarized zones, and they look appealing because it appears that they're vulnerable hosts. Actually, there is honeypot software that collects a lot of information
about the attack:
the origin, what tools were being used. Honeypots are very, very helpful in detection and gathering information.
Um, we'll conduct network scans looking for unauthorized hosts, for unauthorized services, on a regular basis. We have intrusion detection systems and intrusion prevention systems, and we're alerted.
Um, we analyze performance: network traffic, system performance. Because when we see something out of line, like, look at network traffic increasing as people go home, that shouldn't be. I should know what's normal,
and the variance from that,
that's gonna indicate that some sort of action or activity is going on.
Right? We want to be proactive as much as possible, so we want real-time monitoring of our environment and our network.
But also, we need reactive monitoring as well. We need to be able to go back and look at audit logs and audit files, and, um,
and really go back and understand, um,
you know, even if it's after the fact, what are the characteristics of this attack. We want to make sure that we have a regular schedule on which we review these logs, because many times we can see the steps leading up to an attack. Sadly, many times we think about checking the logs after the fact.
So this step, identification,
is all about determining: is this really an attack, or is it a false positive? And then gaining as much information as we can on the attack itself.
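As an added illustration, not part of the lecture, of the "traffic increasing as people go home" trigger above: a small baseline-versus-variance check over a constructed hourly egress log. It builds a per-hour baseline from earlier days, flags the latest day's hours that deviate strongly from it, and records whether the hour is after business hours so an analyst has the detail needed for the validation step (true incident or false positive). The log format, the threshold and the business-hours window are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): "date hour bytes_out" per hour on an egress link.
# The last day shows a spike at 20:00, after most staff have gone home.
SAMPLE_LOG = """\
2024-03-04 10 820000
2024-03-04 20 41000
2024-03-05 10 790000
2024-03-05 20 39000
2024-03-06 10 845000
2024-03-06 20 44000
2024-03-07 10 810000
2024-03-07 20 615000
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is the normal working window


def parse_log(text):
    """Parse 'date hour bytes' lines into (date, hour, bytes) tuples."""
    records = []
    for line in text.splitlines():
        date, hour, nbytes = line.split()
        records.append((date, int(hour), int(nbytes)))
    return records


def baseline_by_hour(records):
    """Per-hour mean and population std dev built from every day except the latest one."""
    last_day = max(r[0] for r in records)
    per_hour = defaultdict(list)
    for date, hour, nbytes in records:
        if date != last_day:
            per_hour[hour].append(nbytes)
    return {h: (mean(v), pstdev(v)) for h, v in per_hour.items()}, last_day


def flag_anomalies(records, sigma=3.0):
    """Return one alert per latest-day hour whose volume exceeds baseline mean + sigma*stddev.
    Each alert carries the observed bytes, the baseline and an after-hours flag, which is
    the context the identification step needs to judge incident versus false positive."""
    baseline, last_day = baseline_by_hour(records)
    alerts = []
    for date, hour, nbytes in records:
        if date != last_day or hour not in baseline:
            continue  # only the latest day is scored, and only hours with a baseline
        mu, sd = baseline[hour]
        if nbytes > mu + sigma * sd:
            alerts.append({"hour": hour, "bytes": nbytes, "baseline": round(mu),
                           "after_hours": hour not in BUSINESS_HOURS})
    return alerts
```

Running `flag_anomalies(parse_log(SAMPLE_LOG))` yields a single alert for hour 20 marked after-hours; the 10:00 reading stays within its baseline and is not raised.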