Network-Based Tools

Many general-purpose network diagnostic tools can be useful during incident response operations. These include network protocol analyzers, sniffers, and network-based Intrusion Detection Systems (IDSs). In fact, network-based tools are probably the most useful diagnosis and analysis tools available today to the incident response practitioner, and their range of application is enormous. The most common incident response uses of network-based tools include the following:

Attack detection

Although not part of incident response per se, a good Intrusion Detection System (IDS) architecture can be a superb means of electronically watching over an information infrastructure for indicators of attack. In fact, an IDS and an IRT function are really two complementary parts of a robust information security program. Further, many IDS tools have features that are highly applicable to incident response operations. Note that we are referring to Intrusion Detection here in a very broad sense, not just dedicated special-purpose IDS tools. Included in this category of Attack Detection is any network or system component that provides event logging data that detects whether an incident has taken place. This could include, for example, standard operating system event logs, router event logs, and so forth. When these logs are appropriately monitored for anomalies, they can be tremendously useful at alerting the operations staff to possible security incidents.
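As an added illustration (not code from the book), here is the kind of log monitoring the paragraph describes, run over a few constructed syslog-style lines from a host's sshd log and a router's access-list log; the hostnames, addresses, thresholds and log formats are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an OS auth log and a router ACL log forwarded to one
# syslog collector (assumed "Mon DD HH:MM:SS host program: message" layout).
SAMPLE_LOGS = """\
Mar 10 02:14:01 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 srv1 sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 srv1 sshd[812]: Failed password for oracle from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:09 srv1 sshd[812]: Failed password for test from 203.0.113.7 port 51027 ssh2
Mar 10 02:20:30 srv1 sshd[830]: Failed password for alice from 198.51.100.4 port 40210 ssh2
Mar 10 02:20:45 srv1 sshd[830]: Accepted password for alice from 198.51.100.4 port 40211 ssh2
Mar 10 02:31:12 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4431) -> 10.0.0.5(23), 1 packet
"""

SSH_FAIL = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACL_DENY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) %SEC-6-IPACCESSLOGP: list (\d+) denied (\w+) (\S+)\(\d+\) -> (\S+)\((\d+)\)")

def parse_ts(ts: str) -> datetime:
    # Syslog timestamps omit the year; the year is fixed here to keep the example deterministic.
    return datetime.strptime("2024 " + ts, "%Y %b %d %H:%M:%S")

def detect_anomalies(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Two simple anomaly rules: a burst of SSH failures from one source within
    `window`, and router ACL denies aimed at an internal admin port (22/23)."""
    fails = defaultdict(list)   # source address -> [(timestamp, username), ...]
    alerts = []
    for line in text.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            ts, _host, user, src = m.groups()
            fails[src].append((parse_ts(ts), user))
            continue
        m = ACL_DENY.match(line)
        if m and m.group(7) in ("22", "23"):
            alerts.append(("acl_deny_admin_port", m.group(5), m.group(6), m.group(7)))
    for src, events in fails.items():        # sliding window per source
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            if len(in_window) >= threshold:
                alerts.append(("ssh_bruteforce", src, len(in_window), sorted({u for _, u in in_window})))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGS):
        print(alert)
```

A real deployment would read from the collector and tune the threshold and window per host class; the point is that the raw OS and router logs already carry the indicators once something watches them.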

Attack diagnosis

Once an incident has been ...
