Intruders are always looking for new ways to break into networked computer systems. Even if your organisation has implemented comprehensive information security protection measures (such as firewalls), it is essential that you closely monitor your information assets and transactions involving these assets for signs of intrusion. Monitoring may be complicated because intruders often hide their activities by changing the systems they break into.

A general security goal is to prevent intrusions. However, because no prevention measures are perfect, you also need a strategy for handling intrusions that includes preparation, detection, and response. The following focuses on preparation and detection. The practices recommended below are designed to help you prepare for and detect intrusions by looking for unexpected or suspicious behaviour and "fingerprints" of known intrusion methods.
These practices do not cover

• preventing intrusions
• responding to intrusions. Refer to Responding to Intrusions [Kossakowski 99].
• establishing initial configurations of applications, operating systems,
• networks, or workstations. Refer to Securing Desktop Workstations [Ford 99],
• Securing Network Servers [Allen 00], and Securing Public Web Servers [Kossakowski 00].
• protecting user privacy while in the process of detecting signs of intrusion
• using security monitoring and reporting services provided by outside (third party) organisations

If you do not know that an intrusion or an intrusion attempt has occurred, it is difficult, if not impossible, to later determine if your systems have been compromised. If the information necessary to detect an intrusion is not being collected and reviewed, you cannot determine what sensitive data, systems, and networks are being attacked and what breaches in confidentiality, integrity, or availability have occurred. As a result of an inadequate ability to detect signs of intrusion, the following may occur:

• You will be unable to detect such signs in a timely manner due to the absence of necessary warning mechanisms and review procedures.
• You will be unable to identify intrusions because of the absence of expected state information with which to compare your current operational state.

  Differences between this expected configuration and your current state can provide an indication that an intrusion has occurred.

• You will be unable to determine the full extent of the intrusion and the damage it has caused. You will also be unable to tell whether or not you have completely removed the intruder from your systems and networks. This will significantly increase your time to recover.
• Your organisation may be subject to legal action. Intruders make use of systems they have compromised to launch attacks against others. If one of your systems is used in this way, you may be held liable for not exercising adequate due care with respect to security.
• Your organisation may experience lost business opportunities and its reputation may suffer.

The general approach to detecting intrusions is

• Observe your systems for anything unexpected or suspicious.
• Investigate anything you find to be unusual.
• If your investigation finds something that isn't explained by authorised activity, immediately initiate your intrusion response procedures.

While this process sounds simple enough, implementing it is a resource-intensive activity that requires continuous, automated support and daily administrative effort. Furthermore, the scale of intrusion detection practices may need to change as threats, system configurations, or security requirements change. In all cases, however, there are five areas that must be addressed.

Adequate preparation, which should include

• defining the required policies and procedures necessary to meet your business objectives and prepare your staff and systems to detect signs of intrusion
• integrity of the software you use to detect intrusions
• monitoring the behaviour of your systems and the traffic on your networks
• physical forms of intrusion to your computer systems, off-line data storage media, and output devices
• follow through, including investigation of reports by users and other reliable sources (such as incident response teams) and taking action when unexpected activities occur

1. Establish a policy and procedures that prepare your organisation to detect signs of intrusion.
2. Identify data that characterise systems and aid in detecting signs of suspicious behaviour.
3. Manage logging and other data collection mechanisms. Integrity of intrusion detection software
4. Ensure that the software used to examine systems has not been compromised. Behaviour of networks and systems
5. Monitor and inspect network activities for unexpected behaviour.
6. Monitor and inspect system activities for unexpected behaviour.
7. Inspect files and directories for unexpected changes. Physical forms of intrusion
8. Investigate unauthorised hardware attached to your organisation's network.
9. Inspect physical resources for signs of unauthorised access.
10. Review reports by users and external contacts about suspicious and unexpected behaviour.
11. Take appropriate actions upon discovering unauthorised, unexpected, or suspicious activity.