When your intrusion detection system raises an alarm, you need to respond quickly to limit the damage. The longer the response takes, the more likely it is that your systems will be damaged severely. If you have no plan for what to do when you detect or suspect an intrusion, you will only panic, and the attacker gets ample time to do whatever they intend with your systems and data.
The first thing to do is make sure the alarm is not a false positive. False positives are events that an IDS (intrusion detection system) reports as a real intrusion when in fact they are not. You do not want to hit the panic button while you still cannot tell whether an alarm is a true positive or a false one. The solution is to study your alerts and keep a list of known false positives (which signature, from which source, and why it is benign), so that you know what is actually going on when an alarm fires.
Note: network- and host-based intrusion detection systems are not perfect, and they may raise alarms for non-malicious traffic and activity. Most critical alarms need human intervention and judgement, because automated response is effective for only a few specific types of attack.
Responses you can take when you detect an intrusion
Block the source IP: you can block the attacker's IP address from accessing your network. An IDS can easily block the address it considers the source of the attack. Blocking an IP can be effective against spam and DoS (denial of service) attacks, but it is ineffective when the attacker uses a spoofed source IP.
Firewalls are ideal for blocking IP addresses. But automatic blocking is risky when an attacker deliberately sends packets with a forged source address in order to make the firewall block that address. An attacker who forges the address of a legitimate user can get that user locked out the next time they send a request, turning your own response into a denial of service. Automatic blocks should therefore be limited to sources that cannot be spoofed, should never cover your own or partner networks, and should expire after a set time.
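The two points above, a maintained list of known false positives and a refusal to block on spoofable evidence, can be combined into one triage step that runs before any firewall rule is generated. The following Python is an added example written for this page, not the author's code and not the logic of any IDS or firewall product. Every alert record, signature ID (1000001 to 1000004, in the local-rules range), address and rule list in it is constructed for illustration, and the nft command it produces assumes a set named blocklist declared with flags timeout in an inet filter table; the command is returned as a string and never executed.

```python
"""Triage IDS alerts before any automatic block is applied.

Added example for this page, not the page author's code. Every alert record,
signature ID, address and rule below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Ranges that must never be auto-blocked (own networks, partners): a spoofed
# packet carrying one of these addresses would otherwise lock real users out.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "192.168.0.0/16", "198.51.100.0/24")]

# Known false positives learned from past investigations: (sid, source network, reason).
KNOWN_FALSE_POSITIVES = [
    (1000002, ipaddress.ip_network("10.0.5.0/24"), "internal vulnerability scanner runs this probe"),
]

BLOCK_THRESHOLD = 2        # non-spoofable alerts from one source before it is blocked
WINDOW_SECONDS = 600       # only alerts this recent count towards the threshold
BLOCK_TTL_SECONDS = 3600   # blocks expire, so a mistake or a spoofed burst heals itself


def classify(alert):
    """Classify one alert on its own: 'suppress', 'review' (human) or 'candidate' for blocking."""
    src = ipaddress.ip_address(alert["src"])
    for sid, net, reason in KNOWN_FALSE_POSITIVES:
        if alert["sid"] == sid and src in net:
            return "suppress", reason
    if any(src in net for net in NEVER_BLOCK):
        return "review", "source is in a never-block range"
    # Only a completed TCP handshake shows the source address really belongs to the
    # sender; UDP datagrams and lone SYNs can carry any source address at all.
    if alert["proto"] != "tcp" or not alert["established"]:
        return "review", "source address is spoofable (no completed TCP handshake)"
    return "candidate", "non-spoofable source"


def triage(alerts):
    """Return one decision per alert, blocking a source only after repeated non-spoofable hits."""
    recent = defaultdict(list)   # src -> timestamps of block-candidate alerts
    decisions = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        outcome, reason = classify(a)
        if outcome == "candidate":
            hits = [t for t in recent[a["src"]] if a["ts"] - t <= WINDOW_SECONDS] + [a["ts"]]
            recent[a["src"]] = hits
            if len(hits) >= BLOCK_THRESHOLD:
                outcome, reason = "block", f"{len(hits)} non-spoofable alerts within {WINDOW_SECONDS}s"
            else:
                outcome, reason = "review", f"{len(hits)} of {BLOCK_THRESHOLD} alerts needed to block"
        decisions.append({"ts": a["ts"], "sid": a["sid"], "src": a["src"],
                          "outcome": outcome, "reason": reason})
    return decisions


def block_command(ip, ttl=BLOCK_TTL_SECONDS):
    """Build (but do not run) the nft command that adds a source to a timed blocklist.

    Assumes a set declared as: nft add set inet filter blocklist '{ type ipv4_addr; flags timeout; }'
    """
    ipaddress.ip_address(ip)   # reject anything that is not an address before it nears a shell
    return f"nft add element inet filter blocklist {{ {ip} timeout {ttl}s }}"


# Constructed sample alerts (not real IDS output): ts in seconds, sid in the local-rules range.
SAMPLE_ALERTS = [
    {"ts": 100, "sid": 1000001, "msg": "LOCAL web shell command in HTTP body",
     "src": "203.0.113.10", "dst": "192.0.2.5", "proto": "tcp", "established": True},
    {"ts": 130, "sid": 1000003, "msg": "LOCAL SQL injection in query string",
     "src": "203.0.113.10", "dst": "192.0.2.5", "proto": "tcp", "established": True},
    {"ts": 140, "sid": 1000002, "msg": "LOCAL inbound probe to MSSQL 1433",
     "src": "10.0.5.20", "dst": "192.0.2.8", "proto": "tcp", "established": False},
    {"ts": 150, "sid": 1000004, "msg": "LOCAL possible UDP amplification request",
     "src": "203.0.113.55", "dst": "192.0.2.53", "proto": "udp", "established": False},
    {"ts": 160, "sid": 1000001, "msg": "LOCAL web shell command in HTTP body",
     "src": "198.51.100.200", "dst": "192.0.2.5", "proto": "tcp", "established": True},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(f"{d['src']:16} sid={d['sid']} {d['outcome']:9} {d['reason']}")
        if d["outcome"] == "block":
            print("   ", block_command(d["src"]))
```

The spoofability test is the check that matters: a UDP datagram or a lone SYN proves nothing about who sent it, so those alerts go to a human, while repeated hits over an established TCP session from a public address can be blocked automatically, and even then only with a timeout so that a wrong block undoes itself.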
Session sniping: also known as knockdown. In session sniping, the existing connection between the intruder's machine and the host is reset. By sending TCP segments with the RST bit set to the attacker's machine (and, to tear down the local half as well, to the victim), you break the TCP connection without touching any firewall rule.
Session sniping may not work if either end handles the reset differently from what you expect. A host only honours a RST whose sequence number falls inside its receive window, and a modern stack following RFC 5961 requires it to match the next expected sequence number exactly, answering anything else with a challenge ACK; so the reset must be built from the most recently observed segment in each direction. It does nothing for UDP or other connectionless traffic, and an attacker whose whole payload fits in the first segment has finished before the reset arrives.
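The sequence-number rule above is where hand-built resets usually go wrong, so here is how the two RST segments are derived from one observed attacker-to-victim segment. This is an added example for this page, not the author's code or any IDS product's implementation. The observed segment is constructed, not captured traffic, and the part that actually transmits the result (a raw socket opened as root with IP_HDRINCL) is deliberately left out; the code only builds the IPv4 and TCP headers, computes their checksums, and lets you check the numbers offline.

```python
"""Build the TCP RST segments that snipe an observed connection.

Added example for this page, not the page author's code. The observed
attacker-to-victim segment is constructed, not captured. Sending needs a raw
socket (root, IP_HDRINCL) and is left out; the point is getting the sequence
numbers right, because a stack following RFC 5961 only honours a RST whose
sequence number is exactly the next one it expects.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data):
    """RFC 1071 Internet checksum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Return a complete IPv4+TCP packet (no options) with valid checksums."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (5 << 12) | flags, 0, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt):
    """Pull the fields a reset needs out of an IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x3F, "payload_len": len(tcp) - data_off,
    }


def checksums_ok(pkt):
    """True when both checksums verify (the sum over a header including its field is 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def build_rst_pair(observed):
    """Given one sender->receiver segment, build the RST aimed at each end.

    The segment consumed payload_len bytes of sequence space, plus one each for
    SYN and FIN. The receiver therefore expects seq + consumed from the sender
    next, and the sender expects exactly the ACK number it just sent.
    """
    f = parse_segment(observed)
    consumed = f["payload_len"] + bool(f["flags"] & SYN) + bool(f["flags"] & FIN)
    # Spoofed as the receiver (victim), aimed at the sender (attacker).
    to_sender = build_tcp_packet(f["dst"], f["src"], f["dport"], f["sport"],
                                 seq=f["ack"], ack=f["seq"] + consumed, flags=RST | ACK)
    # Spoofed as the sender (attacker), aimed at the receiver (victim).
    to_receiver = build_tcp_packet(f["src"], f["dst"], f["sport"], f["dport"],
                                   seq=f["seq"] + consumed, ack=f["ack"], flags=RST | ACK)
    return to_sender, to_receiver


# Constructed observed segment: attacker 203.0.113.10:51234 -> victim 192.0.2.5:22
OBSERVED = build_tcp_packet("203.0.113.10", "192.0.2.5", 51234, 22,
                            seq=1000, ack=5000, flags=PSH | ACK, payload=b"whoami")

if __name__ == "__main__":
    for pkt in build_rst_pair(OBSERVED):
        f = parse_segment(pkt)
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} flags={f['flags']:#04x} ok={checksums_ok(pkt)}")
```

Run stand-alone it prints the two resets: the one to the attacker carries seq 5000 (the ACK the attacker just sent) and the one to the victim carries seq 1006 (1000 plus the six payload bytes). Build them from a stale segment and the numbers drift out of the window, which is exactly the failure the text warns about.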
Gather additional information: one of the worst enemies during a suspected attack is panic. If you are a network security administrator, make sure you do not panic when your organization needs you most. Hold intrusion response rehearsals on a regular basis, and write a comprehensive response plan that you and your team follow when the time comes. Always audit the logs generated by your sensors and security devices. Look for patterns in the information you gather, and study attack patterns to make your IDS more robust and better tuned. Also prepare a plan for taking legal action once you identify the origin of the attack. Remember that the attack may come not only from your own country but from anywhere in the world, so it is better to have a response plan ready for the case where the intrusion is traced to a foreign jurisdiction.