Responding to events and notifications, Event categories, What do i do when – Raritan Computer COMMANDCENTER NOC User Manual

134

COMMANDCENTER NOC ADMINISTRATOR GUIDE

as to whether or not new signatures should be applied to a given CC-NOC. This reduces your
workload, while automating the most difficult part of intrusion detection—keeping it up-to-date.

Responding to Events and Notifications

Once you’ve used the Signature Profiler to build a model of your network and systems
infrastructure, your CC-NOC is now ready to start generating events and notifications. Now the
question becomes “What events/notifications will I receive, and what will I do with them once
I’ve got them?”

Event Categories

• Successful Administrator Privilege Gain: This category includes threats in which the traffic indicates that an attempt to compromise the security on a system at an administrator level has occurred, and that attempt was successful.

• Attempted Administrator Privilege Gain: This category includes threats in which an attempt to compromise the system security at an administrator level has occurred, but there are no indications as to whether or not the attempt succeeded.

• Successful User Privilege Gain: This category includes attempts to compromise systems at a user level, and the traffic indicates that this attempt was successful.

• Attempted User Privilege Gain: This category includes attempts to compromise systems at a user level, with no indication as to whether or not the attack succeeded.

• Unsuccessful User Privilege Gain: This category includes attempts to compromise systems at a user level that have failed.

• Denial of Service: This category identifies traffic patterns designed to disable a service or user access to a machine through excessive network traffic or system exploits.

• Attempted Denial of Service: This category identifies attempts to generate the traffic or exploits necessary to create a denial of service attack.

• Large Scale Information Leak: This category includes attacks in which the loss of system or environmental information across a number of nodes was incurred, including access to password lists or user information. This is significant, as these types of attacks usually precede more in-depth and destructive attacks.

• Information Leak: This category includes attacks where some system information is compromised which could aid in future attacks.

• Attempted Information Leak: This category includes attacks that indicate an attempt to gather information about systems or users that could aid in future, larger scale attacks.

• Potentially Bad Traffic: This category includes any traffic that may be normal in the course of business, but is likely to be traffic that really should not occur.

• Unknown traffic: This category includes traffic recognized as abnormal, but that is not associated with a known attack or intrusion. Events from this category are ignored by default.

• Normal traffic: This category includes traffic that doesn’t fit into any other categories, because it hasn’t triggered a signature, and is really useful only for troubleshooting the CC-NOC. Events from this category are ignored by default.

What do I do when…

The CC-NOC’s job is to inform when you and your infrastructure are potentially at risk, and the
decision as to how to respond is left to you—the one with the understanding of your infrastructure
and your business. While we cannot provide a list of how to respond to each particular potential
threat, we can share this list of things to consider when receiving events and notifications from
your CC-NOC:

• Does this event mean that traffic is coming through my firewall that shouldn’t be? Can I further refine my firewall configuration to disallow this type of traffic? What about traffic to/from this source/destination address?