Chapter 19 Incident Investigation And Mitigation; Incidents Overview - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Chapter 19
Incident Investigation and Mitigation
An incident is a chain of events that are correlated by a rule to signal an attack upon your network. MARS simplifies and expedites the detection, mitigation, reporting, and analysis of the incident. The Network Summary dashboard and the Incident pages help you detect recent incidents and show the rules and the events that compose them. Mitigation refers to the ability of MARS to isolate the attacking and compromised network devices by identifying and configuring enforcing devices that act as choke points in the network. Queries and reports reveal the scope of a problem and gather data for analysis and regulatory compliance. All of this information can be captured in a case report with Case Management and escalated to the relevant personnel.

Incidents Overview

An attack can consist of a reconnaissance activity (for instance, a port scan), followed by a penetration attempt (such as a buffer overflow), followed by malicious activity on the target host (for example, a local privilege escalation attack or the installation of backdoors).

An incident, which is generated by a Local Controller, collects the interesting events that constitute an attack scenario and uses rules to describe them. MARS provides you with pre-defined system rules, which you can fine-tune, and gives you the ability to create your own rules.

Incidents are sub-divided into instances to make it easier for you to investigate the attack scenario. Each instance alone is a full attack scenario.

For example, if your network is probed for a DoS attack and then attacked, a rule fires when it sees the follow-up attack. The incident displays the instances of this attack.
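The following is an added illustration, not MARS code and not from this user guide: a minimal rule-based correlator that shows the idea behind the paragraphs above. Each rule is an ordered sequence of event kinds that must occur from one source against one target within a time window; every complete match is an instance, and all instances a rule produces are grouped into one incident. The event kinds (recon, penetration, malicious, dos_probe, dos), host addresses, timestamps and rule names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not MARS code: a minimal rule-based correlator. Event kinds,
# hosts, timestamps and rule names below are constructed for illustration.


@dataclass(frozen=True)
class Event:
    ts: int      # seconds since an arbitrary epoch (constructed)
    src: str     # source host as seen by the reporting device
    dst: str     # target host
    kind: str    # normalised event type, e.g. "recon", "penetration", "malicious"


@dataclass(frozen=True)
class Rule:
    name: str
    sequence: Tuple[str, ...]   # ordered event kinds that form one attack scenario
    window: int                 # max seconds from the first to the last step


def _instances_for_pair(evs: List[Event], rule: Rule) -> List[List[Event]]:
    """Walk one (src, dst) stream in time order and return every complete
    match of the rule's sequence as an instance (a full attack scenario)."""
    instances: List[List[Event]] = []
    i = 0
    while i < len(evs):
        if evs[i].kind != rule.sequence[0]:
            i += 1
            continue
        match = [evs[i]]
        j = i + 1
        while j < len(evs) and len(match) < len(rule.sequence):
            e = evs[j]
            if e.ts - match[0].ts > rule.window:   # window expired, give up on this start
                break
            if e.kind == rule.sequence[len(match)]:  # next expected step in order
                match.append(e)
            j += 1
        if len(match) == len(rule.sequence):
            instances.append(match)
            i = j            # resume after the last event this instance consumed
        else:
            i += 1           # partial chain: try the next candidate start
    return instances


def correlate(events: List[Event], rules: List[Rule]) -> Dict[str, List[List[Event]]]:
    """Return {rule name: [instance, ...]} for every rule that fired.
    Each key is one incident; each value lists its instances."""
    by_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_pair[(e.src, e.dst)].append(e)
    fired: Dict[str, List[List[Event]]] = {}
    for rule in rules:
        instances: List[List[Event]] = []
        for evs in by_pair.values():
            instances.extend(_instances_for_pair(evs, rule))
        if instances:
            fired[rule.name] = sorted(instances, key=lambda inst: inst[0].ts)
    return fired


RULES = [
    Rule("Probe, exploit, then escalate", ("recon", "penetration", "malicious"), 600),
    Rule("DoS probe followed by DoS", ("dos_probe", "dos"), 600),
]

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Host A attacks host X twice: two full scenarios -> one incident, two instances.
    Event(0, "10.0.0.5", "192.0.2.10", "recon"),
    Event(60, "10.0.0.5", "192.0.2.10", "penetration"),
    Event(120, "10.0.0.5", "192.0.2.10", "malicious"),
    Event(1000, "10.0.0.5", "192.0.2.10", "recon"),
    Event(1020, "10.0.0.5", "192.0.2.10", "penetration"),
    Event(1100, "10.0.0.5", "192.0.2.10", "malicious"),
    # Host B: a scan and an exploit attempt too far apart to be one scenario.
    Event(0, "10.0.0.7", "192.0.2.11", "recon"),
    Event(5000, "10.0.0.7", "192.0.2.11", "penetration"),
    # Host C: the guide's own example, a DoS probe then the follow-up DoS.
    Event(200, "10.0.0.8", "192.0.2.20", "dos_probe"),
    Event(260, "10.0.0.8", "192.0.2.20", "dos"),
]


if __name__ == "__main__":
    for name, instances in correlate(SAMPLE_EVENTS, RULES).items():
        print(f"Incident: {name} ({len(instances)} instance(s))")
        for n, inst in enumerate(instances, 1):
            steps = " -> ".join(f"{e.kind}@{e.ts}s" for e in inst)
            print(f"  instance {n}: {inst[0].src} -> {inst[0].dst}: {steps}")
```

Running the block prints one incident with two instances for the first rule and one incident with a single instance for the DoS rule; host B's scan never fires because the penetration attempt falls outside the rule's window, which is the same reason a real correlator needs a bounded window rather than matching across all time.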
User Guide for Cisco Security MARS Local Controller
19-1
78-17020-01
