What law formalizes many licensing arrangements used by the software industry and attempts

Abnormal and Suspicious Activity

The key to identifying incidents is to identify any abnormal or suspicious activity. Hopefully, any suspicious activity will also be abnormal. The only way to identify abnormal behavior is to know what normal behavior looks like. Every system is different. Although you can detect many attacks by their characteristic signatures, experienced attackers know how to “fly under the radar.” You must be very aware of how your system operates normally. Abnormal or suspicious activity is any system activity that does not normally occur on your system.

An attacker with a high level of skill generally has little obvious impact on your system. The impact will be there, but it might take substantial skill to detect it. It is not uncommon for experienced attackers to replace common operating system monitoring utilities with copies that do not report system activity correctly. Even though you may suspect that an incident is in progress and you investigate, you may see no unusual activity. In this case, the activity exists but has been hidden from the casual administrator.

Always use multiple sources of data when investigating an incident. Be suspicious of anything that does not make sense. Ensure that you can clearly explain any activity you see that is not normal for your system. If it just does not “feel” right, it could be the only clue you have to successfully intervene in an ongoing incident.

Confiscating Equipment, Software, and Data

Once you determine that an incident has occurred, the next step is to choose a course of action. Your security policy should specify steps to take for various types of incidents. Always proceed with the assumption that an incident will end up in a court of law. Treat any evidence you collect as if it must pass admissibility standards. Once you taint evidence, there is no going back. You must ensure that the chain of evidence is maintained.
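The preceding discussion of abnormal activity makes two practical points: you need a baseline of what is normal for the specific host, and you should never rely on a single reporting tool, because a skilled attacker may have replaced it. The following script is an added example, not material from the study guide, that applies both ideas to constructed data: a hard-coded baseline of expected processes and listening ports, a sample of `ps`-style output as a possibly tampered utility would report it, and an independent process view of the kind you would get by enumerating `/proc` directly. The baseline values, process names, PIDs and ports are all assumptions made up for the demonstration.

```python
"""Baseline-versus-observed check across two independent data sources.

Added example (not from the study guide). Flags activity that the
known-good baseline does not account for, and cross-checks two views of
the same system so that a tampered reporting tool cannot hide a process
from both views at once.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed baseline: what "normal" looks like on this particular host.
# In practice this is built by observing the system over time.
BASELINE_PROCESSES = {"init", "sshd", "cron", "nginx", "postgres"}
BASELINE_LISTENING = {22, 80, 443, 5432}

# Constructed sample of `ps -eo pid,comm` output as a possibly tampered
# monitoring utility would report it. Note that PID 4242 is absent.
PS_OUTPUT = """\
  PID COMMAND
    1 init
  812 sshd
  900 cron
 1201 nginx
 1340 postgres
"""

# Constructed independent view: numeric entries under /proc paired with
# the contents of /proc/<pid>/comm. A patched `ps` does not affect this.
PROC_VIEW = {1: "init", 812: "sshd", 900: "cron", 1201: "nginx",
             1340: "postgres", 4242: "unknown_svc"}

# Constructed `ss -ltn`-style listening-socket view: (port, owning pid).
LISTENING = [(22, 812), (80, 1201), (443, 1201), (5432, 1340), (31337, 4242)]


def parse_ps(text: str) -> dict[int, str]:
    """Parse `ps -eo pid,comm` output into {pid: command}."""
    procs: dict[int, str] = {}
    for line in text.splitlines()[1:]:        # skip the header row
        pid, _, comm = line.strip().partition(" ")
        procs[int(pid)] = comm.strip()
    return procs


@dataclass
class Findings:
    """Everything that deviates from the baseline or between the two sources."""
    unexpected_processes: dict[int, str] = field(default_factory=dict)
    hidden_from_ps: dict[int, str] = field(default_factory=dict)
    unexpected_ports: list[tuple[int, int]] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.unexpected_processes or self.hidden_from_ps
                    or self.unexpected_ports)


def find_anomalies(ps_view: dict[int, str], proc_view: dict[int, str],
                   listening: list[tuple[int, int]]) -> Findings:
    f = Findings()
    for pid, comm in proc_view.items():
        # 1. Running, but the baseline does not account for it.
        if comm not in BASELINE_PROCESSES:
            f.unexpected_processes[pid] = comm
        # 2. The two sources disagree: present in /proc, absent from ps.
        if pid not in ps_view:
            f.hidden_from_ps[pid] = comm
    # 3. Listening ports outside the baseline, with the owning PID.
    for port, pid in listening:
        if port not in BASELINE_LISTENING:
            f.unexpected_ports.append((port, pid))
    return f


def run() -> Findings:
    """Run the check over the constructed sample data."""
    return find_anomalies(parse_ps(PS_OUTPUT), PROC_VIEW, LISTENING)


if __name__ == "__main__":
    result = run()
    print("clean" if result.is_clean() else result)
```

The value of the cross-check is the `hidden_from_ps` finding: on its own, the `ps` output looks entirely normal, which is exactly the situation the text describes. Only the disagreement between two sources exposes the hidden process, and the listening-port view then ties the unexpected port back to the same PID.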
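The paragraph above ends with the requirement that the chain of evidence be maintained and that tainted evidence cannot be recovered. The following is an added example, not material from the study guide, of how an investigator might record that chain for a collected artifact: the artifact is hashed at acquisition, every hand-off is logged with a fresh hash, and the record reports the first point at which the artifact stopped matching what was collected. The sample log excerpt, item identifiers, handler names and the tampered copy are all constructed for the demonstration.

```python
"""Chain-of-custody record with cryptographic integrity checks.

Added example (not from the study guide). Every artifact is hashed at
acquisition, every hand-off is logged with a fresh hash, and the artifact
can be re-verified at any time against the acquisition hash.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact (a disk image would be read in chunks)."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only log of who held an evidence item, when, and in what state."""

    def __init__(self, item_id: str, description: str, data: bytes, collected_by: str):
        self.item_id = item_id
        self.description = description
        # The reference value everything later is compared against.
        self.acquisition_hash = sha256_hex(data)
        self.entries: list[dict] = []
        self.log(collected_by, "collected", data)

    def log(self, handler: str, action: str, data: bytes) -> bool:
        """Record a custody event; return False if the artifact no longer matches."""
        digest = sha256_hex(data)
        intact = digest == self.acquisition_hash
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler,
            "action": action,
            "sha256": digest,
            "intact": intact,
        })
        return intact

    def verify(self, data: bytes) -> bool:
        """True if the artifact is still byte-for-byte what was collected."""
        return sha256_hex(data) == self.acquisition_hash

    def breaks(self) -> list[dict]:
        """Custody entries at which the artifact no longer matched acquisition."""
        return [e for e in self.entries if not e["intact"]]

    def to_json(self) -> str:
        """Serialise the record for inclusion in the case file."""
        return json.dumps({
            "item_id": self.item_id,
            "description": self.description,
            "acquisition_sha256": self.acquisition_hash,
            "custody": self.entries,
        }, indent=2)


# Constructed sample artifact: a one-line auth log excerpt from a workstation.
EVIDENCE = b"2024-05-01T02:14:07Z sshd[812]: Accepted publickey for svc from 10.0.0.9\n"
# Constructed tampered copy: a single field altered after collection.
TAMPERED = EVIDENCE.replace(b"10.0.0.9", b"10.0.0.8")


def demo() -> CustodyRecord:
    """Walk a constructed artifact through three custody events."""
    rec = CustodyRecord("EX-001", "auth log excerpt, workstation WS-17", EVIDENCE, "analyst_a")
    rec.log("evidence_locker", "stored", EVIDENCE)            # still intact
    rec.log("analyst_b", "checked out for review", TAMPERED)  # break detected here
    return rec


if __name__ == "__main__":
    print(demo().to_json())
```

Because each entry carries its own hash, the record shows not just that the artifact changed but which hand-off it changed at, which is the question a court will ask. Working copies for analysis should be made from the verified original so that the original's hash never has to change.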
It is common to confiscate equipment, software, or data to perform a proper investigation. The manner in which the evidence is confiscated is important. Confiscation of evidence must be carried out in a proper fashion. There are three basic alternatives.

First, the person who owns the evidence could voluntarily surrender it. This method is generally only appropriate when the attacker is not the owner. Few guilty parties willingly surrender evidence they know will incriminate them. Less-experienced attackers may believe they have successfully covered their tracks and voluntarily surrender important evidence. A good forensic investigator can extract much “covered up” information from a computer. In most cases, asking for evidence from a suspected attacker just alerts the suspect that you are close to taking legal action.

Second, you could get a court to issue a subpoena, or court order, that compels an individual or organization to surrender evidence and have the subpoena served by law enforcement. Again, this course of action provides sufficient notice for someone to alter the evidence and render it useless in court.

The last option is a search warrant. This option should be used only when you must have access to evidence without tipping off the evidence’s owner or other personnel. You must have a strong suspicion with credible reasoning to convince a judge to pursue this course of action.

The three alternatives apply to confiscating equipment both inside and outside an organization, but there is another step you can take to ensure that the confiscation of equipment that belongs to your organization is carried out properly. It is becoming more common to have all new