Example: Investigation of suspected backdoor traffic
This scenario shows how an Incident Case supports the investigation of a compromised server.
The administrator receives an IPS alert reporting active two-way backdoor traffic between a server on the organization's internal network and an unknown host on the Internet. The administrator then:
- Opens an Incident Case to help manage this incident.
- Searches the earlier Firewall and IPS logs for connections between the server and the unknown host, and in particular for the first inbound connection to the server, to establish how it was compromised and which service was exploited.
- Attaches the relevant logs to the incident case.
- Reinstalls the server from a known-good image and applies the patches that close the exploited vulnerability, so that it cannot be compromised the same way again. Because the reinstall destroys the evidence on the server itself, the relevant logs are attached to the case before this step.
- Closes the incident case.
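The log search in the steps above, as an added example that is not part of the original page or of the product it describes: a small Python script that pivots from the backdoor alert (internal host, external host, alert time) to the earlier Firewall and IPS entries between the two hosts, picks the first inbound connection from the external host as the likely initial access, and lists any other internal hosts the server contacted afterwards. The log line format, the addresses and the signature names are constructed for the example, and the 10.0.0.0/8 internal range is an assumption.

```python
"""Triage helper for a backdoor alert: find the earlier log entries that explain
how the host was compromised. Added example; the log format below is constructed
and does not match any real product's log format."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption for this example: the organisation's internal address range.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed sample logs: the server 10.1.2.3 is probed on HTTP, an IPS signature
# fires on the same flow, the server then calls back to the external host on 4444,
# touches another internal host over SMB, and hours later the backdoor alert fires.
SAMPLE_LOGS = """\
2024-03-01T09:58:12 fw allow src=203.0.113.77 dst=10.1.2.3 proto=tcp dport=8080 service=HTTP
2024-03-01T10:00:41 fw allow src=198.51.100.9 dst=10.1.2.3 proto=tcp dport=8080 service=HTTP
2024-03-01T10:00:43 ips alert src=198.51.100.9 dst=10.1.2.3 proto=tcp dport=8080 sig=HTTP_Server-Command-Injection
2024-03-01T10:01:05 fw allow src=10.1.2.3 dst=198.51.100.9 proto=tcp dport=4444 service=Unknown
2024-03-01T10:05:00 fw allow src=10.1.2.3 dst=10.1.2.50 proto=tcp dport=445 service=SMB
2024-03-01T11:30:22 ips alert src=10.1.2.3 dst=198.51.100.9 proto=tcp dport=4444 sig=Backdoor-Two-Way-Traffic
"""


@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    sensor: str   # "fw" or "ips"
    action: str   # "allow", "discard" or "alert"
    src: str
    dst: str
    dport: int
    detail: str   # service name for fw entries, signature name for ips entries


def parse_log(text: str) -> List[LogRecord]:
    """Parse the constructed 'timestamp sensor action key=value ...' format, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        records.append(LogRecord(
            ts=datetime.fromisoformat(ts),
            sensor=sensor,
            action=action,
            src=fields["src"],
            dst=fields["dst"],
            dport=int(fields["dport"]),
            detail=fields.get("service") or fields.get("sig", ""),
        ))
    return sorted(records, key=lambda r: r.ts)


def investigate(records: List[LogRecord], internal: str, external: str,
                alert_time: datetime) -> Dict[str, object]:
    """Pivot from the alert to the earlier entries that show how the host was compromised."""
    before = [r for r in records if r.ts < alert_time]
    # Every earlier event between the two hosts, in either direction: these are the
    # entries worth attaching to the incident case.
    related = [r for r in before if {r.src, r.dst} == {internal, external}]
    # The earliest inbound connection from the external host is the likely initial
    # access; its destination port says which service to examine for the vulnerability.
    inbound = [r for r in related if r.src == external and r.dst == internal]
    initial: Optional[LogRecord] = inbound[0] if inbound else None
    # IPS signatures on the same flows are the strongest evidence of the exploit used.
    signatures = [r.detail for r in related if r.sensor == "ips"]
    # Connections the server opened to other internal hosts after initial access widen
    # the scope: those hosts need checking before the case is closed.
    lateral: List[LogRecord] = []
    if initial is not None:
        lateral = [r for r in before
                   if r.ts > initial.ts and r.src == internal and r.dst != internal
                   and ip_address(r.dst) in INTERNAL_NET]
    return {"initial_access": initial, "related": related,
            "signatures": signatures, "lateral": lateral}


def run_example() -> Dict[str, object]:
    """Run the triage over the constructed logs for the alert at 11:30:22."""
    alert_time = datetime.fromisoformat("2024-03-01T11:30:22")
    return investigate(parse_log(SAMPLE_LOGS), "10.1.2.3", "198.51.100.9", alert_time)


if __name__ == "__main__":
    result = run_example()
    first = result["initial_access"]
    print("initial access:", first.ts.isoformat(), "dport", first.dport, first.detail)
    print("IPS signatures on those flows:", result["signatures"])
    print("entries to attach to the case:", len(result["related"]))
    print("internal hosts contacted afterwards:", [r.dst for r in result["lateral"]])
```

On real logs the same pivot applies: the first inbound connection identifies the exposed service, the IPS hits on that flow identify the exploit, and any internal hosts the server reached afterwards belong in the case as well, since reinstalling only the alerting server leaves them unexamined.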