Proactive detection of incidents

In order to cope with the increasing number of complex cyber-attacks, CERTs, the digital fire brigades, need to improve their operational capabilities in the proactive detection of attacks.

The most common approach used by CERTs to handle security incidents is to wait for incoming incident reports and then try to "treat" the effects of the attacks, but not necessarily the "cause". In this case the incident has already happened and has potentially had an impact on the production environment.

There is also another approach to dealing with security incidents: being proactive in detecting and blocking attacks, for example by deploying tools such as honeypots or by collecting data from external security feeds.

ENISA has published two reports in the area of proactive detection of incidents. The first report covers the use of external security feeds to detect attacks, and the second is a best-practice document on honeypots that provides a comprehensive analysis of the available honeypot solutions.