How to design a system to determine the attack vector a hacker used?
What I want to know is what simple to more complex things should any systems designer implement that will give details about how a hacker got into the system. I think this would be helpful in closing any "backdoors" and resecuring the system after intrusion.
I live in a Windows/IIS/.NET/MSSQL world.
This is the basis of a web application firewall (WAF). In short it is a system of regular expressions to fingerprint attacks as they happen. Requests that match an attack can be blocked or logged for the future.
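As an added illustration of the request-fingerprinting idea in this answer (example code, not written by the answerer or taken from any WAF product): a small scanner that reads IIS W3C extended log lines and reports requests whose decoded path and query match a handful of well-known attack signatures. The log lines and the signature set are constructed for the example; a real deployment would use a maintained rule set and run inline or against live logs.

```python
"""Toy WAF-style log scanner: fingerprint suspicious requests in IIS W3C logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample of an IIS W3C extended log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2011-03-01 10:00:01 10.0.0.5 GET /products.aspx id=42 80 203.0.113.7 Mozilla/5.0 200
2011-03-01 10:00:02 10.0.0.5 GET /products.aspx id=42%27+OR+1%3D1-- 80 203.0.113.7 Mozilla/5.0 500
2011-03-01 10:00:03 10.0.0.5 GET /download.aspx file=..%2F..%2Fweb.config 80 203.0.113.7 Mozilla/5.0 200
2011-03-01 10:00:04 10.0.0.5 GET /search.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 80 198.51.100.2 curl/7.19 200
2011-03-01 10:00:05 10.0.0.5 GET /about.aspx - 80 198.51.100.2 Mozilla/5.0 200
"""

# Illustrative signatures (constructed): name -> regex applied to the decoded path+query.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|--\s*$|;\s*(drop|union|exec)\b)"),
    "path-traversal": re.compile(r"(\.\./|\.\.\\)"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real tool would log this rather than drop it
        yield dict(zip(fields, values))


def scan(text):
    """Return (signature, client-ip, decoded request) for every row matching a signature."""
    hits = []
    for row in parse_w3c(text):
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        # Decode before matching so %27 / + / %2F cannot slip past the patterns.
        request = unquote_plus(row["cs-uri-stem"] + ("?" + query if query else ""))
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((name, row["c-ip"], request))
    return hits


if __name__ == "__main__":
    for name, client, request in scan(SAMPLE_LOG):
        print(f"{name:15} {client:15} {request}")
```

Decoding the URL before matching is the step most often forgotten; the same is true of other encodings (double encoding, Unicode) that a production WAF normalizes first. Regex fingerprints are also only as good as the rule set, so a tool like this complements rather than replaces input validation in the application.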
Another approach is to: LOG EVERYTHING.
If you don't know where the vulnerabilities might be then you should at least be logging all user input. But then you should be validating all user input anyway, making logging it all a bit pointless. Prevention is better than after-the-fact remedies. By then it's too late anyway.
Like OrangeDog points out, the only things you can really do are log, and try to detect breaches.
More generally, there are lots of tools that exist for exactly these purposes, such as TripWire (detect that changes were made to a file), NIDS/HIDS (detect that attacks are underway), SIEMs (log collection & correlation), authentication servers (separate devices for tracking what happens), and so on.
Try going to securityfocus.com and looking at the tools. That will give you an idea of the breadth of the task you are asking about.
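To make the TripWire idea in this answer concrete, here is an added example (not the answerer's code and not TripWire itself) of the core technique: hash every file under a directory to form a baseline, then re-hash later and report what was added, removed or modified. The `demo()` scenario builds a small constructed web root in a temporary directory; the file names and contents are placeholders.

```python
"""Minimal file-integrity check in the style of TripWire: baseline, re-scan, diff."""
import hashlib
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths between two snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a toy web root, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # Placeholder contents; only the hashes matter for the check.
        files = {
            "web.config": b"<configuration/>",
            "default.aspx": b"<%@ Page %>",
            "bin/app.dll": b"MZ placeholder",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        baseline = snapshot(root)

        # Three kinds of change the check must surface: a new file, a tampered
        # binary, and a deleted page.
        with open(os.path.join(root, "unexpected.aspx"), "wb") as f:
            f.write(b"placeholder")
        with open(os.path.join(root, "bin", "app.dll"), "ab") as f:
            f.write(b" patched")
        os.remove(os.path.join(root, "default.aspx"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The baseline only has value if an intruder cannot quietly rewrite it, so in practice it is stored off the monitored host (or signed) and the comparison runs from a trusted context; that is also why the commercial and open-source tools the answer points to exist rather than a script like this.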