Chapter 7 Summary: Responding To Intrusions
Most organizations are not adequately prepared to respond to a computer system intrusion. A well-defined strategy must be documented and executed in order to minimize the impact of an intrusion. Note that an appropriate structured response is contingent upon discovering the intrusion in the first place. Staff members must be trained to respond quickly and appropriately. The response must include a contact list so that the appropriate personnel are reached. Contact must be made discreetly and securely to avoid leaking information about the intrusion. It may be desirable not to alert the intruder immediately: it is sometimes necessary to monitor the intrusion in order to find the breaches and the extent of the damage. In other cases it may be necessary to disable the attack as soon as possible. These decisions need to be documented so staff can respond in an appropriate manner. Appropriate response to intrusions is important to
1. prevent further damage to the breached systems,
2. prevent the spread to other systems,
3. find and patch the vulnerabilities,
4. prevent negative exposure and damage to the organization's reputation,
5. avoid possible legal liability and prosecution for failing to exercise an adequate standard of due care.
All data records, checksums and system logs must be analyzed carefully upon the discovery of a system breach. The affected systems must eventually be isolated from other systems to prevent further contamination. Compromised systems must be backed up and repaired. Systems appearing to be unaffected must be carefully examined. A comprehensive report indicating the extent of damage must be documented. When the extent of damage is fully understood, staff must implement actions to patch weaknesses in the security plan. All normal service must eventually be returned to the user community in a timely manner.
Chapter 7 Checklist
Upon discovery of an intrusion, staff must act quickly in a well-structured manner.
Contact appropriate systems personnel (this implies a contact list!)
1. Securely (don’t send e-mail using a compromised network)
2. Discreetly (contact only those who are on your contact list without announcing the event to everyone)
Analyze all available information
1. Capture and record the impacted systems’ information.
2. Back up the compromised systems
3. Isolate the compromised systems
4. Inspect other systems for possible intrusion
5. Examine system logs
6. Examine files with integrity checkers (checksums)
7. Identify the attacks used to gain access.
8. Identify the damage
Document the intrusion event
1. collect all relevant information about the incident
2. Preserve the evidence chain of custody
Contain the Intrusion
1. Temporarily shut down the affected systems
2. Disconnect the affected systems
3. Disable access, services, or accounts if needed.
4. Carefully monitor system and network activity
5. Verify that other systems are not compromised
Eliminate all means of intruder access
1. change passwords
2. remove all means for intruder access
3. reinstall compromised systems from a verifiable backup image
4. update with security patches and upgrades
5. Correct any system and network vulnerabilities
Return systems to normal operation
1. determine the requirements and timeframe to restore normal operation.
2. Restore data
3. restore services
4. monitor for repeat attempts of intrusion
Write an incident report
Update security policies and procedures as needed
Chapter 7. Responding to Intrusions Practice Summary
1. Analyze all available information.
2. Communicate with relevant parties
3. collect and protect information
4. contain the intrusion
5. Eliminate intruder access
6. return systems to normal operation
7. debrief and implement new countermeasures to prevent similar intrusions.
I. Analyze
What attacks were used to gain access?
What systems and data were accessed by intruders?
What did the intruder actually do?
Capture and record system information
Current network connections
Current processes
Active users
Open files
Memory dump
Back up compromised systems
May need to reinstall on a test system
If the backup is to be analyzed, make a copy and store the copy off site.
An intruder may have a Trojan horse that deletes log files.
Isolate the compromised system
Disconnect the compromised system
Search on other systems for signs of intrusion
Examine Logs
ID the Attacks used to gain access
Password guessing
Sendmail command
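Identifying password guessing from the logs (the "Examine Logs" and "Password guessing" items above), as an added example that is not part of the course notes: it runs over constructed sshd-style lines (the timestamp format and wording are assumptions) and flags any source with a burst of failed logins, noting whether the same source later succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines; the timestamp format and wording are assumptions of this example.
SAMPLE_LOG = """\
2024-03-04T02:15:01Z sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
2024-03-04T02:15:03Z sshd[812]: Failed password for invalid user oracle from 203.0.113.9 port 40212 ssh2
2024-03-04T02:15:04Z sshd[812]: Failed password for root from 203.0.113.9 port 40213 ssh2
2024-03-04T02:15:06Z sshd[812]: Failed password for root from 203.0.113.9 port 40214 ssh2
2024-03-04T02:15:09Z sshd[812]: Failed password for root from 203.0.113.9 port 40215 ssh2
2024-03-04T02:17:30Z sshd[814]: Accepted password for root from 203.0.113.9 port 40230 ssh2
2024-03-04T07:55:12Z sshd[901]: Failed password for alice from 198.51.100.4 port 51002 ssh2
2024-03-04T07:55:40Z sshd[903]: Accepted password for alice from 198.51.100.4 port 51003 ssh2
"""

LINE = re.compile(r"^(\S+) \S+: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(log_text):
    """Yield (time, outcome, user, source) for each line the pattern matches; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def find_password_guessing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag each source with >= threshold failures inside one window; record any later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, outcome, user, src in parse(log_text):
        (failures if outcome == "Failed" else successes)[src].append((ts, user))
    findings = {}
    for src, fails in failures.items():
        fails.sort()
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1][0] - fails[i][0] <= window:  # burst of failures
                later = {u for t, u in successes.get(src, []) if t >= fails[i][0]}
                findings[src] = {"failures": len(fails),
                                 "users_tried": sorted({u for _, u in fails}),
                                 "succeeded_as": sorted(later)}
                break
    return findings
```

A single failed login followed by success (the second source) is ordinary user behaviour and is not flagged; a success after a burst of failures is the case worth investigating first.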
ID What the intruder actually did
These are the common traces created by intruders:
1. Change the log files to hide their presence
2. Modification of a system utility so that it does not list processes started by the intruder.
3. Trojan horses, back doors, new system commands.
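Checking for those traces with an integrity checker (the checklist's "Examine files with integrity checkers (checksums)" item), as an added example that is not part of the course notes: a baseline manifest of file hashes, taken while the system was known clean and kept on read-only or off-site media, is compared against the current tree to reveal modified utilities, new files and deleted files. The scenario in demo() is constructed; on a real system run the check from trusted media, since the intruder may have modified the utilities the check depends on.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # skip links; the target is hashed under its own path
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare(baseline, current):
    """Classify differences between two manifests; each value is a set of paths."""
    base, cur = set(baseline), set(current)
    return {
        "modified": {p for p in base & cur if baseline[p] != current[p]},
        "added": cur - base,
        "deleted": base - cur,
    }

def demo():
    """Constructed scenario: a tiny 'bin' tree, then changes an intruder might leave."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"genuine " + name.encode())
        baseline = build_manifest(root)  # taken while the system is known clean
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"replacement ps that hides processes")  # modified utility
        with open(os.path.join(root, ".hidden"), "wb") as f:
            f.write(b"new back door")  # added file
        os.remove(os.path.join(root, "netstat"))  # deleted file
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```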
Communicate with relevant parties
Follow your information dissemination procedures
Name
Title
Phone
Authentication
Create a contact tree showing the order to contact individuals in case of a break-in
Use secure communication channels: do not send e-mail over compromised systems.
Here is a list of possible contacts in your contact tree:
Manager of the IS/SA group
Corporate Security officer, manager, personnel
ISP
HR if an employee is involved
Legal counsel
Law enforcement
Managers and other users
Vendors
Some of the above may have a specific set of responsibilities for dealing with intrusions.
Define the amount of information that must be disseminated to each group (information disclosure).
Collect and protect information
Collect all relevant information from system logs, written logs, backups, video tapes and photographs. Document all information securely. Keep descriptions of each event separate so as not to confuse the facts. Include dates and times of
When the event occurred
When it was discovered
Who was notified and when (date and time)
The data collected
The actions taken (dates and times of actions)
Students should write a simulated event entry as described above.
Collect and preserve evidence
Preserve the chain of custody of Evidence
Contact law enforcement if necessary
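A simulated event entry of the kind described above, with each record chained to the previous one so that later alteration or removal of an entry is detectable (a simple chain-of-custody control). This is an added example, not part of the course notes; the event, timestamps, hosts and evidence hashes are invented for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a log

def entry_hash(entry):
    """SHA-256 over the entry content (all fields except 'hash') in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def make_entry(event, occurred, discovered, notified, data_collected, actions, prev_hash):
    """One event record with the dates/times the notes call for, chained to the previous entry."""
    entry = {"event": event, "occurred": occurred, "discovered": discovered,
             "notified": notified,              # [[who, when], ...]
             "data_collected": data_collected,  # [[item, sha256 of the item], ...]
             "actions": actions,                # [[when, action], ...]
             "prev_hash": prev_hash}
    entry["hash"] = entry_hash(entry)
    return entry

def verify_log(entries):
    """True only if every entry's hash matches its content and links to the entry before it."""
    prev = GENESIS
    for e in entries:
        if e.get("prev_hash") != prev or entry_hash(e) != e.get("hash"):
            return False
        prev = e["hash"]
    return True

def demo_log():
    """Constructed simulated event; timestamps, hosts and evidence hashes are invented."""
    first = make_entry("Unauthorized root login on mail host", "2024-03-04T02:17Z", "2024-03-04T08:05Z",
                       [["IS/SA manager", "2024-03-04T08:20Z"], ["Security officer", "2024-03-04T08:25Z"]],
                       [["auth.log copy", hashlib.sha256(b"constructed auth.log").hexdigest()]],
                       [["2024-03-04T08:40Z", "Disconnected mail host from network"]], GENESIS)
    second = make_entry("Modified ps utility found on mail host", "2024-03-04T02:30Z", "2024-03-04T09:10Z",
                        [["Security officer", "2024-03-04T09:15Z"]],
                        [["disk image of mail host", hashlib.sha256(b"constructed image").hexdigest()]],
                        [["2024-03-04T09:30Z", "Image copied and stored off site"]], first["hash"])
    return [first, second]

def tampered(entries):
    """Same log with one action time quietly altered; its hash no longer matches."""
    copy = [dict(e) for e in entries]
    copy[0]["actions"] = [["2024-03-04T07:40Z", "Disconnected mail host from network"]]
    return copy
```

The chain only detects changes; to make the log itself trustworthy, store a copy of the latest hash off the compromised system (for example in the written log) and keep the evidence files whose hashes appear in data_collected under the same custody rules.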
Containment (7.5)
Assessment:
Scope
Impact
Damage
Relevant results of investigation
What is the goal of the response to the intrusion?
Note: changes to a system that is compromised may destroy evidence of the intrusion and make it difficult to do a complete analysis.
The goal is to regain control of the affected systems and deny intruder access to prevent further damage.
Denying intruder access
1. protects against further damage
2. prevents the intruder from destroying evidence
3. prevents the affected system from being used as a launch point for additional attacks.
Shut down affected systems
This will interrupt service, so the shutdown period should be minimized.
Disconnect the compromised system from the network as an alternative to shutdown
Disable Access, Services and Accounts
Disable the account, change the password.
Continue to monitor system activity to determine if the intruder has other means of access.
Check other systems to ensure they are not subject to the same vulnerabilities.
Backdoors installed by intruders
Consider reinstalling the OS and all other services, applications (clean reinstall). Recover data from backups if it can be verified as untainted.
Intruders advertise compromised systems widely. Compromised systems are posted on the internet for others to access.
Determine if there are any security patches for the known compromise. Install the patches.
Reinstall new copies of the trusted software from original (read only) media.
Change all passwords.
Delete malicious programs and files.
Review system configurations
User accounts
System services and their configurations
Audit and monitoring facilities
Access control lists
Policy considerations:
1. Regular checks for system/network vulnerabilities
2. Evaluation and installation of patches
3. Update staff on new alerts (bulletins & advisories).
It is possible that a system may be required to return to service before adequate measures are taken to secure the system. This is a management decision.
An intruder may install a backdoor to gain access later.
It is possible to compromise data in ways that would go unnoticed, e.g. by changing a single entry in a spreadsheet.
Hold a postmortem review:
1. Did the detection response work as intended?
2. Did the policies and procedure work as intended?
3. What methods of discovery and monitoring procedures would have improved the situation?
4. Updates to policies and procedures.
5. Communication by staff
Estimate the cost associated with an intrusion to support a business case for investment in better security.