Responding to Various Types of Incidents - Section 3

Date: 2011-08-15
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping, Denial of Service and Inappropriate Usage were covered in the previous sections. This section covers Espionage, Hoaxes and Unauthorized Access.
Type 5: Espionage
Espionage is stealing information to subvert the interests of an organization or government. Many cases of unauthorized access to corporate systems are for espionage purposes.
Special Action 5.1: Maintain a very small core team
Espionage and insider criminal cases do not benefit from many helpers. The risk of an information leak or evidence contamination rises with every additional worker added to the investigation. A senior member of management, such as the CIO or Chief Security Officer, must be advised, as must the incident handling team member on the legal staff. The technical lead should be one of the more seasoned members of the incident handling team, someone who has already proven capable in previous sensitive situations. One issue that often arises is whether to include the system administrator responsible for the system targeted in the attack. If you are reasonably sure the sysadmin is not involved in the espionage, the answer is probably yes.
Special Action 5.2: Maximize data collection
Ensure that access records of the affected facility are collected and protected. These may include records from badge access systems, phone records from your organization's PBX, log books, system logs, network logs and surveillance videos. Collect as much back data as possible.
Special Action 5.3: Consider misdirection
If an outsider is collecting the information, you may be able to provide erroneous information and actually benefit from the incident. If you suspect the information is being collected and distributed by an insider, this is less likely to work.
Special Action 5.4: Target analysis
Review the lead or leads that tipped off the organization that it might be dealing with espionage. Ask what the most probable targets of the activity are. For each probable target, ask: What is the information worth? Who (outside the organization) might benefit from having it? What are all the possible ways to acquire these targets? What are the two or three most likely ways to acquire them? This process leads to a fairly simple but important question: are monitoring capabilities in place for the most likely ways to acquire the most probable targets? If the answer is yes, begin reviewing the monitoring data immediately. If the answer is no, determine what is required to monitor the most likely ways to acquire the probable targets. Make it so.
Special Action 5.5: (Advanced) Establish a war room
A war room is a secure room holding copies of the evidence in the case. Its purpose is to display the data in a meaningful way to help solve high-risk or difficult cases. The walls of the room can be covered with evidence, lines of investigation, charts from the target analysis process, maps of the area and blueprints of the facility. A tape player and TV/VCR should be available; it is often a good idea to record and play back interviews or access tapes.
Type 6: Hoaxes
Warning: If you receive a mail message entitled "Here it is doodz" don't open it! If you do it will delete all the files on your hard disk, stop your pacemaker, and cause your dog to mess on the floor.
Note: In early 1995, hundreds of thousands of users with Internet access distributed information about a virus called the Good Times Virus, even though the virus did not exist. Hoaxes are valid incidents (remember, our definition of an incident included the threat of an adverse event). They tie up incident response resources as system administrators and incident handlers try to sort things out. Hoaxes also serve to make users uncomfortable with computing resources by spreading fear, uncertainty, and doubt.
Special Action 6.1: Use hoax lists on the Internet.
Type 7: Unauthorized Access
Unauthorized access ranges from improperly logging into a user's account (e.g., when a hacker logs in to a legitimate user's account), to unauthorized access to files and directories stored on a system or storage media by obtaining superuser privileges. Unauthorized access could also entail access to additional computer systems facilitated by gathering logon names and passwords through an unauthorized "sniffer" program or device to capture all packets traversing the network at a particular point. Another common method used to gain unauthorized access is to exploit a vulnerability in information systems, routers, or even firewalls. Exploit scripts for gaining unauthorized access are widely available on hacker web sites.
Special Action 7.1: Examine firewall or filtering router protections
The single most likely avenue of attack from an outsider is through an organization's network connections, especially the Internet connection. If possible, do not allow the "r-utilities", sunrpc, X Windows, or NetBIOS/IP through. Telnet and FTP should be allowed only to systems that absolutely need to provide these services to the Internet. Web servers, DNS servers and mail relay systems are always popular targets with attackers; run as few services on these systems as possible and ensure they are well protected.
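An added example (not from the original article or from SANS) that turns Special Action 7.1 into a check: it evaluates a simplified first-match firewall policy and reports which of the services named above are still reachable from the Internet. The host names, the policies and the service-to-port mapping are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Services named in Special Action 7.1 mapped to their standard ports (assumed IANA
# assignments; the article names the services, not the port numbers).
RISKY_SERVICES = {
    "r-utilities": [("tcp", 512, 514)],
    "sunrpc": [("tcp", 111, 111), ("udp", 111, 111)],
    "xwindows": [("tcp", 6000, 6063)],
    "netbios": [("tcp", 137, 139), ("udp", 137, 139)],
    "telnet": [("tcp", 23, 23)],
    "ftp": [("tcp", 21, 21)],
}

@dataclass
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    lo: int                    # first destination port of the range
    hi: int                    # last destination port of the range
    dst: Optional[str] = None  # destination host; None matches any host

def first_match(rules: List[Rule], proto: str, port: int, host: str) -> str:
    """First-match evaluation with an implicit default deny, as on most filters."""
    for r in rules:
        if r.proto in ("any", proto) and r.lo <= port <= r.hi and r.dst in (None, host):
            return r.action
    return "deny"

def exposed_services(rules: List[Rule], hosts: List[str]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Return, per risky service, the (host, proto, port) triples reachable from outside."""
    findings: Dict[str, List[Tuple[str, str, int]]] = {}
    for name, ranges in RISKY_SERVICES.items():
        for proto, lo, hi in ranges:
            for host in hosts:
                for port in range(lo, hi + 1):
                    if first_match(rules, proto, port, host) == "allow":
                        findings.setdefault(name, []).append((host, proto, port))
    return findings

HOSTS = ["web1", "dns1", "mail1", "ftp1"]  # constructed DMZ hosts
# Weak policy: a broad allow for low TCP ports placed ahead of the explicit denies.
WEAK_POLICY = [Rule("allow", "tcp", 1, 1023), Rule("deny", "tcp", 512, 514), Rule("deny", "tcp", 23, 23)]
# Hardened policy: allow only the public services, on the one host that needs each.
HARDENED_POLICY = [Rule("allow", "tcp", 80, 80, "web1"), Rule("allow", "tcp", 53, 53, "dns1"),
                   Rule("allow", "udp", 53, 53, "dns1"), Rule("allow", "tcp", 25, 25, "mail1"),
                   Rule("allow", "tcp", 21, 21, "ftp1")]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, exposed_services(policy, HOSTS))
```

The weak policy shows the classic ordering mistake: the later denies for rsh and telnet never fire because the broad allow matches first.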
Special Action 7.2: Regularly examine access services
It is not absolutely necessary to access another user's account to perpetrate an attack on a system or network. An intruder can access information, plant Trojan horse programs and so forth by misusing available services. One example is outsiders using the Network File System (NFS) or the file access mechanisms in Windows NT to reach files and directories in another of your organization's domains.
Related Links:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003

Created: 18 Mordad 1393