Responding to Various Types of Incidents - Section 1

Date: 2011-07-11 
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Type 1: Malicious Code Attacks
Malicious code is the name given to programs such as viruses, Trojan horses, worms, and scripts used by crackers/hackers to gain privileges, capture passwords, and modify audit logs to hide unauthorized activity. Malicious code is usually designed to be difficult to detect and trace. Certain viruses can even modify their signature. NOTE: Even when your firewalls and other defenses stop adversaries, those attackers may be able to accomplish the same objective with Trojan horse code preinstalled on computers you purchase. In general, you should not rely on a single security component, such as a firewall or a virus checker, to reliably protect yourself against malicious code.
Special Action 1: Use virus checkers
Anti-virus software can be effective at preventing the spread of common viruses, Trojan horses, and worms. Ensure that anti-virus software is widely available and that the signature files are kept up to date. Consider employing mechanisms that automate signature updates.
Special Action 2: Encourage users to report suspicious activity
Encourage users to report suspicious activity to help you detect an infection early on; educated users can act as effective anomaly sensors. Unexplained disk activity, unusual system messages, strange processes, and unexplained software behavior could be a sign of malicious code infection. Advertise an e-mail address or a phone number where internal users can report suspicious activity.
Special Action 3: Monitor for abnormal outgoing traffic (Advanced)
Malicious code specimens may attempt to communicate with external systems through HTTP, IRC, and other outbound protocols to propagate, announce their location, or download updates. Focus network monitoring systems to detect inexplicable packets originating from your organization bound for the Internet. Such activity occurs most frequently at system boot up, especially at the first bootup after the initial infection.
Special Action 4: Protect the software load process by doing it yourself (Advanced)
Develop processes to install all operating system software and applications locally, from tested configurations. Discourage users from installing software downloaded from the Internet, emphasizing the need for the use of trusted application images available internally.
Special Action 5: Consider alternative sources of support
Consider your actions in a scenario where you are infected by malicious code that is not widely known, in which case you might not be able to obtain detailed information about the program from anti-virus vendors. Have contact information at hand for relevant mailing lists (see Resources) and user groups that you may need to query for containment and eradication information.
Type 2: Probes and Network Mapping
Probes are a special case of unauthorized access attempts. One class of probe occurs when a potential intruder uses an exploit script against your information systems or firewall, and the script fails. The failure occurs because the exploit script does not find the target vulnerability. The probe then attempts to map your network using SNMP or broadcast ICMP "ping" packets to determine the architecture of your network. Another class of probe is used simply for information gathering. In this case, the attacker tests a variety of ports (a behavior often called a port scan) or host addresses (called a host scan), attempting to map your facility. Some attackers "war dial" your organization's phones looking for modems. With the widespread use of wireless networks, attackers are now "war driving" using wireless scanners like NetStumbler to find these networks.
Special Action 1: Report probes to your CIRT
Even if your facility doesn't have the vulnerability, your customers and suppliers may. If they have access to your systems, your facility could still suffer. There is some controversy as to whether one should "bother" CIRTs by reporting probes. AusCERT's guidance on this follows: "A reason for reporting probes to your CIRT is that they act as a central reporting agency. We have seen cases of probes that were not considered significant by individual sites being part of significantly larger attacks against many sites."
Special Action 2: Assess the damage
It is great if the intruders do not actually get inside and do damage, but ask whether they learned information about your operating systems and network architecture that they can use in the future. Examine logs carefully; if the exploit script or technique is available, consider running it against yourself to determine what information can be learned.
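The following Python script is an added example, not code from the original article or from SANS. It applies Special Action 3 for malicious code (monitoring for unexplained outbound traffic) and the log examination recommended above for probes: it parses a constructed firewall log in a hypothetical key=value format, flags external sources that touched many distinct ports on internal hosts (a port scan), and flags internal hosts reaching the Internet on ports outside an approved set (6667/IRC in the sample). The internal address range, the approved outbound ports and the scan threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): internal range, approved
# outbound ports, and the number of distinct ports that counts as a scan.
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_OUTBOUND_PORTS = {25, 53, 80, 443}
SCAN_PORT_THRESHOLD = 5

# Constructed firewall log in a hypothetical key=value format: a port scan
# from 203.0.113.5 against 10.0.0.2, plus an internal workstation reaching
# an external IRC port (the kind of traffic seen shortly after infection).
SCAN_LINES = [
    f"ts={100 + i} src=203.0.113.5 dst=10.0.0.2 dport={p} action=deny"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 139, 445))
]
SAMPLE_LOG = SCAN_LINES + [
    "ts=200 src=10.0.0.7 dst=198.51.100.9 dport=6667 action=allow",   # IRC out
    "ts=201 src=10.0.0.7 dst=198.51.100.20 dport=443 action=allow",  # normal web
    "ts=202 src=10.0.0.9 dst=10.0.0.2 dport=445 action=allow",       # internal
    "ts=203 src=203.0.113.8 dst=10.0.0.2 dport=80 action=allow",     # single hit
]

def parse(line):
    """Parse one key=value log line into typed fields."""
    kv = dict(field.split("=", 1) for field in line.split())
    return {"ts": int(kv["ts"]), "src": ip_address(kv["src"]),
            "dst": ip_address(kv["dst"]), "dport": int(kv["dport"]),
            "action": kv["action"]}

def detect_port_scans(lines, threshold=SCAN_PORT_THRESHOLD):
    """External sources that touched >= threshold distinct ports on internal hosts."""
    ports_by_src = defaultdict(set)
    for rec in map(parse, lines):
        if rec["src"] not in INTERNAL and rec["dst"] in INTERNAL:
            ports_by_src[str(rec["src"])].add(rec["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}

def detect_unexplained_outbound(lines, allowed=ALLOWED_OUTBOUND_PORTS):
    """Internal -> Internet connections on ports outside the approved set."""
    return [(str(r["src"]), str(r["dst"]), r["dport"])
            for r in map(parse, lines)
            if r["src"] in INTERNAL and r["dst"] not in INTERNAL
            and r["dport"] not in allowed]

if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_LOG))
    print("unexplained outbound:", detect_unexplained_outbound(SAMPLE_LOG))
```

Both detections are starting points for the "examine logs carefully" step: a scan hit tells you which ports the probe enumerated, and an outbound hit names the internal host to check for infection.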
Type 3: Denial of Service
Users rely on services provided by networks and computers. Attackers use many tools to cause your network and/or computer to cease operating effectively: erasing a critical program, "mail spamming and mail bombing" (flooding a user account with electronic mail), and altering system functionality by installing a Trojan horse program.
Special Action 1: Employ backups for core services (Advanced)
The most likely targets in your organization for a network attack are DNS, web and mail servers. If your organization conducts a lot of business over the Internet, it may pay to establish backup facilities. Denial of service attacks are a problem because they are hard to trace, easy to execute, and effective. In such a dangerous environment, it is sometimes smart to use backups to bring the system back from a denial of service attack.
Related Links:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003



Created: 18 Mordad 1393