by Chad Cook
|An Introduction to Incident Handling
by Chad Cook (firstname.lastname@example.org)
last updated Nov. 29, 2000
Incident handling is a generalized term that refers to the response by a person or organization to an attack. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster. This paper will provide a logical approach to handling two common forms of attack - virus outbreak and system compromise. The method that this article will propose includes the following sequence of steps that should be followed in the case of all types of attack.
Comprehensively addressing the issue of security includes methods to prevent attack as well as how to respond to a successful one. In order to minimize the potential damage from an attack, some level of preparation is needed. These practices include backup copies of all key data on a regular basis, monitoring and updating software on a regular basis, and creating and implementing a documented security policy. Regularly-scheduled backups minimize the potential loss of data should an attack occur. Monitoring vendors' and security web sites and mailing lists is a good way to keep up to date with the state of the software and patches. It is necessary to update software in order to patch vulnerabilities that are discovered. It is also vital to update anti-virus software in order to keep system protection up-to-date. A documented security policy that outlines the responses to incidents will prove helpful in the event of an attack, as a reliable set of instructions.
2) Identification of Attack
While preparation is vital for minimizing the effects of an attack, the first post-attack step in Incident handling is the identification of an incident. Identification of an incident becomes more difficult as the complexity of the attack grows. One needs to identify several characteristics of an attack before it can be properly contained: the fact that an attack is occurring, its effects on local and remote networks and systems and from where it originates.
3) Containment of Attack
Once an attack has been identified, steps must be taken to minimize the effects of the attack. Containment allows the user or administrator to protect other systems and networks from the attack and limit damage. The response phase details the methods used to stop the attack or virus outbreak. Once the attack has been contained, the final phases are recovery and analysis.
4) Recovery and Analysis
The recovery phase allows users to assess what damage has been incurred, what information has been lost and what the post-attack status of the system is. Once the user can be assured that the attack has been contained, it is helpful to conduct an analysis of the attack. Why did it happen? Was it handled promptly and properly? Could it have been handled better? The analysis phase allows the users and administrators to determine the reason the attack succeeded and the best course of action to protect against future attacks.
Incident Handling - Viruses
Viruses can cause irreparable harm to important files and records. The home and small office user is at even higher risk than larger organizations because the user often works with one computer or stores important information in a single location. Unlike larger organizations that have data spread across many systems in several locations, a virus outbreak in a home or small office could permanently destroy important data. This puts greater emphasis on the need for creating backups of all information. Additionally, backup disks should be kept in a separate location, away from the computer. This ensures that in case of an incident such as fire or theft of hardware that a backup copy of all information is still available.
The second crucial step in preparing for an attack is to install anti-virus software. Anti-virus software is readily available, easy to install and operate and is affordable. New viruses are created frequently, so it is important to be diligent with anti-virus software maintenance. Almost all anti-virus vendors make updates available on their websites. Users should update their anti-virus software on a regular basis.
Identification of Virus Attack
Viruses are particularly potent and frightening because of their ability to spread quickly to 'friendly' computers. Just think of the public relations nightmare your company could endure if you're the address book in your e-mail program was used to spread a virus to all your suppliers' and your customers' computers.
Early identification of an incident is crucial to ensuring that the virus does not spread to other computers. It is crucial that users are familiar with the symptoms of a virus attack, such as mass e-mailing, file destruction or other malevolent actions the results of which can be seen immediately. Stealthy viruses require a bit more attention. The user should be aware that periodic anomalous behavior on a system is not always an indicator of a virus attack. Other factors may cause the erratic behaviour; however, for the sake of security, the user should scan the computer comprehensively to clearly identify the cause. Configuring the anti-virus software to do real-time scanning of files and to periodically do complete system scans helps to both prevent and identify viruses.
Containment of the virus is pivotal in limiting the effects. Many viruses spread themselves automatically. If a non-replicating virus infects a single computer, containing the virus is fairly straightforward. The administrator, or user, should disconnect network access including shared directories and other components that may allow the virus to infect files and programs on other machines. Anti-virus software often has a "rescue" component that allows an administrator to scan and clean a system by booting from a specialized floppy disk or CDROM. If available, these tools should be utilized to disinfect the system.
Should the anti-virus software fail to clean the system or lack the features necessary to do the cleansing, it is advisable to try other software packages that may provide more comprehensive coverage. If the system has been altered beyond repair, the last resort is to clear the system entirely and reinstall the operating system and software. If reinstalling, care should be taken to use software that is known to be uninfected and to completely reformat the hard drive to assure the eradication of the virus.
Recovery and Analysis
Viruses cause varying degrees of destruction- some exist merely to replicate; others attach to and destroy files and programs. Anti-virus programs can generally restore files to their original state, but there are exceptions. If there is doubt to the reliability of the data held within a file, the user should compare the damaged file to a backup copy in order to assess whether or not damage has been sustained.
Once the system or systems have been returned to full operation, analysis should be done to determine where the defenses failed. Does fault lie in the anti-virus software, or the frequency and reliability of updates? Or did some user behaviour - such as opening files from an unknown or untrusted source - allow the system to become infected? Once the attack was identified, were appropriate and sufficient steps taken to minimize the damage that the system sustained? Analysis of the incident allows the user to learn from the unfortunate incident and ensure that it does not happen again.
System compromise is an attack in which an intruder breaks into a computer and, either sitting directly in front of it or from a remote network, is able to use that computer. The attacker typically has total access to a system and all information contained therein including files, applications and potentially any other system connected to it.
Managing system compromise is more daunting than managing virus outbreaks. The basic steps to help prepare in case of system compromise are basically the same as are used in preparation for virus outbreaks. All vital information should be backed up on a regular basis. Software updates are also crucial. System compromise often arises due to security vulnerabilities in common software, particularly in operating system software. Users and administrators should be sure to maintain current software patches in order to protect against attacks. Patches are available through vendors' websites. Users can learn about the latest patches by monitoring vendors' web sites, mailing lists and user forums related to the software and to security.
In order to prevent against unauthorized intrusion into a system, users should implement firewalls. Just as anti-virus software is the cornerstone of a virus prevention strategy, firewalls are extremely important in preventing unauthorized individuals from accessing network services and resources. Like anti-virus software, firewalls are relatively affordable and easy to use - they not only protect against intrusion, but some can be configured to notify the user if an intrusion is being attempted.
Systems compromise attacks are often indicated by missing or modified files, changes to the system configuration and services, greater memory and disk usage and unidentified network connections. Attackers will often seek to hide any indication of the intrusion by replacing files and programs with versions that protect the attacker. Programs that act normally on one occasion and strangely the next, as well as files and programs that have their time, date or size information modified may be indicative of an unauthorized intrusion. Comparison against backup copies may reveal changes to files.
Users and systems administrators can identify potential systems compromise attacks by monitoring network traffic and processes. The new wave of Intrusion Detection Systems (IDS) is extremely helpful in allowing for the monitoring of systems. By actively monitoring the network for known signs of attack and other anomalous conditions, an IDS notifies users as soon as it detects the event. IDS are useful in complex networked environments and where minimal technical staffing is available. By automatically monitoring and notifying users, an IDS can offload some responsibility from an overburdened administrator, making them invaluable resources for users and administrators in small offices and home offices.
Containment of an intrusion involves some effort on the part of the administrator. First, the administrator should freeze the current system as soon as an intrusion is suspected. This includes disconnecting the system from the network, stopping the operating system and disallowing anyone to use the system. As an operating system runs and people use the system files are naturally modified and updated depending on what they are doing. This normal functionality often erases important information that can be used to detect and trace an intrusion, therefore it is very important to stop the system as soon as possible after an attack is discovered. If possible, it is advisable to duplicate the hard disk of the system. This allows the administrator to begin the cleanup process on one disk and to give the other to an expert to determine the exact source and cause of the intrusion.
Recovery and Analysis
The most devastating but least-effort method of cleaning up a compromised system is to wipe the hard disk clean and re-install the operating system and software allowing a faster return to normal operation. A more painstaking approach is to compare each individual file and program against a copy known to be original in order to determine if any modifications have been made. It is important to do a minimal level of analysis in order to determine the cause of the intrusion. Once a cause is determined, changes to the environment should be made to avoid future attacks by that method. This includes updating affected software, access control methods that allow only certain users, systems and networks to use the services, firewalls and intrusion detection systems. A combination of these changes can provide a safer and more secure working environment.
Analysis of the attack provides several benefits. The user and administrator can determine the shortcomings in existing security policies, installation methods and configurations that allow attacks to succeed. Users and administrators should periodically review existing installations, configurations and security policies. New attacks and security vulnerabilities are found often and updating the existing environment can minimize the threats of future attack.
This paper provides a short overview and several guidelines to handle incidents with regards to three of the most common attacks - viruses, system compromise and denial of service. There are several general philosophies that foster security-minded thought and analysis. Forethought towards installation, configuration and the associated usage policies is important to the security of an organization. Rational and logical reactions to unnerving incidents help minimize the potential damage of attacks. Preparations such as backups, regular software updates and monitoring help an organization better deal with an incident and return to normal functionality as soon as possible after an attack. A high level of security within an organization can be provided with a bit of proactive consideration and planning, thereby avoiding reflexive responses that can prove disastrous.
Moment's Notice: The Immediate Steps of Incident Handling
Computer Security Incident Handling: Step-by-Step
Computer Security Incident Handling
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.