Network Intrusion Detection, Third Edition.pdf

handling team member. Please get one thing straight in your head right now: You are going to take a hit. Between the outsider threat from the Internet, the insider threat, and the malicious code threat, you are definitely going to take a hit. Analysts sometimes get in a mindset that they are responsible to protect the organization. You can't! We don't expect rescue-squad workers to ensure no accidents occur on I-95, right? We just ask them to help in a professional manner after the accident has occurred. Consider what I have said carefully. I have led a large intrusion-detection team with many sites and have seen several analysts develop a mindset that they are personally responsible to make sure no attacks get through.

If we are going to take a hit, a system compromise can't be the end of the world. Rather, the point is to deal with it as effectively and efficiently as possible. Because there might be some stress involved, we want a clear, well-defined process to follow. Think about CPR, with its pithy acronym, ABC. The ABCs of CPR are as follows:

Airway. Make sure it is clear.

Breathing. Are they?

Cardiac. Beating or not beating?

I found the following six-step process in a government publication in 1995. I have been working to refine this model ever since. The six steps are as follows:

Preparation

Identification

Containment

Eradication

Recovery

Lessons learned

This chapter doesn't discuss preparation or identification; after all, most of this book is devoted to preparation and identification.

Containment

In incident handling, you learn to maintain a reasonable pace; if you hurry, you make mistakes and that can be costly. There is one place to really move out, however, and that is containment. It is better to deal with two affected computers than four and better to deal with one compromised workgroup than a whole Windows domain. Good incident-handling teams can work in parallel. This is really important in cases in which multiple systems might be involved. As soon as the data has come in, I just make a copy, circle the addresses I need a team member to handle, and hand him the paper. Usually, I don't have to say more than my trademark "take good notes people, good notes."

The first thing to do in containment is to start reducing network connectivity.

Freeze the Scene

My first course of action is to pick up the phone and call the person nearest the system console. The language in the following section has been developed over years of hard-knocks experience. You are a technical person; the person you are calling on the telephone might not be. Also, as he realizes there is a problem, he might be under some stress. Of course, you will develop your own scripts and techniques, but I call the individual with a suspected problem and say:

Please take your hands off the keyboard and step away from the computer.

Thank you. Now, in the back of the computer there is a network connection, please find it and remove it from the computer.

My name is Stephen Northcutt, what is your name? Pleased to meet you ______, and where is your office?

Sure, we know where that is. ________, can I get your phone number and any other office phones that you know?

You have done a fantastic job. We'll be right there; now do you have a fax machine? Great; while the team is on its way, I am going to fax you a set of instructions. _______, we need your help and I would appreciate it if you would start as soon as you receive the incident-handling guide. Can you tell me what operating system the computer is?

These are critically important lines. The trick is to say as few words as possible to get the point across. However, the "noise" or non-content words such as please, thank you, and fantastic, are very important; we need to de-stress the situation if possible. Despite the attackers, I keep learning the hard way that our biggest danger is what we do to our evidence and ourselves. I am also working on my voice inflection. I don't have a really commanding, powerful voice, so I try to speak with authority, slower than my normal pace, and try to project kindness and empathy.

Sample Fax Form

Security Office @UR Organization

On Site Computer Incident Response Form Revision 2.1.1

Date: Time: Printed Full Name:

Thank you for notifying the security department of this incident and agreeing to help. Please do not touch the affected computer(s) unless instructed to do so by a member of the Incident-Handling Team. In addition, please remain within sight of the computer until a member of the team gets there and ensures that no one touches the system. Please help us by detailing as much information about the incident as possible. We need a list of anyone who directly witnessed this incident; please list their names below. If you need more space, please continue on a separate sheet of paper:

Witnesses:

1)

2)

3)

What were the indications that you observed that led you to notice the incident? Please be as specific and detailed as possible.

Incident indicators:

This next section is very important. Please be as accurate as possible. From the time you noticed the incident to the time you called the Incident-Handling Team, or help desk, please try to list every command you typed and any file that you accessed.

Commands typed and files accessed:

Signature:______________________________________
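The form asks the witness to recall every command typed. Memory under stress is unreliable, so the on-site handler will usually want to cross-check that list against the shell's own record once the system is imaged. The following is an added example, not from the book: a small parser that turns a bash history file into a dated timeline. It assumes bash with HISTTIMEFORMAT set (so each command is preceded by a "#<epoch>" marker line); commands recorded before that setting took effect are kept but left undated. The history text, the case times and the commands in it are constructed for illustration.

```python
"""Rebuild a "commands typed" timeline from a bash history file.

Added example (not from the book). It assumes the shell was bash with
HISTTIMEFORMAT set, so each command is preceded by a "#<epoch>" line;
commands recorded before that was set are kept but left undated.
Caveats: bash writes ~/.bash_history only when the shell exits, so a
still-open session has nothing on disk yet, and an intruder may have
truncated the file or unset history entirely.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

_TIMESTAMP = re.compile(r"^#(\d{9,10})$")  # bash's HISTTIMEFORMAT marker line


@dataclass
class HistoryEntry:
    seq: int                       # position in the file; order survives even when undated
    command: str
    timestamp: Optional[datetime]  # None when no "#<epoch>" line preceded the command


def parse_bash_history(text: str) -> List[HistoryEntry]:
    """Parse history text; a "#<epoch>" line dates exactly the command after it."""
    entries: List[HistoryEntry] = []
    pending: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _TIMESTAMP.match(line)
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        entries.append(HistoryEntry(len(entries) + 1, line, pending))
        pending = None
    return entries


def timeline(entries: List[HistoryEntry]) -> List[str]:
    """One line per command: 'YYYY-MM-DD HH:MM:SSZ  command' or '(undated)  command'."""
    out = []
    for e in entries:
        when = (e.timestamp.strftime("%Y-%m-%d %H:%M:%SZ") if e.timestamp
                else "(undated)".ljust(20))
        out.append(f"{when}  {e.command}")
    return out


def dated_between(entries: List[HistoryEntry], start_iso: str, end_iso: str) -> List[HistoryEntry]:
    """Commands dated inside [start, end] (ISO 8601 with offset); undated ones are excluded."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [e for e in entries if e.timestamp and start <= e.timestamp <= end]


# Constructed sample, not a real capture. The first command predates HISTTIMEFORMAT.
SAMPLE_HISTORY = """\
uname -a
#1426419000
ls -la /tmp
#1426419045
cat /tmp/.x/run.sh
#1426419100
rm -rf /tmp/.x
"""

SAMPLE_ENTRIES = parse_bash_history(SAMPLE_HISTORY)

if __name__ == "__main__":
    for line in timeline(SAMPLE_ENTRIES):
        print(line)
```

Compare the parsed timeline with what the witness wrote on the form; a command the file shows but the witness omitted, or a gap in the dated entries where the witness says they were typing, is itself an incident indicator worth a note.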

On-Site Containment

Whenever possible, we suggest two people be dispatched to the scene. One handles the site survey, and the second team member, the more experienced, should work at containing the computer system.

Site Survey

The survey member should use a portable tape recorder and describe the scene. Record the names of everyone in the vicinity, if possible. Order everyone in the vicinity who was not there when the incident occurred, does not normally work in the area, or isn't the system owner, to leave. While the on-site handler is setting up the backup, interview the individual who phoned in the incident. Determine the indications of the incident. Work with the employees in the area to check the other computer systems to see whether there are indications of compromise on these systems. Be certain to continue to record what you are seeing, or if you can't use a recorder, make sure to take good notes. Every few minutes, shoulder surf the incident handler and make a time-stamped notation of what you observe her doing; two records are better than one.
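The survey member's time-stamped notations of what the handler is doing, together with the recorder transcript, are the record that later has to survive questions about what the team itself did to the evidence. The following is an added example, not from the book, of one way to keep such notes so that a later edit or deletion is detectable: each entry carries the SHA-256 of the entry before it. The handler names, case identifier and note text are constructed; the functions are an assumption of this example, not a tool the book describes.

```python
"""Tamper-evident, time-stamped handler notes (hash-chained).

Added example, not from the book. Each note carries the SHA-256 of the
previous note, so editing or deleting an earlier entry changes every hash
after it and verify() reports the first entry that no longer matches.
Limitation: dropping entries off the END of the chain is invisible to the
chain itself, so copy head() onto the signed paper form (or read it to the
second note-taker) whenever the record is handed over.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # "previous hash" recorded in the first entry


def _digest(entry: Dict) -> str:
    """SHA-256 over a canonical JSON form of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class NoteLog:
    def __init__(self, handler: str, case_id: str):
        self.handler = handler
        self.case_id = case_id
        self.entries: List[Dict] = []

    def add(self, note: str, when: Optional[datetime] = None) -> Dict:
        """Append a note; `when` defaults to now (UTC) and is stored as ISO 8601."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "case": self.case_id,
            "handler": self.handler,
            "note": note,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry: the value to write on the paper form."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: List[Dict]) -> Optional[int]:
    """Return the seq of the first inconsistent entry, or None if the chain holds."""
    prev = GENESIS
    for expected_seq, entry in enumerate(entries, start=1):
        if (entry.get("seq") != expected_seq
                or entry.get("prev") != prev
                or _digest(entry) != entry.get("hash")):
            return expected_seq
        prev = entry["hash"]
    return None


def sample_log() -> NoteLog:
    """Constructed sample with fixed times so the hashes are reproducible."""
    t0 = datetime(2015, 3, 15, 11, 32, tzinfo=timezone.utc)
    log = NoteLog(handler="survey member", case_id="IR-0001")  # constructed identifiers
    log.add("Caller states workstation has been rebooting repeatedly since about 11:20", when=t0)
    log.add("Handler removed network cable from rear of chassis", when=t0.replace(minute=34))
    log.add("Handler photographing screen before any further action", when=t0.replace(minute=36))
    return log


if __name__ == "__main__":
    log = sample_log()
    for e in log.entries:
        print(e["seq"], e["time"], e["note"])
    print("chain intact:", verify(log.entries) is None, "head:", log.head())
```

Because the survey member and the handler each keep their own record, the two chains can be compared afterwards; two records are only better than one if both can be shown to be the records made at the time.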

System Containment

The handler should try to get the normal system administrator for this system to ride shotgun.
