Thursday, July 19, 2007

You just got 0wned. Now what?

Imagine that you are arriving at your office and you look through the window. Inside the building you can see someone burglarizing the building. What would you do?

You have a few options: (1) call the police; (2) ignore the burglary, go get a caffè latte double mocha espresso and hope that the burglar leaves before anyone sees him; or (3) open the office door, shout "Hey! Get out!", and wait for the burglar to leave.

In the real world, people routinely choose the first option. They do not run the burglar out of the house and then lock the door to preserve the scene before the police arrive; yet for some reason, when it comes to cyber-crime, almost everyone chooses the third option. The burglar is long gone by the time the investigation starts. Evidence has been walked over, looked over and deleted, and operating systems have been re-installed.

The "information assurance" community does a lousy job of ensuring that intrusions are handled appropriately. In my experience there is a community-wide knee-jerk reaction to intrusions that starts with looking at logs (rather than preserving them), moves into damage control (patching and re-installation) and then, as an afterthought, calls in people who are qualified to respond to the incident. Harlan Carvey wrote recently that he had only conducted two live acquisitions for clients, and both of those were after the operating systems had been reinstalled, so I assume that my experience is not unique.

This is usually a response based on emotion, not logic. I know that I'm largely preaching to the choir here, but hopefully someone will wander in during this sermon - so here's what you need to do if you have been hacked:

1. Don't panic

2. Call someone qualified to investigate the incident.

3. Let the investigators investigate: image the systems and analyze what is happening or has happened.

4. Develop a plan, together with your incident responders and law enforcement, that will allow you to mitigate damage, determine the extent of the intrusion, and catch the bad guy.

5. Implement the plan.
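The point of step 3, and of the complaint above about "looking at logs rather than preserving them", is that evidence must be copied and hashed before anyone starts reading it. The following POSIX shell script is an added example (not from the original post, and not anyone's official tooling) of the minimum a first responder can do on the phone with an investigator: copy the log files with timestamps intact, make the copies read-only, and write a SHA-256 manifest so that any later tampering or accidental edit is detectable. The source and evidence directories, and the log lines they contain, are constructed here for the demonstration; on a real system the source would be something like /var/log and the destination removable media that then goes into an evidence bag.

```shell
#!/bin/sh
# Added example: preserve logs (copy, hash, manifest) before anyone looks at them.
# Assumes only standard coreutils (cp, chmod, sha256sum or shasum).

# Hash a single file with whichever SHA-256 tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Check a manifest produced by hash_file; returns non-zero on any mismatch.
check_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum --status -c "$1"
    else
        shasum -a 256 --status -c "$1"
    fi
}

# preserve_logs SRC_DIR DEST_DIR
# Copies every regular file in SRC_DIR into DEST_DIR, preserving mtimes,
# strips write permission from the copies, and records one SHA-256 line per
# file in DEST_DIR/MANIFEST.sha256 plus a small acquisition note.
# Prints the manifest path so a caller can record it.
preserve_logs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    manifest="$dest/MANIFEST.sha256"
    : > "$manifest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -p "$f" "$dest/$name"          # -p keeps the original timestamps
        chmod a-w "$dest/$name"           # copies are never edited in place
        (cd "$dest" && hash_file "$name") >> "$manifest"
    done
    # Chain-of-custody note: who acquired what, from where, and when (UTC).
    printf 'acquired_by=%s\nsource=%s\nhost=%s\nutc=%s\n' \
        "$(id -un)" "$src" "$(hostname)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$dest/ACQUISITION.txt"
    chmod a-w "$manifest" "$dest/ACQUISITION.txt"
    printf '%s\n' "$manifest"
}

# verify_evidence DEST_DIR
# Re-hashes the preserved copies against the manifest; exit status 0 means
# nothing has changed since acquisition.
verify_evidence() {
    (cd "$1" && check_manifest MANIFEST.sha256)
}

# Demonstration on constructed data (not real logs).
demo_src=$(mktemp -d)
demo_dest=$(mktemp -d)/evidence
printf 'Jul 19 03:12:44 web01 sshd[4127]: Accepted password for admin from 198.51.100.23 port 52331\n' \
    > "$demo_src/auth.log"
printf '198.51.100.23 - - [19/Jul/2007:03:14:02 +0000] "GET /admin/ HTTP/1.1" 200 512\n' \
    > "$demo_src/access.log"
demo_manifest=$(preserve_logs "$demo_src" "$demo_dest")
echo "manifest written to $demo_manifest"
if verify_evidence "$demo_dest"; then
    echo "evidence verified: copies match manifest"
fi
```

Only after this has run, and the manifest path has been written down, should anyone open the copies to start reading. Review the copies, never the originals on the compromised host, and re-run `verify_evidence` whenever the media changes hands.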

5 comments:

H. Carvey said...

Given how things tend to happen, some level of training or on-site staff is necessary, for identification and containment purposes. Without this, you could (a) end up spending money to have someone come on-site when you didn't need it, or (b) allow your organization to bleed PII data.

Item #4 should be between 0 and 1, and #1 should be immediately followed by #5.

Bill said...

All valid points, but given the general inability of organizations to respond correctly or to even develop a plan before an incident, it's better to call for help before doing anything. In my experience, most people aren't qualified to develop or implement a plan for such an event, and take hours/days to do so, and when they implement their plans, it usually results in the destruction of evidence.

If an organization is hemorrhaging PII data as they respond to an incident (i.e. the data are actively being downloaded) it's much more likely that a person who does this type of stuff for a living is going to recognize and treat the problem well before the people on-site have finished briefing their bosses and doing their communal hand wringing.

On the other hand, I was thinking that step 2 included more consultation and assistance - that's what I get for posting at an airport from my BlackBerry; it's hard to think when I'm typing with my thumbs.

H. Carvey said...

...most people aren't qualified to develop or implement a plan...

Agreed, but something needs to be done. Generally, in the initial moments of panic, destruction of crucial data ensues. Training in incident identification and containment procedures is paramount...even on-call services sometimes won't get there for 12- to 24-hours or more.

...it's much more likely that a person who does this type of stuff for a living...

My experience has been that such people aren't already on-site, even in large organizations that know that they handle PII data.

Bill said...

Agreed, but something needs to be done. Generally, in the initial moments of panic, destruction of crucial data ensues. Training in incident identification and containment procedures is paramount...even on-call services sometimes won't get there for 12- to 24-hours or more.

My experience has been that such people aren't already on-site, even in large organizations that know that they handle PII data.

I think we are saying the same thing here; if in different ways.

My point is that the response should be guided by responders, not as an afterthought. If you have an intrusion, we can get started on step 2 on the phone, and then move to steps 3-5 while that is going on . . . but if you move to steps 4/5 first, in most cases the value of an incident response and investigation is muted because evidence is destroyed/overwritten.

I completely agree that training is important, but in my experience, the folks that aren't doing this work every day (regardless of training) just aren't qualified or equipped to do everything that's needed for a thorough investigation and/or prosecution.

I've spent a lot of time on the phone with administrators who are in panic mode, walking them through the steps that I need them to take early on b/c I can't respond, but in doing so, I've found that generally I'll get what I need. OTOH, I've never gotten a really successful response once the powers that be at an organization start working on their plan. Those plans rarely consider "forensic necessities."