Containing the Incident
After the security compromise is discovered and identified as real, the next step is containment. Containment involves limiting the extent of the attack, making key decisions, and executing predetermined (yet customizable) procedures. The goals at this stage could also include identifying the intent of the attack. For example, is this a malicious attack, or is the intruder just browsing to plan for future attacks?
Limiting the Extent of an Attack
Two of the most fundamental objectives are to restore control of the affected systems and to limit the impact and damage to the customer's business. In the worst case, shutting down the systems or disconnecting the systems from the Internet (or from the source of the security problem, if known) could be the only practical solution. The following table contains examples of possible containment tactics.
| Tactical Action | Description |
| --- | --- |
| Increasing the level of monitoring | This action involves actively tracking traffic for unusual activity (for example, port scanning) or patterns of an attack stream of bits, bytes, or packets. |
| Changing the filtering rules of firewalls and routers | This action excludes traffic from hosts that appear to be the source of an attack. |
| Disabling known vulnerable services, such as file transfer or calendar services | This action is effective when newly discovered service vulnerabilities are exploited by attackers. |
| Setting up traps | This action involves learning the intruder's identity or modus operandi (MO). The MO is a mechanism by which the perpetrator commits his or her crime. It is a learned behavior and can change over time. An MO can be considered a pattern, allowing for some variance. Examples of traps are honeypots (that is, computers designed to attract attackers in order to record their behavior and to gather evidence, but not meant for legitimate users), automated message systems that track unusual usage of a system or an application, and trojan horse commands (in this context, an intentionally modified command to deceive the intruder, who might believe that the command is a normal command). For example, on UNIX systems, you can use the finger(1) command to display information about local and remote users, the rwho(1) command to display who is logged in on local machines, and the nslookup(1M) command to query Internet domain name services interactively. Refer to the UNIX man pages for these commands for more information. |
| Shutting down systems | This action might appear drastic, but it is sometimes advisable, usually based on a decision to prevent further loss and/or disruption. This is, of course, a joint decision between the constituent and the VCSIRT responding to the incident, with the geo-based security officer representing the servicing organization involved in the decision. |
| Disconnecting a system from the network | Although some disruption is unavoidable, users should still be able to use some local services. Be careful: the network might involve wireless local area networks (WLANs). In these cases, it might be important to disable and/or remove the wireless access points from the internal network. (WLANs are communication networks that use radio frequency technology to transmit network messages through the air within a single location, such as an office or a university.) |
| Retaliating against the attacker | There might be a temptation to retaliate against the system originating the harmful traffic. However, you should avoid this temptation due to possible legal complications. Consult with management and legal representatives if there is such a desire. For instance, the system used by an attacker could be just a launching pad for the attack and belong to an innocent party. |
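The first two tactics in the table (raising the level of monitoring and tightening filtering rules) can be illustrated together. The following is an added example written for this page, not code from the original article or from Sun: it parses a constructed connection log, flags a source that probes many distinct ports within a short window (the "port scanning" pattern the table mentions), and drafts the corresponding containment actions. The log format, the window and port thresholds, and the vendor-neutral rule syntax are all assumptions.

```python
"""Added example: spot a port-scan pattern in connection logs and draft containment actions.

Illustrative code for this page, not Sun's own tooling. The log format,
thresholds and the firewall rule syntax are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source, destination, destination port, filter result.
# One source probes ten ports in five seconds; another is ordinary web traffic.
SAMPLE_LOG = """\
2004-03-01T10:00:01 192.0.2.10 198.51.100.5 22 REJECT
2004-03-01T10:00:01 192.0.2.10 198.51.100.5 23 REJECT
2004-03-01T10:00:02 192.0.2.10 198.51.100.5 25 REJECT
2004-03-01T10:00:02 192.0.2.10 198.51.100.5 79 REJECT
2004-03-01T10:00:03 192.0.2.10 198.51.100.5 80 ACCEPT
2004-03-01T10:00:03 192.0.2.10 198.51.100.5 111 REJECT
2004-03-01T10:00:04 192.0.2.10 198.51.100.5 513 REJECT
2004-03-01T10:00:04 192.0.2.10 198.51.100.5 514 REJECT
2004-03-01T10:00:05 192.0.2.10 198.51.100.5 2049 REJECT
2004-03-01T10:00:06 192.0.2.10 198.51.100.5 6000 REJECT
2004-03-01T10:00:10 203.0.113.7 198.51.100.5 80 ACCEPT
2004-03-01T10:00:11 203.0.113.7 198.51.100.5 80 ACCEPT
2004-03-01T10:00:12 203.0.113.7 198.51.100.5 443 ACCEPT
"""

WINDOW = timedelta(seconds=60)   # assumed observation window
PORT_THRESHOLD = 8               # assumed: distinct ports per source within one window


def parse_log(text):
    """Turn the constructed log lines into (timestamp, src, dst, port, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), result))
    return events


def find_scanners(events, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return {src: sorted distinct ports} for every source that touches at least
    `threshold` distinct ports inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _result in events:
        by_src[src].append((ts, port))
    scanners = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it fits within `window` of the newest attempt.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ports_in_window = {p for _, p in attempts[start:end + 1]}
            if len(ports_in_window) >= threshold:
                scanners[src] = sorted({p for _, p in attempts})
                break
    return scanners


def containment_actions(scanners, protected_host):
    """Draft the two tactical actions from the table for each flagged source:
    exclude its traffic at the filter and raise monitoring on it."""
    actions = []
    for src, ports in sorted(scanners.items()):
        # Generic, vendor-neutral rule text; the exact syntax depends on the device.
        actions.append(f"deny ip from {src} to {protected_host}")
        actions.append(f"monitor {src} (probed {len(ports)} ports: {ports[0]}..{ports[-1]})")
    return actions


if __name__ == "__main__":
    flagged = find_scanners(parse_log(SAMPLE_LOG))
    for action in containment_actions(flagged, "198.51.100.5"):
        print(action)
```

The sliding window matters: a threshold applied over the whole log would also flag a busy but legitimate client that touches many ports over a full day, whereas the scan signature is many distinct ports in a short interval. The drafted rule is a proposal for the geo-based security officer to approve, not something to push to the firewall automatically.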
Making a Decision
The organization's geo-based customer account manager, in conjunction with the geo-based security officer, should make a decision for containment. Risking temporary, limited damage for determining the root cause is sometimes necessary. Pros and cons should be noted by the security officer's staff for the Lessons Learned documentation.
Schemes exist for selecting the most important incident, or for ranking several incidents if they occur within a short span of time. The following table lists the criteria (the order is not significant).
| Criterion | Description |
| --- | --- |
| Resources needed to deal with the incident | Forensic experts might be needed immediately to analyze a major incident, versus simply disconnecting the compromised equipment from the Internet for later analysis. |
| Impact on constituency | Customer sensitivity depends on the severity of the intellectual property loss, which could range from a violation of privacy legislation to a serious theft of software property that critically affects a customer's enterprise-level business. |
| Type of incident | Is it just a break-in by an intruder intending to perform reconnaissance, or a serious denial-of-service attack? |
| Type or extent of the damage | This could range from the loss of production for a couple of hours to a total shutdown of a site and exposure to media, with a constituent's reputation as a service provider at risk. |
| Target or source of an attack | Is the target a large, well-known enterprise or a small business? Is the source known from past incidents? |
Expect exceptions to the selected scheme, so flexibility is key to accommodating them in the policy execution.
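One concrete form such a ranking scheme can take is a weighted score over the five criteria in the table, with an explicit field for the exceptions the text says to expect. The following is an added example written for this page, not a Sun procedure: the 0-3 scale, the weights, and the three sample incidents are all assumptions, and the criteria names mirror the table.

```python
"""Added example: a weighted ranking scheme over the criteria in the table.

Illustrative code for this page, not a Sun procedure. Scale, weights and the
sample incidents are assumptions.
"""
from dataclasses import dataclass, field

# Each criterion is scored 0 (negligible) to 3 (severe) by the responder.
# The weights are an assumption; a real policy would set them per constituency.
CRITERIA_WEIGHTS = {
    "resources_needed": 1.0,        # forensic experts now, or disconnect and analyze later
    "impact_on_constituency": 3.0,  # privacy violation up to enterprise-critical IP theft
    "incident_type": 2.0,           # reconnaissance versus denial of service
    "damage_extent": 3.0,           # hours of lost production up to a site shutdown
    "target_or_source": 1.5,        # well-known target, or a source seen before
}


@dataclass
class Incident:
    ident: str
    scores: dict
    exception_note: str = ""  # reason for overriding the scheme, if any (kept for Lessons Learned)


def weighted_score(incident, weights=CRITERIA_WEIGHTS):
    """Sum of weight * score; refuses incidents that are incompletely or badly scored,
    so an unscored criterion cannot silently count as zero."""
    missing = set(weights) - set(incident.scores)
    if missing:
        raise ValueError(f"{incident.ident}: unscored criteria {sorted(missing)}")
    for criterion, value in incident.scores.items():
        if not 0 <= value <= 3:
            raise ValueError(f"{incident.ident}: {criterion} score {value} outside 0..3")
    return sum(weights[c] * incident.scores[c] for c in weights)


def rank_incidents(incidents):
    """Highest score first; ties broken by identifier so the order is reproducible."""
    return sorted(incidents, key=lambda inc: (-weighted_score(inc), inc.ident))


def exceptions(incidents):
    """Incidents that carry a manual override, listed for the security officer's review."""
    return [(inc.ident, inc.exception_note) for inc in incidents if inc.exception_note]


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", {"resources_needed": 1, "impact_on_constituency": 1,
                       "incident_type": 1, "damage_extent": 0, "target_or_source": 1}),
    Incident("INC-2", {"resources_needed": 2, "impact_on_constituency": 3,
                       "incident_type": 3, "damage_extent": 3, "target_or_source": 3}),
    Incident("INC-3", {"resources_needed": 3, "impact_on_constituency": 3,
                       "incident_type": 2, "damage_extent": 2, "target_or_source": 2},
             exception_note="customer contract requires forensic hold before any disconnect"),
]

if __name__ == "__main__":
    for inc in rank_incidents(SAMPLE_INCIDENTS):
        print(f"{inc.ident}: {weighted_score(inc):.1f}")
    for ident, note in exceptions(SAMPLE_INCIDENTS):
        print(f"exception on {ident}: {note}")
```

The override note is deliberately a free-text reason rather than a score adjustment: the scheme still produces its ranking, and the exception is recorded beside it, which is what the Lessons Learned documentation needs later.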
Executing Predetermined Procedures
Predetermined, detailed procedures should be executed to contain the incident. These procedures are defined and created by the organization's worldwide security team, with the SAG's advice and review, for VCSIRT usage and distributed during formal training to the organization's security personnel by the worldwide security team. Predetermined does not necessarily mean noncustomizable. As per the situation, changes to these procedures should be expected, but a process must be in place to oversee and record those changes, under the supervision of the designated geo-based security officer.