What to Do After the Break-in: Preparing an Incident Report for Law Enforcement
- Make It Easy for Law Enforcement Officers to Do Their Job
- Where to Report a Crime
- Don't Wait for the Criminals: Join InfraGard
Before internetworking became so prevalent, the job of a system administrator or network engineer revolved almost exclusively around his own user base: the wants, needs, and limitations of those people within the walls of the organization. Along with bringing ease of communication, global catalogues, and a nearly limitless pool of potential customers, the Internet brings along with it the bored and nefarious, washed ashore at your digital doorstep looking to perform malevolent acts.
In the early days of the Internet, you could be assured that attempts on your network security from the outside were performed by a few knowledgeable individuals who actually might not have intended to harm your system at all. Many hackers were content to break in and perhaps leave you a "Kilroy was here" sort of text file. Today, however, the Internet has bred a whole new class of unskilled attackers who download tools and perform brute-force attempts over a large spectrum of IP addresses.
This means that your opponent no longer needs to be skilled—only bored. Rest assured, there are many more of the latter than the former, so the number of potential attackers has gone up exponentially. As you might expect, cybercrime has ballooned over the past five years and will no doubt continue to rise over the next five.
As cybercrime becomes more prevalent, the question now becomes how to properly address this legally. If someone throws a brick through the $6,000-plate-glass window of your corporate headquarters and runs about inside setting fire to filing cabinets, the building manager will telephone the police, who will arrive in cars with flashing lights. Everybody will make an attempt to find the culprit and charge him accordingly. But with cybercrime, individuals are throwing bricks through hundreds or thousands of virtual windows, and law enforcement officers are normally left scratching their collective heads.
Following an intrusion into your system, you have several courses of action, depending on the amount of damage done (if any), the inclinations of management (if any), your organization's temperament for justice, and your organization's position on media exposure. The latter might be either "Company X wants to avoid possible adverse press by filing a complaint" or "Company X wants its shareholders to know that we aggressively pursue any threats upon the integrity of our digital information."
One course of action—and, by far, the most popular—is to plug the holes that the hackers got through and then carry on about your business. In this way, an estimated 70 percent of all intrusions go unreported to law enforcement. Many times the intrusion seems minor, involving running IRC "bots," setting up a "warez" site, or forwarding a few million pieces of get-rich-quick spam. These minor events, however, can often be used by law enforcement to build a large case against a cybercriminal by citing multiple instances of malevolence against different parties over a period of time. The unscrupulous black hat who was trading warez off one of your servers might also have done so in a dozen different places. Being able to catalogue a pattern of electronic crime can greatly help law enforcement successfully prosecute the responsible party.
Right now, the FBI is preparing an enormous report on damages caused by the Anna Kournikova worm. Although no one is going to get damages back from the author of that virus, these figures will be used extensively in planning computer security budgets throughout the world. As an IT professional whose livelihood comes partly from the FUD surrounding cybercrime, it's in your best interests to report it when it happens—not doing so is a disservice to you, your company, and law enforcement.
Make It Easy for Law Enforcement Officers to Do Their Job
If your company is interested in pursuing the intruder, you first need to convince law enforcement (either your local police or, if the responsible party is out of state, the FBI) that your case is worth pursuing. The best way to do this is to present a clear report explaining what happened. This doesn't mean clear to an engineer—this means clear to a jury, because that's the way law enforcement is thinking when an officer reads your incident report: "How will I explain this to a jury?" Your report should include these components:
- Contact information. Tell who you are, what you do, and how to get hold of you.
- A summary of what occurred. Was data stolen? Was your site defaced? For example, you might say, "A server was broken into on July 22nd, and 2 gigabytes of pirated software were installed. After making a full backup and archiving copies of the log files to CD-ROM, we restored the system from a previous backup."
- The estimated amount of monetary damage suffered. You might later need to prove this in court, so estimate as accurately as possible. At least $5,000 in damages is needed to make a federal case. Don't forget to include the time that you spend preparing the report as well.
- Were critical services affected? Include services such as power, banking, transportation, and so on.
- Your network topology. Draw out the location of your affected servers, firewalls, and so on. The physical location of computers can be very important if they are in different jurisdictions. Include the types of systems affected (Windows NT, Linux, and so on).
- Do you suspect anyone? Did you recently fire a system administrator?
Additionally, some key points will make your trip down this path less difficult:
- Have one point of contact. All liaison duties between law enforcement and your company should go through one person. This ensures that both you and the authorities are getting the most current information.
- Maintain a single custodian of evidence. If multiple people have access to your log files and other evidence, a defense attorney can argue that any number of people could have altered the data. This custodian of evidence might need to testify how the evidence was gathered. For example:
  "On the night of July 16th, 2001, we noticed that there had been an intrusion. I immediately copied the log files to a CD-ROM and stored the backup tape in a safe in my office to which I am the sole possessor of the combination. I then made three copies of the CD-ROM, one of which I gave to our network security officer, Sally Jones. I gave the second copy to Officer Smith on July 21, 2001, when we met at his office. The third copy of the CD-ROM I kept for myself."
- Go ahead and do your own research. Investigate the crime yourself as much as you feel comfortable doing. In some ways, private citizens can act in ways that law enforcement cannot. Digital trails don't stay hot forever, so when you notice an intrusion, you might want to immediately phone the security officer at the ISP of the point of intrusion, explain what's going on, and ask for a copy of the log files. If the ISP won't give you the log files, ask the person to immediately make a backup copy of them and keep them in a safe place. The law enforcement officer handling your case is probably overworked; the more data you can provide, the better. However, if you think that you've tracked the intrusion to the responsible party, do not contact the suspect; leave that for the authorities.
- Consult management and your legal department. Don't let your boss read in the newspaper that your Web site was hacked. Inform management and legal as quickly as possible, and tell them what actions you are taking.
- Check your clocks. Hopefully, your servers are synchronized with an atomic clock. If this is not the case, you need to note the time discrepancy immediately: how far off, and in which direction, your clock is from true Greenwich Mean Time (GMT). This can become critical if law enforcement needs to get a search warrant for log files, because a defense attorney can build a successful argument on a discrepancy of only seconds.
- Create a timeline. This is important in laying out the case. Your timeline should show the intrusions, when they were noticed, and what actions were taken at what time, including all your contacts with law enforcement. The better records you keep, the more smoothly your case will go.
- Pretend that you're presenting to a jury. The law enforcement officer you'll be talking to will be thinking, "How will I present this to a jury?" You can increase the officer's efficiency by doing much of this work yourself. A timeline can show when each event occurred in relation to everything else: when the intrusion occurred, when it was detected, when steps were taken, when you informed management, when you informed your security officers, what actions they took, and, finally, when you informed law enforcement. Use your log files as appendices to this timeline, not instead of the timeline. If you give a law enforcement officer 50 pages of log files in 8-point type and say, "it's all in there," the officer will lose valuable time and energy distilling it, first for himself, later for his superiors, and, eventually, for a jury. Make your timeline as simple as possible; reserve complex explanations for footnotes or appendices.
- Use diagrams and labels to help make your case easily understandable. If you make a PowerPoint presentation just to show your boss how many people hit your Web site last month, why wouldn't you go to the same trouble to explain to a state trooper how someone orchestrated an intrusion into that same Web server?
- Your contacts might not be technical people. Keep this in mind, and resist any urge that you might have to talk over someone's head; it won't serve your purpose. Stay simple, be clear, and make sure that the officer you're talking to understands what happened. Don't be afraid to ask if you're making sense. The last thing you need is for them to leave thinking, "Those arrogant jerks deserved that DDoS."
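An added example, not from the original article, that puts the "check your clocks" and "create a timeline" points together: log entries from hosts whose clocks are known to be fast or slow are corrected to true GMT and merged into one chronological timeline, with the uncorrected log value kept beside each event. The host names, clock offsets and log entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed clock offsets, measured against a reliable GMT reference as soon as
# the intrusion was noticed. Positive means the host's clock runs AHEAD of GMT.
CLOCK_OFFSETS = {
    "webserver": timedelta(minutes=4, seconds=30),  # runs 4m30s fast
    "firewall": timedelta(minutes=-2),              # runs 2 minutes slow
    "analyst-notes": timedelta(0),                  # hand-kept notes, already in GMT
}

# Constructed sample entries: (host, timestamp exactly as written in that host's log, event)
RAW_EVENTS = [
    ("firewall", "2001-07-16 23:09:00", "inbound connection to webserver accepted"),
    ("webserver", "2001-07-16 23:16:15", "ftp login as 'guest'"),
    ("webserver", "2001-07-17 00:12:45", "2 GB written under /pub/.hidden"),
    ("firewall", "2001-07-17 00:07:00", "outbound connection from webserver logged"),
    ("analyst-notes", "2001-07-17 01:05:00", "intrusion noticed; log files copied to CD-ROM"),
    ("analyst-notes", "2001-07-17 01:40:00", "management and legal informed"),
    ("analyst-notes", "2001-07-21 14:00:00", "CD-ROM copy handed to Officer Smith"),
]

def to_gmt(host, local_ts):
    """Convert a host's local log timestamp to true GMT using its measured offset.
    A fast clock stamps events later than they really happened, so the offset
    is subtracted (a slow clock has a negative offset and is pushed forward)."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc) - CLOCK_OFFSETS[host]

def build_timeline(events):
    """Sort events by corrected GMT time. Each row keeps the original local stamp
    so the report can show both the value in the log and the correction applied."""
    rows = [(to_gmt(host, ts), host, ts, what) for host, ts, what in events]
    rows.sort(key=lambda r: r[0])
    return rows

def format_timeline(rows):
    """Render one line per event, suitable for the timeline appendix of the report."""
    return "\n".join(
        f"{gmt:%Y-%m-%d %H:%M:%S} GMT  {host:<13} (log: {ts})  {what}"
        for gmt, host, ts, what in rows
    )

if __name__ == "__main__":
    # Uncorrected, the firewall's 00:07:00 entry would appear before the web
    # server's 00:12:45 entry; after correction the true order is the reverse.
    print(format_timeline(build_timeline(RAW_EVENTS)))
```

Record the measured offsets themselves in the report as well, so that anyone comparing the timeline against the raw log appendices can reproduce the correction.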