Preparing for the Worst
by Fred Avolio, President and Founder, Avolio Consulting, Inc.
Firewalls are ubiquitous. Host and network intrusion detection systems are commonplace. You may even be using commercial vulnerability scanning and penetration tools, or services. However, sooner or later the worst may happen. You will have a bona fide, "wanna-hide-til-it's-over," network or computer security incident. Don't you wish you had planned for it?
There are many reasons why we avoid planning for security incidents. In particular, we don't think it will happen to us. But it could. We don't think that we are an attractive or interesting target. However, you may be vulnerable to the random penetration attempts that happen all the time. We don't think we will ever need a plan. You hope. We believe that all of our employees are happy. Yeah, right. We think that it will be too much work. Not necessarily - read on.
In this short article, I will outline the main steps needed to put together an Incident Response Plan (IRP) and a Computer Security Incident Response Team (CSIRT).
The IRP
The Incident Response Plan is easy to frame out and only slightly more difficult to fill in. It should have some preliminary "boilerplate" information - the name and description of the enterprise, the scope of the Plan (enterprise-wide, division, or location), and a pointer to system-specific back-up and recovery procedures. The IRP should also contain "rules of engagement," some decision-making recommendations, and a description of the CSIRT including membership, duties, and procedures.
The Rules of Engagement
The "rules of engagement" spell out how we define an incident or security event. For example, some organizations might consider a simple port scan an incident. Others get scanned every minute. Will you wait for web site defacement, or are there other indicators? These are important questions to answer when creating an IRP.
The CSIRT
The IRP also establishes the Computer Security Incident Response Team (CSIRT). The CSIRT membership should include a designated leader. This person is responsible for calling and planning the meetings. A good candidate is the ISSO, the CSO, or the IS or IT Security Program Manager. They should know something about security and IT. This person should not only have responsibility for information security, but more importantly, must have authority to enact security matters as approved by the rest of the team and senior management. Additional team members should include a liaison to the senior management team and one member from each of IT, security, human resources, public affairs, and legal.
The team's first order of business is to identify additional team members. CSIRT membership is by invitation only, based on organizational need and the particular role and expertise of the individual member. In addition to the list above, the team should add system and application specialists, system and network administrators, and software developers. IT team members control system access and repair damage. They also support evidence gathering. It may be obvious why we need computer and network security experts: they are the skilled practitioners. Under this category would be someone from your Managed Security Service Provider. You should leverage their expertise since they typically have deep experience in dealing with incidents on a daily basis.
At a corporate level, a lawyer on the team is helpful for understanding the laws pertaining to security incidents, and being a first liaison to law enforcement. The team member from HR understands and can protect employee rights, but also knows about the status of terminated, or soon to be terminated, employees. Finally, a specialist in dealing with the public should be the spokesperson to the press. It is important to note that some team members will be transient, and involved only when the incident touches on their areas of expertise.
The duties of the CSIRT - as described in the IRP - include:
- Responding to a notification (and whom to notify, and when)
- Triage: allocating critical resources
- Securing the affected systems and the crime scene
- Ensuring that evidence is properly handled
- Collecting the evidence in concert with the previous bullet
- Documenting everything in a way it can be used in court
- Helping to investigate the incident, which is usually left to the experts - law enforcement and your MSSP
- Closing the incident
- Evaluating how the IRP and the CSIRT worked
Closing Thoughts
While the key issues of the IRP and CSIRT have been touched on, this is merely an overview. The process is more involved than I've described, but not any more complex. However, there are many potentially disastrous pitfalls organizations can fall into. Some organizations deny they need it. Other groups don't look deep enough and only end up patching a surface problem. Many companies throw too many people at incidents, and some too few. That is why planning is so important. The worst time to come up with a plan is during an attack. You need to work on your plans early. You need to form a team and start the process. You can start by speaking with your MSSP. They have a great deal of expertise and handle millions of events each day. After you have a plan in place, and before your next security incident, test the plan. Only then can you be confident that you'll achieve the best result, when the worst happens.
For more information on Incident Handling and Response go to:
www.sans.org www.giac.org www.avolio.com
Intrusion Prevention: Old Concept, New Technology
by Steven Drew, EVP of Client Services, SecureWorks
There has been a considerable amount of attention surrounding Intrusion Prevention technology over the last year. This attention has led to a number of high profile acquisitions. Okena, IntruVert and Entercept were each purchased by large security suite vendors seeking to add this technology to their portfolio. However, the concept of Intrusion Prevention has been around as long as Information Security itself. Preventing intrusions and the damage created by them has always been the ultimate goal of information security professionals. Can Intrusion Prevention technology truly accomplish this goal, or should it simply be considered another valuable component in a layered security environment?
First, let's define the scope of Intrusion Prevention as a technology and as a concept. Typically someone discussing Intrusion Prevention technology is referring to the host and network-based solutions that detect and automatically block malicious traffic. This type of technology is considered to be a new category of security solution that has generated a lot of attention. However, the Intrusion Prevention concept goes beyond technology. True Intrusion Prevention also requires having the appropriate People and Processes for analyzing and responding to security information on an enterprise-wide basis. Only by incorporating Technology, People and Processes will you be able to effectively prevent damage to your critical information assets.
Information security is an overwhelming challenge today. Most networks, applications and other key infrastructure were not designed with security in mind. Fortunately this situation is improving, but there are still a considerable number of gaping holes inside most organizations. Threats are increasing and evolving while security professionals have less time, and fewer resources to deal with them. This has put many information security professionals in a reactive mode, chasing whatever fire is the hottest in the enterprise. This often results in security professionals overlooking their People and Process to focus more attention on new technologies.
As a group, we are very susceptible to looking for new technologies that promise to automate components of information security and protect our enterprises while making our lives a little easier. Over and over we have tried to solve information security through technology without looking at the entire picture and working towards an effective, sustainable security program. So will Intrusion Prevention finally be the technology that painlessly makes our organizations secure? Probably not. However, Intrusion Prevention certainly has its place in a comprehensive security strategy.
Intrusion Prevention certainly has its merits. The closer you can deploy security technology to the critical information assets you are trying to protect, the better. Intrusion Prevention can also automate response measures to common attacks, thankfully relieving us of some workload. The downside to this automation, however, is the possible occurrence of wrongfully blocking critical traffic trying to get through from business partners, customers and other trusted sources. Without having strong people and processes, this technology also stops short of the overall goal of real-time enterprise Incident Handling, leaving your organization vulnerable to incurring damage. Deploying Intrusion Prevention technology without first listening to your existing security infrastructure and developing the appropriate Incident Handling Processes will limit the benefits this technology adds to your organization's overall security posture.
As a result, Intrusion Prevention will never replace the need for well-trained professionals to constantly evaluate your environment for potential security holes and to monitor, analyze and respond to security events throughout the enterprise according to a well-defined Incident Handling Process. Why? Behind every security incident is a human. Sure there are automated attacks and programs that facilitate the work of "script kiddies," but behind the code is a skilled, savvy person finding ways to exploit vulnerable applications, devices and services. Additionally, automated attacks are usually the easiest to stop, which is why a solid layered security approach helps. The truly dangerous attacks are the ones carried out in a premeditated fashion using social engineering, coding expertise and people manually executing on their plan to compromise your systems. These types of attacks will go unnoticed by virtually any security technology, including Intrusion Prevention, and can only be discovered and thwarted if the right People and Incident Handling Processes are developed.
Information Security is, and always will be, about the interaction between People, Process and Technology. The first step to discovering critical security threats is by utilizing technology to aggregate, correlate and analyze individual events from across the enterprise. These event monitoring efforts must include the security infrastructure, as well as the critical servers, applications and databases you are trying to protect so that the incident can be viewed in the appropriate context. Only by listening to the entire enterprise can you truly detect both the known and unknown threats targeting your critical information systems.
The next step is to wrap the appropriate Incident Handling Processes around this monitoring technology to facilitate the rapid identification and response to threats in a repeatable fashion. Finally, and most importantly, you need skilled, focused and trained people to carry out the appropriate analysis and response according to your processes. Only through this combination will you truly gain effective Intrusion Prevention that will mitigate risk in real-time to your critical information assets.
The bottom line is that Intrusion Prevention can be a valuable addition to a well-rounded security strategy. However, like many other technologies before it, we will realize that Intrusion Prevention technology is not a silver bullet that will solve all our information security woes. We must always remember that no matter how many actions a technology can automate, it will only be one third of the effective security equation. Total "Intrusion Prevention" can only be accomplished by monitoring the security infrastructure you have already deployed, including firewalls, IDS, etc., and having the right people and processes in place to enable rapid incident identification and response. At the end of the day, Intrusion Prevention is merely a piece of the puzzle that can increase your chances of stopping the hacker at the other end of the network.
SOC War Story: Stopping an IRC Trojan at a City Government Agency
Custom IRC Trojans have become a favorite weapon for carrying out malicious activity. The beauty of these Trojans is that they exploit well-known vulnerabilities. They can be operated by remote control via IRC and are undetectable by most types of security devices. This enables the creator to launch a variety of attacks such as keystroke logging, downloading proprietary information or implementing back doors at anytime, from anywhere, without ever being seen. This war story discusses one instance of this increasingly familiar incident.
While monitoring a City Government Agency's network, SecureWorks' Security Analysts noticed an internal host repeatedly attempting to access an Internet IRC server. The Intrusion Analysts immediately contacted the client, who informed the Analysts of where the attempts were originating. Acting on this information, the Analysts and the client investigated the host and discovered an IRC Trojan. The Trojan was then immediately removed from the infected computer before any damage occurred to the client's critical information assets.
The only way to detect this Trojan was by monitoring the client's firewall activity. Without monitoring, most companies would only detect this attacker after malicious activity occurred - too little, too late. However, SecureWorks' real-time, 24x7 monitoring capabilities enabled the Intrusion Analysts to detect and respond to the threat in less than 15 minutes, thus preventing any damage to the client. SecureWorks' Security Monitoring Strategy and Incident Handling Process were the keys to maintaining a secure environment.
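The firewall-log check the analysts performed, as an added example that is not SecureWorks' code and not the agency's real logs: it scans constructed firewall log lines (in a hypothetical key=value format) for internal hosts that repeatedly attempt connections to IRC server ports on external addresses, the beaconing pattern the war story describes. Network ranges, port list and thresholds are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (hypothetical format, not the agency's real logs):
# "<iso-timestamp> action=<permit|deny> src=<ip> dst=<ip> dport=<port> proto=<proto>"
SAMPLE_LOG = """\
2003-07-01T10:00:01 action=deny src=10.1.5.23 dst=198.51.100.7 dport=6667 proto=tcp
2003-07-01T10:00:31 action=deny src=10.1.5.23 dst=198.51.100.7 dport=6667 proto=tcp
2003-07-01T10:01:02 action=deny src=10.1.5.23 dst=198.51.100.7 dport=6667 proto=tcp
2003-07-01T10:01:33 action=deny src=10.1.5.23 dst=198.51.100.7 dport=6667 proto=tcp
2003-07-01T10:02:10 action=permit src=10.1.5.40 dst=203.0.113.9 dport=80 proto=tcp
2003-07-01T10:05:00 action=deny src=10.1.5.41 dst=198.51.100.7 dport=6667 proto=tcp
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC server ports (assumed list)
LINE_RE = re.compile(r"^(?P<ts>\S+) action=\w+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_irc_beacons(log_text, min_attempts=3, window=timedelta(minutes=10)):
    """Return {(src, dst): peak_count} for internal hosts that tried to reach an
    IRC port on an external host at least min_attempts times within `window`."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in IRC_PORTS:
            continue  # unparseable line, or not an IRC-port TCP connection
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            attempts.setdefault((m["src"], m["dst"]), []).append(datetime.fromisoformat(m["ts"]))
    alerts = {}
    for key, times in attempts.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_attempts:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts

if __name__ == "__main__":
    for (src, dst), n in find_irc_beacons(SAMPLE_LOG).items():
        print(f"ALERT: {src} -> {dst} made {n} IRC connection attempts (possible IRC trojan)")
```

A single attempt (10.1.5.41 above) stays below the threshold, so the check flags persistent reconnection, not one stray packet; an alert is the cue to contact the system owner and examine the host, as the analysts did.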