You’re Hit. What Next?
The hackers have hit; your systems are down; now what? Many firms these days face this scenario. There are lots of issues here, but one of the biggest involves what to do immediately after the attack.
If you think you may want to prosecute the miscreant(s), it is critical to preserve the evidence so it can be used in court.
Your initial impulse is to just get up and running again, and that’s understandable, especially if mission-critical systems are hit. But if you want to press a court case, you need to understand computer crime forensics, the science of reconstructing the cyberattack and establishing a chain of evidence back to the attacker.
There are three places to be concerned about forensics: on the perpetrator’s computer, on the compromised computer and on the network devices in between the two.
A big advantage in unraveling the attack and possibly identifying the perp is access to system logs. Thus, it makes sense to store copies of important system logs on other computers, since crackers can edit logs on compromised systems to remove traces of their actions.
You should also:
- Restrict physical access to the area to preserve fingerprints
- Unplug any phone lines that could dial in to the attacked computer
- Unplug the computer from the network
- Photograph the scene, including connections to any peripherals, for later reference if the machine needs to be disassembled for examination
- If the computer is off, don’t turn it on; if it’s on, don’t reboot it, as this could launch viruses or time bombs. Merely turning on a Windows computer changes timestamps and other important evidence, for example.
- Avoid accessing any files on the compromised machine as that changes access timestamps.
After immediately securing the area and the computer, call in a network forensics specialist. These are high-priced consultants who can advise you further on evidence preservation. Mark Lanterman, CEO of Computer Forensics, said in a recent presentation that many times the best thing you can do is pull the electrical plug on the affected machine. Then a forensics specialist can use special software to make an exact image of the drive, preserving the evidence for later use in court. Killing the power and replacing the hard drive is another option if you need to get up and running right away. After all, restoring the machine is easy, since your organization has up-to-date, comprehensive backups of every critical machine, right?
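As an added illustration of the imaging step (example code, not from the newsletter or the consultants it quotes), the script below copies a drive bit for bit, hashes source and image, records the result in a chain-of-custody log, and re-verifies the image against that record later; it runs on a constructed sample file in place of a real device, and the `image_drive`/`verify_image` names and the log layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the newsletter: image a drive bit for bit, hash
# the source and the copy, record the result in a chain-of-custody log and
# re-verify the image against that record later. It runs on a constructed
# sample "drive" file here rather than on a real block device.
set -eu

sha256_of() {  # coreutils on Linux, shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_drive SOURCE IMAGE LOG: copy SOURCE to IMAGE (SOURCE is only ever
# read), stop if the two hashes differ, make the image read-only and append
# one tab-separated custody line. Returns 0 only for a verified image.
image_drive() {
    src=$1; img=$2; log=$3
    # conv=noerror,sync reads past bad sectors and pads them so the image
    # stays sector-aligned; the source must be whole sectors (drives are).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src"); img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash image $img_hash" >&2; return 1
    fi
    chmod 444 "$img"   # analysts work on copies of this image from now on
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$src" "$img" "$img_hash" >> "$log"
}

# verify_image IMAGE LOG: recompute the hash and compare it with the latest
# custody record for IMAGE; a changed image or a missing record fails.
verify_image() {
    img=$1; log=$2
    recorded=$(awk -F'\t' -v p="$img" '$4 == p { h = $5 } END { print h }' "$log")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$img")" ]
}

# Stand-alone demo on a constructed 4 KiB sample "drive" (random bytes).
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/drive.raw" bs=512 count=8 2>/dev/null
    image_drive "$d/drive.raw" "$d/drive.img" "$d/custody.log"
    verify_image "$d/drive.img" "$d/custody.log" && echo "image verified"
    cat "$d/custody.log"
}
demo
```

On a real machine the source would be the raw device taken from the powered-down computer, read through a write blocker, and the custody log would be kept off that machine.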
Your next steps depend on whether you want to prosecute, and risk adverse publicity, or keep the incident quiet. Frankly, my advice is to always prosecute. As long as these script kiddies and other bad actors feel there is little chance of getting caught, or, even if caught, little chance of paying for their misdeeds, they’ll keep right on attacking systems. Bringing computer criminals to justice, en masse and in public, will have some deterrent effect. If companies just sweep these problems under the rug, the Internet could become unusable due to the escalation of viruses, worms, and other attacks.
If you decide not to prosecute, it is still in your best interest to catch the crook. Otherwise he (yes, they’re mostly male) may strike again.
If you decide to get law enforcement involved, it may be in your best interest to conduct a thorough investigation first. US Attorney Elizabeth McKibbon said at a recent meeting of the Minneapolis Infragard chapter that private companies have more leeway in conducting investigations. Once the FBI gets involved, various laws concerning privacy and other civil rights issues come into play. This can be especially true if the perpetrator is a current or ex-employee – and up to 80 percent of cybercrime incidents involve insiders.
Obviously, the best course of action is to prevent the intrusion in the first place. Businesses need to take security seriously, establishing and enforcing stringent security practices, and keeping up to date on the latest software releases and security patches. And please, get rid of the passwords posted on yellow stickies on monitors!
Regardless of your security, you also need to prepare for the worst by establishing a Security Incident Response Team (SIRT) and putting them through training, including incident simulation, like that offered by Anti-Cyber Crime Team Training Services (ACCTTS).
When the unthinkable happens, it pays to be prepared. Concentrate on prevention, but be ready to act in a coordinated, effective, and evidence-preserving manner when security incidents happen. And believe me, no matter how good you are, they will.
[Note: if you’re getting tired of SNS’ recent emphasis on security, take heart. The next SNS will examine another topic.]
- Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Burn Your Inbox™.
As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
- Thin is In: From the Great Idea; Too Late Department comes an item regarding efforts to shrink the size of the bulky cathode-ray tube that produces images on most television sets and computer monitors. Two IBM scientists have developed an inch-thick CRT. The technology is pretty amazing: “Basically we banged holes in a magnet and fired electrons through the device,” said co-inventor Dr. Andrew R. Knox. Electrons are produced behind the magnet and focused on the screen by the holes in the magnet. Thus, instead of one electron beam that scurries across the screen, illuminating pixels in turn, the new tube provides one electron beam for each pixel. Pretty cool, but doesn’t IBM know about the current flat screen monitors? Unless this invention is lots cheaper than current technology, it could be consigned to the scrap heap of history along with other great ideas like the Studebaker, the Betamax and the Apple Macintosh (boy, I’ll get mail about that one!).
NY Times (registration required)
- E Ink in PDAs: I don’t know about you, but I have a hard time reading the screen on my Palm PDA. The contrast sucks, and forget about the backlight mode. Well now digital paper vendor E Ink has teamed up with Royal Philips Electronics to incorporate electronic ink displays into mobile devices. The pair aims to replace the current LCDs by mid-2003. E Ink’s electronic ink is made up of millions of microcapsules. Each microcapsule is filled with positively charged white pigment chips and negatively charged black pigment chips and a clear fluid. Applying a negative charge makes the white pigment chips become visible and a positive charge makes the black pigment chips visible. The ink can be printed onto a sheet of plastic film that is laminated to a layer of circuitry.
- More Investment in High Tech Planned: The US House Science Committee voted to increase spending on high-tech research by 10 per cent per year over the next five years. They also want to require government agencies to coordinate their research efforts and agreed to allocate $105.7 million to new cyber-security programs in fiscal year 2003, increasing each year to $229 million in fiscal 2007. The new funds would come on top of the roughly $60 million the federal government currently devotes to network security.
US House of Representatives
- The DOJ is Watching: The Department of Justice (DOJ) is already using new anti-terrorism powers to monitor cable modem users without obtaining a judge’s permission first. The Mom & Apple Pie, er, USA Patriot Act changed federal law that previously said, “a cable operator shall not disclose personally identifiable information concerning any subscriber.” The law now reads, “A cable operator may disclose such information if the disclosure is … to a government entity.” Michael Chertoff, Assistant Attorney General at the DOJ’s criminal division said that the new abilities have let police obtain information in investigations that was previously unavailable. “We would not have been able to do (this) under prior law without a specific court order.” I’m thinking there was a real good reason why you used to need a court order, but that’s just my opinion, and I could be wrong.
- Know Your Enemy: PBS is rerunning their show, Hackers, which has been praised as a good look at the psyche of the typical computer adventurer. I haven’t seen it, but you can go to PBS’ Web site and read some truly fascinating transcripts of interviews with these dangerous youngsters.
- First IPv6 Network: Cisco announced that SURFnet, the national research network organization in the Netherlands, is now delivering native IPv6 Internet service on its broadband network. IPv6 is the next-generation network-addressing scheme that removes the limitations imposed by the address space of current IP networks like the Internet. We should never run out of addresses with IPv6, as there are enough of them to assign one to every atom in the universe. IPv6 also promises other advancements like a means to ensure a particular Quality of Service (QoS) for transmissions like audio or video. IPv6 has been a bit of a tough sell due to the expense of converting networks and clients.
- Sterling on Geeks and Spooks: Science fiction author Bruce Sterling has written some stunning books of near-future prophecy and one non-fiction book, The Hacker Crackdown: Law and Disorder on the Electronic Frontier, about hackers. While no expert on hacking, cracking, and cryptography, Sterling recently addressed the “Global Challenges, Trends and Best Practices in Cryptography” conference at the Information System Security and Education Center in Washington, DC. The text of his speech is available on his Web site, and it makes good reading.
- Global Grid Progress: One way to solve huge computing problems is to link computers together in a federation and split the problem up into little pieces that each can work on. Sun and AVAKI, a P2P (peer-to-peer) startup, have joined forces to improve the interoperability of Sun’s Grid Engine and AVAKI’s solution. Sun claims that its solution is running on more than 118,000 computers today, and that more than 12,000 folks have downloaded its software. The company apparently plans to dominate the distributed computing industry, having previously established partnerships with the Open Source efforts the Global Grid Forum and Globus. You can find out more about distributed, or hive, computing in CTOMentor’s first white paper, Peer-to-Peer Computing and Business Networks: More Than Meets the Ear, available online.
- Nokia and DoCoMo Collaborate on 3G Standard: Japan’s NTT DoCoMo and Nokia will cooperate in promoting an open mobile architecture for WCDMA-based 3G services in areas such as browsing, messaging and the application execution environment. The two companies have agreed on the adoption of XHTML/CSS as the content description language, and they will work towards the adoption of Wireless Profiled TCP as a wireless transport layer. What this means is that two of the industry’s heavyweights are planning on joining forces to influence the course of so-called 3G, or Third Generation, wireless networks.