Effective Evidence
Forrester's Koetzle says that despite the temptation to fix a problem, incident response is all about preservation of the moment. To effectively respond, you must leave the damage alone, at least temporarily. "You treat the systems as a crime scene and preserve exactly what happened," she says. "You can't repair the damage. If you do, there's no evidence of what happened."
Exodus's Knesek also advises proceeding with caution. "All systems that can be removed from the network should be, to avoid damage or corruption of the evidence," she says, explaining that the most common mistake when gathering and presenting proof of hack data is accessing the evidence prior to imaging the disk. "An image copy of all hard drives should be made. All investigative activities should be well documented and chain of custody forms maintained for any and all evidentiary data."
Weafer concurs. "You have to be careful. You don't want to destroy evidence or make matters worse," he says. "You may have to disconnect a machine. You may not want to power off because there may be critical data you want to save."
"Many companies attempt to analyze the drives for evidentiary data to identify the attacker, the vulnerability that was exploited, and/or any files left behind," Knesek explains. "When searching drives for the data, many of the commands used will modify directory or file dates and time stamps. This activity is also being logged to the log files and can modify or corrupt valuable evidence.
"If this immediate analysis is necessary to protect additional corporate assets, then a detailed log of all activities performed with date and time stamps should be maintained to explain modifications to the data," she says. When presented to law enforcement and in court, the "best evidence rule" applies. The original is the best, but it's understood that this is not possible in many cases.
"Companies are not able to turn over all of their systems and network devices to law enforcement in support of a case," Knesek says. "Usually, images of all hard drives that may contain evidence are obtained by the company, a third-party vendor, or law enforcement. This evidence is write-protected and stored in a secure location where access is logged and monitored. All analysis of the data should be performed on a copy, and not the original or the imaged drive being used as evidence."
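The acquisition and handling discipline Knesek describes (image the drive, verify the image, write-protect it, analyze only a copy, and log every action with a timestamp) in working form. This is an added example, not code from the article or from any of the vendors quoted; the file layout, the JSON-lines custody log and the `examiner` actor name are assumptions, and the "disk" it processes is a constructed file, not a real image.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path
def sha256_of(path: Path) -> str:
    """Hash in chunks so a full disk image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record(log: Path, actor: str, action: str, artifact: Path) -> dict:
    """Append one chain-of-custody entry (JSON line): UTC time, who, what, and the artifact's hash."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "artifact": str(artifact), "sha256": sha256_of(artifact)}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def entries(log: Path) -> list:
    return [json.loads(line) for line in log.read_text().splitlines()]

def acquire(original: Path, evidence_dir: Path, log: Path) -> tuple:
    """Image the original, verify bit-for-bit, lock the image, hand back a working copy."""
    image = evidence_dir / (original.name + ".img")
    shutil.copyfile(original, image)
    if sha256_of(image) != sha256_of(original):
        raise RuntimeError("image does not match original; acquisition failed")
    image.chmod(0o440)  # the evidence image is never written to again
    record(log, "examiner", "acquired and verified image", image)
    working = evidence_dir / (original.name + ".work")
    shutil.copyfile(image, working)  # all analysis happens on this copy
    record(log, "examiner", "created working copy for analysis", working)
    return image, working

def image_unchanged(image: Path, log: Path) -> bool:
    """Re-hash the stored image and compare with the hash logged at acquisition."""
    recorded = [e["sha256"] for e in entries(log) if e["artifact"] == str(image)]
    return bool(recorded) and sha256_of(image) == recorded[0]

def demo() -> dict:
    # Run the workflow on a constructed 'disk' and report what the log can prove.
    root = Path(tempfile.mkdtemp())
    original = root / "disk0.raw"
    original.write_bytes(b"constructed evidence, not a real disk image\n" * 2000)
    log = root / "custody.jsonl"
    image, working = acquire(original, root, log)
    working.write_bytes(b"examiner scribbles on the working copy")  # harmless
    before = image_unchanged(image, log)
    image.chmod(0o640); image.write_bytes(b"tampered")  # simulate mishandling
    return {"actions": [e["action"] for e in entries(log)],
            "intact_after_analysis": before, "intact_after_tamper": image_unchanged(image, log)}
```

The hash in each log entry is what lets a later reviewer show that analysis on the working copy left the evidence image untouched, and that any change to the image itself is detectable.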
According to SecurityFocus's Russell, it's important to show that the log process, and intrusion detection and tracking are all ongoing, everyday processes. "Something from a victim could be generated on the fly or fake," Russell says. "It needs to be part of the regular process, and what the evidence looks like as part of the regular business process is key."
Tools of the Trade
Just as the threats from viruses, crackers, and other Internet evils are becoming more numerous and complex, the ability to identify intruders is also improving. A popular tool for analyzing network attacks is an intrusion detection system (IDS), a new breed of security software that's capable of investigating network traffic to recognize suspect, irregular patterns.
Different forms of IDSs include:
- Anomaly detection. This type of IDS picks out traffic, protocols, or packets that appear out of the ordinary.
- Misuse detection systems. These work similarly to anti-virus programs to identify known threats based on signatures.
- Passive systems. These simply identify and log security compromises.
- Reactive systems. These block malicious activity or access, rather than simply recording the incident.
Network-based intrusion detection systems (NIDS) exist as independent entities on the network and analyze every packet individually. The other variety of IDS is host-based, where all traffic to and from an individual machine or host is monitored. IDS security surpasses preventative measures like firewalls because it analyzes an intrusion and attempts to determine its source. Best of all, IDSs are a great value. "You can get a decent IDS firewall for free," says Russell.
Once intruders have been identified, you can trap them using deception software known as a honeypot. However, Forrester's Koetzle warns that it's often difficult to calibrate security software properly, to the right point of sensitivity. "A lot of administrators have trouble discerning the signal from the noise," she says. "IDSs tend to, if installed improperly, send a lot of false positives. You spend the first week going through hours and hours of wild goose chases, and actually, nothing's happening."
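The four IDS varieties listed above, and Koetzle's point about sensitivity, reduced to a runnable sketch: a misuse (signature) detector, an anomaly detector with a tunable threshold, and a response step that is either passive (log only) or reactive (block). This is an added example, not code from the article or from any product it names; the traffic sample, the baseline counts and the single signature are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
import statistics

# Constructed traffic sample: (source address, destination port, payload fragment).
SAMPLE_FLOWS = (
    [("10.0.0.5", 80, "GET /index.html")] * 6                                # busy but legitimate host
    + [("10.0.0.9", p, "") for p in (21, 22, 23, 25, 110, 143, 443, 3306)]  # sweep across ports
    + [("10.0.0.9", 80, "GET /../../../")]                                   # known web probe
)
# Connections per source seen during a quiet reference period (constructed).
BASELINE = {"10.0.0.5": 4, "10.0.0.6": 5, "10.0.0.7": 6, "10.0.0.8": 5}
# Misuse signatures: fixed patterns, like anti-virus definitions.
SIGNATURES = {"path-traversal probe": "/../"}

@dataclass
class Alert:
    source: str
    kind: str    # "misuse" or "anomaly"
    detail: str

def misuse_detect(flows) -> list:
    """Signature matching: catches only what is already known."""
    return [Alert(src, "misuse", name) for src, _, payload in flows
            for name, pattern in SIGNATURES.items() if pattern in payload]

def anomaly_detect(flows, baseline, sensitivity=3.0) -> list:
    """Flag sources whose connection count exceeds the baseline mean by more than
    `sensitivity` standard deviations. A lower setting catches more and also
    produces more false positives, which is the calibration problem in the text."""
    mean = statistics.mean(baseline.values())
    sd = statistics.pstdev(baseline.values()) or 1.0
    limit = mean + sensitivity * sd
    return [Alert(src, "anomaly", f"{n} connections, limit {limit:.1f}")
            for src, n in Counter(src for src, _, _ in flows).items() if n > limit]

def respond(alerts, reactive=False) -> dict:
    """Passive IDS: only log. Reactive IDS: also decide which sources to block."""
    log = [f"{a.kind}: {a.source} ({a.detail})" for a in alerts]
    blocked = {a.source for a in alerts} if reactive else set()
    return {"log": log, "blocked": blocked}
```

With the constructed baseline, `sensitivity=3.0` flags only the sweeping host, while `sensitivity=1.0` also flags the legitimately busy one, which is the wild goose chase Koetzle describes.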
SecurityFocus Analyst Ryan Russell says his company's Aris Analyzer (aris.securityfocus.com), an attack registry that lets users upload IDS logs, can help make sense of a recorded attack. "We'll give information on what the attack means," Russell says. "IDSs are not helpful in determining what it is. [Aris] is a way to manage the reporting process and it adds value to IDSs. You can actually interact with the rest of the world and see what they're seeing."
Russell says communication through security mailing lists and programs like Aris, which collected some 100 million IDS logs in nine months, is helping to increase awareness of the dangers that lurk around networks and aid in response by sharing information and experience.
"Regardless of the tool you use, you should find out, 'Is this a danger to me? What does it mean?'" says McAfee.com Security Architect Sam Curry. McAfee's Visual Trace service, which is based on technology that the company acquired from security tools vendor NeoWorx, is about "collecting as much information as possible so you can share it in a community."
The service, described by McAfee as "caller ID for your computer," maps the trails of various attacks, offering time and place information that security experts say is crucial to pinpointing trouble spots, and then following up with action. Capable of tracking down an attacker's geographical region, IP, and even street address, the service also provides links to law enforcement and ISPs for fighting back.
Team Effort
Forrester's Koetzle points out another resource for information about network attacks, one that many companies often don't consider or even realize is available to them. Consulting firms like AtStake (www.atstake.com) and security monitoring outfits like Counterpane (www.counterpane.com) can provide valuable insight, strategies, and techniques that you may have overlooked if you lack first-hand experience with network attacks.
"There is absolutely no way, short of disconnecting every computer you have and sitting back in an office and not working, that you can make your network secure," Koetzle insists. In many cases, even the most elaborate security measures end up doing little more than lulling administrators into a false sense of security. The best approach is to pool your team's resources and formulate a plan to respond to security breaches when they do occur.
Teams that know exactly what to do with different boxes, and whom to contact for the latest Internet affliction on the network, have thought-out security policies, Koetzle says. She emphasizes that in addition to applying defensive technologies, network defenders must "do the boring preparatory work" if they want to take on an attacker in the right way. "It's all about keeping up with the universe of threats and keeping updated," she says. "Vulnerabilities are going to happen. It's all in how you respond to them."
Jay is a reporter for a daily tech news service and writes on technology and business for several print and online publications.