RE: The "unplug the cord" dilemma

From: MARLON BORBA <MBORBA(at)trf3.gov.br>
Date: Mon Mar 31 2003 - 10:44:29 EST

>>> Omar Herrera <oherrera@prodigy.net.mx> 30/03/03 10:47 >>>

[snip!]
"1) Once there are indications of abnormal activity or behavior on a
system, an online investigation should be initiated; at this point there would be still no indication of an intrusion (this is what happens anyway with system administrators or even users in the case of workstations, someone becomes suspicious and only after seeing some indications that the system might be compromised the alarm is sounded). Proceed to step 2."

I would consider the system already compromised as I detect an "abnormal activity", depending on how you define it. Be pretty darn sure you know what is a "normal activity" specially in "mission-critical" systems.

"1b) If security controls (IDS, firewalls) provides evidence that an
intrusion is in progress, consider the system as potentially compromised and proceed to step 3."

Don't rely only on security controls; as I stated before know your system in depth and observe it also, as several attacks don't come from outside your corporation.

"2) If there is evidence or clear indications that the system might be
compromised, recommend that the system be isolated immediately and formal forensic procedures initiated. Proceed"

This depends on the kind of attack and if it is in course or already finished (there are some attacks where you need to run the system until you have sufficient "criminal evidences"). The decision here is: "how much critical is this system and the information it holds? Is the evidence collected until now enough to a "post mortem" investigation?".

"3) After receiving notification of a possible intrusion on the system,
the company (owner of the system) should decide what action to take while taking into account the following order of importance:

1. If possible and if prosecution and investigation is most important or legally required, unplug all power and communication links from the device and initiate formal forensic procedures (recording the state of the environment, initiating chain of custody procedures, etcetera)"

OK but in this case or in item 'b' be sure that a shutdown (clean or not) would not compromise evidences.

" b) If possible and if system integrity is most important but
prosecution and investigation is also required, initiate forma forensic procedures but using a clean shutdown."

" c) If system operation is most important above all and Company
is assuming the risk, continue with online investigation and execute incident isolation procedures while a replacement system is put in place"

If you are not sure where attacks are coming from, you MUST take at last minimal measures to avoid compromise of the 'backup system' also! Don't put fresh water to our bird! :-)

"(isolation might include logical isolation trough vlan from the rest of
systems in the same network segment, hardening firewalls, setting up sniffer and permanent monitoring from personnel)."

If your defenses are exactly the same as they were in the first attack you are under risk of a 'second wave'.   

"Some issues:

 Point 3 should be decided as fast as possible no matter the decision taken (forensic policies and procedures should be in place already). "

Plan and prepare ahead, the good old principle of security. :-)

" If taking decision C, could the company argue that by isolating the
system it is not failing to perform with due diligence?  Two cases for analysis:

• A critical system in an airport that controls air traffic
• The mail server of an ISP where no backup or replacement is available at the time"

No system under attack is performing with due diligence either way :-) Just take the measures to prevent a new 'debâcle' with the 'backup server'.

"Regards,

Omar Herrera"

Regards,

Marlon.

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Apr 1 22:21:48 2003