ITS4350A - Incident Response and Disaster Recovery
Chapter 8, Response Strategies
This lesson is about chapter 8. Objectives important to this lesson include:
- DoS incidents
- Unauthorized access
- Inappropriate use
The chapter begins with a horror story about a student testing a worm
program. Read through it and think about the questions at the end of
the chapter. Who is responsible for the outbreak that has now
happened? What should have been done to prevent it?
This should have been an example of what Albert Einstein, Hans
Ørsted, Ernst Mach, and others called a Gedankenexperiment. (Nouns
in German are capitalized, even when mixed with English. It means a
thought experiment.) A thought experiment is the way some ideas
should be explored, because the consequences of carrying them out in
the real world may be unacceptable. You could argue that the student
in this case carried out his thought experiment first, then found
that the real world results were not what he expected. That is the
danger in doing thought experiments: you may not know enough yet to
predict the actual results. Is it really safe to run the experiment
in the real world? It is not enough to be sure: you need to be
right. What might the student have done to be sure his disaster
could not occur?
On pages 215 and 216, the text makes a case for gathering information
while you are investigating a problem: get everything you can, then
analyze it to make a plan for containment, eradication, and recovery.
The analysis and planning stage is where the thought experimenting
takes place. Note that these actions are numbered steps in the chart
on page 216, but the chart itself does not explain what one is
supposed to do at each step. Thankfully, some explanation follows the
chart.
The text explains that containment
methods vary depending on what is happening.
- Is it spreading from devices on our network? Shut them down, or
better, pull them off the network. Isolating a machine from the
network rather than powering it off still stops the spread, and it
preserves volatile evidence (running processes, memory contents,
open connections) that the investigation will want later.
- Is it coming at us from the Internet? Break the connection to the
Internet if you must, identify the source, and add firewall rules if
possible. Can we identify IP addresses that are sending the bad
traffic? Blocking those addresses may help. This works best against
a DoS from a few heavy sources; in a large DDoS the sources are many
and often spoofed, so filtering upstream at the ISP matters more
than rules on your own firewall.
Eradication means repair of the damage done, and removal of the
various viruses, worms, altered files, and other kinds of mess left
by the attacker. The text reminds us that a particularly nasty
attacker may decide to leave behind software that will cause more
damage after the initial attack has ended. If, on the other hand,
the attacker intends to return, there is more likely to be a new
back door to the system, created by the attacker to make it easy to
re-enter what has become a favorite data source. Finding new accounts
with elevated rights should make your admins wonder what else has
been changed about the system.
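One concrete way to look for the "new accounts with elevated rights" the paragraph above describes is to diff a trusted pre-incident snapshot of the account database against the one on the machine now. The script below is an added example for this lesson, not from the textbook: the /etc/passwd and /etc/group excerpts are constructed, and treating "wheel" and "sudo" as the privileged groups is an assumption about the system being checked.

```python
"""Diff account snapshots to find new accounts or newly elevated rights.

Added example for this lesson, not from the textbook. The snapshots are
constructed /etc/passwd and /etc/group excerpts; 'wheel' and 'sudo' as the
privileged groups is an assumption about the system being examined.
"""

PRIVILEGED_GROUPS = {"wheel", "sudo"}  # assumed names of the admin groups

# Constructed baseline snapshot, taken (and stored off-host) before the incident.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
"""
GROUP_BEFORE = """\
root:x:0:
wheel:x:10:alice
www-data:x:33:
"""

# Constructed snapshot taken from the host during triage.
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
support:x:1001:1001::/home/support:/bin/bash
toor:x:0:0::/:/bin/bash
"""
GROUP_AFTER = """\
root:x:0:
wheel:x:10:alice,www-data
www-data:x:33:
"""


def parse_passwd(text):
    """Map username -> uid for each well-formed passwd line (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Map group name -> set of member usernames (4 colon-separated fields)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            groups[fields[0]] = set(filter(None, fields[3].split(",")))
    return groups


def find_elevation(passwd_before, group_before, passwd_after, group_after):
    """Return findings: new accounts, accounts that gained uid 0, new admin-group members."""
    findings = []
    before, after = parse_passwd(passwd_before), parse_passwd(passwd_after)
    for user in sorted(set(after) - set(before)):
        findings.append(f"new account: {user} (uid {after[user]})")
    # A second uid-0 account is a classic persistence trick; report it even when the
    # name looks harmless or the account existed before under a different uid.
    for user, uid in sorted(after.items()):
        if uid == 0 and before.get(user) != 0:
            findings.append(f"uid 0 account: {user}")
    gb, ga = parse_group(group_before), parse_group(group_after)
    for grp in sorted(PRIVILEGED_GROUPS & set(ga)):
        for member in sorted(ga[grp] - gb.get(grp, set())):
            findings.append(f"new member of {grp}: {member}")
    return findings


if __name__ == "__main__":
    for finding in find_elevation(PASSWD_BEFORE, GROUP_BEFORE, PASSWD_AFTER, GROUP_AFTER):
        print(finding)
```

The baseline only has value if the attacker could not edit it, so it belongs off the host (or at least alongside a hash you can check). The same diff-against-baseline approach answers the "what else has been changed" question for sudoers, cron entries, and authorized_keys files.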
Recovery, as usual, means restoring the system to the state it was
in before the incident. However, in the case of an attack, the
system should come back better than before, guarded against that
specific attack. Recovery may mean restoration of data,
reinstallation of operating systems and programs, and closing
whatever part of the attack surface was exploited. Restore from a
backup known to predate the compromise: restoring one that already
contains the attacker's back door simply reinstalls it.
This leads to another issue. The text presents a story about a
software and hardware business that was hacked, resulting in the
theft of customer account information including credit card
numbers. The people running the business chose to send a series of
letters to customers, each worse than the last, describing the loss
and how large a segment of the customer database was compromised.
Current breach notification law requires telling the customers the
truth promptly, not holding back the bad news. Stolen records are
never recovered, so there was no reason to expect the situation to
get better by waiting to tell the customers their data had been
stolen.
The text moves on to consider handling an incident. Various texts
we use discuss security incidents in terms of four categories, and
this one introduces a fifth that is a combination of the other four:
- Denial of Service attack
- Malware attack
- Unauthorized access
- Inappropriate usage
- Hybrid attack, having the characteristics of two or more of
the types above
The text presents a discussion of handling each of the four major
types. The advice here is more informative.
For a DoS attack:
- Coordinate with your ISP. If you are under a denial of service
attack, so is your Internet service provider, and it can filter the
traffic upstream before it fills your link.
- Watch for deviations from your normal network traffic to detect
the attack sooner. This presumes you already have a baseline of
what normal looks like.
- Use packet filters to drop traffic that makes no sense for your
network, such as traffic to ports you do not serve.
- Filter based on the characteristics of the actual attack once you
have identified them.
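Both the containment list earlier (identify the addresses sending the bad traffic and block them) and the DoS advice just above (watch for deviations from normal, then filter on the attack's characteristics) come down to the same mechanics: compare current per-source volume against a baseline and turn the outliers into firewall rules. The script below is an added example for this lesson, not from the textbook. The log format, the baseline figure, the 3x threshold, the protected address range, and the nftables table and chain names are all assumptions made for illustration.

```python
"""Flag sources whose traffic volume deviates from baseline and draft block rules.

Added example for this lesson, not from the textbook. Log format, baseline,
threshold factor, protected range, and nftables table/chain names are assumed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: one line per connection attempt, "time src_ip dst_port".
# In practice these would come from a flow collector or the firewall's own log.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 443
10:00:01 198.51.100.22 443
10:00:02 203.0.113.7 443
10:00:02 203.0.113.7 443
10:00:02 192.0.2.88 80
10:00:03 203.0.113.7 443
10:00:03 203.0.113.7 443
10:00:03 198.51.100.22 443
10:00:04 203.0.113.7 443
10:00:04 203.0.113.7 443
10:00:04 203.0.113.7 443
"""

# Assumed baseline: mean connection attempts per source in a normal window of
# the same length, measured earlier when nothing was wrong.
BASELINE_MEAN = 2.0

# Never auto-block these (assumed values): your own monitoring hosts, the ISP,
# partners. An automated rule that blocks them does damage of its own.
NEVER_BLOCK = [ip_network("198.51.100.0/24")]


def count_sources(log_text):
    """Return a Counter of connection attempts per source IP; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # do not let one bad line crash triage
        try:
            ip_address(parts[1])
        except ValueError:
            continue
        counts[parts[1]] += 1
    return counts


def find_outliers(counts, baseline_mean, factor=3.0):
    """Sources exceeding baseline_mean * factor, excluding the protected ranges."""
    threshold = baseline_mean * factor
    outliers = []
    for src, n in counts.most_common():
        if n <= threshold:
            break  # most_common() is sorted descending, nothing further qualifies
        if any(ip_address(src) in net for net in NEVER_BLOCK):
            continue
        outliers.append((src, n))
    return outliers


def block_rules(outliers):
    """Render nftables drop rules for an operator to review before applying.

    Assumes a table 'inet filter' with an 'input' chain already exists.
    """
    return [f"nft add rule inet filter input ip saddr {src} drop  # {n} attempts"
            for src, n in outliers]


if __name__ == "__main__":
    outliers = find_outliers(count_sources(SAMPLE_LOG), BASELINE_MEAN)
    print("\n".join(block_rules(outliers)))
```

The rules are printed rather than executed on purpose: an operator should confirm that the top talker is not a load balancer, a proxy, or a partner before anything is dropped. Against a few heavy sources this is enough; against a large or spoofed DDoS the list of outliers is what you hand to the ISP rather than something your own firewall can keep up with.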
For a Malware attack:
- Warn your users about malware that has been reported by
protection vendors. If others have seen it recently, you may see it
soon.
- Filter spam out of email. Remind users not to run programs
attached to email.
- Check for antivirus signatures and removal tools from your own
vendor and others.
- Scan your systems for open ports that you have not opened
yourself. An unexpected listening port may be a malware program
waiting for commands or offering a service of its own.
- Audit the processes running on your servers.
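The last two items above, checking for ports you did not open and auditing the processes behind them, are best done together, because a listener is only "expected" if both the port and the program owning it are the ones you intended. The script below is an added example for this lesson, not from the textbook: the sample is constructed in the shape of Linux `ss -tlnp` output, and the allowlist of (port, process) pairs is an assumption about what this particular server is supposed to run.

```python
"""Compare listening sockets against an allowlist of expected (port, process) pairs.

Added example for this lesson, not from the textbook. The sample mimics the
output of `ss -tlnp` on Linux and is constructed; EXPECTED_LISTENERS is an
assumption about what this host should be running.
"""
import re

# Assumed: the ports this host should listen on, and the program that owns each.
EXPECTED_LISTENERS = {(22, "sshd"), (80, "nginx"), (443, "nginx")}

# Constructed sample in the shape of `ss -tlnp` output, header line included.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*           users:(("nginx",pid=1203,fd=6))
LISTEN 0      511    *:443               *:*           users:(("python3",pid=5012,fd=4))
LISTEN 0      128    0.0.0.0:31337       0.0.0.0:*     users:(("kworkerd",pid=4471,fd=5))
LISTEN 0      128    [::1]:5432          [::]:*        users:(("postgres",pid=990,fd=7))
"""

# Pulls the process name and pid out of the users:(("name",pid=N,fd=M)) column.
PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return a list of (port, process_name, pid) for each LISTEN line; other lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rsplit on the last colon handles 0.0.0.0:22, *:80 and [::1]:5432 alike.
        port = int(fields[3].rsplit(":", 1)[1])
        m = PROCESS_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append((port, proc, pid))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_LISTENERS):
    """Return listeners whose (port, process) pair is not on the allowlist.

    Matching on the pair rather than the port alone catches a rogue program that
    has taken over an expected port (443 below) as well as a brand-new port.
    """
    return [entry for entry in listeners if (entry[0], entry[1]) not in expected]


if __name__ == "__main__":
    for port, proc, pid in unexpected_listeners(parse_ss(SAMPLE_SS)):
        print(f"unexpected listener: port {port} owned by {proc} (pid {pid})")
```

Two caveats a practitioner would add. First, on a compromised host the `ss` binary itself may have been replaced, so collect the list with a trusted copy of the tool or from a second host with a network scan, and compare the two views: a port visible from the network but missing from the host's own list is a strong sign of a rootkit. Second, a finding such as the loopback postgres listener above is only "unexpected" because the allowlist is incomplete; the allowlist has to be maintained as part of the system's documented configuration or the report fills with noise.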
For Unauthorized access:
- Note the examples on pages 232 and 233, which give us behaviors
to watch for.
- Require passwords with increased complexity and shorter lifetimes.
(Current guidance in NIST SP 800-63B favors length and screening
against known-breached passwords over forced periodic changes, but
the underlying point stands: any credential that may have been
exposed must be changed.)
- Run regular vulnerability scans and take action on the results.
- Deny all traffic that is not permitted by a valid rule.
- During the attack, disable compromised accounts and close the
ports that are associated with the attack.
For Inappropriate use:
- This can range from the completely innocent use of company
equipment to the intentional misuse of it for malevolent purposes.
Use restraint in applying discipline: if you never told them not to
do something, employees will find a way to do it.
- Educate your users about appropriate and inappropriate use for
every kind of new equipment. Remind staff about appropriate use
of old equipment from time to time.
- Collect evidence and take action that is appropriate to the
level of the offense.
The text closes the chapter with a recommendation to use automated
detection and automated response systems. A technical control that
kicks in sooner than a live administrator could act can save a lot
of your assets. It might have helped in the case of the worm in the
chapter's opening story. The caveat is that an automated response
acting on a false positive can do damage of its own, such as
blocking a partner's address range or shutting down a production
server, so its triggers need tuning and its actions need limits.