
The importance of good training cannot be overemphasized. Today, there are numerous classes that provide hands-on hacking and incident response training. These courses are well worth their costs. Some institutions that offer computer incident response training are Foundstone, Carnegie Mellon, and SANS.

GO GET IT ON THE WEB

Foundstone: http://www.foundstone.com

Carnegie Mellon Software Engineering Institute: http://www.cert.org

Chapter 3: Preparing for Incident Response


It is also a good idea for CIRT members to join professional organizations to continue their education and to rub elbows with the individuals they may call for help one day. Consider that most law enforcement and private companies that respond to a computer security incident on your behalf have access to perhaps all of your vital assets. They will inadvertently gather information that is not within the scope of the original incident. For example, during the course of an investigation, law enforcement agents may find out who is cheating on their spouse, who has a drug habit, and who has a criminal history. You can see how it can help to get acquainted with the local law enforcement personnel prior to an incident.

A few years ago, we were involved in a response to a computer intrusion in New England. We sent four individuals to work on the alleged break-in. Within a few hours, we had obtained evidence that showed someone had broken into the organization’s network. After conducting interviews and performing forensic duplication of seven machines involved within the scope of the case, we had already spent more than one week on site. What sounds like a little effort can take a long, long time.

As another example, my first child pornography case involved an evidence drive of only 2GB. It was critical to determine:

▼ How many unlawful images were on the system

■ Whether the images were disseminated

■ Who the images were disseminated to

▲ Where the original images originated from

The Assistant U.S. Attorney I was working with stressed the importance of proving the dissemination, because it was an additional threshold for a longer sentence for the suspect. How long did the review of the 2GB hard drive take? Just about 20 days, including about 15 days of hitting the Page Down key looking for something!

Incidents get people worked up, and they want answers right away. It is the team leader’s role to maintain a level and realistic view of what can be accomplished and when.

There are several professional organizations that allow law enforcement officers to mingle with computer security professionals:

InfraGard An FBI program designed to address the need for private and public-sector information sharing, at both the national and local level.

High Technology Crime Investigation Association (HTCIA) An association designed to encourage and facilitate the exchange of information relating to computer incident investigations and security.

Information Systems Security Association (ISSA) A not-for-profit international organization of information security professionals and practitioners. It provides education forums, publications, and peer-interaction opportunities.

Forum of Incident Response and Security Teams (FIRST) A coalition that brings together incident response teams from government, commercial, and academic organizations.

GO GET IT ON THE WEB

InfraGard: http://www.infragard.net

High Technology Crime Investigation Association (HTCIA): http://www.htcia.org

Information Systems Security Association (ISSA): http://www.issa.org

Forum of Incident Response and Security Teams (FIRST): http://www.first.org

A student at a seminar I was teaching asked, “Should I call law enforcement on this?” I responded by asking a number of questions. “Did you do the proper liaison with the local law enforcement? Do they have the technical competence to pick up where you left off? Did you properly document the incident so it is easily understood and promotes a good argument for law enforcement to take the case?” The bottom line is that knowing the law enforcement staff beforehand makes it much easier to call than when you need help with an incident.

SO WHAT?

To paraphrase an old saying, “Proper prior preparation prevents poor performance.” In the case of incident response, preparation is key. Preparation for investigators ensures swift, appropriate response and minimizes the chance of errors. Preparation for system administrators involves configuring hosts and networks in a manner that reduces the risk of incidents and eases the task of resolving incidents.

However, we realize that in the real world, pre-incident preparation is extremely difficult, both technically and ideologically. Many universities and organizations staunchly defend First Amendment rights (that’s freedom of speech) and consequently have few controls in place to monitor user activities. Also, many networks are such a hodgepodge of different entry points and configuration nightmares that there is no easy way to posture a sound network defense. Therefore, the response steps outlined in the rest of this book do not assume that all the steps outlined in this chapter have been taken.

QUESTIONS

1. What three factors are used to determine risk?

2. What are the advantages of cryptographic checksums?

3. How does network topology affect incident response?

4. Your boss asks you to monitor a co-worker’s email. What factors influence your answer?

CHAPTER 4

After Detection
