Page 1:

Recovering from an Attack

Version 0.1

March, 2003

Bill Woodcock

Packet Clearing House

Page 3:

If you’ve been listening at all…

You’ll have understood by now that the best time to clean up…

…is BEFORE an attack.

Page 4:

Points to Consider

Is the attack ongoing?

If so, should you stop it, or do you need to allow it to continue, in order to backtrack it to its source, or allow law enforcement to do so?

If it must be allowed to continue, can critical information be safeguarded without alerting the attacker?

Page 5:

Points to Consider

Is the attack destroying resources, or is there a significant risk that it will do so?

Is the attack exposing confidential information?

Is the attack exposing you to liability for facilitating further attacks against others?

Is the attack preventing your company from performing its core business?

Is the attack harming employee morale or public relations?

Page 6:

If the attack is a PERSON:

Have you removed access? Changed locks and passwords, and informed security guards?

Do you need to retrieve company property such as a laptop computer?

Do you need to inform any third parties, like cancelling a company credit card, or informing customers that the person no longer represents your company?

Page 7:

If the attack is a DoS:

Can you characterize the Denial of Service traffic load in some way which distinguishes it from your normal operational traffic?

If so, convey that information to your up-stream ISPs, and ask them to propagate it to their up-stream ISPs, while coordinating with law enforcement if feasible.

Think about what statement or incident or action or person might have incited the attack, and how to avoid doing so again.
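The characterization step on this slide, as an added example that is not part of the original slides: it reads constructed NetFlow-style flow records (one flow per line) from a quiet period and from the attack window, finds the dimensions (protocol, service port, destination, source /24) in which the attack packets are concentrated but the baseline is not, and summarizes the matching traffic in the form an upstream ISP needs. The record format, the addresses (RFC 5737 documentation ranges), and the 80% / 20% thresholds are assumptions.

```python
"""Characterize DoS traffic against a quiet-period baseline (added example)."""
import ipaddress
from collections import Counter

# Constructed flow records (not real captures), one flow per line:
#   ts  src  dst  proto  dport  pkts  bytes
# Quiet period before the attack.
BASELINE_FLOWS = """\
1000 192.0.2.50     192.0.2.10 tcp 80  40 38000
1000 198.51.100.7   192.0.2.10 tcp 80  35 33000
1001 203.0.113.9    192.0.2.10 tcp 443 20 21000
1001 192.0.2.51     192.0.2.10 udp 53  4  320
1002 198.51.100.8   192.0.2.11 tcp 25  12 9000
1002 203.0.113.10   192.0.2.10 tcp 80  30 29000
"""

# Attack window; legitimate traffic is still mixed in with the flood.
ATTACK_FLOWS = """\
2000 198.51.100.21  192.0.2.10 udp 53  5000 200000
2000 198.51.100.22  192.0.2.10 udp 53  4800 192000
2000 203.0.113.31   192.0.2.10 udp 53  5200 208000
2001 203.0.113.32   192.0.2.10 udp 53  5100 204000
2001 192.0.2.50     192.0.2.10 tcp 80  40   38000
2001 203.0.113.9    192.0.2.10 tcp 443 20   21000
2001 198.51.100.8   192.0.2.11 tcp 25  12   9000
"""

# Dimensions along which a flood usually concentrates.
DIMENSIONS = {
    "proto": lambda f: f["proto"],
    "service": lambda f: f"{f['proto']}/{f['dport']}",
    "dst": lambda f: f["dst"],
    "src_prefix": lambda f: str(ipaddress.ip_network(f"{f['src']}/24", strict=False)),
}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def packet_shares(flows):
    """Fraction of all packets carried by each value of each dimension."""
    total = sum(f["pkts"] for f in flows)
    shares = {}
    for dim, key in DIMENSIONS.items():
        counts = Counter()
        for f in flows:
            counts[key(f)] += f["pkts"]
        shares[dim] = {value: n / total for value, n in counts.items()}
    return shares


def characterize(baseline, attack, min_attack_share=0.8, max_baseline_share=0.2):
    """Pick (dimension, value) pairs that dominate the attack window but not the
    baseline, then describe the traffic that matches all of them."""
    base, atk = packet_shares(baseline), packet_shares(attack)
    discriminators = {}
    for dim in DIMENSIONS:
        value, share = max(atk[dim].items(), key=lambda kv: kv[1])
        if share >= min_attack_share and base[dim].get(value, 0.0) <= max_baseline_share:
            discriminators[dim] = value
    matched = [f for f in attack
               if all(DIMENSIONS[d](f) == v for d, v in discriminators.items())]
    if not matched:
        raise ValueError("no flow matches the chosen discriminators")
    pkts = sum(f["pkts"] for f in matched)
    window = max(f["ts"] for f in matched) - min(f["ts"] for f in matched) + 1
    sources = Counter()
    for f in matched:
        sources[DIMENSIONS["src_prefix"](f)] += f["pkts"]
    return {
        "discriminators": discriminators,
        "avg_packet_bytes": sum(f["bytes"] for f in matched) / pkts,
        "pps": pkts / window,
        "share_of_attack_window": pkts / sum(f["pkts"] for f in attack),
        "top_source_prefixes": [p for p, _ in sources.most_common(3)],
    }


def describe(sig):
    """One line to hand to the upstream ISP (and law enforcement)."""
    what = ", ".join(f"{d}={v}" for d, v in sig["discriminators"].items())
    return (f"{what}; ~{sig['pps']:.0f} pps; avg {sig['avg_packet_bytes']:.0f}-byte packets; "
            f"{sig['share_of_attack_window']:.0%} of packets in window; "
            f"top sources {', '.join(sig['top_source_prefixes'])}")


if __name__ == "__main__":
    signature = characterize(parse_flows(BASELINE_FLOWS), parse_flows(ATTACK_FLOWS))
    print(describe(signature))
```

On the constructed data the destination is rejected as a discriminator because the victim server also carries nearly all of the baseline traffic, and no source /24 dominates, so a request to filter "everything to 192.0.2.10" or "everything from 203.0.113.0/24" would cut off legitimate traffic; what does distinguish the flood is udp/53 at about 10,000 packets per second with 40-byte packets. Pass the packet size and rate along with the port, since an upstream filter on udp/53 alone also drops the victim's real DNS traffic, and ask for rate-limiting rather than a blanket drop where the upstream can do it.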

Page 8:

If the attack is a VIRUS or WORM:

Find out how to identify infected machines.

Find out how to stop propagation or reinfection from the outside or from pockets within your organization.

Determine to what degree hosts need to be sterilized.

Download and install a fixed version of the vulnerable software.

Evaluate whether a more secure piece of software might be in order.

Page 9:

If the attack is a TROJAN HORSE:

Educate your staff immediately. Let them know what it looks like, that they should be actively looking for it, and that the consequences of spreading it are very serious.

Identify affected machines.

Determine the method of sterilization.

Page 10:

If the attack is against SUPPORT INFRASTRUCTURE:

Identify the affected resource (power, communications, cooling, transportation).

Minimize draw by shutting down less-needed equipment (lights, non-critical processes and machines) and by letting the room temperature rise gradually toward ambient.

Identify backup hardware and bring it into effect.

Page 11:

If the attack is against a HOST:

Identify the scope of the attack; has the attacker gained root? Do they have access to the entire file-system?

Are there special privileges accorded this host by others, which might be made more vulnerable thereby?

Can the system be isolated, or must it remain on-line?

What method is the attacker using to communicate with the host?
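Two of the questions on this slide (what privileges other hosts extend to this one, and how the attacker is talking to it) can be answered mechanically from evidence you should already have. As an added example, not from the original slides: it parses a constructed `netstat -an` snapshot from the compromised host against the listeners the host was built with, to surface backdoor listeners and the connections the host itself opened, and walks a constructed trust map (the kind of relationships recorded in hosts.equiv, .rhosts or authorized_keys) to find every host that admits the compromised one, directly or by chaining. The snapshot, the build record, the hostnames and the trust map are assumptions.

```python
"""Scope a host compromise: rogue listeners, attacker channels, exposed hosts (added example)."""
from collections import deque

# Constructed `netstat -an`-style snapshot from the compromised host (not a real capture).
NETSTAT_SNAPSHOT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.50:40112        ESTABLISHED
tcp        0      0 192.0.2.10:45678        203.0.113.66:6667       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Services this host is supposed to offer, from its (assumed) build record.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 80), ("udp", 53)}

# Constructed trust map: host -> hosts whose users it admits without a password.
TRUSTS = {
    "www": {"bastion"},
    "db": {"www"},
    "backup": {"www", "db"},
    "mail": {"bastion"},
    "bastion": set(),
}


def parse_netstat(text):
    conns = []
    for line in text.splitlines()[1:]:        # skip the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = foreign.rsplit(":", 1)
        state = parts[5] if len(parts) > 5 else ""
        if proto == "udp" and rport == "*":   # bound UDP socket: treat as listening
            state = "LISTEN"
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": None if rport == "*" else int(rport),
                      "state": state})
    return conns


def listening(conns):
    return {(c["proto"], c["lport"]) for c in conns if c["state"] == "LISTEN"}


def unexpected_listeners(conns, expected):
    """Listening sockets absent from the build record: bindshells, rogue services."""
    return listening(conns) - set(expected)


def outbound_connections(conns):
    """Established sessions whose local port is not one we listen on, i.e. sessions
    the host itself opened (reverse shells, IRC command channels, exfiltration)."""
    ours = listening(conns)
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and (c["proto"], c["lport"]) not in ours]


def hosts_exposed_by(trusts, victim):
    """Hosts reachable from `victim` by chaining trust relationships, with the path used."""
    trusted_by = {h: set() for h in trusts}    # h -> hosts that let h in
    for host, admits in trusts.items():
        for h in admits:
            trusted_by.setdefault(h, set()).add(host)
    paths = {victim: [victim]}
    queue = deque([victim])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(trusted_by.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return {h: p for h, p in paths.items() if h != victim}


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SNAPSHOT)
    print("unexpected listeners:", unexpected_listeners(conns, EXPECTED_LISTENERS))
    for c in outbound_connections(conns):
        print("outbound:", c["laddr"], c["lport"], "->", c["raddr"], c["rport"])
    for host, path in hosts_exposed_by(TRUSTS, "www").items():
        print("exposed:", host, "via", " -> ".join(path))
```

The parser assumes the Linux `netstat -an` column layout; adjust the field positions for other systems. Treat the host's own netstat as a lead, not as proof: a kernel-level rootkit can hide sockets from it, so confirm the listeners with a port scan from another machine and confirm the outbound channel from router or firewall logs before deciding whether the host can be isolated.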

Page 14:

All of these problems can be responded to more quickly and effectively if you’ve…

Considered them and made a contingency plan, and…

Prepared any resources like data backups or spare equipment which you’ll need.

Page 15:

Bill Woodcock

[email protected]