Understanding Incident Handling

When an intrusion on your network occurs, the mantra you must chant is, “Do not panic!” Panicking is the worst thing you can do: if you rush and don't take time to think things through, you could miss or damage essential forensic information that security professionals, network-intrusion specialists, and even the authorities may need. Hopefully, if you have an effective IDS solution in place, you will actually be aware of the incident while it is happening, and you may even be able to keep the intruder connected. At minimum, you might be able to gather some information on the intruder.

A few pieces of information can be critical when trying to catch or stop a hacker during or after an incident. This information definitely includes the intruder's IP address (although keep in mind this may not be their real address), the point at which the hacker managed to get in, and what data, if any, has been touched.

IN THE FIELD: INCIDENT INFORMATION GATHERING

The first thing that hackers typically go for is the system's event logs. It can be imperative to secure these or have copies of the information handy for later analysis. A very good idea is to spend a little time securing your event logs and if your operating system or IDS software allows, move them to a different location (preferably a different system or central server) from the default because most hackers know the default location on most major operating systems. You can even consider backing up the logs to CD-ROM media. This solution is cheap and can be easily secured because the data cannot be deleted or overwritten by an intruder.
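The sidebar's advice is to keep a copy of the event logs somewhere the intruder cannot alter or erase, and to be able to prove later that the copy is intact. The following is an added example, not code from the book: it copies a log into an archive directory (in practice a central log server or write-once media) and records each copy in a hash chain, so that an edited or missing copy is detected at analysis time. The sample log lines, file names and directory layout are constructed for the example.

```python
"""Tamper-evident archive of event-log snapshots (added example, not from the book).

Each index record stores SHA-256(previous_hash || log_bytes), so editing, replacing
or deleting an archived copy breaks the chain and is reported by verify().
The index itself must live where the intruder cannot reach it (central server,
write-once media); the chain only detects tampering, it does not prevent it.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample event-log content; not real data.
SAMPLE_LOG = b"\n".join([
    b"2024-01-01T10:00:00 sshd[1]: Accepted password for alice from 198.51.100.7",
    b"2024-01-01T10:00:05 sshd[1]: Failed password for root from 203.0.113.9",
    b"2024-01-01T10:00:06 useradd[2]: new user: name=svc_backup, UID=0",
]) + b"\n"

GENESIS = "0" * 64  # "previous hash" for the very first record


def chain_hash(prev_hash: str, data: bytes) -> str:
    """SHA-256 over the previous record's hash followed by the log bytes."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(data)
    return h.hexdigest()


def load_index(index: Path) -> list:
    """Read the JSON-lines index; an absent index means no snapshots yet."""
    if not index.exists():
        return []
    lines = index.read_text(encoding="utf-8").splitlines()
    return [json.loads(line) for line in lines if line.strip()]


def snapshot(log_bytes: bytes, archive_dir: Path) -> dict:
    """Copy log_bytes into archive_dir and append a chained record to the index."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    index = archive_dir / "index.jsonl"
    records = load_index(index)
    prev = records[-1]["hash"] if records else GENESIS
    seq = len(records)
    copy_path = archive_dir / f"log-{seq:06d}.bin"   # constructed naming scheme
    copy_path.write_bytes(log_bytes)
    record = {"seq": seq, "file": copy_path.name, "prev": prev,
              "hash": chain_hash(prev, log_bytes)}
    with index.open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify(archive_dir: Path) -> list:
    """Return a list of problems; an empty list means every copy matches the chain."""
    problems = []
    prev = GENESIS
    for expected_seq, rec in enumerate(load_index(archive_dir / "index.jsonl")):
        if rec["seq"] != expected_seq:
            problems.append(f"record {expected_seq} missing (found seq {rec['seq']})")
        if rec["prev"] != prev:
            problems.append(f"record {rec['seq']}: chain broken")
        copy_path = archive_dir / rec["file"]
        if not copy_path.exists():
            problems.append(f"record {rec['seq']}: copy {rec['file']} missing")
        elif chain_hash(prev, copy_path.read_bytes()) != rec["hash"]:
            problems.append(f"record {rec['seq']}: copy {rec['file']} altered")
        prev = rec["hash"]
    return problems


def run_demo() -> tuple:
    """Archive two snapshots, then simulate an intruder editing the first copy.

    Returns (problems_before_edit, problems_after_edit)."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d)
        snapshot(SAMPLE_LOG, archive)
        snapshot(SAMPLE_LOG + b"2024-01-01T10:01:00 sshd[1]: session closed\n", archive)
        before = verify(archive)
        # Rewrite the UID=0 line in the archived copy, as an intruder covering tracks would.
        first = archive / "log-000000.bin"
        first.write_bytes(first.read_bytes().replace(b"UID=0", b"UID=1001"))
        after = verify(archive)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("problems before edit:", before)
    print("problems after edit:", after)
```

Running the demo reports no problems after the two snapshots and exactly one "altered" record after the edit; the second record still verifies because its own copy and its `prev` link are unchanged. On a real deployment the archive directory would be the central server's path and the index would be copied to the CD-ROM along with the logs.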

Another important thing to determine is whether the hacker has opened a back door into your network or system. They can accomplish this by creating another security vulnerability (creating a fake user account, and so on) or by placing some type of Trojan horse utility on your server. If they perform the latter, any kind of antivirus software installed on the network or on that server should catch most currently available Trojans with little effort, so it is a good idea to run an antivirus scan after an incident has occurred to ensure this hasn't happened.
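The "fake user account" back door is the easiest of these to check for mechanically: compare the account list captured after the incident against a baseline taken before it. The following is an added example, not code from the book. It parses passwd-style records (the two listings are constructed; on a real system the baseline would come from the central server or offline media and the current listing from the affected host) and flags added accounts, accounts whose UID changed, service accounts that gained a login shell, and any UID 0 account other than root.

```python
"""Account-baseline comparison for back-door detection (added example, not from the book).

Records use the /etc/passwd layout name:pw:uid:gid:gecos:home:shell.  Both listings
below are constructed for the example; the baseline must come from a copy taken
before the incident and stored where the intruder could not edit it.
"""
from typing import Dict, List, NamedTuple

# Constructed pre-incident baseline.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed post-incident listing: www-data got a shell and a UID 0 "support" user appeared.
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:Support:/tmp:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, Account]:
    """Parse passwd-style text into a name -> Account map; reject malformed records."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd record: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def find_suspicious(baseline: Dict[str, Account],
                    current: Dict[str, Account]) -> List[str]:
    """Return human-readable findings; an empty list means the listings agree."""
    findings: List[str] = []
    for name in sorted(set(current) - set(baseline)):
        findings.append(f"new account: {name} (uid {current[name].uid})")
    for name in sorted(set(baseline) - set(current)):
        findings.append(f"account removed: {name}")
    for name in sorted(set(current) & set(baseline)):
        old, new = baseline[name], current[name]
        if old.uid != new.uid:
            findings.append(f"uid changed: {name} {old.uid} -> {new.uid}")
        if old.shell in NOLOGIN_SHELLS and new.shell not in NOLOGIN_SHELLS:
            findings.append(f"login shell enabled: {name} {old.shell} -> {new.shell}")
    for name, acct in sorted(current.items()):
        if acct.uid == 0 and name != "root":
            findings.append(f"uid 0 account other than root: {name}")
    return findings


def run_demo() -> List[str]:
    """Compare the constructed listings and return the findings."""
    return find_suspicious(parse_passwd(BASELINE), parse_passwd(CURRENT))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the constructed listings the comparison yields three findings: the new `support` account, the login shell enabled on `www-data`, and `support` holding UID 0. The same diff approach applies to group membership, scheduled tasks and startup entries, which are the other common places a back door is planted.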

Most importantly, you should have some kind of disaster plan in place. Such a plan must address what exactly needs to be done in a situation like this—especially if whoever takes care of security isn't available or has left the company. If you have a plan, then anyone can perform the necessary steps to retain information and contact the necessary people.
