Handling Specific Incidents

The principles outlined in the previous section provide an excellent framework for handling all computer-security incidents. In this section, we examine specific steps that should be taken in response to certain types of incidents.

Web Server Attacks

Web server attacks usually take one of two forms: denial-of-service attacks or site defacement. Denial-of-service attacks aim to prevent Web users from accessing a site. Response teams can often blunt these attacks by having rapid response “hot sites” and DNS modification kits available to redirect Web traffic. When hackers launch site-defacement attacks, they replace legitimate Web content with content of their own choosing (often denigrating the target organization or containing obscene information). To assist with resolving defacement attacks, CIRT teams should always have full backups of Web content available. Furthermore, tools such as Tripwire (http://www.tripwire.com) can be used to monitor a server for unauthorized file modifications.

Virus Attacks

Virus attacks (and attacks by other forms of malicious code) are among the most difficult to rectify. They spread quickly, infect a large number of systems, and often perform highly damaging actions on each system they reach. CIRT teams should ensure that an effective virus-detection package is in place on the network and that administrators update the package frequently. When a virus attack occurs, the CIRT should mandate a complete virus scan of the network to ensure total eradication.

Firewall or IDS Alerts

Firewalls and intrusion detection systems (IDS) provide valuable alerting tools to detect possible malicious activity. Front-line personnel should investigate all alerts, but not every alert is cause for declaration of a computer security incident and activation of the CIRT. As discussed in Chapter 4, these alerts are often false positive reports triggered by legitimate or spurious activity.

Unauthorized Modification of Files

Unauthorized file modification incidents should be handled in a similar manner to Web server attacks. The main concern during recovery is to identify modified files and restore the original copies. This requires a strong backup policy and effective recovery mechanisms. A tool such as Tripwire (described in the “Web Server Attacks” section) is useful in detecting this type of attack.

Unauthorized Application Execution

If unauthorized application execution takes place, incident responders should determine whether the application itself was authorized. If the application itself was unauthorized, eradication may simply involve uninstalling the application and removing the security hole that allowed it to be installed. If the incident involved an unauthorized user executing an otherwise legitimate application, additional steps should be taken to ensure that sensitive data was not obtained or modified during the incident.
