The Reactive Approach

Today, many information technology (IT) professionals feel tremendous
pressure to complete their tasks quickly with as little inconvenience to users
as possible. When a security event occurs, many IT professionals feel that the
only things they have time to do are to contain the situation, figure out what
happened, and fix the affected systems as quickly as possible. Some may try to
identify the root cause, but even that might seem like a luxury for those under
extreme resource constraints. While a reactive approach can be an effective
tactical response to security risks that have been exploited and turned into
security incidents, imposing a small degree of rigor on the reactive approach
can help organizations of all types make better use of their resources.

Recent security incidents may help an organization to predict and prepare for
future problems. An organization that takes the time to respond to security
incidents in a calm and rational manner, while determining the underlying
reasons that allowed the incident to occur, will be better able both to protect
itself from similar problems in the future and to respond more quickly to other
issues that may arise.

A deep examination of incident response is beyond the scope of this guide, but
following these six steps when you respond to security incidents can help you
manage them quickly and efficiently:

1. Protect human life and people's safety. This should always be your first
priority. For example, if affected computers include life support systems,
shutting them off may not be an option; instead, you could logically isolate
those systems on the network by reconfiguring routers and switches without
disrupting their ability to help patients.

2. Contain the damage. Containing the harm that the attack caused helps to
limit additional damage. Protect important data, software, and hardware
quickly. Minimizing disruption of computing resources is an important
consideration, but keeping systems up during an attack may result in greater
and more widespread problems in the long run. For example, if a worm gets into
your environment, you could try to limit the damage by disconnecting servers
from the network. However, sometimes disconnecting servers can cause more harm
than good. Use your best judgment and your knowledge of your own network and
systems to make this determination. If you determine that there will be no
adverse effects, or that they would be outweighed by the benefits, containment
should begin as quickly as possible by disconnecting the systems known to be
affected from the network. If you cannot contain the damage by isolating the
servers, ensure that you actively monitor the attacker's actions so that you
can remedy the damage as soon as possible. In any event, ensure that all log
files are saved before shutting off any server, in order to preserve the
information contained in those files as evidence if you (or your lawyers) need
it later.

3. Assess the damage. Immediately make a duplicate of the hard disks in any
servers that were attacked and set those duplicates aside for later forensic
use. Then assess the damage. You should begin to determine the extent of the
damage that the attack caused as soon as possible, right after you contain the
situation and duplicate the hard disks. This is important so that you can
restore the organization's operations as soon as possible while preserving a
copy of the hard disks for investigative purposes. If it is not possible to
assess the damage in a timely manner, you should implement a contingency plan
so that normal business operations and productivity can continue. It is at this
point that organizations may want to engage law enforcement regarding the
incident; however, you should establish and maintain working relationships with
the law enforcement agencies that have jurisdiction over your organization's
business before an incident occurs, so that when a serious problem arises you
know whom to contact and how to work with them. You should also advise your
company's legal department immediately, so that they can determine whether a
civil lawsuit can be brought against anyone as a result of the damage.

4. Determine the cause of the damage. To ascertain the origin of the attack,
you need to understand which resources the attack was aimed at and which
vulnerabilities were exploited to gain access or disrupt services. Review the
system configuration, patch level, system logs, audit logs, and audit trails on
both the systems that were directly affected and the network devices that route
traffic to them. These reviews often help you to discover where the attack
entered the system and what other resources were affected. Conduct this
activity on the computer systems in place, not on the duplicate drives created
in step 3. Those drives must be preserved intact for forensic purposes so that
law enforcement or your lawyers can use them to trace the perpetrators of the
attack and bring them to justice. If you need a copy for testing purposes to
determine the cause of the damage, create a second copy from your original
system and leave the drives created in step 3 unused.

5. Repair the damage. In most cases, it is very important that the damage be
repaired as quickly as possible to restore normal business operations and
recover data lost during the attack. The organization's business continuity
plans and procedures should cover the restoration strategy. The incident
response team should also be available to handle the restore and recovery
process, or to provide guidance on the process to the responsible team. During
recovery, contingency procedures are executed to limit the spread of the damage
and isolate it. Before returning repaired systems to service, make sure they
will not be reinfected immediately by confirming that you have mitigated
whatever vulnerabilities were exploited during the incident.

6. Review the response and update policies. After the documentation and
recovery phases are complete, review the process thoroughly. Determine with
your team which steps were executed successfully and what mistakes were made.
In almost all cases, you will find that your processes need to be modified to
allow you to handle incidents better in the future. You will inevitably find
weaknesses in your incident response plan. That is the point of this
after-the-fact exercise: you are looking for opportunities for improvement.
Any flaws should prompt another round of the incident-response planning process
so that you can handle future incidents more smoothly.
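The evidence-handling parts of steps 2 through 4 (save the logs before anything is shut down, take a verified image and set it aside untouched, and analyze a second copy rather than the evidence image) are the parts most often skipped under pressure, so they are worth scripting in advance. The POSIX shell script below is an added example and is not part of the original guide; it assumes GNU coreutils (dd, sha256sum, stat, date) and tar are available, and every path and device name in it is a hypothetical placeholder. Each copy is hashed immediately so that a later mismatch, whether from a bad read or from someone touching the evidence, is detectable.

```shell
#!/bin/sh
# Added example (not from the original guide): scripted evidence handling for
# steps 2-4. Assumes GNU coreutils (dd, sha256sum, date) and tar. All paths
# and device names in comments are hypothetical placeholders.
#
# Usage (as root, on the affected host, before it is shut down):
#   . ./evidence.sh
#   preserve_logs /var/log /mnt/evidence
#   image_device /dev/sda /mnt/evidence/sda-forensic.dd      # step 3, kept aside
#   image_device /dev/sda /mnt/analysis/sda-working.dd rw    # step 4 working copy

set -eu

# sha256_of FILE: print only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# preserve_logs LOGDIR EVIDENCEDIR
# Step 2: bundle every log file into a timestamped tar archive, record its
# SHA-256 in a relocatable manifest, and make both read-only. Prints the
# bundle path.
preserve_logs() {
    pl_logdir=$1
    pl_evidence=$2
    mkdir -p "$pl_evidence"
    pl_name="logs-$(date -u +%Y%m%dT%H%M%SZ).tar"
    # -C keeps archive members relative to LOGDIR; '.' captures everything.
    tar -cf "$pl_evidence/$pl_name" -C "$pl_logdir" .
    # The manifest stores the bare file name so it still verifies after the
    # bundle is moved (for example, handed to counsel or law enforcement).
    (cd "$pl_evidence" && sha256sum "$pl_name" > "$pl_name.sha256")
    chmod 0400 "$pl_evidence/$pl_name" "$pl_evidence/$pl_name.sha256"
    printf '%s\n' "$pl_evidence/$pl_name"
}

# verify_image SRC IMG
# Returns 0 only if SRC and IMG hash identically (a bit-for-bit copy).
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# image_device SRC DST [rw]
# Steps 3 and 4: copy SRC (a block device, or a file standing in for one)
# block by block into DST and verify the copy against the source. Without
# "rw" the image and its manifest are made read-only (the step 3 evidence
# copy); with "rw" the image stays writable (the step 4 working copy).
# Prints the image digest.
image_device() {
    id_src=$1
    id_dst=$2
    id_mode=${3:-ro}
    # On failing media use a sector-sized bs with conv=noerror,sync instead;
    # sync pads short reads with zeros, so the image would then no longer
    # hash identically to the raw source and the check below must be adapted.
    dd if="$id_src" of="$id_dst" bs=65536 2>/dev/null
    if ! verify_image "$id_src" "$id_dst"; then
        echo "image verification FAILED: $id_dst does not match $id_src" >&2
        return 1
    fi
    id_dir=$(dirname "$id_dst")
    id_name=$(basename "$id_dst")
    (cd "$id_dir" && sha256sum "$id_name" > "$id_name.sha256")
    if [ "$id_mode" != "rw" ]; then
        chmod 0400 "$id_dst" "$id_dst.sha256"
    fi
    sha256_of "$id_dst"
}

# verify_evidence FILE
# Later integrity check (before analysis or handover): re-hash FILE against
# its stored manifest. Returns non-zero on any mismatch.
verify_evidence() {
    ve_dir=$(dirname "$1")
    ve_name=$(basename "$1")
    (cd "$ve_dir" && sha256sum -c --status "$ve_name.sha256")
}
```

The read-only bit is a convenience, not a control: the evidence image should live on media that the analysis host cannot write to at all, and the manifest digest should be recorded somewhere outside the evidence directory (a case log or ticket) so that a replaced manifest is noticed.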