Reducing the Damage Caused by Network Security Threats and Identifying Attackers
written by: Tom Olzak, CISSP•edited by: Ronda Bowen•updated: 7/4/2011
In the previous articles in this series, we looked at preparing for incidents and how to detect and analyze them when they happen. In this article, we examine how to contain a network security threat agent, minimizing the impact to a business.
slide 1 of 2
Minimizing Data Security Threats
Once you understand the nature of the security threat on your enterprise, you’re ready to minimize its effects. The primary objectives during containment activities are to:
Mitigate personal risk to employees and customers
Mitigate risk to your business
Secondary objectives include:
Collection of evidence
Identification of attacker
Note that the most important objective is the protection of people from injury or death. Protection of data processing systems, crime scenes, or the capture and punishment of an attacker are all far less important.
There are various ways to contain a threat to data or network infrastructure. The containment strategy selected depends on:
The type of threat
The objectives of the attack
Potential damage to or theft of resources
The need for preservation of evidence
The importance of restoring one or more affected systems
The opportunity costs associated with a specific strategy – if a single containment activity takes most of your available resources, what additional damage may be caused because you were unable to deal with other effects of the threat
Strategies you might consider include:
Shutting down target systems (i.e., servers, workstations, routers, switches, backups, etc.) – Care should be taken when considering system shut downs. This often destroys evidence. However, it may be necessary to prevent significant loss of data or to quickly contain a rapidly spreading network attack.
Disconnect target systems from the network.
Disable certain services on one or more systems
In the case of human intrusions,
Ensure the safety of personnel in your facility.
If you have company security officers on site, take steps to delay the intruder.
Notify local law enforcement.
Containing a network security threat is essential if you want to have any chance of eradicating it; otherwise you’re trying to hit a moving target.
slide 2 of 2
Identifying Network Attackers with Forensics
Forensics is a scientific approach to determining the who, what, when, where, how, and why of a crime. For our purposes, it specifically deals with investigating the causes and timeline of a network security incident. Applying forensic processes during containment may not be practical. As discussed earlier, there are often more important considerations. However, this is a good place in the process to begin thinking about how to balance damage control with collecting the information necessary to prevent or deter future network attacks.
It’s outside the scope of this article to go into detail on investigative techniques. There are several good books available that address forensics in general and computer forensics specifically. But reviewing the following considerations provides a rough foundation.
Retain your objectivity – Collect data and evidence, conduct interviews, and leave your conclusions until you have enough information to clearly see what actually happened. Jumping to conclusions early in the process usually results in the investigator ignoring anything that seems irrelevant, because it doesn’t fit with his mental picture of what happened.
Ensure the proper collection and handling of evidence – Much of the evidence you collect may be volatile and difficult to preserve. Be sure to have at least one person on each IRT trained in proper evidence collection, tagging, and storage. Some types of evidence to consider include:
When collecting evidence from personal areas, be sure to maintain compliance with corporate privacy policies.
From the time evidence is collected to the time it’s no longer needed to support criminal or civil action, it must be properly handled. Proper handling begins with collection. As a piece of evidence is initially collected, the following information should be recorded in a chain of custody form (sample):
Any other distinguishing characteristics
Name, phone number, title, and signature of the person collecting the information and of each subsequent individual who takes possession of the evidence. This entry should also include the time and date of taking possession as well as the location where the evidence was securely stored.
If a computer is seized as evidence, image the hard disk as soon as possible. Never run computer forensics software on any original storage media. This diminishes the value of the evidence.
The image should be created with a “bit level" copy. This ensures that every piece of information is extracted from storage, even data intentionally hidden.
Now that you have the threat under control, it’s time to eliminate it from your environment and recover lost data.
in this series, I provide an overview and recommendations related to responding to a security incident. Effective incident management is critical when attempting to mitigate damage from a breach, system failure, data leakage, etc.