The Nature of an Incident Response

What to Do When You Don’t Know What To Do

A customer of mine once said “I don’t know what I don’t know,” and if I don’t know, then how could I know what questions to ask (regarding security)? This, the second in this series of blog posts, addresses one of those “I don’t know” issues: a computer- or network-based (forensic) incident, and what to do when a business owner thinks one has occurred.

In the many years I have spent in, around, and working with computers, the rules governing what to do when something or someone goes wrong (an incident) have changed numerous times. In the early days we were taught that when a computer system was suspected of having been tampered with, or of containing damaging information, there was only one option: pull the plug and call the local authorities. What happened after that depended on how much money you had and whether or not law enforcement got involved. Once the box was disconnected from power the authorities were contacted and events unfolded. Computer forensics was in its infancy, and specialists were few and far between or employed only by top government agencies such as the FBI, NSA, etc. The small business owner really had nowhere to turn for help, and by the time they figured out what to do or who to turn to, any evidence was usually damaged to the point of being useless in a court of law.

In the late 90s we started practicing leaving power applied to the systems but disconnecting them from the network, the idea being that once disconnected from the network any malicious behavior would be halted and the system could be analyzed by the local admin or simply shut down gracefully. Computer forensics, while it had begun to advance, was still outside the reach of most small businesses, leaving them on their own. Security itself only started to become a priority with the disruption caused by the worm outbreaks and denial-of-service (DoS) outages of the late 90s and early 2000s (Melissa, Code Red, Slammer, etc.).

In the last decade things have gone from bad to worse with regard to the dangers faced daily on the internet. We are no longer worried so much about outages caused by things like Melissa or Code Red as by criminal-to-criminal (C2C) vendors who steal our identities and trade them openly over the internet like discounted books. Rootkits, once the exclusive purview of Unix systems, are now a constant threat to any desktop or network operating system (NOS). More and more sophisticated malware is being released with the ability to live only in memory, stay hidden on the hard drive, and vanish without a trace when the machine is either powered off or simply disconnected from the network. That last point matters for what follows: the act of pulling the plug or the network cable can itself destroy the evidence you most need.

As a result of the changing nature of these threats we have developed yet another set of standards for handling “incidents,” those nefarious things that leave us all searching for answers when they occur. The business of incident response has started to mature, so that we are not so helpless when responding to events as they unfold. We have more tools at our disposal. The big question is whether we will utilize them effectively. What follows is a summary of some generally accepted industry guidelines, intended to help you begin putting together an incident response policy of your own. It is neither authoritative nor complete. It is meant to get you thinking about what you would do if there were an “incident” in your company and whether you are prepared to your satisfaction.

  1. The site MUST be secured! This means that any suspect device(s) must be confined and contained such that nothing can be touched or contaminated until a decision is made as to how to proceed. Secure not only the device(s) but the room(s) in which they reside, with an uninterrupted guard of some kind. Any person or employee under suspicion should be sequestered only with permission and in accordance with your HR policy on suspicious employee behavior, or by law enforcement. You or your company own the computer equipment, software, etc., but not the employee.
  2. The device or devices in question, as well as the surrounding area, should not be touched in any way. This means don’t even touch the keyboard to log off a user, and don’t power the machine off or unplug the network cable either: as noted above, modern malware can vanish from memory the moment you do, and anything you do could taint what may later be considered a crime scene. If volatile evidence needs to be captured, that is the forensic specialist’s call (see 3.1), not yours.
  3. Contact legal counsel immediately. This is where most business owners go wrong. They usually think that the first thing they should do is contact the authorities. Since you are not trained in law or law enforcement, you should not jump to conclusions until you have touched base with someone who has more training in the area. And since your lawyer is your legal consultant, they should be your first point of contact.
    1. Once counsel has been informed they will usually agree that it is time to call in a forensic specialist. Computer and network forensics is a VERY specialized field and requires very specific training and experience. Look for certifications (for example CSA, CISSP, etc.), bearing in mind that a general security credential such as CISSP is not by itself a forensics credential, so ask specifically about forensic training and casework. Make sure the individual has experience working with local law enforcement, and check their credentials and references.
  4. If legal counsel feels it is necessary, then contact local law enforcement. They will need all the information you can give them, so be sure to document who, what, where, when, etc. in detail. This will make everyone’s work much easier in the long run.
  5. You should already have an “internet and computer usage” policy in place and should be able to produce it. If you do not have one, get one in place right away. If you have one, it should be reviewed with your HR and legal counsel at least once a year.

These are some of the reasons I stress to both small and large businesses that they must have a solid usage policy in place and review it annually for changes required by the industry to which they belong. Health care will have different needs than manufacturing or financial services, so be sure you are meeting all of your regulatory requirements. But most importantly, find a trusted, reliable security resource you can call on BEFORE an incident occurs. Let them review your policies, and consider having a security audit done just as you would for accounting.

Tech Defenders, Inc. has been specializing in security for over 10 years and is the area’s leading security specialist. Whether it is computer, network, or physical security, we can provide you with cost-effective solutions that will prepare you for unforeseen events that can disrupt business.

For a free incident response policy consultation or a complete audit of your security systems I can be reached at . Until next time…

Stay Secure!