Incident Detection, Response, and Forensics: The Basics
Richard Bejtlich on how to build an effective cyber incident detection and response mechanism in your organization.
By Richard Bejtlich
Level 3. The Computer Incident Response Team (CIRT) is discovering incidents in concert with the parties listed at levels 1 and 2. Additional data sources augment those aggregated at level 2. The CIRT develops some degree of formal capability to detect and respond to intrusions.
Level 4. The CIRT is the primary means for detecting incidents. All or nearly all of the data sources one could hope to use for detection, response, and forensics are available. The CIRT exercises regularly and maintains dedicated personnel, tools, and resources for its mission.
Level 5. The CIRT is so advanced in its mission that it helps prevent incidents by identifying trends in the adversary community. The CIRT recommends defensive measures before the enterprise widely encounters the latest attacks. The CIRT operates a dedicated security intelligence operation to stay in tandem or even ahead of many threat agents.
Incident detection naturally leads to incident response, where actions are taken to contain, eradicate, and recover from intrusions.
Incident Response and Forensics
Twenty years ago incident responders were taught to locate a potentially compromised computer and literally, physically, "pull the plug." The idea was to eliminate the possibility that an intruder occupying a compromised system could notice a normal shutdown and implement techniques to evade detection. Incident responders also worried that intruders might have planted rogue code that started cleanup routines upon initiation of a shutdown command.
Following the abrupt removal of the power cord, incident responders would duplicate the hard drive (usually 40 MB -- if the machine had a hard drive at all in 1988!) and scrutinize the duplicate for evidence of malfeasance. Despite the small hard drive size, this process took time, physical proximity (to acquire the hard drive), and expertise.
In 2008, and really for the last decade, the situation has been vastly different. Pulling the plug has been a discredited strategy for years. The major problem with abruptly removing power is the loss (heroic cold-boot freezing efforts to the contrary) of volatile evidence held in system RAM. RAM is where a computer keeps much of the data that incident responders care about: running processes, active network connections, loaded modules, and so on. Most of that high-value information is never written to the hard drive, so it perishes the moment power disappears.
For example, do you remember the Slammer worm mentioned previously? Slammer was completely memory-resident. Remove the power and Slammer disappears. Unless an intruder takes steps to entrench himself on a system (in the reinforcement stage), sometimes a simple reboot is enough to remove him (at least temporarily). If the original vulnerability persists, re-exploitation may quickly follow. For a certain category of stealth-minded intruders, reliance on re-exploitation is the preferred means to maintain a low-profile network presence.
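The volatile evidence described above is exactly what a responder should capture before anyone touches the power switch. The following Python is an added example, not code from the article or its author: it decodes the Linux /proc/net/tcp table (the kernel's own record of live TCP sockets, with IPv4 addresses stored as little-endian hex and ports as hex) into readable connection records, pulls out the established sessions that would vanish on power loss, and hashes the raw table so the capture can be verified later. The sample table embedded below is constructed for illustration, not captured from a real host; on a Linux system the script reads the live table instead.

```python
# Added example (not from the article): decode the Linux /proc/net/tcp
# table so active connections can be captured from a live host before
# power is removed. Assumes the standard kernel layout of /proc/net/tcp
# (little-endian hex IPv4 addresses, hex ports, hex state codes).
import hashlib
import os
import socket
import struct

# Kernel TCP state codes as they appear in the "st" column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(hex_endpoint):
    """Turn '0100007F:0277' into ('127.0.0.1', 631)."""
    ip_hex, port_hex = hex_endpoint.split(":")
    # The kernel writes the IPv4 address as a little-endian 32-bit integer,
    # so pack it back into bytes before converting to a dotted quad.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line and anything too short to be a socket entry.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        conns.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3].upper(), fields[3]),
            "uid": int(fields[7]),     # owner of the socket
            "inode": int(fields[9]),   # ties the socket to a process's fd
        })
    return conns


def established_to_remote(conns):
    """Established sessions with a non-loopback peer: the first evidence lost on power-off."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and not c["remote"][0].startswith("127.")]


def snapshot(text):
    """SHA-256 of the raw table, recorded so the capture can be verified later."""
    return hashlib.sha256(text.encode()).hexdigest()


def collect_live(path="/proc/net/tcp"):
    """Read the live table if this is a Linux host; otherwise return None."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read()


# Constructed sample in /proc/net/tcp format (not captured from a real host):
# a CUPS listener on loopback, an outbound HTTPS session as uid 1000, and an
# inbound SSH session to root from 192.168.0.100.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:0016 6400A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    raw = collect_live() or SAMPLE_PROC_NET_TCP
    print("sha256 of captured table:", snapshot(raw))
    for conn in established_to_remote(parse_proc_net_tcp(raw)):
        print(conn)
```

Run it on the suspect host itself (from read-only media if possible) and write the output somewhere other than the suspect disk; the hash lets you show later that the record of connections you analyzed is the one you collected. Note that this covers only IPv4 TCP; /proc/net/tcp6 and /proc/net/udp use the same layout with wider addresses and would need the address decoder adjusted.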