Incident Detection, Response, and Forensics: The Basics
Richard Bejtlich on how to build an effective cyber incident detection and response mechanism in your organization.
By Richard Bejtlich
April 02, 2008, CSO
2008 is a special year for the digital security community. Twenty years have passed since the Morris Worm brought computer security to the attention of the wider public, followed by the formation of the Computer Emergency Response Team/Coordination Center (CERT/CC) to help organizations detect, prevent and respond to security incidents. Ten years have passed since members of the L0pht security research group told Congress they could disable the Internet in 30 minutes. Five years have passed since the SQL Slammer worm, which was the high point of automated, mindless malware. The Internet, and digital security, have certainly changed during this period.
The only constant, however, is exploitation. For the last twenty years intruders have made unauthorized access to corporate, educational, government, and military systems a routine occurrence. During the last ten years structured threats have shifted their focus from targets of opportunity (any exposed and/or vulnerable asset) to targets of interest (specific high-value assets). The last five years have shown that no one is safe, with attackers exploiting client-side vulnerabilities to construct massive botnets while pillaging servers via business logic flaws.
Despite twenty years of practical experience trying to prevent compromise, intruders continue to exploit enterprises at will. While they may not be successful attacking any specific asset (unless inordinate resources are applied), in aggregate intruders will always find at least one viable avenue for exploitation. The maxim that "prevention eventually fails" holds for any enterprise of sufficient size, complexity, and asset value to attract an intruder's attention. The threshold has fallen to the point where a single home PC is now considered "worthy" of the same sorts of attacks levied against multibillion-dollar conglomerates.
In a world where the adversary eventually breaches some aspect of a target's protective measures, what's an enterprise security manager to do? The answer is simple:
1) detect compromise as efficiently as possible;
2) respond to incidents as quickly as possible; and
3) investigate using digital forensics as effectively as possible.
This article will provide several ways to think about this issue and implement computer incident detection, response, and forensics capabilities to support your enterprise.
Incident detection has suffered from a variety of misconceptions and miscommunications during its history. One of these has been the narrow way in which most operators view the detection process. I recommend thinking of incident detection in terms of three "orders."
First order incident detection is the traditional approach to identifying intrusions. First order detection concentrates on discovering attacks during the reconnaissance (if any) and exploitation phases of compromise. Reconnaissance is the process by which an intruder learns enough about the target to effect an intrusion. Exploitation is the process of abusing, subverting, or breaching a target, thereby imposing the intruder's will upon the asset. Almost all security products that seek to detect and/or "prevent" attacks monitor activity during these stages of the compromise lifecycle.