Wednesday, March 7, 2012

Response Now as Important as Prevention

The National Institute of Standards and Technology (NIST) has updated its Computer Security Incident Handling Guide to take into account the increasingly dire state of cyber security. As anyone who has followed the rush of high-profile incursions over the past year knows, it’s looking less and less possible to prevent the inevitable attack, no matter how many security controls and technologies you put in place. Instead, thanks to the increase in stealthy persistent threats, early, rapid, effective detection and response is now at least as important as prevention, and possibly more so, according to the guide. The guide also emphasizes the importance of reporting attacks to law enforcement, service providers, and developers of vulnerable hardware and software so that future attacks can be prevented and additional victims spared.

What about prevention? The guide emphasizes that prevention strategies and technologies are still critical for reducing the number of attacks, since prevention is much less expensive than mitigation and organizations can quickly become overwhelmed as the number of attacks increases.

The guide is full of valuable, detailed advice and information, recommending that organizations carefully document their incident handling roles, responsibilities, policies, and procedures and conduct an extensive lessons-learned analysis after each attack and response to continually improve their response capabilities. It even covers handling the inevitable media response to a high-profile attack.

As for the response itself, it should be carried out by carefully chosen and trained incident response teams. The guide outlines the following steps, in far more detail than you’ll see here:

1. Document everything, including every action taken, every piece of evidence, and every conversation with users, system owners, and others.

2. Recruit coworkers to provide assistance. Even the smallest company or incident will need at least one person to perform actions while the other documents them.

3. Analyze the evidence to confirm an incident has occurred. You may need to do additional research and reach out to technical professionals within your organization to help you better understand the evidence.

4. Notify the appropriate people within the organization immediately, including the CIO, head of information security, and the local security manager. Tell only those who need to know, and make sure you use secure communications to do so.

5. Notify US-CERT and/or other external organizations for assistance in dealing with the incident.

6. Stop the incident if it is still in progress, either by disconnecting affected systems from the network or, in the case of a DoS attack, by modifying firewall and router configurations.

7. Preserve evidence using backups of affected systems and log files containing incident information.

8. Wipe out all effects of the incident by eradicating malware infections and Trojan files, reversing all changes made to systems, rebuilding the systems from scratch, or restoring them from a backup.

9. Identify and mitigate all exploited vulnerabilities to prevent the incident from happening again.

10. Confirm that operations have been restored to normal including data, applications, and all affected services.

11. Create a final report detailing what happened and how it was handled. At some point the report should also include a “lessons learned” section based on an in-depth discussion and analysis after the incident has passed.
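Steps 1 and 7 above (document every action and preserve evidence) are easy to state and easy to get wrong: a plain text file of notes can be edited after the fact, and a copied log file can be silently altered. The following is an added example, not code from the NIST guide or from this post, of a small tamper-evident incident log in Python. Each entry is timestamped, optionally carries the SHA-256 of an evidence file, and is chained to the previous entry's hash, so that any later alteration of a description, timestamp or evidence digest breaks verification. The incident identifier, the entry kinds and the sample evidence bytes are constructed for illustration.

```python
"""Tamper-evident incident log (added example; not part of the NIST guide).

Each entry records who did what and when, plus the SHA-256 of any evidence
captured at that moment.  Entries are hash-chained so that editing or
reordering them later is detectable with verify().
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id  # constructed identifier, e.g. "INC-EXAMPLE-0001"
        self.entries = []

    def _last_hash(self):
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, kind, description, actor, evidence=None, timestamp=None):
        """Append one entry.  kind is a free-form label such as 'action',
        'evidence', 'notification' or 'conversation' (constructed vocabulary).
        evidence, if given, is the raw bytes of a captured file or log;
        only its SHA-256 is stored here, the bytes go to write-once storage."""
        body = {
            "seq": len(self.entries),
            "incident_id": self.incident_id,
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "kind": kind,
            "actor": actor,
            "description": description,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
            "prev_hash": self._last_hash(),
        }
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return True only if every entry's hash and chain link are intact."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def evidence_matches(self, seq, data):
        """Check a retrieved evidence file against the digest recorded at capture time."""
        stored = self.entries[seq]["evidence_sha256"]
        return stored is not None and stored == hashlib.sha256(data).hexdigest()


# Constructed sample evidence: a few lines that might come from a captured firewall log.
SAMPLE_EVIDENCE = (
    b"2012-03-06T09:14:02Z DENY TCP 203.0.113.7:51312 -> 192.0.2.10:445\n"
    b"2012-03-06T09:14:02Z DENY TCP 203.0.113.7:51313 -> 192.0.2.10:445\n"
)


def build_sample_log():
    """Populate a log with constructed entries mirroring the documented steps."""
    t0 = datetime(2012, 3, 6, 9, 20, tzinfo=timezone.utc)
    log = IncidentLog("INC-EXAMPLE-0001")
    log.record("action", "Confirmed alert from IDS; incident declared", "handler-a", timestamp=t0)
    log.record("evidence", "Captured firewall log excerpt before containment", "handler-b",
               evidence=SAMPLE_EVIDENCE, timestamp=t0)
    log.record("notification", "Notified CISO and local security manager via encrypted channel",
               "handler-a", timestamp=t0)
    log.record("action", "Disconnected host 192.0.2.10 from the network", "handler-b", timestamp=t0)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("entries:", len(sample.entries), "chain intact:", sample.verify())
```

Because only digests are kept in the log, the evidence bytes themselves should go to write-once storage (for example a backup medium that is then sealed), and `evidence_matches()` answers the later question "is this the same file we captured?". Appending the log to off-host storage after each `record()` call is what makes the chain useful: an attacker who can rewrite the whole log on the compromised host can recompute every hash, so the last known-good `entry_hash` should be noted somewhere the attacker cannot reach.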

NIST is accepting comments on the draft guide until March 16th.

By Leon Erlanger