Chapter 11. Incident Response and Forensics


Go to a bookstore and take a look at the information security section. There will likely be shelves of books on how to hack, hacking techniques, tips on thinking like a hacker, and the glory of hacking into a system you own. Our industry has dedicated enormous resources on training security administrators and engineers to think like an attacker in an effort to make networks more secure. Although these types of books may indeed assist us in configuring and deploying more secure systems, they tend not to help us with the actual operation of these systems.

In the same bookstore, you're likely to find only a few books on incident response and forensics. Responding to incidents and performing forensic analysis are activities that are performed in the face of a compromised system or an active attack. As much as we'd like to think we deploy unbreakable and totally secure hosts, this is simply not the case. Even after our best attempts, a security incident is inevitable. As a security professional, you need to be prepared for the worst and deal with incidents as they happen.

This dichotomy between building and deploying secure systems versus operating and maintaining secure systems is also evident in the BSD ports tree. In the ports/security directory, most of the tools are either vulnerability assessment tools or cryptographic libraries. There are a few HIDS tools designed to assist in determining whether a compromise has occurred, and there are a few tools designed for forensic analysis, but they are certainly not a majority.

So, the question becomes "why should I care about incident response and forensic analysis?" In short, one day you will be staring at a compromised system, and unless you have prepared, you'll likely be at a loss for what to do.

    Mastering FreeBSD and OpenBSD Security