What to Do If You're Under Attack


Imagine that your pager goes off at 3 A.M. and you find out that your home page has been defaced. Here are some simple steps you should consider. Note, however, that speed without haste is paramount. Don't panic.

  • Find out what happened. What type of attack was it—DoS, disclosure, or integrity? Has the attacker broken into one of your systems? Is the attack still in progress? What changed? Take note of any dates and times and the impact of the attack.
  • Consider pulling the power or the network connection. You might want to take the server(s) off line and replace them with a server displaying a "We will be back on line shortly" message. It's very important that you take the affected servers off line so you have clean evidence.
  • Consider making a complete snapshot of the system. This is worth the effort if you think you might be pressing charges. You can work on the duplicate system without disrupting the original.
  • Gather evidence. This includes data in all log files, including Windows 2000 logs, SQL Server logs, IIS logs, firewall logs, and intrusion detection tool logs. Take special note of any suspect IP addresses. Use tools such as Sam Spade (www.samspade.org/t/) to gather more information about the attacker. The Sam Spade site also has an excellent Internet Explorer 5 package that adds useful analysis tools to the browser. While you gather evidence, document who does what to what and when. It's important that you don't change file dates. Windows NT and Windows 2000 change the "last read" time and date if you read the files. NTObjectives (www.ntobjectives.com) has an excellent set of "forensics" tools that do not disrupt the file times. Have any new user accounts been added? An attacker might have added a special user account so he could come back later.
  • Check with vendors. Talk to your vendors to see if they can provide information, especially if the vulnerability that led to the attack is already known to the vendor.
  • Why did it happen? This is often a difficult question to answer. Unfortunately, many attacks occur because of administrative oversight. Perhaps the administrator did not install one or more of the intrusion detection tools mentioned earlier or was not paying attention to the security logs.
  • Bring the system back on line. Use a trusted backup to restore the system to a healthy state. You might need to go to original media such as installation disks and CDs. Bringing the system to a healthy state might mean a new box with fresh software installation, including the operating system. A hacked computer cannot be trusted. It might have trojans or backdoors installed.
  • Change passwords. Make sure you change all passwords for all accounts that were accessible from the penetrated system, especially privileged accounts such as administrators and backup operators.
  • Try to make sure it doesn't happen again. This can be a somewhat difficult step to figure out. Some common remedies include
    • Improving education
    • Monitoring security newsgroups
    • Taking security more seriously
    • Monitoring logs actively
    • Using intrusion detection tools

  • Document and learn. Write up what happened. Make sure the lessons learned are spread around the organization. Documenting the attack might also be important if you decide to take legal action.
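A defender-side helper for the evidence-gathering and account-review steps above, added here as an example and not taken from the book: it builds a chain-of-custody entry per log file (file times read with stat before the file is opened, SHA-256, collector, UTC time) and compares a known-good account snapshot against the current one to surface added accounts and accounts that gained a privileged group. Run it against the snapshot copy from the earlier step rather than the live disk, since reading a file updates its last-access time; the log line, account names and privileged-group list are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Groups whose new membership should be treated as an escalation (assumption).
PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Domain Admins"}


def record_file_evidence(path, collector):
    """Build one chain-of-custody entry: file times captured with stat()
    BEFORE the file is opened, SHA-256 of the content, who collected it, when."""
    st = os.stat(path)  # stat() does not update the file's last-access time
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)

    def utc(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": utc(st.st_mtime),
        "accessed": utc(st.st_atime),
        "sha256": digest.hexdigest(),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def find_account_changes(baseline, current):
    """Compare a known-good snapshot of accounts (name -> set of groups) with
    the current one. Returns accounts missing from the baseline and existing
    accounts that gained membership in a privileged group."""
    added = sorted(set(current) - set(baseline))
    escalated = sorted(
        name for name, groups in current.items()
        if name in baseline and (groups - baseline[name]) & PRIVILEGED_GROUPS
    )
    return added, escalated


def demo():
    """Run both checks on constructed data (not real logs or real accounts)."""
    log = b"2000-03-14 03:02:11 GET /default.asp 200 10.0.0.5\n"  # constructed
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "wb") as f:
        f.write(log)
    entry = record_file_evidence(path, collector="on-call admin")
    os.remove(path)
    baseline = {"Administrator": {"Administrators"}, "IUSR_WEB": {"Guests"}}
    current = {"Administrator": {"Administrators"},
               "IUSR_WEB": {"Guests", "Backup Operators"},  # gained privilege
               "svc_tmp": {"Users"}}                         # not in baseline
    return entry, find_account_changes(baseline, current)
```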


Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138