Rule of Immediate and Proper Response


Every organization will eventually be attacked. This includes my organization, their organization, and most likely, your organization as well. The steps we take after an attack has occurred are just as important as the steps we took to prevent the attack. Whether an attack was a success or failure, there should be an organized response to investigate the details, analyze pending risks, and plan future steps.

This section is not going to cover how to develop an incident response plan, since incident response is a whole subject of its own and there are several good books available (you will find a list of recommended books in Appendix D: Recommended Reading). We will, however, discuss the Rule of Immediate and Proper Response as it is related to IT security. Many organizations get themselves into trouble when they are caught with an intruder and have no idea how to react. Reacting poorly to an intrusion can potentially do more harm than the hacker did in the first place. It is thus important to consider the Rule of Immediate and Proper Response long before a response is needed.

Reacting Quickly

Incident response is a very time-sensitive task requiring good, proactive planning. Preparations must be made ahead of time so as to have the right tools, skills, and processes in place for conducting a proper response. Every organization should have some form of written incident response plan detailing how to react during an attack situation. Small or large, this plan should provide a clear and repeatable process, void of the panic and confusion that is likely to be experienced during an incident.


Reacting Properly

After spending several consecutive weeks applying patches and reviewing uneventful security logs, we have a tendency to jump at anything that looks remotely interesting in our logs. A small ripple can seem like a tidal wave if the pool of water has been sitting still for long enough. Things can get out of hand almost instantaneously when the right series of alarms is triggered. Key phrases to remember and share with your organization are:

  • "Don't panic or get excited."

  • "Be discreet."

  • "Follow the process."

Keeping a suspected attack confidential at the beginning of an investigation is crucial. Even the slightest mention of a potential attack overheard by staff members can seem interesting enough to share with friends and co-workers. In a few cases, I have witnessed small system glitches publicized as major security breaches when someone overheard a security professional saying, "Well, it could be an attack."

Attacks have the tendency to get security professionals quite excited as well; after all, this is what we are there for. With spines tingling, it is very easy to overreact before the full details are known. Sometimes, we are even tempted to take steps that are far worse than the attack, or take steps that destroy valuable evidence. We don't want to pull the plug on a critical system if we simply "think" there was an attack. In such cases, it is easy to become our organization's worst enemy! This again emphasizes the importance of following a written, methodical response process.

To react properly to an incident, follow the predefined incident response plan, which was written during a calmer state of mind. Normally, this plan will dictate which managers and security staff members need to be informed of potential incidents. It is then up to the supervisor in charge to pass the information along. This plan will outline what steps should and should not be taken, and what can and cannot be done without first getting authorization from a higher source.

Documentation

For every incident and response that occurs, there should be documentation detailing the reaction and results, plus what the organization learned. Even small incidents should at least have a three-line write-up for the weekly meeting that later gets stored with other historical records. This document will help enhance security awareness, improve on responses, and assist in recognizing patterns of attacks against the organization. Additionally, if there ever is a need to go to court, it can assist in creating a chain of evidence.

Turning an Attack to Your Advantage

Earlier in this book, I discussed the difficulties involved with security brought on by the fact that security is intangible, invisible, and if done correctly, not even noticeable. This can make it difficult to gain funding and approval on many security projects. However, when an attack is successfully detected and/or prevented, the information can be an invaluable incentive for increased attention and funding.

There are many instances of organizations having to squeeze out every nickel for the security budget. But then, after a security engineer successfully detects a worm, virus, or an active hacker crawling around inside the organization's network, future funding begins to pour in. Even though it is still invisible, events such as these can become tangible when we draw simple relations to the real world: "This hacker had penetrated System X, from where he/she could have gained access to read, modify, or destroy our financial records. But, we successfully detected the attack and rid ourselves of this risk."

Of course, these issues can be extremely sensitive and require tact in the delivery, so use discretion on a case-by-case basis. Take advantage of any opportunity to gain from a security violation.

Practicing This Rule

Incident response is a very big topic and I suggest buying a good book on the matter or taking a good training course. As far as the Rule of Immediate and Proper Response is concerned, here are a few steps to follow:

  • Develop a good incident response plan. This does not have to be long or filled with painstaking details, but it must be consistent in its processes. There are a few good books on incident response outlined in Appendix D.

  • Have a very clear and widely known chain of command in such issues. Anyone thinking they see a security issue should report it to X. X then must report to Y, Y to Z, and so on.

  • React quickly. Immediate action should be taken on any incident when there is reasonable evidence that there truly is an incident.

  • Make sure everyone sticks to the plan. During the response, the incident response plan should be followed to avoid making mistakes or panicking.

  • Follow up on the incident. At the end of the response, the actions taken should be documented and discussed with the appropriate members of the organization.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day