Chapter 1. An Introduction to Incident Response


The proliferation of computing technology is one of the most pronounced trends of the second half of the twentieth century and the beginning of the twenty-first. Not much more than a novelty when first introduced, computers are now not only commonplace but also essential in much of the world. No one knows how many computers, let alone computer users, there currently are.

Computers in and of themselves have limited value. As standalone entities, they enable people to prepare reports, keep track of tax records, and so on. The power of computing lies in the capability of computers to interconnect. Interconnection allows for not only computer-to-computer but also user-to-user communications. Any mention of interconnection immediately brings to mind the Internet, which ties together regional and service-provider networks over the entire globe. Again, no one knows exactly how many Internet users there are, but at the time this book was being written, many estimates were that this number exceeds 300 million users.

During the early era of computing, little thought was given to the security of computers and the data that resided on them. Very often, the only way someone could misuse them was to gain physical access, a difficult task in many settings. The need to remotely connect to computing systems grew rapidly, however. Modems were invented, and dial-in access started to become prevalent. The result was more access for authorized users but, unfortunately, increased opportunity for unauthorized persons to connect to the same systems. Dial-in connections too often tended to be slow, while advances in networking occurred at a rapid pace. Local networking evolved, followed by wide area networking. The Internet is, in many respects, the ultimate type of wide area networking.

At the same time, the Internet has proven to be a two-edged sword. On one hand, it has supported unparalleled network connectivity to the point that it is a major enabler of untold commercial enterprises, agencies, and academic institutions today. On the other hand, it has opened up opportunities for unscrupulous and misguided people who attack and disrupt systems. The Internet Preamble contains a statement saying that the Internet does not provide security. If you want security, you need to build it in. Period.

Many years of software development have taught us that if a particular feature or property is not built into the initial software requirements, it is generally more difficult and costly to retrofit a system to include that feature or property. This principle certainly applies to the Internet. The lack of inherent security is, in many respects, its biggest downfall. Many individuals and organizations understandably have examined the cost of achieving suitable security and backed away from it because security mechanisms are often too cumbersome, disruptive, and costly. Unfortunately, lack of adequate security has led to a multitude of security breaches that have resulted in financial loss, disruption, embarrassment, and distrust of and loss of confidence in technology.

Several things happened in the 1980s that radically increased people's awareness of the kinds of things that could happen when Internet security is not adequate. One of the most noteworthy episodes was the set of computer break-ins described in Cliff Stoll's now classic book, The Cuckoo's Egg. While working as a system administrator at Lawrence Berkeley Laboratory, Stoll investigated a small discrepancy between the amount of system usage calculated by the system's accounting program and that calculated by a custom accounting program developed at Lawrence Berkeley Laboratory. His investigation led to the identification of a massive set of break-ins aimed at obtaining information from U.S. government and government-contractor computers. Stoll alleges that the attackers were supported by the KGB in the Soviet Union.

The break-ins described in Stoll's book were not limited to Lawrence Berkeley Laboratory. They also involved Lawrence Livermore National Laboratory (LLNL), U.S. nuclear weapons laboratories, MITRE Corporation, universities, and many U.S. military sites, to name a few. Few people had realized the potential for perpetrating espionage via what was then called the ARPAnet.

The U.S. Department of Energy (DOE) was particularly concerned. Meetings at various locations around the U.S. were held to discuss what had occurred and what course of action could be taken in response to it. Rick Carr, the head of unclassified security for the DOE at the time, was the first to recognize that conventional security and computer-protection programs would not be enough to stave off the kind of attacks that had ravaged Lawrence Berkeley Laboratory, LLNL, and other sites. Carr called for the formation of an incident response capability to assist sites under attack. The seminal idea of having an incident response capability was thus born. He worked in cooperation with individuals within DOE headquarters and LLNL to obtain funding for a team that would later be known as the Computer Incident Advisory Capability (CIAC).

Meanwhile, individuals at Carnegie-Mellon's Software Engineering Institute (SEI) got wind of Carr's idea and applied for funding for what they called the Computer Emergency Response Team Coordination Center (CERT/CC), designed to serve the entire Internet community. Receiving funding from the Defense Advanced Research Projects Agency (DARPA) a little earlier than CIAC did, they announced themselves as the central coordination center for incident response efforts. Since that time, hundreds of incident response teams within the commercial sector, academia, and the government arena have been formed. Incident response is now a well-entrenched capability.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002