What Is Incident Response?


This book covers a broad range of considerations associated with responding to security-related incidents in computing systems and networks. Before we can define "incident response," however, it is necessary to first define what "incidents" are.

Definition of Incidents

By incidents, we mean adverse events that threaten security in computing systems and networks. Events include any observable thing that happens in a computer and/or network: connecting to another system via a network, accessing files, system shutdowns, and so on. Adverse events include system crashes, packet flooding within a network, unauthorized use of another user's account, unauthorized use of system privileges, defacement of one or more web pages, and execution of malicious code that destroys data. Other adverse events include floods, fires, electrical outages, and excessive heat that causes system crashes. Incidents such as natural disasters and power-related disruptions are not, however, within the scope of this guidebook. This book focuses exclusively on security-related incidents.

Outages

Outages and potential outages due to natural disasters, electrical failures, and so forth are the focus of an area that has traditionally been called business continuity and business continuity planning.

Types of Security-Related Incidents

What kinds of adverse events are there when security-related incidents occur? The number might surprise you. The next part of this chapter discusses types of security-related incidents.

CIA-Related Incidents

Traditionally, computer and information security efforts have focused on CIA: confidentiality (of information that needs to be protected), integrity (of information, systems, services, and so on), and availability (of information, applications, services, systems, networking, and so on). Many incidents that have occurred in the past have fit the CIA model well. Consider, for example, the many break-ins into Pentagon systems from Argentina in the late 1990s. These attacks were designed to obtain U.S. military information or, in other words, to compromise the confidentiality of this information. Concerns regarding integrity have been triggered by incidents in which attackers have planted remote-control programs such as Netbus, SubSeven, and BackOrifice2K into Windows systems.

In a well-publicized incident in 2000, a Microsoft employee's laptop system was compromised in this manner while the laptop was away from Microsoft premises; after the laptop was connected directly to the internal network, perpetrators then used it to gain access to resources within this network and send copies to systems outside the network. Integrity had been compromised. Finally, a good example of the need for availability is the series of distributed denial-of-service (DDoS) attacks against e-business companies in 2000 that crashed many hundreds of systems, causing huge financial losses.

Other Types of Incidents

An increasing proportion of professionals in the computer and information security arena is starting to realize that confidentiality, integrity, and availability in and of themselves provide an unduly narrow perspective. Additionally, new kinds of incidents have surfaced within the last 10 years or so; these incidents are often of a fundamentally different nature than older, more "traditional" incidents. Consider the following types of incidents in the subsections that follow.

Reconnaissance Attacks

Reconnaissance, in the context of security-related incidents, means discovering information that is useful in attacking whatever target a perpetrator has chosen. Although not a very strong form of attack, reconnaissance is usually a precursor to follow-up activity in which security-related defenses are actively breached. Port scanning, running a program that remotely determines which ports are open and which are closed on a target system, is one of the most common types of reconnaissance attack, especially against cable modem and DSL users. Because cable modem and DSL connections are always "on," attackers have more time to conduct reconnaissance attacks. Vulnerability scans go beyond port scans by finding how services respond to connections, thereby indicating whether a particular vulnerability is (or vulnerabilities are) present.

Repudiation

Repudiation is one of the best examples of a type of incident that does not involve any of the traditional CIA. Repudiation means that a person or program acting on behalf of a person takes some action (which, in particular, indicates some kind of commitment) and then denies doing so later. Someone might, for example, use electronic means to order merchandise and then deny ordering the merchandise after it arrives. Repudiation presents a particular problem for the world of e-business because it can translate into major financial loss if not adequately controlled.

Harassment

Harassment means bothering, threatening, embarrassing, or intimidating someone else. Harassment occurs in everyday settings, and it is starting to occur in the cyberworld more, too. The perpetrator can, for example, use e-mail to send a series of obnoxious messages to a victim, use a chat room to do the same, use a messaging or remote screenwrite service, and so on. Extreme forms of harassment include cyberstalking, in which the stalker uses electronic means to follow and intimidate a victim, and cyber-predators' use of chat rooms and other avenues to make sexual advances.

Extortion

Extortion means attempting to get a victim to pay money or deliver something else of worth because of a threat the perpetrator has made. Extortion attempts are starting to become more prevalent in the cyberworld. Consider, for example, a real-life case study in which an employee used electronic means to attempt to receive money from his employer. He had the only copies of encryption keys that could decrypt files containing the company's original engineering research. The company decided to turn to law enforcement instead. In another case, two attackers broke into a corporation's network and then attempted to get this corporation to pay them a large sum of money in return for their secrecy about the break-in. The extortion attempt failed when the corporation made a public announcement about the break-in and turned the case over to law enforcement, which arrested the alleged perpetrators.

Pornography Trafficking

Computers and networks are also increasingly used to store and transport pornography. Although the definition of "pornography" might differ from one region, state, province, or country to another, it is not necessary to look very hard before finding some kind of electronic pornography-related activity that breaks the law somewhere. A particularly distressing trend is the use of computers and networks for the purpose of sending, receiving, and storing child pornography.

Dealing with suspected cases of pornography has become more difficult because of techniques offenders can use to hide pornographic images within other graphics images. This makes obtaining a copy of pornographic images by anyone but the offender extremely difficult. The most well known of these methods, steganography, is discussed in Chapter 9, "Forensics II."

Organized Crime Activity

Another category of incident that does not fit the traditional CIA mold is organized crime activity via electronic means. Organized crime can, for example, use computer technology in performing criminal acts such as drug trafficking and running prostitution rings.

Subversion

Subversion is used here to describe a type of incident in which an intended function or access appears to work as expected but does not. This might superficially seem to be simply an attack in which the integrity of a system, network, or application is violated, but it is in reality something more. Examples include putting a bogus financial server on a network to discover credit card numbers and illegal indexing of web pages. In the latter, a perpetrator modifies web links so that when anyone connects to a particular web page, the connection is actually to another, completely different, web page.

Hoaxes

Hoaxes are incidents caused by dissemination (either deliberately or unintentionally) of false information. Even though hoaxes are based on false information, they can have a huge negative impact, sometimes including damage to systems (caused by panicked users) and a significant waste of time and resources. A recent example is the hoax concerning the Virtual Card for You virus. Several organizations (particularly vendor organizations) distributed urgent bulletins warning recipients that this virus was the worst to ever surface in the wild. The virus allegedly first distributed itself to a user's mail distribution list, then froze the infected system, forcing the user to reboot the system, and then erased sector zero of the hard drive, rendering the hard drive useless. As things turned out, there was no Virtual Card for You virus, forcing many of the organizations that spread so much panic to make red-faced retractions of their previous bulletins about this virus.

Hoax Lists: Good or Bad?

Several incident response teams maintain listings of known hoaxes, such as hoaxes about new viruses that have allegedly been found. These teams claim that maintaining such listings is helpful in lessening the negative impact of hoaxes and in snuffing them out quickly. Other security professionals, however, question the value of maintaining these listings, saying that knowing whether or not a new virus or worm exists usually does little good until antivirus software vendors actually update their software to recognize the new malicious code. Furthermore, in the past, virus writers have sometimes assigned the name of a virus on a hoax list to a virus they have just created, causing massive confusion. Finally, those opposed to hoax lists say that these lists result in a greater amount of attention paid to hoaxes, something that actually encourages those who perpetrate them.

Caveat

The kinds of incidents discussed in this section are by no means mutually exclusive. Reconnaissance, for example, is likely to be followed by attempts to gain unauthorized access to data or to bring systems down. Remember, too, the case in which young perpetrators broke into a corporation's network and then attempted to extort money from the corporation. One of the troubling aspects of cybercrime trends, in fact, is the increased complexity of incidents over the years.

What Incident Response Involves

Incident response means actions taken to deal with an incident that occurs. These actions normally represent some form of intervention to negate or minimize the impact of the incident. Actions can be initiated by either humans or computer systems. In fact, one of the new trends discussed in Chapter 13, "Future Directions," is the use of automated incident response mechanisms.

Although Chapter 3, "A Methodology for Incident Response," covers the logic and flow of incident response in detail, suffice it to say at this point that incident response involves a potentially very large range of activities. Although many of these activities are direct reactions to the adverse event that occurs, many are not. Many of the facets of incident response involve preparing to handle incidents, enabling those involved in incident response efforts to work more efficiently. Many other facets involve managing the large amount of data likely to be accumulated as incidents occur.

It is also tempting to view incident response as something that is done only by technical personnel. Although it is true that technical personnel are likely to be some of the main players involved when incidents occur, incident response very frequently requires much more than application of technical knowledge. It also involves management, legal knowledge, human relations training, technical writing skills, and even knowledge of psychology (especially when it comes to dealing with insider attacks), as Chapter 11 of this book, "The Human Side of Incident Response," will detail. In short, successful incident response efforts are usually multidisciplinary efforts that involve a range of participants with a variety of skills. Effective incident response goes far beyond simply making a technical diagnosis and applying technical skills to fix the problem.

The Relationship between Incident Response and Incident Response Teams

Anyone who keeps up with vulnerability advisories is almost certainly familiar with acronyms such as CERT, AUSCERT, GIAC, DFN CERT, NASIRC, and others. These acronyms represent the names of incident response teams. For example, NASIRC stands for the NASA Automated Systems Incident Response Capability. It might thus be tempting to assume that "incident response" is equivalent to "incident response team." This kind of assumption, however, is not necessarily true. Although many incident response teams now exist, much of the actual work in responding to incidents is performed by individuals who are not part of any team, per se. As Chapter 4, "Forming and Managing an Incident Response Team," points out, whether or not it is possible to form an actual team depends on many factors such as funding. But effective incident response does not necessitate having a team, as you will see shortly.

Relationship to the Goals of Information and Computer Security

Virtually every discussion of information and computer security defines three goals: confidentiality, integrity, and availability (CIA). As previously mentioned, confidentiality means protecting the contents of files, network transmissions, the contents of a computer's memory, and so on from unauthorized disclosure. Integrity means keeping systems and data from unauthorized alteration. Availability means ensuring that access to systems, network services and components, and data is continuous and without interruption. But as Donn Parker pointed out in his book Fighting Computer Crime, computer and information security efforts that focus exclusively on the CIA objectives are doomed to fail.

CIA in and of itself excludes other important goals and considerations. Consider, for example, an electronic business transaction in which someone orders a large number of goods and then denies ordering them shortly afterward. Preventing repudiation of transactions, or "nonrepudiation," is thus another critical goal of information and computer security. Additionally, establishing accountability of users (ensuring that user actions on systems and networks are properly recorded so that irresponsible, hostile, and other acts come to light) is yet another important goal.

Incident response is directly linked to the goals of computer and information security. If the controls (for example, access control permissions, firewalls, encryption) that are deployed ever should be defeated or bypassed (as will almost certainly happen in one or more circumstances), incident response can be used to restore confidentiality, integrity, or availability. In fact, as you will see shortly, effective incident response is in tune with an organization's security objectives so that the infrastructure established for incident response and the particular procedures put in place reflect the relative importance of each of the security goals for that organization.

Incident Response and the Computer/Information Security Life Cycle

In a competent computer and information security practice, incident response is an essential component of the information security life cycle. The three major parts of this cycle are countermeasures, detection, and response (see Figure 1.1).

Figure 1.1. The computer/information security life cycle.

Countermeasures

Countermeasures are defenses that counter threats such as break-ins, denial-of-service attacks, repudiation, and others. Countermeasures are usually chosen and deployed as a result of conducting a risk analysis, although other approaches (such as adoption of measures deemed to be in accordance with due care standards or even "best practices") are being used increasingly as an alternative to traditional risk-based approaches. No countermeasure is foolproof, however; even if it were, resources for adopting all the countermeasures necessary to counter all identified sources of risk would undoubtedly be insufficient.

Detection

Detection of security incidents essentially means providing an indication that security has been breached. Because the topic of detection is covered in detail in Chapter 3, it suffices at this point to say that effective detection provides feedback concerning the adequacy of the countermeasures that have been deployed. If a particular type of incident (for example, break-ins to Windows-based systems) occurs repeatedly and is noticed by an intrusion-detection capability, there is increased impetus to deploy countermeasures (or sometimes to increase or change the countermeasures already in place) to protect against this type of incident.

Incident Response

The next and final part of the computer/information security life cycle is incident response; after an incident has been noticed, incident response is the next logical step. Note that assessing the type, severity, location, and/or frequency of attacks during incident response activity can prompt the deployment of new or different types of intrusion-detection methods.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
