Integrating Traps and Deceptive Measures into Incident Response


What relationship do traps and deceptive measures have to incident response? We've already provided a few answers to this question (for example, that traps and deceptive measures provide more time to develop an optimal incident response strategy after an incident has been detected). This final section of the chapter addresses this question in terms of the stages of the PDCERF incident response methodology.

Detection

By now, the value of traps and deceptive measures as detection measures should be obvious. The actions of attackers who stumble onto honeypots can provide a valuable indication that an attack on one or more networks (and the systems therein) is underway. Although they do not directly indicate attacks on bona fide systems, deceptive measures can prompt security and other professionals to look more closely at what is occurring within systems and networks.

Preparation

Preparation involves getting ready for incident response efforts. Traps and deceptive measures can greatly help in this stage because well-designed measures of this nature can provide early indications of new attacks and threats. Incident response staff can brace for such new attacks and threats by obtaining appropriate tools, ensuring that incident response procedures are updated, and so on.

Containment

As we said in Chapter 3, deciding what to do after detecting a security-related incident is critical. One option is to allow the attack on victim hosts to continue; another option is to shut the attack off by shutting down the victim system(s) or disconnecting them from the network. Traps and deceptive measures fit nicely with the first option.

Traps and deceptive measures have often been deployed as part of a delaying strategy during an ongoing attack. Their function is to distract the attackers to allow for more time to trace their connections and to close the vulnerabilities that have been exploited on other potential victim systems. If an attack occurs, for example, a honeypot with elaborate monitoring capabilities can be implemented to record all of the attacker's keystrokes and perhaps even to gather any attack tools while the attacker engages in all kinds of futile actions.

Another potentially valuable role of traps and deceptive measures during incident response is the capability to better protect one or more critical servers during an attack. If attackers have targeted a critical server such as finance.corp.com, you can take this host offline or rename it and move it to another part of your network. Next you can bring up a honeypot named finance.corp.com in the victim host's place. Any attacks on finance.corp.com will now be directed at the honeypot, not the critical system. This swap-out strategy can help minimize loss and disruption (and worry) when security-related incidents occur. Similarly, if someone is trying to break into a UNIX system that has no valuable resources or services, it might be prudent to create a jail environment on that system for the attacker to log in to.

Follow-Up

Traps and deceptive measures are also potentially useful in the follow-up stage of incident response. Suppose, for example, that an internal honeypot attracts a huge number of connections from your organization's employees. Furthermore, suppose you discover that the employees' activity is not unauthorized; rather, they are scanning the network looking for underutilized hosts so they can run resource-intensive programs on these hosts. Perhaps your organization's computer-usage policy should be changed as a result of the usage patterns that the honeypot has detected. Similarly, suppose a host that supports a jail environment is repeatedly attacked by someone who, by all appearances, is an expert attacker. If the attacker breaks the host's defenses and then launches attacks against other systems from the compromised host, it would be wise to revise the procedures for jail environment operations afterward. It might be better to shut down a host that supports a jail environment earlier, as soon as indications surface that the host is the target of a sophisticated attack.
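The Detection and Follow-Up stages above both come down to the same analytic step: a honeypot has no legitimate users, so every connection to it is a signal, and the first triage question is who connected and whether the pattern looks like a sweep. The script below is an added example, not code from the book or its authors; it parses a constructed honeypot connection log, separates internal from external sources (the address ranges, log format and sweep threshold are assumptions), and assigns each source one of the verdicts the chapter describes: an external source gets treated as a probable attack to be traced, an internal source touching many hosts or ports gets flagged for a usage-policy review rather than an intrusion response.

```python
"""Honeypot connection-log triage (added example, not from the book).

Groups constructed sample log lines by source address, tells internal from
external sources, and flags sources whose behaviour looks like a network
sweep.  The log format, address ranges and threshold are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines in the form "<timestamp> <src_ip> -> <honeypot_ip>:<port>".
# 10.1.4.22 walks five honeypot addresses on one port (an internal sweep);
# 198.51.100.77 probes four ports on one honeypot from outside.
SAMPLE_LOG = """\
2002-03-04T09:12:01 10.1.4.22 -> 10.1.9.5:22
2002-03-04T09:12:03 10.1.4.22 -> 10.1.9.6:22
2002-03-04T09:12:05 10.1.4.22 -> 10.1.9.7:22
2002-03-04T09:12:07 10.1.4.22 -> 10.1.9.8:22
2002-03-04T09:12:09 10.1.4.22 -> 10.1.9.9:22
2002-03-04T11:40:51 198.51.100.77 -> 10.1.9.5:80
2002-03-04T11:40:52 198.51.100.77 -> 10.1.9.5:443
2002-03-04T11:40:54 198.51.100.77 -> 10.1.9.5:23
2002-03-04T11:41:10 198.51.100.77 -> 10.1.9.5:21
this line is malformed and is skipped
2002-03-04T14:02:30 10.2.0.15 -> 10.1.9.5:139
"""


@dataclass
class SourceSummary:
    """What one source address did against the honeypots."""
    connections: int = 0
    targets: set = field(default_factory=set)  # honeypot addresses touched
    ports: set = field(default_factory=set)    # destination ports touched


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    dst_ip, _, port = parts[3].rpartition(":")
    if not port.isdigit():
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(dst_ip), int(port))
    except ValueError:
        return None


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Aggregate the log per source address, skipping malformed lines."""
    summaries = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        s = summaries[str(src)]
        s.connections += 1
        s.targets.add(str(dst))
        s.ports.add(port)
    return dict(summaries)


def triage(summaries, sweep_threshold=4):
    """Map each source to a verdict that drives the response stage.

    external-attack : outside address; treat as a probable attack and trace it
    internal-sweep  : inside address touching many hosts/ports; policy review
    internal-single : inside address, one touch; verify it is not a misconfig
    """
    verdicts = {}
    for src, s in summaries.items():
        sweep = (len(s.targets) >= sweep_threshold
                 or len(s.ports) >= sweep_threshold)
        if not is_internal(ipaddress.ip_address(src)):
            verdicts[src] = "external-attack"
        elif sweep:
            verdicts[src] = "internal-sweep"
        else:
            verdicts[src] = "internal-single"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, verdict in triage(summary).items():
        s = summary[src]
        print(f"{src:15} {verdict:16} conns={s.connections} "
              f"hosts={len(s.targets)} ports={len(s.ports)}")
```

The threshold of four distinct hosts or ports is deliberately low for a honeypot: production hosts see that kind of variety routinely, but a honeypot should see almost nothing, so even a small sweep stands out. In practice the verdict feeds the containment decision the chapter describes next, and the summary by source is the artifact you keep for the follow-up stage.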

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103