18.5 Contact Appropriate Parties


While the problem is being removed from the network, forensics are being performed, and the system is being cleaned, appropriate parties should be contacted. The information about who is contacted should be logged, as well as whether that contact is made via e-mail or phone conversation.

The first organization contacted should be any organization adversely affected by the attack. If administrators are able to determine that the attacker used the compromised server to launch an attack against another server, that organization should be contacted to make them aware they may have a security breach.

Attacks are usually launched against one or more IP addresses. The IP addresses attacked can be used to track down the owners of the network block by querying the appropriate database (ARIN, RIPE, or APNIC). For example, if the attacker used a server within the netblock to launch an attack against the IP address 12.25.233.110, a query of the ARIN database provides the following contact information:

    [allan@ns1]$ whois -h whois.arin.net 12.25.233.110
    [whois.arin.net]
    AT&T ITS (NET-ATT)                   ATT               12.0.0.0 - 12.255.255.255
    Inflow (NETBLK-ATT137321616-232)     ATT137321616-232  12.25.232.0 - 12.25.239.255
    Rackmy.com (NETBLK-INFLOW-RACKMY-1)  INFLOW-RACKMY-1   12.25.233.96 - 12.25.233.127

The search can be narrowed down to a query of the netblock that is of specific interest:

    [allan@ns1]$ whois -h whois.arin.net NETBLK-INFLOW-RACKMY-1
    [whois.arin.net]
    Rackmy.com (NETBLK-INFLOW-RACKMY-1)
       710 N Tucker
       St. Louis, MO 63101
       US

       Netname: INFLOW-RACKMY-1
       Netblock: 12.25.233.96 - 12.25.233.127

       Coordinator:
          buller, patrick (ZZ1934-ARIN)  pbuller@inflow.com
          314-754-0400

       Record last updated on 04-Apr-2001.
       Database last updated on 20-May-2002 20:01:13 EDT.

This information should be used to call the administrative contact for the netblock, in this case Patrick Buller, so the company can begin the investigation process. In addition to calling, it is a good idea to follow up with e-mail so the information is in writing.

In addition, the administrators of the netblock from which the attack originated should be contacted. Most likely, the administrative contacts of this netblock are unaware that their servers have been compromised or used for an attack. It is best to approach them judiciously, rather than in an accusatory manner, and explain what was discovered during the investigation process. The details of the attack do not need to be relayed, simply that the attack originated from their netblock; they should be provided with the source and destination IP addresses so they can start their own investigation.
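As an added example (not from the book), the lookup-and-notify step above in Python: it parses the legacy ARIN record shown above for the netblock range and coordinator contact, checks that the attacked address really falls inside that range before anyone is called, and builds the contact-log entry the section asks for (who, how, which addresses were passed on). The source address 192.0.2.10 is a constructed placeholder, and current ARIN output uses different field names (NetRange, OrgAbuseEmail), so the regular expressions would need adjusting for live queries.

```python
import ipaddress
import re
from collections import namedtuple
from datetime import datetime, timezone

# Legacy (2002) ARIN netblock record, copied from the whois output shown above.
# Current ARIN output uses other field names (NetRange, OrgAbuseEmail, ...).
SAMPLE_WHOIS = """\
Rackmy.com (NETBLK-INFLOW-RACKMY-1)
   Netname: INFLOW-RACKMY-1
   Netblock: 12.25.233.96 - 12.25.233.127
   Coordinator:
      buller, patrick (ZZ1934-ARIN)  pbuller@inflow.com
      314-754-0400
"""

# Everything an incident handler needs in order to notify the netblock owner.
NetblockContact = namedtuple("NetblockContact", "netname first last coordinator email phone")

def parse_arin_record(text: str) -> NetblockContact:
    """Pull Netname, Netblock range and Coordinator contact out of a legacy record."""
    netname = re.search(r"^\s*Netname:\s*(\S+)", text, re.M).group(1)
    rng = re.search(r"^\s*Netblock:\s*([\d.]+)\s*-\s*([\d.]+)", text, re.M)
    coord = re.search(r"Coordinator:\s+(.+?)\s+\(\S+\)\s+(\S+@\S+)\s+([\d-]+)", text)
    first, last = ipaddress.IPv4Address(rng.group(1)), ipaddress.IPv4Address(rng.group(2))
    return NetblockContact(netname, first, last, *coord.groups())

def covers(contact: NetblockContact, ip: str) -> bool:
    """True if ip lies inside the netblock, i.e. this really is the owner to notify."""
    return contact.first <= ipaddress.IPv4Address(ip) <= contact.last

def contact_log_entry(contact: NetblockContact, attacked_ip: str, source_ip: str, via: str) -> dict:
    """Record whom was contacted, by phone or e-mail, and which addresses were handed over."""
    if not covers(contact, attacked_ip):
        raise ValueError(f"{attacked_ip} is not inside netblock {contact.netname}")
    if via not in ("phone", "email"):
        raise ValueError("via must be 'phone' or 'email'")
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "netblock": f"{contact.first}-{contact.last}",
        "contacted": contact.coordinator,
        "via": via,
        "address": contact.phone if via == "phone" else contact.email,
        "attack_destination": attacked_ip,   # the address inside their netblock
        "attack_source": source_ip,          # what they need to start their own investigation
    }
```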

If the source of an attack cannot be isolated (either the origin of the attack or the method used to gain access to the compromised device), then the information should be escalated to either CERT/CC or the Computer Incident Advisory Capability (CIAC). [2] Because these groups will require extensive server and network information in order to properly diagnose the attack, the decision to escalate this information to that level should be made by the CSO, or whoever serves in a similar capacity within an organization.

[2] You can even escalate it to both.

Finally, if a determination is made that the attacker used a security hole in an application or operating system that is not currently published, information about the attack should be communicated to the software vendor, CERT/CC, and CIAC. Again, because this may involve providing third parties with sensitive network information, the coordination should be handled by the CSO.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska