Fermi Computer Incident Response Team

1
Fermi Computer Incident Response Team

• Computer Security Awareness Day
• March 8, 2005
• Michael Diesburg

2
What Is FCIRT?

• FCIRT
• Fermi Computer Incident Response Team
• Group of computing experts who investigate
  compromised systems and guide cleanup
• On call 24x7
• FCIRT does not make policy. Their concern is
  with understanding how a compromise occurred and
  what actions are necessary to restore the system
  to production
• Think of it as a volunteer fire department

3
When Should You Contact FCIRT?

• Any time you suspect a system has been hacked or
  infected with a virus.
• For any issues of unauthorized usage.
• Anytime you suspect a machines usage is not in
  accordance with the rules of acceptable usage.
• If in doubt, contact us

4
How To Contact FCIRT

• Normal contact is via e-mail
• computer_security_at_fnal.gov
• Mail list is monitored on regular basis during
  normal working hours. Some delay in response
  after hours or on weekends
• You may also contact Helpdesk
• For urgent issues call
• 630-840-2345

5
How FCIRT Operates

• FCIRT actions have several goals
• Contain any damage
• Determine how compromise occurred
• Oversee the cleanup of compromised systems and
  certify cleaned systems to be returned to normal
  use
• Assess how compromise could have been avoided

6
How FCIRT Operates

• Upon alert, FCIRT personnel first triage the
  suspected incident
• No incident
• SMOKE - Further investigation required. Minor
  incident to be handled by local system managers
  under oversight of FCIRT
• FIRE Major incident. FCIRT assumes full
  administrative control of the systems involved.

7
How FCIRT Operates

• SMOKE
• A SMOKE is declared if there is evidence that
  some compromise may have occurred and further
  investigation is required
• If investigation shows problem is confined to
  single system with limited impact on users, then
  cleanup is usually delegated to system managers
• Incidents which may have widespread impact may be
  elevated to FIREs

8
How FCIRT Operates

• SMOKE
• Covers things like well common viruses whose
  infection vector is well known.
• Normal procedure
• Use AV cleaning tools
• Or re-install form known good media.
• Make sure all patches are up to date
• Scan all files with latest AV signatures
• Make sure node and all NICs are registered
• Return to service

9
How FCIRT Operates

• FIRE
• A FIRE is declared when incident involves major
  servers, impacts many users, or in any way
  adversely effects the mission of the lab.
• FCIRT takes complete control of systems in these
  cases
• May involve removal form network, or in some
  cases even confiscation of equipment

10
How FCIRT Operates

• FIRE
• First action is to contain the damage. Either
  via network block or by physically removing the
  system from network.
• State of the system is then examined to determine
  how the compromise occurred
• Weak passwords
• Known vulnerabilities
• Pilot error

11
How FCIRT Operates

• FIRE
• Network records are examined to determine what
  other systems may have been involved
• Determination is made as to what must be done to
  protect the system from compromise
• Copies of disks may be made at the request of
  government authorities
• System is cleaned and returned to service

12
How FCIRT Operates

• Reporting
• Any computing incident also triggers several
  reporting streams
• In case of a FIRE, the relevant system managers,
  division heads, and CSExec are notified
• In some instances appropriate government agencies
  will be informed
• Daily reports are made to the above until the
  incident is closed