Recovering from an Attack - PowerPoint PPT Presentation

Provided by: billwo
Slides: 16

Transcript and Presenter's Notes

Title: Recovering from an Attack


1
Recovering from an Attack
  • Version 0.1
  • March, 2003
  • Bill Woodcock
  • Packet Clearing House

3
If you've been listening at all
  • You'll have understood by now that the best time
    to clean up
  • is BEFORE an attack.

4
Points to Consider
  • Is the attack ongoing?
  • If so, should you stop it, or do you need to
    allow it to continue, in order to backtrack it to
    its source, or allow law enforcement to do so?
  • If it must be allowed to continue, can critical
    information be safeguarded without alerting the
    attacker?

5
Points to Consider
  • Is the attack destroying resources, or is there a
    significant risk that it will do so?
  • Is the attack exposing confidential information?
  • Is the attack exposing you to liability for
    facilitating further attacks against others?
  • Is the attack preventing your company from
    performing its core business?
  • Is the attack harming employee morale or public
    relations?

6
If the attack is a PERSON
  • Have you removed access? Changed locks and
    passwords, and informed security guards?
  • Do you need to retrieve company property such as
    a laptop computer?
  • Do you need to inform any third parties, like
    cancelling a company credit card, or informing
    customers that the person no longer represents
    your company?

7
If the attack is a DoS
  • Can you characterize the Denial of Service
    traffic load in some way which distinguishes it
    from your normal operational traffic?
  • If so, convey that information to your up-stream
    ISPs, and ask them to propagate it to their
    up-stream ISPs, while coordinating with law
    enforcement if feasible.
  • Think about what statement or incident or action
    or person might have incited the attack, and how
    to avoid doing so again.
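As an added example that is not part of the presentation, one way to characterize a suspected DoS load against a normal baseline: compare which traffic traits (protocol, destination port, destination host, packet size, source count) shifted most between the two windows, which is the kind of description an upstream ISP can act on. The flow records are constructed sample data, not real traffic.

```python
from collections import Counter

# Constructed sample flow records using RFC 5737 documentation addresses; not real data.
BASELINE = [  # a normal window: web traffic to one server plus a little DNS
    {"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "packets": 400, "bytes": 320000},
    {"src": "198.51.100.6", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "packets": 300, "bytes": 210000},
    {"src": "198.51.100.7", "dst": "203.0.113.20", "proto": "udp", "dport": 53, "packets": 100, "bytes": 9000},
]
ATTACK = BASELINE + [  # the same traffic plus a 64-byte UDP flood from 40 sources
    {"src": f"192.0.2.{i}", "dst": "203.0.113.10", "proto": "udp", "dport": 80, "packets": 5000, "bytes": 320000}
    for i in range(1, 41)
]

def feature_shares(flows, key):
    """Fraction of all packets in `flows` carried by each value of `key`."""
    counts = Counter()
    for f in flows:
        counts[f[key]] += f["packets"]
    total = sum(counts.values()) or 1
    return {value: n / total for value, n in counts.items()}

def avg_packet_size(flows):
    """Mean bytes per packet over the window; floods are often uniformly small."""
    return sum(f["bytes"] for f in flows) / max(1, sum(f["packets"] for f in flows))

def characterize(baseline, attack, keys=("proto", "dport", "dst"), min_shift=0.3):
    """Return {(feature, value): share increase} for each feature value whose share
    of packets grew by at least `min_shift` versus the baseline, plus the rounded
    average packet size of each window. Traits that did not shift are left out."""
    findings = {}
    for key in keys:
        base, now = feature_shares(baseline, key), feature_shares(attack, key)
        for value, share in now.items():
            shift = share - base.get(value, 0.0)
            if shift >= min_shift:
                findings[(key, value)] = round(shift, 2)
    return findings, round(avg_packet_size(baseline)), round(avg_packet_size(attack))

def summary_lines(baseline, attack):
    """Plain-language traits of the flood, the kind of description an upstream can filter on."""
    findings, base_avg, atk_avg = characterize(baseline, attack)
    lines = [f"{key}={value}: share of packets up {shift:.0%} over baseline"
             for (key, value), shift in sorted(findings.items())]
    lines.append(f"average packet size {atk_avg} bytes (baseline {base_avg})")
    lines.append(f"distinct sources {len({f['src'] for f in attack})} (baseline {len({f['src'] for f in baseline})})")
    return lines

if __name__ == "__main__":
    print("\n".join(summary_lines(BASELINE, ATTACK)))
```

With the constructed data the report singles out UDP to port 80, a 66-byte average packet and a jump from 3 to 43 sources, while the unchanged destination host is correctly left out.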

8
If the attack is a VIRUS or WORM
  • Find out how to identify infected machines.
  • Find out how to stop propagation or reinfection
    from the outside or from pockets within your
    organization.
  • Determine to what degree hosts need to be
    sterilized.
  • Download and install a fixed version of the
    vulnerable software.
  • Evaluate whether a more secure piece of software
    might be in order.

9
If the attack is a TROJAN HORSE
  • Educate your staff immediately. Let them know
    what it looks like, that they should be actively
    looking for it, and that the consequences of
    spreading it are very serious.
  • Identify affected machines.
  • Determine the method of sterilization.

10
If the attack is against SUPPORT INFRASTRUCTURE
  • Identify the affected resource (power,
    communications, cooling, transportation)
  • Minimize draw by shutting down less-needed
    equipment (lights, non-critical processes and
    machines) and letting the temperature rise
    gradually toward ambient.
  • Identify backup hardware and bring it into effect.

11
If the attack is against a HOST
  • Identify the scope of the attack: has the
    attacker gained root? Do they have access to the
    entire file-system?
  • Are there special privileges accorded this host
    by others, which might be made more vulnerable
    thereby?
  • Can the system be isolated, or must it remain
    on-line?
  • What method is the attacker using to communicate
    with the host?

14
  • All of these problems can be responded to more
    quickly and effectively if you've
  • Considered them and made a contingency plan,
    and
  • Prepared any resources like data backups or
    spare equipment which you'll need.

15
  • Bill Woodcock
  • woody_at_pch.net