Phil Huggins
February 2004
- Description
- Isolation & Mitigation
- Letter of Preservation
- Additional Monitoring
- External Notifications
- Restoring the Systems
- Securing the Systems
- Summary Meeting

- The goal of this phase is to respond to the data and conclusions drawn in the assessment phase
- This includes:
  - Isolating compromised systems
  - Acquisition of systems
  - Increased logging and monitoring
  - Restoring systems
  - Increasing security

- This phase restores the system/s to a known and trusted state
- The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring to identify future attacks
- The lessons learned will be shared so that responses to future incidents are more successful

- The goal of acquisition is to save the state of the system
- Document everything (even mistakes)
- Trust nothing on the suspect system
- Suspect systems should be modified as little as possible
- Chain of Custody must be kept for all potential court evidence
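The acquisition bullets above are easier to apply with a concrete record format in hand. The following is an added example, not code from the session or its author: it hashes an acquired image with two algorithms and keeps an append-only chain-of-custody log in which each entry links to the digest of the previous one, so a later reviewer can prove both that the evidence is unchanged and that no handling step was silently edited away (mistakes are logged as entries, as the slide asks). The evidence bytes, host name and custodian names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired image. A real acquisition would hash the
# image file (or device) in chunks; the record logic below is the same.
SAMPLE_IMAGE = b"constructed sample disk image bytes\n" * 256


def hash_evidence(data: bytes) -> dict:
    """Digest the evidence with two independent algorithms.

    Recording both lets a later reviewer cross-check the acquisition even if
    one algorithm falls out of favour.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _entry_digest(entry: dict) -> str:
    """Canonical SHA-256 over one entry so the next entry can link back to it."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def add_custody_entry(chain: list, evidence_id: str, data: bytes,
                      custodian: str, action: str, note: str = "") -> dict:
    """Append one chain-of-custody entry.

    Each entry records who handled the item, what was done, when, the
    evidence digests at that moment, and the digest of the previous entry.
    Entries are never edited; a mistake becomes a new entry (action="error").
    """
    entry = {
        "evidence_id": evidence_id,
        "sequence": len(chain),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "note": note,
        "digests": hash_evidence(data),
        "previous_entry_sha256": _entry_digest(chain[-1]) if chain else None,
    }
    chain.append(entry)
    return entry


def verify_chain(chain: list, data: bytes) -> bool:
    """True only if the evidence matches every recorded digest and every entry
    links to its predecessor in order; any tampering with the image or the
    log makes this return False."""
    current = hash_evidence(data)
    for i, entry in enumerate(chain):
        if entry["sequence"] != i:
            return False
        if entry["digests"] != current:
            return False
        expected_prev = _entry_digest(chain[i - 1]) if i else None
        if entry["previous_entry_sha256"] != expected_prev:
            return False
    return True


def build_example_chain() -> list:
    """Acquire, mislabel, correct, and hand over the constructed image,
    logging every step including the mistake."""
    chain = []
    add_custody_entry(chain, "HOST-01-disk0", SAMPLE_IMAGE,
                      "responder A", "acquired",
                      "imaged through write-blocker, digests verified on site")
    add_custody_entry(chain, "HOST-01-disk0", SAMPLE_IMAGE,
                      "responder A", "error",
                      "wrong shelf label applied and corrected; recorded per policy")
    add_custody_entry(chain, "HOST-01-disk0", SAMPLE_IMAGE,
                      "evidence clerk B", "received into evidence locker")
    return chain


if __name__ == "__main__":
    records = build_example_chain()
    print(json.dumps(records, indent=2))
    print("chain verifies:", verify_chain(records, SAMPLE_IMAGE))
```

The chain is a plain list of dictionaries so it can be written to a file on separate media from the image; the link digests mean an altered note, a reordered entry or a swapped image all fail `verify_chain`.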

- Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to the compromised system itself
- When possible, unplug from the network and plug into an empty hub or switch (to prevent network unreachable errors)
- If it must be kept online, restrict access to and from it using ACLs on routers and switches
- Apply network monitoring to those systems that are not removed from the network

- When external systems are identified, a Letter of Preservation should be issued
- Carries legal weight in the US
- It requests that logs and other data be preserved and not deleted
- Additional legal procedures are typically required before the data is actually transferred
- The letter must specify a given host or person to save data about
- An example can be found in the EnCase Legal Journal

- Additional network monitoring devices may need to be deployed to:
  - Detect and observe future attacks
  - Collect additional evidence of an ongoing attack
  - Provide data to help identify the incident scope
- These devices can be built during the Readiness Phase
- Logging levels on firewalls, IDS, and servers may need to be increased
- Some monitoring may not be allowed depending on User Privacy Policies

- Snort (http://www.snort.org)
- Ethereal (http://www.ethereal.com)
- tcpdump (http://tcpdump.org)
- snoop (included in Solaris)
- NetWitness (http://www.forensicexplorers.com)

- Windump (http://windump.polito.it)
- Snort (http://www.snort.org)
- Etherpeek (http://www.wildpackets.com)
- Ethereal (http://www.ethereal)
- Net X-Ray (http://www.netxray.co.uk)
- Sniffer Technologies (http://www.networkassociates.com/us/products/sniffer/home.asp)
- eEye Iris (http://www.eeye.com/html/Products/Iris/index.html)
- Niksun (http://www.axial.co.uk/niksun/niksun_products.asp)

- DigitalGuardian (http://www.verdasys.com)

- FBI
- Local Police Force
- FIRST (www.first.org)
- incidents.org (SANS)
- incidents@securityfocus.com
- Any public postings must be from a generic email account (watch out for X-headers with free HTML-email)

- It is important not to restore data that has trojans or backdoors
- If a backup is known not to be compromised, it can be used
- Otherwise, start with a new install
- Ensure that the system has all patches installed

- If the method of attack is known, secure the compromised host from it first
- After that, secure hosts with the same vulnerability
- If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
- After a forensic analysis is performed, secure any vulnerabilities that were found
- Additional filters may be applied to the recovered host to detect future attempts
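Two of the slides above call for the same kind of check: the isolation slide says to restrict a host that stays online with ACLs and to watch it, and this slide says to keep filters on the recovered host so that further attempts are noticed. The following is an added example, not code from the session or its author, that reads firewall-style log lines for one watched host and reports repeated inbound attempts, any traffic the ACL let through from a peer that is not on the approved list (an ACL gap), and any outbound connection the host itself tried to make (a possible callback from leftover malware). The log format, addresses and the approved forensic workstation are constructed for the example and do not correspond to any real product's output.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in a generic "firewall syslog" shape; they are not
# taken from any real product. Format:
#   <utc time> <ACTION> <PROTO> <src:port> -> <dst:port>
SAMPLE_LOG = """\
2004-02-10T09:12:01Z ACCEPT TCP 10.0.5.7:51022 -> 10.0.9.20:22
2004-02-10T09:12:05Z DENY TCP 198.51.100.23:4444 -> 10.0.9.20:22
2004-02-10T09:12:06Z DENY TCP 198.51.100.23:4445 -> 10.0.9.20:22
2004-02-10T09:12:07Z DENY TCP 198.51.100.23:4446 -> 10.0.9.20:22
2004-02-10T09:13:00Z DENY TCP 10.0.9.20:33012 -> 203.0.113.9:6667
2004-02-10T09:14:11Z ACCEPT UDP 10.0.3.3:5353 -> 10.0.3.255:5353
2004-02-10T09:15:00Z ACCEPT TCP 10.0.7.44:40000 -> 10.0.9.20:445
garbage line that should be skipped, not crash the analysis
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

ISOLATED_HOST = "10.0.9.20"      # constructed: the compromised/recovered host under watch
ALLOWED_PEERS = {"10.0.5.7"}     # constructed: the forensic workstation the ACL permits


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None (rather than raising) for lines that
    do not match, so one odd line cannot stop the whole sweep."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text: str, host: str = ISOLATED_HOST,
            allowed=ALLOWED_PEERS, repeat_threshold: int = 3) -> dict:
    """Classify every line touching the watched host.

    - inbound_attempts: count per non-approved source, accepted or denied
    - repeat_sources:   sources at or above repeat_threshold attempts
    - unexpected_accepts: accepted traffic to/from a non-approved peer,
                          i.e. the isolation ACL is not doing its job
    - outbound_from_host: the watched host initiating connections outward
    """
    inbound = Counter()
    unexpected_accepts = []
    outbound = []
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dst"] == host and rec["src"] not in allowed:
            inbound[rec["src"]] += 1
            if rec["action"] == "ACCEPT":
                unexpected_accepts.append(rec)
        elif rec["src"] == host and rec["dst"] not in allowed:
            outbound.append(rec)
            if rec["action"] == "ACCEPT":
                unexpected_accepts.append(rec)
    return {
        "inbound_attempts": dict(inbound),
        "repeat_sources": sorted(s for s, n in inbound.items() if n >= repeat_threshold),
        "unexpected_accepts": unexpected_accepts,
        "outbound_from_host": outbound,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report shows three denied SSH attempts from one source (a repeat source worth preserving evidence for), one accepted SMB connection from a workstation that is not on the approved list (the ACL needs fixing), and one outbound attempt from the watched host to port 6667 (the host is still trying to reach something). Denied lines are counted as well as accepted ones because a blocked attempt is still evidence of continued interest in the host.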

- Each person involved with the incident should attend a summary meeting
- This will cover what worked and what did not work
- Policies and procedures should be modified appropriately
- Any ‘tricks’ that were discovered should be documented to help future responders

- This phase performs actions based on data found in the Assessment Phase
- Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
- External organizations may provide support or assistance
- Ensure security holes are plugged and risks mitigated

First Response - Session 11 - Incident Response [2004]
