On Mon, January 25, 2016 19:12, Benjamin Smith wrote:
>
> Which I'd consider "best practices" and we do them.
> They are specifically asking about what to do *after* a
> breach. Despite all the best practices in
> place, there's *still* some risk.
>
If someone wants in to your network then they will get in. There is
no point in deluding yourself or your clients on that point.
The first thing that you must do after a breach is detected, or even
suspected, is to notify all affected parties. There is an
institutional bias against revelation of security incidents because of
the fear of embarrassment. This is often couched in terms using the
word 'premature'. Failure to disclose at the earliest opportunity is
unethical and ultimately self-defeating. You will never regain trust
thereafter.
The second thing to do, concurrently with the first, is to isolate the
affected systems from the rest of your network. If that means
physically pulling wires and putting the things on their own switch
and LAN segment blocked from the rest of your networks then do it. If
it means shutting down the affected hosts then do it. If if means
disconnecting from the network at your gateway then do it. They are in
and they are looking for ways to expand their foothold. Delaying
containment is pointless.
The third thing to do is to involve the authorities. Unauthorised
computer access is an indictable offence in Canada and the UK. It is
a federal felony in the U.S.A. If you have an incident then report
it. That means you should have computer emergency response contact
information and reporting protocols already in place.
Now, with your clients and the authorities notified and the suspect
systems isolated, you begin to map out your recovery strategy. The
basic bones of which you have already written down and implemented in
your backup and disaster recovery plan. A security breach is a
disaster. You need to start with that point clearly in mind and
proceed on that basis.
Once corporate and client services are restored on clean hosts and
reconnected to the Internet then begin your investigation. Use your
AIDE and syslog records to determine the point of entry, the length of
compromise and the extent of penetration. If possible identify the
nature of the attackers and their target. Where possible keep the
compromised hosts' disk drives unaltered for further technical
analysis. Where warranted bring in forensic investigators to examine
them.
It will likely prove impossible to positively identify them but you
should be able to glean some inkling if this was a targeted breach or
an opportunistic one. If the former then they will be back and you
will need to consider how to deal with the next assault.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3