WHAT WILL INCIDENT RESPONSE BRING TO YOUR BUSINESS?
David Crochemore[1] and Thiébaut Meyer[2]
CERTA (Computer Emergency Response Team For The French Administration)
The massive and growing use of Information Technology in business makes it absolutely necessary for companies to improve the level of trust they have in their information systems, and therefore to treat the security of these information systems as a very important issue. The protection of the systems, the detection of incidents, and the adequate response to these incidents form the triptych of information systems security. The need for protection and detection has been felt, and there is obviously a market for commercial products in these areas. Unfortunately, computer security Incident Response, which should be an important and dedicated activity, is generally not considered an area worth spending money on… at least until an incident occurs.
Hackers, web defacement, root compromise, viruses, denial of service. These disconcerting and frightening words can be read every day in newspapers. They are disconcerting because one hardly knows what they refer to, and they are frightening because one usually would not know how to react when confronted with an Internet attack. These are not only words, though. They are real threats faced by the information systems of organizations world-wide.
The threats to a company's information systems concern:
• Confidentiality: information is not disclosed without authorization
• Integrity: information is not modified without authorization
• Availability: information is available whenever its use is authorized
It is very difficult to determine the full consequences of computer security incidents. However, it is agreed that they can have a huge impact in terms of time, money and goodwill. In spite of the growing threats and the potential for damage, no company today would imagine doing business or communicating with its partners without the Internet.
What is Incident Response?
Over the last two decades, IT systems have become ever more complex and the applications developed on them ever larger. For instance, Microsoft DOS 3.0, released in August 1984, was written in 40,000 lines of source code, whereas the latest XP version counts more than 30 million lines of code. All vendors follow the same tendency: the first Linux version 0.0.2 was written in 10,000 lines of code, but today's Linux kernels count almost 1,000,000 lines of code, and KDE[3] alone 800,000 lines.
This expansion of the size of source code and the multiplication of applications is mostly due to the wish of vendors to offer more powerful services and more pleasant GUIs[4]. As hardware also becomes more powerful, this is not a problem in itself. However, according to Wietse Venema[5], even highly skilled and experienced programmers write about one bug every thousand lines of code. In addition, with time to market always getting shorter, the rush in coding also leads to a growing number of vulnerabilities in applications. They come from unchecked buffers, badly parsed user input, poor default configurations... Thus, it is no surprise that mailing lists such as Bugtraq[6] report an average of 15 or 20 new vulnerabilities every day.
All those vulnerabilities create potential holes, which can be used by hackers to take control of systems. Furthermore, hackers no longer work on their own, and use, like everyone else, Internet-based technologies to share their knowledge and experience: web sites, mailing lists or chats, for instance. Tools to exploit vulnerabilities, and the way to use them, are widely spread all over the Internet and make system break-ins easy to achieve. Hacking a system today is no longer reserved to a technical elite, and a script-kiddie can quickly find ready-to-use tools to break into vulnerable servers.
Facing this rising threat, system and network administrators can take preventive counter-measures: filtering inbound and outbound traffic, following security alerts, applying patches to vulnerable servers as soon as possible, shutting down unnecessary services, or teaching users to follow a strong password policy. Unfortunately, all these measures cannot prevent every aggression, and a hacker can always manage to break into a private network. Just as military strategists affirm that there is no impregnable fortress, computer security experts agree that every connected computer might be vulnerable. All one can do is enhance security protections to make the compromise of a system as difficult and costly as possible.
Then, if an absolutely guaranteed protection is unreachable, the detection of incidents and the appropriate response to every incident are definitely essential to the security and dependability of the services offered by a company's information systems. While most IT managers in large and medium companies have understood the importance of the detection part (Intrusion Detection Tools, etc.), many of them have not yet felt the need for an efficient Incident Response Capability.
As a result, it is essential that, inside each organization, the security policy defines clear measures to take in case of a security incident. When such an incident takes place, administrators or staff in charge of the information system must react promptly. If a clear plan exists, the incident will be quickly handled; if it does not, solving even a minor security problem will turn into a long, expensive and tricky experience.
True story. Monday morning. A system and network administrator comes to his workstation, checks the weekend activity and finds some unusual traffic. He checks the server configuration files and analyses the network event logs. Unfortunately, he is not well trained for this kind of investigation, and there is no one to ask for help.
· in the best case, he may be unable to decide whether he has been dealing with a real security incident or not.
· in a medium case, he will be confused by all the information and give up the investigation in order to get back to his daily work.
· in the worst case, he will act in a totally inappropriate manner and, for instance, delete evidence without noticing it.
Meanwhile, a hacker takes control of one of the servers, installs a rootkit to hide his presence, and launches lots of attacks from this computer. The company will be legally responsible for any of those attacks and will be in trouble without even knowing it!
If a system administrator who is not well trained in security incident response detects an intrusion, it is highly probable that he will not take the appropriate measures. For instance, he may identify the vulnerability used by the hacker and patch it, he may discover the hacker's tools and delete them, but he may not notice the backdoor left by the miscreant, who will be able to come back silently to the system as many times as he wishes. An experienced incident response staff knows well what kind of tools are used in the Internet underground and can detect them on a compromised server. In addition, they know what to do with a compromised machine and how to make sure that it becomes safe and harmless for the organization again.
But technical excellence is not the only point in an incident response. There is always an operational aspect which can be decisive. When a system undergoes an attack, detecting the source of this attack is not always that easy. And even in the case where the source is clearly identified, an inexperienced administrator seldom knows whom he should first contact in the attacking organization.
Eventually, when the contact is identified, he may consider the unauthorized traffic as a direct attack, forgetting for instance that hackers usually use compromised machines as relays to launch further attacks on other systems. So the attacking machine will probably be owned and administered by a peaceful organization which did not even notice that its system was compromised.
This misunderstanding of how attacks actually work could lead to inappropriate reactions which, beyond the victim company alone, impact other organizations and partners. So it is essential to have a coherent response towards the third parties involved in an incident, to be sure that all problems will be quickly solved.
On the other hand, a well-identified and publicly visible incident response team will make it easier for other organizations to contact your company in case of an incident. There will be a clear contact that is able to handle security incidents inside its community, and it will be informed from the outside as soon as a problem occurs. It is by far the best way to solve a growing problem before facing a complex situation.
Furthermore, as the Internet is a world-wide network, an incident often has to be dealt with on an international basis. At this level, an incident response team will be able to find the suitable contact, thanks to the cooperation between Computer Security Incident Response Teams (aka CSIRTs), as we will see in the last part of the article.
Of course, an incident response team is not cost-free for an enterprise. Recruiting experienced engineers, training them and managing the team is indeed an important investment. In addition there are costs related to equipment, infrastructure and incident handling tools. While the costs are easy to estimate, executives often hesitate to create incident response teams, as the benefits are not obvious to them. The cost of such a project is easy to calculate, but the return on investment cannot be made clear, because it is all about preventing damage. However, the company will actually benefit greatly from this effort and investment.
The first direct consequence will be an improvement of the security level of the information system. Each incident will be quickly and properly handled, and so will not spread beyond its initial perimeter. For instance, if a server has been hacked in a company, failing to take adequate measures will enable the hacker to continue his misdeeds. If the server has not been disconnected from the network, it can relay attacks on the whole network. This will be even easier, as attacking from the inside bypasses most traffic protections. In addition, if the passwords used on the compromised computer are also used on another application, the hacker will have trivial access to other systems. But if the proper measures are immediately taken, the incident will quickly be contained, and the resulting cost will ultimately be far lower.
The second consequence will be an improved image of the company. If the incident is handled in a suitable way, the right person will be contacted, and the problem will be solved in a cooperative way. We saw that in most cases, a hacker will not directly attack a specific target from his home computer, but will use a compromised box as a relay. The final victim should not directly accuse the organization relaying the attack, but should work jointly with it to solve the problem.
This will greatly benefit the company, as it will show a good understanding of the actual security problems on the Internet, and will allow further exchanges and cooperation in that field with other Internet users.
Conversely, if a company's server is used to attack other networks, the incident response team will be contacted first, usually before the victim starts legal resolution of the incident.
Elaborating an incident response strategy in an organization will also provide beneficial lessons learned. Merely collecting incident data and disseminating information about incident response will create an enriching interaction between all teams related to the information system. In addition, beyond the technical teams in charge of the information system, every employee will be concerned by at least a few incident response measures, and so each member of the organization can be made aware of security incidents in this way.
Finally, having developed incident response skills will provide a company with valuable independence in terms of computer security. Indeed, in this case, a company will not rely only on rumors, announcements or external sources for the security of its information system, but will have an internal capacity to evaluate a risk with regard to the news or a particular event concerning information technology security.
All the benefits linked to a strong Incident Response capability can only be drawn if clear resources are planned. Giving the adequate response to a computer security incident is not something you want to improvise. Dedicated and professional Computer Security Incident Response Teams will help system and network administrators in a company to adopt the best solution for handling the incident.
In order to create a CSIRT, the support of the management is essential. Four major questions have to be asked and answered:
· Which services will be provided by the CSIRT?
· What will be the constituency of the CSIRT?
· What will be the position of the CSIRT in the structure of the company?
· With which partners will the CSIRT work and exchange information?
The answer to the first question depends on the needs of the company and the resources dedicated to the CSIRT. Being the point of contact for incident handling is the mandatory task of a CSIRT, but most teams have other duties, such as technology watch, vulnerability analysis, risk analysis, post-mortem analysis, security audits, tools development, training, etc. However, among all these activities, incident handling should be the most important, and all the other activities should be designed to improve the efficiency of incident handling.
The second question is also very important. The CSIRT is a point of contact, but a point of contact for whom? Who will be allowed to report an incident to the team? The constituency of the CSIRT should be clearly defined and the process clearly established.
For an internal CSIRT in a company, the third question, and the issue of the authority of the team inside the company and over its constituency, will be a major one. If the Incident Response Team of a company releases information about an imminent threat but nobody in the company cares, that may lead to a serious incident which could have been avoided.
As far as the fourth and last question is concerned, the CSIRT has to have trust relationships with partners. Those partners are first the people in its constituency, but also the other CSIRTs in the world (see next section) and the authorities in charge of information security within the country or region. For instance, a CSIRT may not exchange information about incidents with law enforcement, but it is better if they know each other and each other's procedures.
One should not think that such incident response teams are only meant for large companies. Even SMEs[7] can establish effective incident response. Firstly, they can define coherent plans and measures to take in case of an incident. This necessary action is not related to the size of the company nor to the size of its information system. Secondly, they can pool resources with partners to form an incident response team, if they do not have sufficient funds to create a dedicated team inside their own organization.
Of course, a hacker can be anywhere in the world. He can use a couple of other computers, as relays, in as many countries. The Internet is a global network and the threats may come from anywhere. Therefore, Incident Response on the Internet has to be tackled on a global level. Only cooperation between Incident Response Teams (IRT) can lead to efficiency in the battle against Internet insecurity.
This is the reason why, in 1990, the first IRTs created an organization called FIRST (Forum of Incident Response and Security Teams).
FIRST is now the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication between member teams. FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.
· FIRST members develop and share technical information, tools, methodologies, processes and best practices
· FIRST encourages and promotes the development of quality security products, policies and services
· FIRST develops and promulgates best computer security practices
· FIRST promotes the creation and expansion of Incident Response teams and membership from National, Corporate and Educational bodies around the world
· FIRST members use their combined knowledge, skills and experience to promote a safer and more secure global electronic environment.
As a matter of fact, beyond the stated objectives of FIRST, the most important point is that FIRST provides a forum for experts in Incident Response to exchange high quality and reliable information, by means of trusted communication channels. Indeed, the history of FIRST makes it clear how it has turned from a small group of security experts into a well-balanced global organization. Among all the assets of FIRST, objectivity and neutrality are today the ones that best guarantee the quality of its information.
The first Computer Emergency Response Team (now known as CERT/CC) was created back in 1988, after the so-called "Morris Worm" brought down a significant part of the Internet (around 60,000 computers at the time, mostly in universities). Several security experts combined their knowledge and expertise, and solved the problem quickly. It was thus decided that a permanent team of experts should be dedicated to the analysis of similar future events, and to the coordination of their solutions.
Other Incident Response Teams (IRTs) were formed shortly after the CERT/CC.
Then, in 1990, eleven IRTs created an organization, FIRST, as a forum they would use to exchange knowledge and expertise. During the 1990s, the size of the organization grew dramatically, and FIRST took advantage of a true diversity:
· in terms of geographical distribution of its members (North-America, Europe, Asia-Pacific, Latin America...)
· in terms of types of constituencies of its members (Academic, Internet Service Provider, Government, Hardware and Software Vendors, Service or Industry Company, etc...)
This diversity within FIRST is the basis of its neutrality and the quality of its information.
Similar organizations exist on a regional or special-interest basis. For instance in Europe, the TF-CSIRT (Task Force - Computer Security Incident Response Teams) gathers 72 Incident Response Teams from 28 different European countries. Its goals are very close to those of FIRST: to share experience and discuss technical and organisational points of view.
Being a member of one of these organizations will help your Computer Security Incident Response Team to improve the expertise, knowledge and awareness of its staff, and to increase the human network it needs in order to better do its operational daily job.
This article shows that incident handling is essential in a company. As perfect protection is clearly impossible for systems connected to the Internet, every organization has to be ready to face computer security incidents. It is important to react before minor incidents turn into complex problems, so clear measures have to be planned and skilled staff have to be trained to solve those incidents. In addition, a CSIRT will not only assist the company's IT administrators in handling incidents, but will also be the right contact in case of an external incident involving the company.
Creating a CSIRT is a valuable return on investment, as it largely reduces the cost of security incidents and globally increases the security level of the information system for a moderate cost. Furthermore, structures such as FIRST exist nowadays to help companies develop CSIRTs and to facilitate information exchange and experience sharing, ensuring the technical and operational excellence of their members.
Documents
N. Brownlee, E. Guttman. RFC 2350 - Expectations for Computer Security Incident Response. Internet Engineering Task Force, June 1998.
http://www.ietf.org/rfc/rfc2350.txt?number=2350
Moira J. West-Brown, Don Stikvoort, Klaus-Peter Kossakowski. Handbook for Computer Security Incident Response Teams (CSIRTs). CMU/SEI-98-HB-001. Pittsburgh, PA: Carnegie Mellon University, 1998.
http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
Web sites
FIRST (Forum of Incident Response and Security Teams)
http://www.first.org
CERT/CC (Computer Emergency Response Team / Coordination Center)
http://www.cert.org
TF-CSIRT (European Task-Force - Computer Security Incident Response Teams)
http://www.terena.nl/tech/task-forces/tf-csirt/
CERTA (Computer Emergency Response Team for the French Administration)
http://www.certa.ssi.gouv.fr
[1] David.Crochemore@certa.ssi.gouv.fr
[2] Thiebaut.Meyer@certa.ssi.gouv.fr
[3] KDE: K Desktop Environment (http://www.kde.org)
[4] GUI: Graphic User Interface
[5] Wietse Venema is the author of several security products, such as SATAN, TCP Wrapper and The Coroner's Toolkit (TCT). His programs are considered very well and carefully written.
[6] for more information about Bugtraq, go to http://www.securityfocus.com
[7] SME: Small and Medium Enterprise