Purpose of a CIRT Plan

The purpose of a CIRT plan is to help an organization prepare for computer incidents before they occur. With a plan in place, security personnel can identify the best responses to reduce the potential damage.

The purpose of a CIRT plan is similar to that of a disaster recovery plan (DRP). Taking the time to create a plan allows critical thinking to be applied to potential problems, the advice of experts to be sought, and the best types of responses to be researched, all before an incident occurs.

Without a plan, these benefits are not available to responders when an incident occurs, which leaves them no choice but to improvise. Improvised techniques may succeed, but they may also allow the attacker to continue and cause significantly more damage to the organization.

A CIRT plan outlines the purpose of the response effort, which in general is to identify the incident as fully as possible and then contain it. Answering the five Ws (what, where, who, when, and why) is a good starting point, and how the attack occurred should be added for good measure.

The what identifies the type of attack: a denial of service (DoS) attack, a malware infection, unauthorized access, or inappropriate usage. Understanding what happened helps to determine the impact and prioritize the response. CIRT plans often include tools for rating the impact and priority of an attack.

Next, the where identifies where the attack occurred. Symptoms will be noticeable on at least one system, the one that raised the alarm, but other systems should also be checked to see whether they were affected. If more than one system was affected, the impact and priority may need to be reassessed.

NOTE

The Incident Handling Procedures section that appears later in this chapter shows examples of tools used to determine the impact and priority of incidents. Table 15-1 shows an example of effect rating definitions, Table 15-2 shows an example of criticality rating definitions, and Table 15-3 shows an example of incident impact ratings.

If possible, who launched the attack should be identified. One useful means of determining this is checking logs: the audit logs of the affected systems as well as firewall and router logs. If the attacker authenticated, the logs will identify the user account used for the attack. If the attack came from an external source, the logs will identify an external Internet Protocol (IP) address, which can be blocked to contain the attack, although a determined attacker can simply move to another address.

Technical TIP

Attackers often hijack other systems to launch attacks. For example, an attacker controlling a botnet sends commands to the zombies (compromised hosts), which then launch the attack; or an attacker can simply drive around until an open wireless network is located and launch the attack from there. An attack traced back to that wireless network won't identify the actual attacker, only the network. By the time the attack is traced back to the IP address, the actual attacker will be long gone.

Identifying when an attack occurred is much more than identifying when the symptoms were discovered. Attackers often perform reconnaissance before an attack, and log entries may show that reconnaissance activity, such as port scans, occurred several times over the preceding week from the same source. The incident began with the first of those entries, not with the alarm.
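The log checks described above for who and when, as an added example that is not part of the original chapter: a Python script that parses constructed syslog-style sshd and iptables lines (RFC 5737 documentation addresses; the year 2024 is assumed because syslog timestamps carry none), groups them by source IP, and reports which accounts were tried and used from the alarming address and how long that address had been probing the firewall before the first successful login. The sample lines, host names and the `who_and_when` helper are assumptions for illustration.

```python
"""Correlate constructed auth and firewall log lines by source IP to answer
'who' (account and source address) and 'when' (earliest activity from that
source, not just the time the alarm was raised)."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime

YEAR = 2024  # assumed: syslog timestamps carry no year

# Constructed sample log lines (sshd and iptables syslog formats).
SAMPLE_LOGS = """\
Mar 03 22:10:41 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=22
Mar 03 22:10:41 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=23
Mar 03 22:10:42 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=3389
Mar 06 01:02:13 fw01 kernel: iptables DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP DPT=445
Mar 10 02:14:07 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:09 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:12 web01 sshd[2233]: Accepted password for deploy from 203.0.113.45 port 51030 ssh2
Mar 10 08:30:00 web01 sshd[2410]: Accepted publickey for alice from 198.51.100.22 port 40112 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SSHD_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
FW_RE = re.compile(r"\bSRC=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*\bDPT=(?P<port>\d+)\b")


@dataclass
class Event:
    ts: datetime
    host: str
    ip: str
    kind: str          # "fw_drop", "auth_fail" or "auth_ok"
    user: str = ""     # account named in an auth message
    port: int = 0      # destination port from a firewall message


def parse_logs(text):
    """Turn syslog-shaped lines into Events, oldest first; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        auth = SSHD_RE.search(msg)
        if auth:
            kind = "auth_ok" if auth["result"] == "Accepted" else "auth_fail"
            events.append(Event(ts, m["host"], auth["ip"], kind, user=auth["user"]))
            continue
        fw = FW_RE.search(msg)
        if fw and "DROP" in msg:
            events.append(Event(ts, m["host"], fw["ip"], "fw_drop", port=int(fw["port"])))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class SourceProfile:
    first_seen: datetime
    last_seen: datetime
    hosts: set = field(default_factory=set)
    ports_probed: set = field(default_factory=set)
    failed_users: list = field(default_factory=list)
    accepted_users: list = field(default_factory=list)


def profile_sources(events):
    """Group all activity by source IP so every host the source touched is visible."""
    profiles = OrderedDict()
    for e in events:
        p = profiles.setdefault(e.ip, SourceProfile(e.ts, e.ts))
        p.first_seen, p.last_seen = min(p.first_seen, e.ts), max(p.last_seen, e.ts)
        p.hosts.add(e.host)
        if e.kind == "fw_drop":
            p.ports_probed.add(e.port)
        elif e.kind == "auth_fail":
            p.failed_users.append(e.user)
        else:
            p.accepted_users.append(e.user)
    return profiles


def who_and_when(events, alarm_ip):
    """Summarize the accounts used from alarm_ip and how long the source was
    already probing before its first successful login (the reconnaissance lead)."""
    p = profile_sources(events)[alarm_ip]
    first_ok = next((e.ts for e in events if e.ip == alarm_ip and e.kind == "auth_ok"), None)
    lead = (first_ok - p.first_seen) if first_ok else None
    return {
        "source_ip": alarm_ip,
        "accounts_used": sorted(set(p.accepted_users)),
        "accounts_tried": sorted(set(p.failed_users)),
        "ports_probed": sorted(p.ports_probed),
        "hosts_touched": sorted(p.hosts),
        "first_seen": p.first_seen,
        "first_successful_login": first_ok,
        "recon_lead_days": lead.days if lead is not None else None,
    }


if __name__ == "__main__":
    for key, value in who_and_when(parse_logs(SAMPLE_LOGS), "203.0.113.45").items():
        print(f"{key:>22}: {value}")
```

In the constructed data the alarm is the accepted login for `deploy` on Mar 10, but the same source had been probing ports 22, 23, 445 and 3389 on the firewall since Mar 3, so the incident timeline starts six days earlier. As the tip above notes, the source address is only a lead: it may be a zombie or an open wireless network, so blocking it is a containment step, not attribution.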

Answering why the attackers attacked helps to understand their motive. In the past, attackers often attacked out of boredom or curiosity; they did it for the same reason George Mallory wanted to climb Mount Everest: "because it's there." Today, however, attackers are often motivated by greed, so they steal data they can convert into money.

As an example, one well-known group of attackers regularly stole credit card data and used it to create counterfeit credit cards. They then hired women to shop at malls with these cards. The women bought as much as they could in a lavish shopping spree, spending tens of thousands of dollars, after which they took the goods out to a truck in the mall's parking lot, where a fence bought the goods at reduced prices and promptly sold them elsewhere.

Attackers may also be motivated by espionage. Both corporate espionage and international espionage are vigorously alive on the Internet today. Spies regularly try to gather as much data as possible about competing organizations or other countries.

Last, how the attack occurred must be identified, which in turn reveals the vulnerabilities that exist in the system that was attacked. Once it has been determined how the attack succeeded, how to prevent it in the future can be identified. In other words, identifying how the attack succeeded helps to identify the controls or countermeasures that will prevent future attacks.

The Growth of Incidents

In November 1988, computers being attacked over the Internet made the news when the Morris worm hit. In response, CERT was created at Carnegie Mellon University (CMU), and it began counting incidents.

FIGURE 15-1 shows the growth of incidents over the years. In 1988, eight incidents occurred; in 1998, 3,734; and in 2003, 137,529. The last year that CERT at CMU reported the number of incidents was 2003. If the number of incidents were still being tracked and reported today, it would be off the chart. Unless a computer is never turned on or is kept completely isolated, it will be attacked.

FIGURE 15-1 History of incidents tracked by CERT.

The terminology for these incidents has changed over the years. The terms cyberattack and cyberterrorism are now commonly used, and both are significant threats on the Internet today.
