Incident Response

The UniMS-CERT supports IT security oﬃcers (IV-SB) and system administrators in dealing with technical and organizational aspects of incidents. In particular, it provides support or advice on the following basic steps of incident handling (as per DFN-CERT [de]):

1. Preparation

For preparation organizational units have to compile contact lists with contact persons, documentation on supervised systems and ideally create emergency plans for diﬀerent scenarios. More detailed information can be found in section Proactive Activities.

2. Incident Discovery

The discovery of a security incident is the ﬁrst step in its treatment. Often it is not easy to decide if an incident exists or not. To decide this, one should proceed systematically and be guided by incident checklists (see DFN-CERT Linux checklist [de] and Windows checklist [de]).

3. Incident Analysis

The analysis deals with the clariﬁcation of the circumstances of the security incident as well as with the coordination of further proceedings with all involved parties. In addition to colleagues, this also includes supervisors, customers as well as administators and users of the aﬀected systems and applications. Other stakeholders may include their lawyer or investigative authorities (speciﬁcally, when legal action is required or reported), the press oﬃce, ISPs, manufacturers (e.g., for patches), and possibly other CSIRTs.

To clarify the extent of the incident, the following questions should be discussed:

When and where did the incident happen?
What exactly happened?
Who is involved and who is the attacker?
How was the attack executed? Which vulnerability has been exploited?
What damage has been done so far? What further damage can be expected?

4. Containment

Containment is about protecting the system from further damage from the incident and eliminating the vulnerability. Often a ﬁnal solution to the problem is not immediately possible. For example, patches are not allowed during service (Service Level Agreements) or you do not want to cancel running jobs / experiments. Nevertheless, it is important to prevent further damage (for example, through worms, Spam, DDoS attacks, etc.), especially for third parties. Sometimes containment is even the only option left because there is no "ﬁnal" solution, e.g. during a DDoS attack. Containment measures need to considered very carefully so as to not cause more damage by those measures (for example by shutting down services) than the attacker would (potentially) cause. Some actions are taken only for a short time until system maintenance is possible.

5. Regain Control

Regaining control means in many cases: reinstalling. Unfortunately, this step is unavoidable, especially in the case of infestation by viruses / worms or in case of direct unauthorized system access. The containment described in the previous section has the disadvantage that the cause of the problem is not removed. The removal of backdoors or worms removes e.g. not the weak point that made it possible to break into the system in the ﬁrst place. Also, you can never be sure (especially with kernel rootkits) that all the remnants of the attacker have been removed from the system.

In addition to the actual reinstallation, the hardening of the system should not be forgotten. This includes not only the installation of all security patches, but also the secure conﬁguration of the services. Software from third-party manufacturers and self-developed software must not be forgotten. Most importantly, all passwords should be changed, both locally and within the domain if the attacker had access to the password database (LDAP server, KDC, domain controller). If weak passwords were the possible cause, the password policy should be adjusted accordingly. Also vulnerable are keys for signature or encryption, so X.509, PGP and SSH keys. If they are not changed, the attacker still could have access to VPNs, e-mail, web applications, or GRID systems.

6. Follow-Up

When emergency plans are applied, rarely everything works as planned. Therefore, after the incident, the participants should gather for a follow-up of the incident and discuss:

What (which measures) worked?
What did not work?
What could have been better?
Which (sub)plans have to be changed?
Which parts of the documentation are incomplete? Which possible incident types were forgotten?

The result of the follow-up are updated emergency plans and documentation, so hopefully the next time you are better prepared. In addition, the UniMS-CERT collects statistics on security incidents occurring within or involving Münster University. The members of Münster University are notiﬁed when the circumstances of the security incident require it. To request the support of the UniMS-CERT when handling a security incident, the contact can be established by e-mail. It should be noted that the level of support may vary.