Incident response teams are too often set up only after an incident or intrusion occurs. Sound security administration, however, requires that such teams already be in place to monitor and maintain network security.
Incident response teams do the following:
1. Verify the incident.
2. Determine the magnitude of the incident (which hosts are affected and how many).
3. Assess the damage (for example, determine if public servers have been modified).
4. Gather and protect the evidence.
5. Inspect systems to determine damage.
6. Remove hostile or destructive code.
7. Reload necessary operating system software.
8. Restore configurations.
9. Restore and test operations.
10. Patch the system to reduce vulnerability.
11. Inspect applications to determine damage.
12. Reload software if necessary.
13. Test functionality.
14. Inspect files to determine damage.
15. Restore files from backup if necessary.
16. Replicate damaged files if no backup is available.
After the security administrators have collected this data about the incident, the incident response team determines whether there is enough trace data to track the intruders. The data you actually discover might be only a small part of the entire puzzle. For example, you might initially have only a log file, or only the observation that a log file grew or shrank during the incident.
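The "gather and protect the evidence" step and the log-file size clue above come together in a simple evidence manifest: record the size and SHA-256 digest of each collected log at the moment it is captured, then compare a later capture against that baseline to see which files shrank (entries removed), grew (new activity) or were otherwise altered. The code below is an added illustration, not from the original chapter or from Cisco; the file paths and log lines are constructed sample data, and a real team would keep the manifest off the compromised host.

```python
import hashlib

# Constructed sample "log files" (not from any real system): the contents captured
# when the team first arrived, and the contents seen later during the incident.
BASELINE_FILES = {
    "/var/log/auth.log": b"Jan 10 09:01:02 host sshd[412]: Accepted password for admin\n"
                         b"Jan 10 09:05:17 host sshd[431]: Failed password for root\n",
    "/var/log/messages": b"Jan 10 09:00:00 host kernel: eth0 link up\n",
}
LATER_FILES = {
    # auth.log lost a line: smaller than the baseline, a sign of possible tampering
    "/var/log/auth.log": b"Jan 10 09:01:02 host sshd[412]: Accepted password for admin\n",
    # messages gained a line: new activity that may itself be evidence
    "/var/log/messages": b"Jan 10 09:00:00 host kernel: eth0 link up\n"
                         b"Jan 10 09:07:44 host kernel: eth0 link down\n",
}

def record(data):
    """Manifest entry for one piece of evidence: its size and SHA-256 digest."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def manifest(files):
    """Build a manifest {path: record} from in-memory contents."""
    return {path: record(data) for path, data in files.items()}

def manifest_from_disk(paths):
    """The same manifest built from real files, for use on a live collection."""
    out = {}
    for path in paths:
        with open(path, "rb") as f:
            out[path] = record(f.read())
    return out

def compare(baseline, current):
    """Classify each baseline item as unchanged, shrunk, grew, modified or missing."""
    findings = {}
    for path, before in baseline.items():
        after = current.get(path)
        if after is None:
            findings[path] = "missing"
        elif after["sha256"] == before["sha256"]:
            findings[path] = "unchanged"
        elif after["size"] < before["size"]:
            findings[path] = "shrunk"      # lines removed or file truncated
        elif after["size"] > before["size"]:
            findings[path] = "grew"        # entries appended since the baseline
        else:
            findings[path] = "modified"    # same size, different content
    return findings

def demo():
    """Compare the two constructed captures and return the verdict per file."""
    return compare(manifest(BASELINE_FILES), manifest(LATER_FILES))

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path}: {verdict}")
```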
The data should be sent to upper management, to the operations groups within the organization, to all affected sites, and to organizations such as CERT/CC. Organizations such as Cisco or Microsoft typically do not release a statement to the press detailing any attacks; the recent IOS code thefts are an excellent example.
After the information flows to all parts of the organization, the incident response team restores programs and data from the vendor-supplied media and from backup storage media. The restored systems, such as routers, need to be securely configured (see the example in "Protecting Cisco IOS from Intrusion," later in this chapter), which includes installing all relevant patches for all application-based programs.
Finally, the incident response team prepares a report and provides it to the law enforcement organization if prosecution is required. More details on Cisco incident response teams can be viewed at