Thursday, April 27, 2006

You're Hit! What Next? . . . A Slight Return

Four years ago, SNS ran an issue called You’re Hit! What Next? It focused on what to do immediately after you’ve been hit by a hacker attack.

A recent unfortunate attack by a disgruntled former employee of one of my clients brought this article back to mind and encouraged me to revisit the topic for two reasons: to update Alert SNS Readers on the state of computer forensics, and to remind everyone what to do and not to do if you suffer an intrusion.

First, I’ll quote a bit of the previous SNS article:

If you think you may want to prosecute the miscreant(s), it is critical to preserve the evidence so it can be used in court.

Your initial impulse is to just get up and running again, and that’s understandable, especially if mission-critical systems are hit. But if you want to press a court case, you need to understand computer crime forensics, the science of reconstructing the cyberattack and establishing a chain of evidence back to the attacker.

There are three places to be concerned about forensics: on the perpetrator's computer, on the compromised computer and on the network devices in between the two.

You should:

  • Restrict physical access to the area to preserve fingerprints

  • Unplug any phone lines that could dial in to the attacked computer

  • Unplug the computer from the network

  • Photograph the scene, including connections to any peripherals, for later reference if the machine needs to be disassembled for examination

  • If the computer is off, don't turn it on; if it’s on, don’t reboot it, as this could launch viruses or time bombs. Merely turning on a Windows computer changes timestamps and other important evidence, for example.

  • Avoid accessing any files on the compromised machine as that changes access timestamps.

  • After immediately securing the area and the computer, call in a network forensics specialist.
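To make the timestamp advice in the list above concrete, here is an added example (not part of the original SNS article) showing that a metadata query leaves a file's access time alone while opening and reading it can move it. The file name, contents and backdated timestamp are constructed for the demonstration.

```python
import os
import tempfile


def mac_times(path):
    """Collect timestamps and size with lstat only; the file is never opened."""
    st = os.lstat(path)
    return {"atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns, "size": st.st_size}


def atime_moved(path, action):
    """Run action(path) and report whether the access timestamp changed."""
    before = os.lstat(path).st_atime_ns
    action(path)
    return os.lstat(path).st_atime_ns != before


def read_file(path):
    """Stand-in for 'just having a quick look' at a file."""
    with open(path, "rb") as fh:
        fh.read()


def demo():
    # Constructed sample file standing in for a document on the affected machine.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payroll.txt")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample contents\n")
        # Backdate access and modification times to 2006-04-27 00:00:00 UTC.
        old_ns = 1146096000 * 10**9
        os.utime(path, ns=(old_ns, old_ns))
        return {
            "inventory": mac_times(path),
            # A stat call reads the inode only, so the access time stays put.
            "stat_moved_atime": atime_moved(path, mac_times),
            # Typically True on default Linux mounts (relatime);
            # False where the volume is mounted noatime or read-only.
            "read_moved_atime": atime_moved(path, read_file),
        }


if __name__ == "__main__":
    print(demo())
```

Listing a directory is itself a read of that directory and can update the directory's own access time, which is one reason examiners work from an image or a read-only mount rather than the live disk.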

So now that I’ve quoted myself, I’d like to quote Michael Ellsworth, a distant relation who is a detective in the Mansfield, MA police department in charge of computer forensics.

Incidentally, the way Mike and I got connected up is a testament to the power of the Internet and the need to preserve the ability of random people to contact each other via email. You may be aware of various anti-spam efforts that have the effect of rejecting email from anyone not in your email address book. It would be a shame if this sort of thing became the rule.

Mike was googling himself and came upon my personal site (put up in 1996 and not much modified since – the shoemaker’s children shall have no shoes, eh?). He dropped me a line and as we corresponded we realized we have common ancestors, in Prince Edward Island, Canada.

We also realized we share an interest in computer forensics. So after that digression, here’s Mike’s take on what I said four years ago:

All of the things that were written four years ago certainly apply today! I guess my main advice is, Don't Panic! In the computer forensics end of things, I'm not overly concerned or focused on what they are doing at the moment. My main focus is with what they've done.

The trail that they have already left is where I'm more apt to find my evidence. Here is a snippet of something that I had written recently for a talk:

In most cases, the discovered compromise is ongoing and has been occurring for a period of time. This being the case, there's no need to pull the plug/s and terminate the problem if it's not mission critical.

If you don't know what to do, contact someone who does! The money spent on expert consultation will be far less expensive than having to rebuild your entire system after some ill-planned and knee-jerk reaction! You need to know where the compromise occurred in order to deal with it; experts can quickly guide you in finding the source and preserving any evidence for criminal or civil litigation or even employee dismissals.

Oftentimes people go into panic mode and do things that exacerbate the problem, i.e. launch a virus or additional malicious software or alert the criminal that he or she has been detected. I'm willing to bet that the attacker has a plan of action to cover his or her tracks should that occur. That plan can also include an even more spiteful and malicious response such as crippling your entire network before they make their exit.

How can you avoid these pitfalls? Have the same strategy the attacker does: pre-planning! Have guidelines and action plans in place to deal with threats. Know your action plans and practice them. Repetition is the mother of all learning! If you are ready for a disaster, then deployment and containment is a snap! Have relationships established with law enforcement and/or private computer forensics consultants. A consultant can better serve you if he or she is already familiar with your network.

Don't be afraid of law enforcement. Federal, state and local police agencies throughout the country have established computer crime units that are staffed with experts in both computers and the law, and they’re a free resource! Reach out to them before your disaster strikes. They will be more than willing to come in and talk about what they can and cannot do for you. Times have changed and so have the cops! Law enforcement experts are very much aware of and concerned with a company's need for your privacy. They understand how negative publicity can be as damaging, or even more so, than the actual intrusion that prompted their response. Don't wait for disaster to hit, forge those relationships and write those policies now!

I had a case like the one you spoke of... where the former employee was killing the company. Fortunately we have some legislation now that allows us to tag old laws with new computer crime problems. In your case I'd charge the guy with a litany of stuff from Malicious Destruction to trade secrets acts, Unauthorized Access, Criminal Harassment and a few others. We're a lot more sensitive to the needs of the private sector now too and are generally willing to assist in cases where an employer needs support in order to fire an individual as opposed to wanting to prosecute. We try to keep the dissemination to the press at a minimum. We find that we're getting a good rep in these parts in dealing with the private sector. In fact, I used to speak at some conferences on that very subject. Forging Law Enforcement and Corporate Relationships.

Also, make sure you ask the right questions as in: "If I come to you with XX crime, do you have to take action, or can you assist me in a non-criminal resolution?" Child Pornography is generally the key issue there. Nobody wants to have it publicized that they have kiddie porn on their servers.

Law Enforcement is in possession of great programs now, for example, EnCase, that allow for network acquisitions without the need of bringing down servers, and seizing a bunch of equipment. So a lot of the time it's pretty easy to do what we have to do quietly. Good computer crime units are willing to work with companies no matter the case. So the best thing to do is to find out what local, state or federal task forces are like and make some contacts.

From what Det. Ellsworth says, the landscape has changed a bit from four years ago. Back then, it was unlikely that local law enforcement had resources like him to bring to bear on computer crime. At that time, I heard a lot about police blunders that compromised evidence. I’m betting that’s a lot less common these days.

So if you’re hit, Don’t Panic, call the cops and follow their advice on handling the situation.