What do you do if you're hacked?
This is a slightly different kind of tip, but an important one. What do you do if you are the target of cyber crime? It will depend on what your company wants to do: indicate it's aggressively pursuing the miscreants, or avoid adverse publicity. If the latter, all you can do is plug the holes and carry on. But if it's the former, you have to have your ducks in a row when reporting the crime. This tip, by Kyle Cassidy, shows some of the things you should have available to report. Cassidy is the co-author, with Joseph F. Dries III, of The Concise Guide to Enterprise Internetworking and Security. This tip is excerpted from InformIT.
If your company is interested in pursuing the intruder, you first need to convince law enforcement (either your local police or, if the responsible party is out of state, the FBI) that your case is worth pursuing. The best way to do this is to present a clear report explaining what happened. This doesn't mean clear to an engineer; it means clear to a jury, because that is what law enforcement is thinking while an officer reads your incident report: "How will I explain this to a jury?" Your report should include these components:
- Contact information.
- A summary of what occurred. Was data stolen? Was your site defaced?
- The estimated amount of monetary damage suffered. You might later need to prove this figure in court, so estimate it as accurately as you can.
- Were critical services affected? Include services such as power, banking, transportation, and so on.
- Your network topology. Draw out the location of your affected servers, firewalls, and so on. Physical location of computers can be very important if they are in different jurisdictions. Include the types of systems affected (Windows NT, Linux, and so on).
- Do you suspect anyone? Did you recently fire a system administrator?
Additionally, some key points will make your trip down this path less difficult:
- Have one point of contact. All liaison duties between law enforcement and your company should be through one person.
- Maintain a single custodian of evidence. If multiple people have access to your log files and other evidence, a defense attorney can make an argument that any number of people could have altered the data. This custodian of evidence might need to testify how the evidence was gathered.
- Do your own research. Investigate the crime yourself as much as you feel comfortable doing. When you notice an intrusion, you might want to immediately phone the security officer at the ISP of the point of intrusion, explain what's going on, and ask for a copy of the log files. If the ISP won't give you the log files, ask the person to immediately make a backup copy of them and keep them in a safe place. The law enforcement officer handling your case is probably overworked; the more data you can provide, the better. However, if you think that you've tracked the intrusion to the responsible party, do not contact the suspect; leave that for the authorities.
- Consult management and your legal department. Inform management and legal as quickly as possible, and inform them what actions you are taking.
- Check your clocks. Hopefully, your servers are synchronized with an atomic clock. If this is not the case, you need to note the time discrepancy immediately. A defense attorney can successfully argue over a discrepancy of mere seconds.
- Create a timeline. This is important in laying out the case. Your timeline should show the intrusions, when they were noticed, and what actions were taken at what time, including all your contacts with law enforcement.
- Pretend that you're presenting to a jury. The law enforcement officer you'll be talking to will be thinking, "How will I present this to a jury?" You can increase the officer's efficiency by doing much of this work yourself. A timeline can show when each event occurred in relation to everything else, when the intrusion occurred, when it was detected, when steps were taken, when you informed management, when you informed your security officers, what actions they took, and, finally, when you informed law enforcement. Use your log files as appendices to this timeline, not instead of the timeline.
- Use diagrams and labels to help make your case easily understandable.
- Your contacts might not be technical people. Keep this in mind, and resist any urge that you might have to talk over someone's head; it won't serve your purpose. Stay simple, be clear, and make sure that the officer you're talking to understands what happened. Don't be afraid to ask if you're making sense. The last thing you need is for them to leave thinking, "Those arrogant jerks deserved that DDOS."
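The "check your clocks" and "create a timeline" points above are easy to get wrong under pressure, so here is an added example (not from the tip or its authors) that shows how the two fit together: each host's noted clock discrepancy is removed before its log entries are merged into one ordered timeline, and a SHA-256 digest of each log as collected is recorded for the custodian of evidence. The host names, log lines and offsets are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample evidence. Each host's log lines carry that host's own clock.
# CLOCK_OFFSETS holds the discrepancy noted at collection time, in seconds, as
# host clock minus reference clock: positive means the host clock ran fast.
CLOCK_OFFSETS = {"web01": -73.0, "fw01": -12.0}

RAW_LOGS = {
    "web01": [
        "2001-06-12 02:12:05 GET /admin.php from 203.0.113.9",
        "2001-06-12 02:12:51 index.html modified by www-data",
    ],
    "fw01": [
        "2001-06-12 02:12:44 ACCEPT tcp 203.0.113.9 -> 192.0.2.10:80",
    ],
}

def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS message' into a naive timestamp and the message."""
    stamp, msg = line[:19], line[20:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), msg

def correct_clock(local_ts, offset_seconds):
    """Map a host's local timestamp onto the reference clock (UTC) by removing its skew."""
    return local_ts.replace(tzinfo=timezone.utc) - timedelta(seconds=offset_seconds)

def build_timeline(raw_logs, offsets):
    """Merge every host's entries into one list ordered by corrected time.
    Each entry keeps the original stamp so the report can show both values."""
    events = []
    for host, lines in raw_logs.items():
        for line in lines:
            local_ts, msg = parse_line(line)
            events.append((correct_clock(local_ts, offsets[host]), host, local_ts, msg))
    return sorted(events)

def evidence_manifest(raw_logs):
    """SHA-256 of each host's log exactly as collected, for the custodian's record,
    so any later alteration of the evidence can be detected."""
    return {host: hashlib.sha256("\n".join(lines).encode()).hexdigest()
            for host, lines in raw_logs.items()}

if __name__ == "__main__":
    for utc_ts, host, local_ts, msg in build_timeline(RAW_LOGS, CLOCK_OFFSETS):
        print(f"{utc_ts:%Y-%m-%d %H:%M:%S}Z  {host:5}  (logged {local_ts:%H:%M:%S})  {msg}")
    for host, digest in evidence_manifest(RAW_LOGS).items():
        print(f"{host}: sha256={digest}")
```

Note that in the raw logs the web request appears to precede the firewall's ACCEPT; only after the skew is removed does the timeline show the correct order, which is exactly the kind of inconsistency a defense attorney would seize on.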
To read this entire tip, click over to InformIT. You have to register there, but it's free.
This was first published in June 2001