Sunday, April 06, 2008

Bejtlich on IR, Forensics

Richard Bejtlich, of TaoSecurity fame, recently blogged about an article he'd written for CSO Magazine, entitled Computer Incident Detection, Response, and Forensics: the Basics. It's a very interesting article, and supports a great deal of what I've seen from various sources over the past year, as well as some of my own practical experience as an incident responder.

The biggest thing I picked up on is that here is Richard talking about how "pulling the plug" is not necessarily the immediate-action-of-choice these days...this is very true. For example, a system gets compromised and network logs indicate that there is a significant amount of traffic leaving that system (albeit the fact that the network logs do not contain content...). The first thing that most IT admins tend to do is take the system off-line (off the network), and in some cases even shut down or simply reboot the system. Then the big, $64,000 question that needs to be answered...for the CIO or for an external regulatory body...is, what was going out? Was it some sort of homing beacon, or was it actual data (ie, sensitive data, as defined by CA's SB1386 or AB1298)?

In pulling the plug, other questions are also difficult to answer...was this system as stepping stone to other systems, or was itself attacked from another system? If so, what/where are those systems? Ooops...no more network connection information...now I have query every system in the infrastructure, and because I shut this system down, I don't have a recognizable footprint to look for. =(

Had the first responders had the right tools and training available, they could have captured necessary data prior to taking those immediate actions.

One aspect of the article I don't agree with is the statement that prevention eventually fails. Ever since I was in the military, I had a problem with folks saying that something was failure when it was never proper implemented in the first place. While it's true that defenders have to protect all avenues of ingress and an attacker only needs to find one way in, incident analysts have seen enough intrusion incidents over the past couple of years to know that a great many infrastructures (small and large) have enough poorly configured systems (not rogue or unknown...all of these systems are known, and quite simply not properly configured) as to not have much in the way of defenses. I do agree that detection needs to be properly implemented alongside prevention, but I'd like to see prevention properly implemented before we simply rule it a failure.

Overall, the article is a very good read...and like many articles that make predictions that this is the Year of Whatever, we'll have to wait and see.