tailieunhanh - Incident Response

Your router has been hacked. Now what? This chapter covers the basics of emergency response when dealing with a router compromise. Ideally, you should have an incident response plan that is tailored to your organization. If you are reading this chapter because you have just been hacked and don’t know what to do, first promise that as soon as this incident is over, you will develop a complete incident response plan. Then keep reading for help on responding to incidents involving router compromises | Page 143 Friday February 15 2002 2 52 PM APPENDIX C Incident Response Your router has been hacked. Now what This chapter covers the basics of emergency response when dealing with a router compromise. Ideally you should have an incident response plan that is tailored to your organization. If you are reading this chapter because you have just been hacked and don t know what to do first promise that as soon as this incident is over you will develop a complete incident response plan. Then keep reading for help on responding to incidents involving router compromises. The goals of incident response are to Determine if the incident is an attack or an accident Discover what happened and the scope of the incident Preserve all the evidence Recover from the incident Take the steps necessary to prevent this incident from happening again Warning If you do not have a detailed incident response plan in place and you have been hacked it is best to do nothing yourself and to call law enforcement. They are trained to preserve the evidence and investigate the incident and can track down attackers through means you don t have access to. Therefore the first recommendation is to do nothing and call law enforcement. However many attacks may look like accidental outages and vice versa . The following information is provided for those who are still trying to determine if an incident is due to a hacker or an accident or for those who must get the compromised router operational as soon as possible. So please read this entire chapter especially the section on preserving evidence to collect enough evidence to provide law enforcement with leads if necessary. When you reconfigure or reboot the router you 143 Page 144 Friday February 15 2002 2 52 PM destroy the original evidence so how you make copies of this evidence is extremely important to having any chance of holding up in a court of law. Keys to Investigating Your mission while investigating an incident is to 1. .