The world now offers an environment in which computer crime is overwhelmed with opportunities. Martin Baldock argues that companies should be aware of how to defend themselves, and sets out a series of practical steps to take in preparation for a cyber attack.
Businesses can not only suffer damage to their reputation if their computers are compromised; there are also issues of data protection, industrial espionage, malicious damage and embezzlement. Yet most leave their security policy limited to a free anti-virus application.
There has always been something unnerving about discovering that someone has trespassed on your property, but such 'invasions' are no longer restricted to land and homes; they now extend to our laptops, desktop computers and even mobile IT devices.
It is easy to assume that invasion of a PC, either directly by an online hacker or by a malicious software tool, only ever happens to someone else, and is the result of someone visiting 'dodgy' websites. Increasingly this is not the case.
Young people are highly IT literate. It is commonplace now for pre-teen children to use computer networks at school, for homework timetables to be loaded onto mobile phones and for work to be submitted via email. Criminal organisations have become aware of what computers can do and what information they can store and have been encouraged to turn to 'cybercrime' as a softer option than more traditional forms of wrongdoing.
The use of easily available hacking tools and the wide growth of covert intrusion groups have made life easier for cyber criminals, encouraging attacks on weak organisations.
Computer crime has its own attractions
Remote access for unauthorised activity to another computer system has several attractions such as:
While it ought to be considered poor practice for a company to fall victim to hacking, and remedial efforts must be brutal, handling the cyber attack correctly at the time of the incident is even more crucial.
In its simplest form a cyber attack can take one of two guises, differentiated by how the attack takes place: either an insider attack, which involves a breach of trust by employees, or an external attack, which involves hackers hired by an insider or by an external entity whose aim is to harm the owner or organisation in some way.
The steps to take in a forensic investigation into cybercrime are as follows:
1. Call the legal department for advice. If there is no legal department then seek external legal advice.
a. It is all too easy to start an investigation without considering the implications of what may or may not have been happening.
b. Consider reputational damage and how this could be mitigated
c. Identify appropriate investigation skills and staff
d. Consider what legal actions could be taken to prosecute and/or recover assets
e. Consider jurisdictional issues
2. Action your First Response Procedures (FRP)
a. Identify trusted internal IT resource
b. Engage specialist forensic resource either internal or external depending on the situation
c. Understand your IT infrastructure
d. Decide whether to monitor the situation or act immediately, then
e. Seize the compromised equipment at the scene and preserve it using computer forensic techniques and tools
f. Instigate a quick investigation to clarify the extent of the intrusion. Use this information to scope out next actions.
3. Investigate
a. Secure other compromised machines
b. Scan network for hidden Trojan or other malware
c. Secure all network and firewall logs
d. Check anti-virus definitions and update procedures
e. Change critical passwords and review password policy
f. Review HR and computer usage policies
g. Interview computer users who have been compromised
h. Consider the use of network monitoring tools if the intrusion is beyond a single device
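Steps 2e and 3c above both come down to the same discipline: whatever is seized (a disk image, a memory dump, exported firewall or network logs) must be preserved in a way that lets anyone later show it has not changed. The following is an added example, not code from the article or from DGI, of the simplest form of that control: a manifest that records a SHA-256 digest per item together with the examiner and acquisition time, and a verification routine that reports which items are intact, modified, missing or unexpected. The evidence bytes, case id and examiner name are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for items acquired from a seized machine. In a real
# case these would be the disk image, a memory dump and exported log files;
# the bytes here are invented for the example.
SAMPLE_EVIDENCE = {
    "hdd-image.dd": b"\x00" * 512 + b"sector-data-placeholder",
    "firewall.log": b"2024-03-01 09:01:00 DROP src=203.0.113.9 dst=10.0.0.1 dport=22\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the value recorded for each item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, examiner: str, case_id: str) -> dict:
    """Record, per item, its size and SHA-256 together with who acquired it and when.

    The manifest is what the examiner signs and hands over with the evidence;
    anyone later can recompute the digests to show the items are unchanged.
    """
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in evidence.items()
        },
    }


def verify_manifest(manifest: dict, evidence: dict) -> dict:
    """Compare current items against the manifest.

    Returns a status per recorded item: 'ok', 'modified' (digest differs) or
    'missing' (item no longer present). Items present in `evidence` but absent
    from the manifest are reported as 'unexpected'.
    """
    status = {}
    for name, record in manifest["items"].items():
        if name not in evidence:
            status[name] = "missing"
        elif sha256_hex(evidence[name]) != record["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in evidence:
        if name not in manifest["items"]:
            status[name] = "unexpected"
    return status


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE, examiner="J. Doe", case_id="CASE-0001")
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, SAMPLE_EVIDENCE))
```

In practice the manifest is produced on the acquisition machine before any analysis starts and is stored separately from the evidence itself, so that a later "modified" result can be attributed to handling rather than to the record.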
Every company should be prepared by having defensive and detection applications ready for action. For example, network information-gathering tools are pieces of software used to obtain network data for forensic analysis. These tools generally fall into two types, although the latest products offer some functionality in both areas. The two types are the 'sniffer' and the intrusion detection system.
All equipment on a network is attached by some form of network card. This network card will reject any network traffic not meant for its host. Sniffers are programs that work by placing the host system's network card into what is called 'promiscuous mode'. A network card in promiscuous mode accepts all the data it can see, not just packets addressed to it. Sniffers capture everything on the network cable and record it for later review. This type of review can be extremely useful during the investigation as it allows the analyst to reconstruct all network items regardless of their origin or destination. Typical capture of this type will be aimed at internet chat and any other internet activity such as webmail (Hotmail, Yahoo, Gmail etc.).
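To make the receive-filter behaviour concrete, here is an added example (not code from the article) that parses a minimal Ethernet II frame header and models the card's decision in each mode: in normal mode only frames addressed to the host's own MAC or to a group (broadcast/multicast) address are passed up, while in promiscuous mode every frame on the segment is delivered. The three frames, the MAC addresses and the payloads are constructed for the example. One caveat a practitioner will want: on a switched network a capturing host only sees the traffic the switch forwards to its port, so a sniffer used for investigation is normally fed from a mirror (SPAN) port or a network tap rather than relying on promiscuous mode alone.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def make_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header off a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


def nic_accepts(frame: bytes, host_mac: str, promiscuous: bool) -> bool:
    """Model the card's receive filter.

    In normal mode only frames addressed to the host (or to a group address)
    are passed up; in promiscuous mode every frame on the wire is delivered.
    """
    if promiscuous:
        return True
    dst = parse_frame(frame)["dst"]
    return dst == host_mac or is_group_address(dst)


def capture(frames, host_mac: str, promiscuous: bool) -> list:
    """Return the parsed headers the host would record from a list of raw frames."""
    return [parse_frame(f) for f in frames if nic_accepts(f, host_mac, promiscuous)]


# Constructed traffic: three frames seen on the same segment by the host
# "02:00:00:00:00:01". The addresses are locally administered, invented values.
HOST_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    make_frame(HOST_MAC, "02:00:00:00:00:02", 0x0800, b"ip-to-host"),
    make_frame("02:00:00:00:00:03", "02:00:00:00:00:02", 0x0800, b"ip-to-other-host"),
    make_frame(BROADCAST_MAC, "02:00:00:00:00:02", 0x0806, b"arp-who-has"),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = capture(SAMPLE_FRAMES, HOST_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {[h['payload'] for h in seen]}")
```

The second frame, addressed to another host, is the one that separates the two modes: it is dropped by the card in normal operation and recorded by a sniffer.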
Catching unauthorised access
Intrusion detection systems (IDS) play a second critical role in the protection of the IT infrastructure. Intrusion detection involves monitoring network traffic, in a similar way to the sniffer products but with the aim of detecting any unauthorised attempts to gain access to a system or resource. The IDS is usually set up with rules and logic to detect any unusual activity. Once detected, the IDS can automatically notify the appropriate individuals so that counter measures can be taken.
The IDS is focused on the network, but there are four types of log that would be of interest during a forensic investigation: authentication, application, operating system and network. All may need to be secured, depending on the type of attack.
Authentication logs reveal simple things such as users who may have forgotten their password, failed to request a new one, and have written it down or changed it to something easy to remember (and therefore easy to guess). Second, and more importantly, you may be able to detect potential hacking attempts against your network servers by analysing the results and noting an increase in failed logon attempts.
Application issues often take the form of a brute force attack. Here the attacker tries to force the application open by bombarding it with password combinations in quick succession in the hope of hitting the correct one, or by causing an overflow in the password-handling code which causes the application to open.
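The "increase in failed logon attempts" that the authentication-log paragraph describes, and the rapid password guessing of the brute force paragraph, are the same signal seen from two logs, and both reduce to the same rule an IDS or log monitor would carry: count failures per source inside a sliding time window and alert when they cross a threshold. The block below is an added example, not the article's or any product's code; the one-event-per-line log format, the threshold of five failures in sixty seconds and the log lines themselves are constructed for the example. It also records which usernames were tried, because many accounts from one source reads very differently from one user who has forgotten a password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines in a simple one-event-per-line format
# (timestamp, result, user, source address). Addresses are from documentation
# ranges and the events are invented for the example.
SAMPLE_AUTH_LOG = """\
2024-03-01 09:00:01 FAILED user=alice src=10.0.0.12
2024-03-01 09:00:05 SUCCESS user=alice src=10.0.0.12
2024-03-01 09:01:00 FAILED user=admin src=203.0.113.9
2024-03-01 09:01:02 FAILED user=admin src=203.0.113.9
2024-03-01 09:01:04 FAILED user=root src=203.0.113.9
2024-03-01 09:01:06 FAILED user=admin src=203.0.113.9
2024-03-01 09:01:08 FAILED user=administrator src=203.0.113.9
2024-03-01 09:01:10 FAILED user=admin src=203.0.113.9
2024-03-01 09:30:00 FAILED user=bob src=198.51.100.4
2024-03-01 09:45:00 FAILED user=bob src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_failed_logon_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a source once it reaches `threshold` failed logons inside `window`.

    A sliding window of recent failures is kept per source address. One alert
    is raised when the count first reaches the threshold, so a long burst
    produces a single alert rather than one per extra attempt.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures within window
    alerts = []
    for event in map(parse_line, lines):
        if event is None or event["result"] != "FAILED":
            continue
        q = recent[event["src"]]
        q.append((event["ts"], event["user"]))
        while q and event["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) == threshold:
            alerts.append({
                "src": event["src"],
                "window_start": q[0][0],
                "window_end": event["ts"],
                "attempts": len(q),
                "users": sorted({u for _, u in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logon_bursts(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{a['src']}: {a['attempts']} failed logons between {a['window_start']} "
              f"and {a['window_end']} against {', '.join(a['users'])}")
```

On the sample input only 203.0.113.9 is flagged: alice's single failure followed by a success and bob's two failures fifteen minutes apart both stay below the threshold, which is the distinction between a forgotten password and an attack that the paragraph above draws.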
Professional help: good practice
The key to a successful investigation of cybercrime is to use knowledgeable individuals. It is unlikely that a single person will hold all the technical knowledge needed to combat an organised attack, as there are so many component parts: from the social engineering of users to obtain passwords, through technical access points such as firewalls, routers and switches, on to the network itself and the application servers, and ending in the user device. The user device is often where the entry point resides and as such requires the greatest scrutiny.
However, should your system be attacked, it is best to call in the professionals, to ensure you do not lose valuable company data and have a chance of catching the culprit. In some cases even just switching on a computer can start a process that wipes everything from the system.
Martin Baldock is the general manager of Data Genetics International (DGI) [1], one of the UK's leading independent specialist computer forensics and mobile phone forensics investigation companies.
Links:
[1] http://www.dgiforensic.com/index.php