Security Basics mailing list archives

RE: When an incident has really happened.


From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Thu, 28 May 2009 23:58:41 +0530

Hi,

I am a Symantec Consultant. While I'm not writing on behalf of the company in any official capacity, I wanted to add a few cents to this discussion.

I agree with you that a bot infection needs to be treated like an Incident. Would informing the Management be advisable for every Incident? Well, there are two things you might need to consider.


Risk to Business: Consider a scenario where a user desktop crashed due to an infection. Now consider another scenario where only a single file was deleted on an Internet Banking Server by a virus before it was cleaned. From a pure IT perspective, the first incident is the more severe incident, but from a business perspective the second one is critical. You can have different types of escalation for different severities of incidents. Incident Severity needs to take Risk Ratings into consideration. So while a Highest Severity Incident might need to be reported to certain high-level management within a span of, say, an hour through a phone call, the lowest severity ones might go through a weekly report.


Frequency: It is possible that all the processes and security infrastructure in place have reached a maturity level where you hardly get any incidents. In such a scenario there is no harm in informing about every incident. However, low severity incidents might still not need to be brought to the notice of senior management through, say, a phone call. Maybe a mail would do in such a case. The incident management practice as well as the overall security operations in any organization will evolve and mature over time, and the incidents that occur will keep reducing. To start with, malware incidents might be so high that you might need them to be handled by a separate team with one or two persons from the Information Security Team, rather than as routine work of the Information Security Team, till some order is achieved.

Coming to the specific topic of malware, you can again treat a single infected desktop and, say, 5 desktops infected with the same malware within a span of, say, 4 hours as different severities.

Regards,
Tariq Naik
Consultant
Symantec Services Group- Consulting Services
Symantec Corporation
www.symantec.com
__________________________________________________________ 
Office: (D)+91 22 3067 1416; (B)+91 22 3067 1400
Mobile: +91 98 1947 0825
Fax: +91 22 6675 0398
Fingerprint: 4F03 3899 4249 B4A9 6038 FDA3 461C 88C4 88CF FF5F
________________________________________________________ 
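To make the two criteria in Tariq's message concrete (the business risk rating of the affected asset, and the frequency of same-malware infections within a time window), here is an added example in Python; it is not code from the thread, from Symantec or from any listed tool, and the asset classes, escalation texts and sample hosts are assumed for illustration.

```python
from datetime import datetime, timedelta
# Escalation paths as the message describes them: the highest severity is phoned
# to senior management within about an hour, the lowest goes into a weekly report.
ESCALATION = {
    "critical": "phone senior management within 1 hour",
    "high": "email security management the same day",
    "low": "include in the weekly incident report",
}

# Business risk rating per asset class (assumed classes for illustration): an
# Internet Banking server outranks any desktop whatever the IT-level damage.
ASSET_RISK = {"internet-banking-server": "critical", "desktop": "low"}
SEV_ORDER = ["low", "high", "critical"]

def base_severity(incident):
    """Severity follows the business risk of the asset, not the IT symptom."""
    return ASSET_RISK.get(incident["role"], "low")

def apply_outbreak_rule(incidents, window=timedelta(hours=4), threshold=5):
    """Raise same-malware infections that cluster inside the window to 'high'
    (the message's example: 5 desktops, same malware, within 4 hours)."""
    ordered = sorted(incidents, key=lambda i: i["ts"])
    result = []
    for idx, inc in enumerate(ordered):
        sev = base_severity(inc)
        # infections of the same malware family in the trailing window, self included
        recent = [o for o in ordered[: idx + 1]
                  if o["malware"] == inc["malware"] and inc["ts"] - o["ts"] <= window]
        if len(recent) >= threshold and SEV_ORDER.index(sev) < SEV_ORDER.index("high"):
            sev = "high"
        result.append({**inc, "severity": sev, "escalation": ESCALATION[sev]})
    return result

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (hypothetical hosts, not from the thread): one file
# deleted on a banking server, and six desktops hit by the same bot in a morning.
SAMPLE = [
    {"ts": t("2009-05-19 09:00"), "host": "bank-web-01",
     "role": "internet-banking-server", "malware": "Generic.Virus"},
] + [
    {"ts": t("2009-05-19 10:00") + timedelta(minutes=30 * n), "host": f"desk-{n:02d}",
     "role": "desktop", "malware": "Bot.Adware"}
    for n in range(6)
]

if __name__ == "__main__":
    for r in apply_outbreak_rule(SAMPLE):
        print(r["ts"].strftime("%H:%M"), r["host"], r["severity"], "->", r["escalation"])
```

The first four desktops stay at the weekly-report level; the fifth infection inside the 4-hour window flips that cluster to same-day escalation, while the single deleted file on the banking server is critical from the start.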

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Aarón Mizrachi
Sent: Tuesday, May 19, 2009 11:39 PM
To: security-basics () securityfocus com
Cc: Curt Shaffer
Subject: Re: When an incident has really happened.

On Tuesday 19 May 2009 07:31:18 Curt Shaffer wrote:
I just wanted to post this as a question to those on this list. I had 
a discussion with a security admin the other day. They wanted me to 
take a look at their incident handling document. This document 
outlined the steps that they would take in the case of an incident. 
Now don't get me wrong, the document was spot on I believe. It was 
well written and you can tell a proper balance of technical and 
informational data was put together. What this did bring up in my mind 
is: when has an incident, specifically a compromise, happened such that a process like this needs to be put into action?

I realize there is a balance that needs to happen because if we did 
this same routine for every system infected with a virus, management 
would probably start to not trust that things are going well (little boy crying wolf).
What about a bot though? Long story short, as we all know, bots are 
used to control systems. The problem that I see is that a lot of 
companies downplay the significance of a bot, even some IPS systems I 
have put in place call them low threats! Just because at this time 
that bot is only popping up ads on your PC doesn't mean the attacker 
has any less than full control of your system. In my mind, a party 
outside of your network, often unknown to you, has full control of one 
of your systems. That sounds like a compromise or incident to me. It 
only takes one update from the bot's command and control center to turn it into something much more horrifying.

I completely agree with you.

In malware terms, a program that is designed to show you popups is called adware. But it is one family of malware, and could also have some "uploader" engine that magnifies its behavior to spyware, or even a controlled trojan.


Now there are controls in place like IDS and IPS systems which can often
block and alert of the existence of such a software. This is a good thing.
The question is though, should this be treated like an incident of
compromise or should it be quietly removed and cleaned up because it was
caught so early? I guess a third option would be to have a non management
alerted incident handling process in place as well. Not that we want to
cover these tracks, but for the security admin to keep track of but
possibly release at some quarterly meeting saying "we had x many major
incidents and y many minor incidents". It's an interesting thought to find
that balance. I would love to hear some opinions.

Well, you are also right with the third option, but:

I think every threat must be followed and reported in a detailed document; 
sometimes the bad hacker will cover up their traces using programs like 
this... which are meant to be "low level malware". 

But what if this program is a part of a bigger picture? I think that should be 
followed and reported. Probably it is not necessary to track this incident with the 
same effort as a major incident, but what to do?

The document should have its threat level scale. Having this, all threats 
must be followed and traced, and the next thing to do is to have a scope level per 
threat level.

Threat level could have more scales than "major and minor"; remember the big 
picture.

Scenario:

Suppose that today you receive a scan; then a hacker knows that you are 
using something like "cisco vpn etc...". The hacker tries to get access, but 
today he didn't get access. A few months later, an attacker finds a new 
exploit for this "cisco vpn"; then, if you missed the past event, you won't be 
prepared for this.

A low threat level could be a prelude to a big event, and if you are good 
enough to identify preludes, you are prepared to handle and stop upcoming 
big events.

Conclusion: all events must be reported, you need to have a threat scale in your 
documents, and... getting infected with a malware or a virus is also a matter of 
security administration; if you get infected, you have some security leak that 
must also be exploited by some hacker. Not only adwares.... 

We are commonly scaling the threat by its impact... missing the vuln used by 
this malware to get inside. If we focus on covering vulns also, we can 
protect ourselves from future, more malicious attacks.

Remember that an IDS or IPS or AV detects this threat because this malware has 
a signature. When not, you won't be able to handle it with the IDS, IPS or 
antivirus. But if you protect the vulns, you will be more secure.


Curt



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means
you pass the exam. Gain a laser like insight into what is covered on the
exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------

-- 
Ing. Aaron G. Mizrachi P.    
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503