Editor’s note: Ed Crockett writes regularly on trends in technology for Local Tech Wire. During and immediately after a network compromise, appropriate actions are crucial to recovery and prevention of future attacks.

This article … part four of a multi-part report on wired network security … lists some recommended responses to a network attack.

The actions necessary to recover from a network attack vary according to local policy and the degree of preparedness that is in place at the time of the attack. Policy and preparations notwithstanding, the following actions can be viewed as general guidelines:

1. Contain the attack

Containment serves to stop the progress of an attack and to limit the damage done by the intruding system(s). Specifically, containment actions include the following:

  • Selectively disable system services
  • Shut down any and all compromised computers
  • Disconnect compromised computers from the network
  • Disable file sharing on compromised computers
  • Change passwords
  • Disable accounts
  • Monitor network activity
  • Verify that redundant data is not compromised

2. Characterize the intrusion

Sound network procedures embed powerful monitoring tools into the network infrastructure to provide vital information about the attack. Information thus obtained is invaluable in identifying both the type and extent of the intrusion.

Intrusion characterization includes but is not limited to the following actions:

  • Examine logs generated by firewalls, network monitors, and routers.
  • Identify attack type and vehicle (see previous article: http://www.localtechwire.com/articles.cfm?c=525).
  • Identify the scope of the attack by inventorying all actions performed as part of the intrusion.
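The scoping step above is easier to reason about with a concrete log in front of you. The following is an added example, not code from the original article: it parses a few constructed firewall log lines (the line format, the addresses and the internal range 192.0.2.0/24 are all assumptions for this example, not any vendor's real format) and inventories what one suspect external address did: which internal hosts and ports it probed, which internal hosts later connected back to it, which other internal hosts those then contacted, and the time window of the related activity.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simple syslog-like firewall format. The format,
# the addresses and the internal range are assumptions for this example, not
# the output of any particular product; adapt LINE_RE to your firewall's format.
SAMPLE_LOG = """\
2003-03-10T02:14:07 fw1 DENY TCP 203.0.113.45:51234 -> 192.0.2.10:22
2003-03-10T02:14:08 fw1 DENY TCP 203.0.113.45:51235 -> 192.0.2.10:23
2003-03-10T02:14:09 fw1 ALLOW TCP 203.0.113.45:51236 -> 192.0.2.10:80
2003-03-10T02:31:40 fw1 ALLOW TCP 192.0.2.10:4455 -> 203.0.113.45:6667
2003-03-10T02:33:02 fw1 ALLOW TCP 192.0.2.10:4456 -> 192.0.2.25:445
2003-03-10T02:33:05 fw1 ALLOW TCP 192.0.2.10:4457 -> 192.0.2.26:445
2003-03-10T09:00:00 fw1 ALLOW TCP 198.51.100.7:40000 -> 192.0.2.10:80
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ip_network("192.0.2.0/24")  # constructed internal address range


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def characterize(text, suspect):
    """Inventory what the suspect address did and which internal hosts it touched."""
    events = parse_log(text)
    # Inbound activity from the suspect: which internal hosts and ports were probed.
    inbound = [e for e in events if e["src"] == suspect]
    # Internal hosts that later initiated connections back to the suspect are
    # treated as compromised (a callback pattern), whatever the firewall allowed.
    callbacks = [e for e in events if e["dst"] == suspect and is_internal(e["src"])]
    compromised = {e["src"] for e in callbacks}
    # Internal-to-internal connections from compromised hosts: lateral movement candidates.
    lateral = [e for e in events
               if e["src"] in compromised and is_internal(e["dst"])
               and e["dst"] not in compromised]
    related = inbound + callbacks + lateral
    times = [e["ts"] for e in related]
    return {
        "probed": sorted({(e["dst"], e["dport"], e["action"]) for e in inbound}),
        "callback_hosts": sorted(compromised),
        "lateral": sorted({(e["src"], e["dst"], e["dport"]) for e in lateral}),
        "window": (min(times).isoformat(), max(times).isoformat()) if times else None,
        "hosts_to_contain": sorted(compromised | {e["dst"] for e in lateral}),
    }


if __name__ == "__main__":
    for key, value in characterize(SAMPLE_LOG, "203.0.113.45").items():
        print(f"{key}: {value}")
```

The unrelated 09:00 connection from a third address is deliberately left out of the result, and the list under "hosts_to_contain" feeds directly back into step 1: every host that called back to the suspect, plus every host those hosts reached, is a candidate for disconnection.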

3. Maintain intrusion-related information in a log

To facilitate future actions and investigations, keep a log that is dedicated to tracking events relating to a single intrusion. The log, if electronic, should be capable of handling digital photographs in the event that photos come into play. Include the following fields in the log:

  • Name of system
  • Date and time of entry
  • Actions taken
  • Notes of conversations
  • Notifications
  • Who had access
  • Data collected
  • Data dissemination tracking

As with all activity surrounding illegal intrusion, work diligently to preserve evidence and carefully document the handling of that evidence.
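An incident log that is going to be relied on later is only useful if it can be shown not to have been altered after the fact. The following is an added example, not code from the original article: it implements the eight fields listed above as an append-only log in which each entry carries the SHA-256 of the previous entry, so that editing or removing any entry breaks the chain, and it records collected evidence (such as a digital photograph supplied as bytes) by its digest and size. The incident identifier, system name, people and photo bytes in the demo are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# The eight fields the article asks for, as keys of each log entry.
FIELDS = ("system", "timestamp", "actions_taken", "conversation_notes",
          "notifications", "who_had_access", "data_collected", "dissemination")


def evidence_record(description, data, collected_by):
    """Describe a piece of collected evidence (e.g. a photo supplied as bytes)
    by its digest, so later copies can be checked against the original."""
    return {
        "description": description,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "collected_by": collected_by,
    }


class IncidentLog:
    """Append-only log for one intrusion. Each entry carries the hash of the
    previous entry, so any later alteration of an entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add_entry(self, **fields):
        unknown = set(fields) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown log fields: {sorted(unknown)}")
        entry = {f: fields.get(f, "") for f in FIELDS}
        entry["timestamp"] = entry["timestamp"] or datetime.now(timezone.utc).isoformat()
        entry["incident_id"] = self.incident_id
        entry["seq"] = len(self.entries)
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and link; False if any entry was altered or dropped."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or self._digest(entry) != entry["hash"]):
                return False
            prev = entry["hash"]
        return True

    def dump(self):
        return json.dumps(self.entries, indent=2, sort_keys=True)


def demo_log():
    """Constructed entries for a hypothetical incident; all names are placeholders."""
    log = IncidentLog("INC-EXAMPLE-001")
    photo = b"\x89PNG constructed placeholder for a console photograph"
    log.add_entry(system="mailgw1", timestamp="2003-03-10T02:45:00+00:00",
                  actions_taken="Disconnected from network; file sharing disabled",
                  who_had_access="J. Doe (on-call administrator)",
                  data_collected=evidence_record("Photo of console screen", photo, "J. Doe"),
                  notifications="Paged security lead")
    log.add_entry(system="mailgw1", timestamp="2003-03-10T03:10:00+00:00",
                  actions_taken="Imaged disk to evidence drive E-01",
                  conversation_notes="Security lead agreed to keep the original disk sealed",
                  dissemination="Image digest given to security lead only")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.dump())
    print("chain intact:", log.verify())
```

Every entry is written once and never edited; a correction is itself a new entry that references the earlier one. Exporting the latest hash to someone outside the response team (for example in a notification) gives an independent anchor for the whole chain.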

4. Communicate on a need-to-know basis

Typically, various people hold a variety of responsibilities relating to a network intrusion. Controlled, timely dissemination of information about the incident is essential. The following is a checklist of activities relating to the release of information:

  • Refer to local procedures to learn with whom to communicate about the incident.
  • Note any needed procedural changes that surface as a result of this experience.
  • Track all communications in a log.
  • If deemed prudent, use secure communications.

5. Review and adjust security policy and procedures

It is highly unlikely that any set of security practices over 30 days old is perfect. After all, what worked last month may be less effective this month. Take advantage of lessons learned and make appropriate changes that will help in the event of future incidents.

6. Harden defenses

Review network defenses with particular attention given to the point of access and mode of entry of the intrusion.

7. Return to normal operation

While the network is still in isolation from the Internet … the presumed source of the incursion … perform the following to keep network restoration as simple as possible:

  • Develop a detailed list of each step in the restoration process.
  • Estimate the time required to carry out the list of steps and schedule accordingly.
  • Restore user data from trusted backups.
  • Enable system and application services.
  • Enable file sharing.
  • Enable accounts.
  • Reconnect file systems.
  • Validate the restored system.
  • Watch for additional signs of continued interest in attacking your network.

Once a network is compromised it is known throughout the hacker community and is likely targeted again. Finally, after network validation and no observed signs of continued intrusion attempts, reconnect to the Internet and validate the network and services once again.
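"Validate the restored system" in the list above is concrete when the trusted backup was fingerprinted before restoration. The following is an added example, not code from the original article: it builds a manifest of SHA-256 digests from a trusted backup tree, then compares the restored tree against it and reports files that match, files whose contents differ, files that are missing, and files that are present but were never in the backup. The two directory trees and their file contents are constructed in a temporary directory inside the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.
    Run this against the trusted backup before restoring from it."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def validate_restore(root, manifest):
    """Compare a restored tree with the manifest of the trusted backup."""
    actual = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if actual.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def _write_tree(root, files):
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed backup and restored trees; the paths and contents are placeholders."""
    backup = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/inetd.conf": "ftp stream tcp nowait root /usr/sbin/in.ftpd\n",
        "bin/ls": "trusted-binary-contents\n",
    }
    restored = {
        "etc/passwd": backup["etc/passwd"],                       # identical
        "etc/inetd.conf": backup["etc/inetd.conf"] + "# line added after restore\n",
        "var/tmp/leftover.dat": "file that was never in the backup\n",
    }                                                             # bin/ls not restored
    with tempfile.TemporaryDirectory() as tmp:
        _write_tree(Path(tmp) / "backup", backup)
        _write_tree(Path(tmp) / "restored", restored)
        manifest = build_manifest(Path(tmp) / "backup")
        return validate_restore(Path(tmp) / "restored", manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Anything in "modified" or "unexpected" should be explained before services, file sharing and accounts are re-enabled; keeping the manifest itself off the restored system (on the evidence drive logged in step 3, for instance) preserves its value as a reference.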

Previously published parts of the series on network security:

Part 1: Taking a Look at Threats and Attack Vehicles, www.localtechwire.com/articles.cfm?c=525

Part 2: An Intrusion Detection System Could Be the Solution, www.localtechwire.com/articles.cfm?c=598

Part 3: To Be Fully Prepared for an Attack, Document Corporate Procedures and Responses, www.localtechwire.com/articles.cfm?c=665

Feedback? Send email to ecrockett@nc.rr.com