Case Study: Hacker Attack!

SCENARIO

ESSENCE OF THE CASE

Here are the essential elements in this case:

  • Determine the nature of the attack.

  • Declare an incident and convene CIRT.

  • Follow incident-handling procedures.


Richard is the overnight system administrator for Needmore Security, Inc. At approximately 8 p.m., he began to receive alarms from Needmore's intrusion-detection system indicating a high level of IP-sweep and port-scanning activity. Following proper procedures, Richard made a note of this activity in the security log and increased his level of vigilance.

At 9:45 p.m., Richard received a telephone call from one of Needmore's executives traveling overseas. He said that he was having difficulty locating some of his files and wanted to know whether someone had deleted them.

At 11 p.m., Richard received an angry call from Needmore's president informing him that there was obscene material posted on Needmore's corporate Web site. He demanded that Richard remove the offensive content immediately and provide an explanation. At this point, Richard declared a computer-security incident and notified Needmore's CIRT.

ANALYSIS

As the system administrator on duty, Richard should treat each of the three events as a potential computer-security incident worthy of further analysis.

Under most incident-response policies, the port scanning and IP sweeps that occurred at 8 p.m. do not constitute an incident on their own. However, this type of reconnaissance often precedes an attack, and Richard was correct to increase his level of vigilance and record the activity in the security log.
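The alarms Richard saw at 8 p.m. come from a heuristic of the kind shown below: one source address touching many ports on one host (port scan) or many hosts (IP sweep) inside a short window. This is an added example and not code from the case study or from any real IDS; the log format, the five-minute window, the thresholds and the sample records are constructed for illustration.

```python
"""Threshold-based port-scan and IP-sweep detection over connection-log lines.

Added example, not part of the case study. The record format
('ISO-timestamp src dst dport proto'), the window and the thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # sliding window per source address (assumption)
PORT_SCAN_THRESHOLD = 15           # distinct ports on one target within WINDOW
IP_SWEEP_THRESHOLD = 10            # distinct targets within WINDOW


def build_sample_log():
    """Constructed connection records, not captured traffic."""
    lines = []
    # one source probing 20 ports on a single host
    for i in range(20):
        lines.append(f"2001-03-12T20:01:{i:02d} 198.51.100.7 192.0.2.10 {20 + i} tcp")
    # the same source then sweeping 12 hosts on port 80
    for i in range(12):
        lines.append(f"2001-03-12T20:05:{i:02d} 198.51.100.7 192.0.2.{11 + i} 80 tcp")
    # a benign client making a few HTTPS connections to one host
    for i in range(4):
        lines.append(f"2001-03-12T20:03:{i * 10:02d} 203.0.113.5 192.0.2.10 443 tcp")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def detect(log_text):
    """Return one alert per (type, src[, dst]) the first time it crosses a threshold."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    alerts = []
    seen = set()
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # slide the window start so recs[start:end+1] spans at most WINDOW
            while rec["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]

            hosts = {r["dst"] for r in window}
            if len(hosts) >= IP_SWEEP_THRESHOLD and ("sweep", src) not in seen:
                seen.add(("sweep", src))
                alerts.append({"type": "ip_sweep", "src": src, "count": len(hosts),
                               "first": window[0]["ts"], "last": rec["ts"]})

            ports_on_target = {r["dport"] for r in window if r["dst"] == rec["dst"]}
            key = ("scan", src, rec["dst"])
            if len(ports_on_target) >= PORT_SCAN_THRESHOLD and key not in seen:
                seen.add(key)
                alerts.append({"type": "port_scan", "src": src, "dst": rec["dst"],
                               "count": len(ports_on_target),
                               "first": window[0]["ts"], "last": rec["ts"]})
    return alerts


def watchlist(alerts):
    """Source addresses to note in the security log and watch for follow-on activity."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect(build_sample_log())
    for a in found:
        print(a["type"], a["src"], a.get("dst", ""), a["count"], a["first"], a["last"])
    print("watch:", watchlist(found))
```

On the constructed log the scanner produces exactly two alerts (a port scan of 192.0.2.10 and a sweep of the 192.0.2.0/24 range) and the benign client none; the alert is reconnaissance and, as the analysis says, is recorded rather than declared an incident. Counting distinct ports and hosts rather than raw connection counts is what keeps a busy legitimate client below threshold.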

After receiving the 9:45 p.m. phone call about missing files, Richard's suspicion should have grown. However, it was also quite possible that the executive or a member of his team had accidentally deleted the files. At this point, Richard probably had a hard time deciding whether the circumstances warranted an incident declaration; either decision would be justifiable.

After he was notified of the Web site defacement, Richard took the correct action by immediately declaring an incident and activating the company's CIRT. Defacement is unambiguously malicious and is certain evidence of a security breach.
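A defacement should be detected by the operator before an executive reports it. The check below, an added example that is not part of the case study, compares a hash snapshot of the published site against the baseline taken at the last authorised release and raises on any added, removed or modified file; the file names and page bodies are constructed sample data, and `snapshot_dir` is a helper for running the same check against a real document root.

```python
"""Baseline-hash integrity check of published Web content.

Added example, not part of the case study. Paths and page bodies are
constructed; the document-root layout is an assumption.
"""
import hashlib
import os


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(files):
    """files maps a site-relative path to page bytes; returns path -> SHA-256 hex."""
    return {path: hash_bytes(body) for path, body in sorted(files.items())}


def snapshot_dir(root):
    """Like snapshot(), but walks a real document root on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return snapshot(files)


def compare(baseline, current):
    """Diff two snapshots into added, removed and modified path lists."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def check(baseline, current):
    """Return (alert, diff). Any change to published content is an alert, because
    the only authorised way to change the site is to re-baseline after a release."""
    diff = compare(baseline, current)
    return any(diff.values()), diff


# Constructed sample data: the site as released, then after a defacement.
RELEASED_SITE = {
    "index.html": b"<html><body><h1>Needmore Security, Inc.</h1></body></html>",
    "about.html": b"<html><body><p>About us.</p></body></html>",
    "css/site.css": b"body { font-family: sans-serif; }",
}
DEFACED_SITE = {
    "index.html": b"<html><body><h1>defaced</h1></body></html>",
    "about.html": RELEASED_SITE["about.html"],
    "css/site.css": RELEASED_SITE["css/site.css"],
    "hacked.html": b"<html><body>defaced</body></html>",
}

if __name__ == "__main__":
    baseline = snapshot(RELEASED_SITE)
    alert, diff = check(baseline, snapshot(DEFACED_SITE))
    print("ALERT" if alert else "ok", diff)
```

The baseline must be stored somewhere the Web server cannot write to, otherwise an attacker who can alter the pages can alter the hashes as well. Run from cron against the live document root, the check turns an 11 p.m. phone call from the president into an alarm minutes after the change.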

This activation resulted in a late-night call to all CIRT members requesting an immediate meeting. The CIRT leader gave Richard preliminary instructions to contain the incident by temporarily detaching Needmore's network from the Internet until the CIRT could assess the extent of the damage and direct an appropriate response.
