November 12, 2006 at 2:42 pm #870morpheus063Participant
Can we have a discussion on the procedures / steps to be followed once you realize that your web site is defaced or hacked?
My queries are : Can we contact the ISP for any help?
How to handle a situation like this:
I am from Country A, the web site is hosted at country B, and the attack originated from country C? Whom should I contact/complain in this case?
Please feel free to discuss your experiences and related issues?
November 12, 2006 at 5:46 pm #10675AnonymousParticipant
I think most peoples response depends on the nature of the attack. If it was just a small defacement where someone just wanted to “plant a flag”, most people will just fix the vulnerability and go on with their lives. If the hack was really good, you won’t be able to trace them. If it was as you say, I am from Country A, the web site is hosted at country B, and the attack originated from country C, you are really at a big disadvantage! Unless their was a major monetary loss like Amazon.com being taken down, I would say there isn’t much you can do as far as perusing the culprit, especially if country C where the attack originated was someplace like Nigeria.
The first thing to do is contact the hosting company and sees if they have any security logs. As far as contacting the ISP, I would say that is a waste of time. If you contact them with really strong log records of the person that hacked your site, they might send their customer a nasty email warning them to stop such activity. ISPs seem to only take action with court issued warrants. The thing to realize is most ISPs are being contacted by many people all day writing that they think they are being hacked by someone. There are a lot of paranoid people on the net that over react. So an ISP will only respond if they are being pushed to do so with very strong evidence and possibly a court order. Even with that, the most you will get is for them to reveal the customers personal information and cutting their internet access. If it turns out the source was some innocent persons unprotected wifi being exploited, well you have spent a lot of time on a dead end. So again, I would say in most cases just fix the problem and go on. It was a learning lesson.
If it was really a serious breach, then you need to contact the FBI or similar agency in whatever country you are in.
November 13, 2006 at 4:42 pm #10676mn_kthompsonParticipant
This seems like a good time to reiterate that Information Security is essentially risk management. It also seems like a good time to remind everyone that the first step in responding to any incident is to plan for it ahead of time. I know, everyone hates planning, but since that makes up the bulk of my job I’m going to beat that drum a lot.
From a risk management perspective, your company needs to decide how much damage is done when an attacker defaces your website. You may find that it is best for you to host your own web site, or get a virtual server from an ISP in the U.S. There is nothing wrong with using an ISP overseas, as long as you understand and accept the risks involved.
How are you going to know when you get defaced? Is it acceptable for your company to wait until someone finds it and points it out to you, or are you going to run software that looks for changes in your webpages and alerts your administrators?
What is going to be your first order of business when you’re defaced? Probably putting the web site back the way it was. That means you’re going to need to do regular backups. Make sure you’re getting the log files in those backups too. I know some of this may seem obvious, but you need to document your processes before you get attacked. Since I’m only taking five minutes to type this up I’m sure that I’m missing some things. You’ll have to take some time to ask yourselves these kind of questions ahead of time and figure out what your answer is going to be.
Once you’ve got the planning down, how do you respond to the attack? You need to gather evidence, but the managers are going to want the web page put back to normal right away. Have a script written up BEFORE you get attacked that will copy the web site and all of the access and error logs to a seperate folder. That way you can quickly get the evidence and start restoring your website.
Take a look at your folder full of defaced web pages and log files. What I like to do is create a second copy of it and then zip all of the originals into a file and encrypt that file. That way you’re only examining the copied files. The same principle used when examining a hard drive that may have been used in an incident. Comb throught the logs and find out what exactly happened and how you can prevent it from happening again. Is there a misconfiguration that allowed the attack? Is there an OS vulnerability that didn’t get patched? Make sure you get these things fixed on all of your servers, not just the one that was defaced.
Now that you know what happened, you’ve set things right, and you’ve hardened against future attacks you can start looking at legal action. Honestly, your company probably wont want to pursue this course of action. It costs a lot of money and they aren’t likely to get much of it back in the form of punative damamges. If you’re being repeatedly attacked by the same source the company may look at legal action as a way to combat future attacks. Also you could take the approach that you’re going to take legal action for every attack and try to gain a reputation as a company that will bite back. These are questions for upper management to decide. As far as contacting ISPs or law enforcement officials this is all work that needs to be done by your lawyers.
Let me say something about documentation. First of all during the whole incident you need to be keeping meticulous records of what you’ve done and how you’ve collected information. This will help you to improve your processes in the future, and if you take legal action it will help your case. My standard is that I keep detailed notes and copies of all supporting documentation such that an outside auditor could completely reproduce my work without any additional input from me.
The other thing you need to document is your process. All this information that I’ve talked about in this email needs to be documented. How often are you going to backup your files? Document it. Where are you going to copy the defaced files to? Document it. Document the script that is going to copy the files. Document the exact position of your buttocks in the chair that you sit in. After the incident you’ll want to have a post incident review where you examine what went right and what went wrong. Use the information from the post incident review to improve your process.
I hope all of this helps.
- You must be logged in to reply to this topic.