
Steps to be taken during an outbreak


crossover

Newbie

Posts: 21

Joined: Thu Apr 01, 2010 1:39 pm

Post Sat Jun 05, 2010 2:52 pm

Steps to be taken during an outbreak

Hello Members!!

I would like to know what steps should be taken during a virus attack or security breach, more specifically the defined steps to be taken internally during an outbreak.

And how do you go about remediating them (steps)?

Please Share your Experiences.

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Sat Jun 05, 2010 6:56 pm

Re: Steps to be taken during an outbreak

Hello Crossover,


That's a bit of a generic question to answer fully. Do you have a specific incident in mind?

A great overview of the steps I've used to deal with a number of issues is from SANS:
http://www.giac.org/resources/whitepaper/network/17.php
This covers dealing with incidents from start to finish.


They've also got some excellent examples of IR in their reading room too.

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Sat Jun 05, 2010 7:40 pm

Re: Steps to be taken during an outbreak

I remember when the ILOVEYOU virus hit us. The admin *RAN* into the server room and pulled the plug on the Exchange server.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Sat Jun 05, 2010 9:24 pm

Re: Steps to be taken during an outbreak

This is a very broad question, but for responses to these situations, any good security professional would have an incident response plan.

In addition to What90's reply, check NIST Special Publication 800-61, Computer Security Incident Handling Guide.
CISSP, Security+, CEH, OPP, et alii

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sun Jun 06, 2010 7:11 pm

Re: Steps to be taken during an outbreak

First: always disconnect the machine from the internet and begin to work with that, and if it is the whole company I would protect the servers first and the users later.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

crossover

Newbie

Posts: 21

Joined: Thu Apr 01, 2010 1:39 pm

Post Mon Jun 07, 2010 9:35 pm

Re: Steps to be taken during an outbreak

Thank you for the responses. I have yet to check the 800-61 publication, and I liked What90's link (that is what I was looking for). I found an article as well, so I thought I would share it too.

http://articles.techrepublic.com.com/51 ... 34814.html

What90 wrote:That's a bit of a generic question to answer fully, do you have a specific incident in mind?

Well, let's say the Conficker virus (I basically want to understand the procedures and the remediation steps; it may or may not be Conficker).

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Tue Jun 08, 2010 6:55 am

Re: Steps to be taken during an outbreak

Read the SANS link and break up your response into steps in order to deal with the problem in a calm and rational way.

One possible way of dealing with a Conficker outbreak in a Windows Active Directory (AD) domain, following the SANS steps:

Step Two—Identification
You (as the security person) have been alerted that there's a problem.
In Conficker's case, AD user accounts have started locking out in large numbers.

The first thing to do is find a machine causing the problem and examine it.
Looking in the Domain Controllers' event logs will show which machine(s) is causing the accounts to be locked out.

Once you've examined the machine and determined the problem, Conficker in this case, you need to work out what Conficker does and how it works in order to stop it. Then the why, who and how of the machine getting infected.
For example: Was it patched? Did it have working AV? Did the attack come from USB or another machine?

Step Three—Containment
You need to make the call on how to deal with the problem and get management involved. Do you go in hard, locking down the network and blocking internet access, or do you quietly clean up the mess in the background? Conficker is well written, so infected machines aren't crashing, and the AD lockouts can be scripted to be unlocked to minimise the downtime effects on the staff.

Let's say you have a number of machines without patches and no antivirus across the network, and Conficker infected one of those machines from a USB drive. Scanning for infected machines, or machines open to infection, would give you a list of machines to fix and let you know how many machines are possible problems.

Quick fixes could be using Group Policy to turn on XP's firewall and block port TCP 445, or force out the patches and AV and reboot machines. Searching for machines with an AT1.job file and deleting that file will also slow up Conficker.
If you have a network with modern switches, drop all the infected machines onto a special VLAN that has no access to the rest of the network and fix them as and when you have time.

Someone needs to talk to the staff and tell them in non-geek terms what the problem is and how not to make it worse (e.g. ban the use of USB sticks while cleaning up the network).

Step Four—Eradication
Clean up all the infected systems and ensure all the other computers in the network are protected from possible infection. Find any infected USB drives and clean/remove them.

Step Five—Recovery
Check everything is okay and staff can work normally again.

Step Six—Lessons Learned
Write up what happened and put it into a timeline of events and actions. Work out what you could have done better and how this could have been avoided. You may suggest regular patching is a good idea, as is restricting the use of USB drives by certain staff.
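The Identification step in What90's post (find the machine driving the lockouts from the Domain Controllers' event logs) in runnable form. This is an added example, not code from the thread or from the SANS/NIST guides it links. It assumes the DC's Security log has been exported into a simple whitespace-separated text format (timestamp, event ID, target user, caller computer); real exports are CSV or XML, so the parser would need adapting. The account-lockout event IDs are real (644 on Windows 2000/2003 DCs, 4740 on 2008 and later, both carrying the caller computer name); the hostnames, usernames and timestamps are constructed sample data.

```python
"""Triage account-lockout events to find the machine driving a Conficker-style
lockout storm.

Added example, not from the forum thread. Conficker's brute-force logon attempts
lock out AD accounts; the lockout event written on the domain controller records
the *caller computer* that sent the bad credentials, so counting distinct locked
accounts per caller points at the infected host. Event IDs 644 (Windows
2000/2003 DC) and 4740 (Windows 2008+ DC) are the lockout events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported Security-log lines. The format
# "<timestamp> <event id> <target user> <caller computer>" is an assumption
# for this example; real exports are CSV/XML and need a different parser.
SAMPLE_LOG = """\
2010-06-05T09:00:12 4740 jsmith WS-FIN-07
2010-06-05T09:00:15 4740 mjones WS-FIN-07
2010-06-05T09:00:19 4740 akumar WS-FIN-07
2010-06-05T09:00:41 4740 bwong WS-FIN-07
2010-06-05T09:01:03 4740 jsmith LAPTOP-22
2010-06-05T09:02:10 644 ccole WS-FIN-07
2010-06-05T11:30:00 4740 hr-temp WS-HR-01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
LOCKOUT_EVENT_IDS = {"644", "4740"}  # 2003-era and 2008+ "account locked out"


def parse_lockouts(text):
    """Return a list of (time, user, caller) for each lockout event.

    Lines that do not match the expected layout, or that carry a different
    event ID (e.g. 4624 successful logon), are skipped rather than raising.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, user, caller = m.groups()
        if event_id not in LOCKOUT_EVENT_IDS:
            continue
        events.append((datetime.fromisoformat(ts), user, caller))
    return events


def lockouts_by_caller(events):
    """Count distinct locked-out users per caller computer."""
    users = defaultdict(set)
    for _, user, caller in events:
        users[caller].add(user)
    return {caller: len(u) for caller, u in users.items()}


def suspect_machines(events, window=timedelta(minutes=5), min_users=3):
    """Flag callers that lock out at least min_users distinct accounts inside
    any single time window.

    One user locked out from one machine is usually a forgotten password; many
    distinct accounts from one source within minutes is a worm (or a badly
    configured service account) and is the machine to pull and examine first.
    Returns {caller: distinct users seen in the worst window}.
    """
    by_caller = defaultdict(list)
    for ts, user, caller in events:
        by_caller[caller].append((ts, user))
    suspects = {}
    for caller, items in by_caller.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {u for ts, u in items[i:] if ts - start <= window}
            if len(seen) >= min_users:
                suspects[caller] = len(seen)
                break
    return suspects


if __name__ == "__main__":
    ev = parse_lockouts(SAMPLE_LOG)
    print("lockouts per caller:", lockouts_by_caller(ev))
    print("examine first:", suspect_machines(ev))
```

On the sample data the finance workstation stands out with five distinct accounts locked within two minutes, while the single lockout from LAPTOP-22 and WS-HR-01 are not flagged. Run this against the PDC emulator's log first, since that DC receives every lockout in the domain.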

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Jun 15, 2010 6:11 am

Re: Steps to be taken during an outbreak

what90 posted some excellent comments so I will chime in here. Your first goal above all (before an incident) is to have an incident response plan in place. This keeps you from running around like a chicken with its head cut off.

Borrowing from Red Hat so I don't have to reinvent the wheel; I will chime in afterward:

The incident response plan itself can be separated into four sections:

* Immediate action
* Investigation
* Restoration of resources
* Reporting the incident to proper channels

An incident response must be decisive and executed quickly. There is little room for error in most cases. By staging practice emergencies and measuring response times, it is possible to develop a methodology that fosters speed and accuracy. Reacting quickly may minimize the impact of resource unavailability and the potential damage caused by system compromise.


In a business - any business - the order of the day is to make money. In a mission critical environment, you can't just "yank the machine offline" as others have suggested. If you plan ahead, you can remediate the situation. For example, because VMWare is cheap, you could have an exact image on standby to throw in place while you sanitize an infected machine.

There are plenty of things to do prior to an incident, so I suggest you focus on pre-emptive tasks, because after all, if an incident has struck you, no matter what plans are in place, you are dealing with it, no? Setting up a checklist keeps a focus and a plan which in the long run saves you time and your business money.

http://www.comptechdoc.org/independent/ ... ample.html

DannyAcs

Newbie

Posts: 3

Joined: Fri Jun 18, 2010 8:07 am

Post Tue Jun 22, 2010 4:09 am

Re: Steps to be taken during an outbreak

I have to echo the previous comments and say that an incident response plan is crucial.  It is worth noting that in some organisations this may be incorporated into a broader Business Continuity Plan.

Bane

Post Wed Jun 23, 2010 12:02 am

Re: Steps to be taken during an outbreak

impelse wrote:First: always disconnect the machine from the internet and begin to work with that, and if it is the whole company I would protect the servers first and the users later.


This response could be jumping the gun a bit. Certain types of malware will go inactive or even delete itself if the network connection is pulled. A better step is to move the system to an isolated VLAN where further analysis can be performed. Part of properly responding to an incident is understanding what you have been attacked with.

sync

Newbie

Posts: 8

Joined: Sat Dec 19, 2009 10:26 pm

Location: Atlanta, Georgia, USA

Post Wed Sep 22, 2010 10:42 am

Re: Steps to be taken during an outbreak

I agree with what has been said. Have an IR plan written up beforehand so that when something happens you aren't running around screaming and yanking out cables. Containment is important: have a way set up so that if something happens, you can contain it to one machine. If the machine is not mission critical, you can disconnect it from the network.
Have regular backups made, and validate them.  Check them periodically to make sure they work correctly.  I've heard of too many companies that go to back up their systems, only to find that all the backups they have are corrupted because they weren't created properly and checked.
It's the journey, not the destination, that matters.

putosusio

Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Mon Nov 08, 2010 1:54 am

Re: Steps to be taken during an outbreak

Whatever you do, don't act too quickly. There may be an APT in your organization. A blog post on Mandiant's website explains it better: http://blog.mandiant.com/archives/1525
It's not the fixing that's the hard part, it's knowing what needs fixing.
