Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:46 PM
John H. Sawyer
John H. Sawyer

Incident Response Prep Extends Beyond Tools, Training

Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?

Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?I've seen many incidents in which the team responsible for its handling had the standard forensic and IR tools in place. Their jump bag was ready to go with hard drives, forensic imaging equipment, laptops, etc., but when they approached the system in question, it was a proprietary or legacy system that wasn't supported by the typical cadre of forensic software available.

While legacy systems and proprietary systems may be absolutely necessary in some situations, more often I've seen them left hanging around because it's easier (and cheaper) to let them do what they do than to upgrade them to a more modern OS that's less esoteric and easier for IR staff to handle. This is a situation where "if it ain't broke, don't fix it" can seriously throw a monkey wrench into an investigation.

Legacy systems, however, are not the source of so many other problems I've come across. The number one core issue is changes made by system administrators and help desk staff during the course of managing systems and during troubleshooting that don't take into consideration what impact it will have if one of those systems is compromised and must be analyzed.

The best example is an issue that resulted from cached pages in an ERP Web portal. The users were experiencing odd behavior with stale pages and values in forms. Troubleshooting the issue led to a "fix," by having the cache and history cleared upon exit, or not record at all. Shortly after the "fix" was put in place, two incidents occurred that were complicated by it. One dealt with inappropriate Web surfing and the other was malware contracted through Web browsing.

I've seen several others, including turning off firewalls to troubleshoot a problem and never turning it back on, logging disabled not to be re-enabled, and other oversights. Some of the problems are from simple forgetfulness after solving a problem and not having any sort of auditing to confirm that settings were what they should be. The Web caching and history problem, though, was a workaround that no one ever considered the ramifications on other areas, such as IR and forensics.

There's no simple solution to preparing your environment to be ready for an incident. Knowing what's there and making sure you have the necessary tools to handle them is key, but so is having clearly defined policies that get regularly reviewed and updated to address changes in the environment. Security needs to be plugged into all the IT processes in an organization and not just be something that one group is responsible for.

This is one of those problems that I'm sure permeates organizations no matter what industry you're in. Leave a comment or send me an e-mail if you've run into the same problem and how you solved it (if you were able to).

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...
PUBLISHED: 2020-12-02
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
PUBLISHED: 2020-12-02
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat ...