To Catch a Thief
Effective incident response against network intruders
by Jay Lyman
May 2002
Your firewall is in place. Your antivirus software is updated regularly, and you check daily to make sure you have all of the latest OS and server patches. The only way in is through your virtual private network (VPN). By all accounts, you should be able to sleep easy, but you know better.
Intelligence and information gathering have progressed to the point that most computer attacks are quickly reported. However, there are still many vulnerabilities, unreported bugs, and complex worms out there. In addition, the double threat posed by Trojan horse worms that leave systems vulnerable to later attack by intruders is growing. It may just be a matter of time before everybody is hit. No matter what preventative measures administrators take, intruders on the company network, Web defacements, and virus outbreaks are often inevitable.
Forrester Research analyst Laura Koetzle stresses that a comprehensive security policy is the most important item to start with when defending a computer network and its data, whether the threat is the latest mass-mailing virus, an exploit that is making the rounds among hackers, or an internal compromise. "Having a coherent policy (what to do, who to call, what to shut down, the first-fix things) is important," she says.
Vincent Weafer, director of Symantec Security Response, agrees. "First and foremost is having a security policy in the first place," he says. "People forget about that and focus on the products and techniques. When they then get into an incident response, they may destroy evidence or not know what to do."
Log and Load
Knowing just what to do in an incident response situation can often be difficult, given the lack of public discourse on the subject.