Incident Reporting Post 9/11

By Phil Callihan, MSCE/MCT, MIS Director for NCMS

Ref: http://www.nipc.gov/incident/incident.htm

One of the functions of the National Infrastructure Protection Center (NIPC) is to provide organizations a method to report potential intrusions to the proper law enforcement authorities. As organizations have become increasingly dependent on the public Internet for everyday business operations, they have opened themselves to increased electronic attacks from a variety of sources. Sources of potential trouble may take the form as simple 'knob turning' neophytes all the way to organized professionals whose goal is to intrude and disrupt business operations. In the post 9/11 world another potential risk has appeared to American interests – the cyber terrorist.

For this discussion, the cyber terrorist will be someone motivated by politics, religions, or ideology. This new threat is not motivated by the desire to cause mischief or steal industrial secrets but rather to gather intelligence that could be used against critical national resources. Once gained this intelligence to could be used to plan and coordinate an electronic attack at a desired time and place. 

Incident Reporting is Part of an Overall Plan

What first steps can manufacturers take to help defend against these kinds of attacks? Of course, every organization should have a comprehensive plan on dealing with network security. This plan should be a blend of hardware, software, and employee training. An additional important step should be the reporting of possible electronic attacks to the proper authorities. Companies have been reluctant to do this in the past, but as the possibility of coordinated attacks increases, responsible incident reporting becomes an essential element of our national security.

If companies refuse to report potential electronic intrusions, it is difficult for law enforcement authorities to accurately gauge the scale of the problem. Is one company being attacked or hundreds? Thousands? Are certain industries being targeted? Incident reporting allows authorities to get a 'big picture' view of what is occurring.

Organizations will need to define a baseline for what incidents to report. This threshold should be a part of a comprehensive network security plan. For example: it may not be practical to report ever time someone on the public Internet tries to scan the ports on the external facing interface of your firewall. These types of 'knob twisting' scans can occur hundreds of times a week. It is often the first step that a potential intruder will take- to look for well known vulnerability. Most security solutions will prevent these low level attacks and force the potential intruder to look for easier prey.

This decision to report an incident may be triggered by certain level of damage caused, level of system penetration, or the compromise of certain proprietary information. Whatever the threshold company sets it is important to have the capability to recognize when such attacks have occurred.

Prime Indicators

Things to look for are repeated attacks from the same range of Internet protocol (IP) addresses or a sustained spike in attack activity during a period of time. A spike in internal bandwidth usage may indicate that your systems have been penetrated. Server and firewall logs should be monitored for suspicious activity. A security plan should also include the monitoring of your organization's outward bound Internet activity. Some Internet attacks involve the penetration of computers for the sole purpose of utilizing those computers in a coordinated attack on a third party.

Organizations should also be aware that not all incidents are purely electronic in nature. Phone calls, letters, or requests from unrecognized individuals for passwords and network information are potential incidents as well. Facility tours are a prime intelligence gathering method used by motivated attackers to gather information about potential network vulnerabilities. A potential attacker may call posing as a 'vendor' asking questions about what kind of hardware and software solution that a company may be using. Without proper training these potential 'social' incident attacks may not recognized by the staff of many organizations. If this type of attack is recognized it should be reported to the proper authorities as well. 

Who Do You Call?

Once an incident is detected what steps should an organization take to properly report the incident to the proper authorities? If the incident requires an immediate response a victim can contact their local FBI Field Office with the following information:

1. Names, location, and purpose of operating systems involved; 
2. Names and location of programs accessed; 
3. How intrusion access was obtained; 
4. Highest classification of information stored in the systems; and 
5. Impact (compromise of information of dollar loss). 

To aid the investigation the following steps are recommended:

1. Make backup copies of damaged or altered files, and keep these backups in a secure location; 
2. Activate all auditing software; 
3. Consider implementing a keystroke monitoring program, provided an adequate warning banner is displayed on your system; and 
4. DO NOT contact the suspected perpetrator. 

Electronic reporting (HTML form or PDF) is also available from the NIPC web site: http://www.nipc.gov/incident/cirr.htm The electronic form has 22 questions that will help victims provide the authorities with the needed information. Use the form as a reference to info you will need. NCMS recommends calling first, then sending the .pdf form by fax, rather than sending a plain html form. 

NIPC Recommendations for Victims

No matter what method of incident reporting that your organization chooses the NIPC makes the following recommendations:

1. Respond quickly. Contact law enforcement. Traces are often impossible if too much time is wasted before alerting law enforcement or your own incident response team. 
2. If unsure of what actions to take, DO NOT stop system processes or tamper with files. This may destroy traces of intrusion. 
3. Follow organizational policies/procedures. (Your organization should have a computer incident response capability/plan.) 
4. Use the telephone to communicate. Attackers may be capable of monitoring e-mail traffic. 
5. Contact the incident response team for your organization. Quick technical expertise is crucial in preventing further damage and protecting potential evidence. 
6. Consider activating Caller Identification on incoming lines. This information may help in leading to the identification of source/route of intrusion. 
7. Establish points of contact with General Counsel, emergency response staff, and law enforcement. Pre-established contacts will help in a quick response effort. 
8. Make copies of files an intruder may have altered or left. If you have the technical expertise to copy files this action will assist investigators as to when and how the intrusion may have occurred. 
9. Identify a primary point of contact to handle potential evidence. Establish chain-of-custody of evidence. Potential hardware/software evidence that is not properly controlled may lose its value. 
10. DO NOT contact the suspected perpetrator. 

Conclusion

In conclusion, companies that use the Internet for business operations should have a comprehensive plan that deals with network security. This plan should blend of hardware, software, and employee training to protect the electronic assets of an organization. A vital part of plan should be to report serious intrusion incidents to the proper law enforcement authorities. The need to report these types of incidents has increased as certain politically motivated groups have shown the desire to destabilize American business interests.