criticality of those assets. So what kind of containment strategy is best? Well, it depends. Containment strategies can be proactive or reactive. Which is best depends on the environment and the category of the attack. In some cases, the best action might be to disconnect the affected system from the network. However, this reactive approach could cause a denial of service or limit the functionality of critical systems. When complete isolation or containment is not a viable solution, you may opt to use network segmentation to virtually isolate a system or systems. Boundary devices can also be used to stop one system from infecting another. Another reactive strategy involves reviewing and revising firewall/filtering router rule configuration. Access control lists can also be applied to minimize exposure. These containment strategies indicate to the attacker that his attack has been noticed and countermeasures are being implemented. But what if, in order to perform a root cause analysis, you need to keep the affected system online and not let on that you've noticed the attack? In this situation, you might consider installing a honeynet or honeypot to provide an area that will contain the attacker but pose minimal risk to the organization. This decision should involve legal counsel and upper management because honeynets and honeypots can introduce liability issues and be used to attack other internal targets.
Once the incident has been contained, we need to figure out what just happened by putting the available pieces together. This is the stage of analysis, where more data are gathered (audit logs, video captures, human accounts of activities, system activities) to try to figure out the root cause of the incident. The goals are to figure out who did this, how they did it, when they did it, and why. Management must be continually kept abreast of these activities because they will be the ones making the big decisions on how this whole mess is to be handled.
The group of individual...