The Changing Nature of Incident Response: Part 4
July 3rd, 2011
I last wrote about the first bona fide global emergency that response teams faced. The good news is that the worm that triggered this emergency eventually died out; it lasted slightly less than three weeks. Far more dramatic events started occurring around ten months later, however. People at a number of Department of Energy (DOE) sites, as well as elsewhere, started reporting suspicious events on their computer systems, and commonalities among these events pointed to a single origin. For example, some individuals found that the password files on their Unix systems contained an unexplained entry with a blank account name and a blank password. Others reported that new accounts named “rgb” or something similar had started to show up on VMS systems. When it was possible to trace the origin of the attacks, many of them appeared to come from the Netherlands. Florida Atlantic University computers were often the first point of entry for unauthorized connections from Europe into U.S. military computers at Navy, Air Force and Army bases, and sometimes even at military headquarters or joint command facilities. Some attackers went so far as to run the grep command on Unix systems they had broken into in an attempt to find files containing words such as “weapon,” “missile,” and “nuclear.” Researchers at the University of Chicago and Bowling Green State University found their systems’ hard drives filled with information about U.S. military weapons systems that the attackers had stolen and were storing there because their own systems were already full of illegally obtained military information. Oh, and by the way, all this was happening at the time of Operation Desert Shield, the preliminary military operations preceding what would soon become Operation Desert Storm, the first Iraq War, in 1991.
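The blank-name, blank-password entry described above is exactly the kind of indicator a responder can check for mechanically. The following is an added example, not code from the original post: a small scan of /etc/passwd-style records that flags an empty account name, an empty password field (which on a Unix system means no password is required at all), and any UID 0 account other than the expected root account. The sample records, including the “rgb” account, are constructed for illustration.

```python
"""Scan /etc/passwd-style records for backdoor indicators.

Added example, not from the original post. The sample records below are
constructed. On systems with shadow passwords the second field holds
'x' or '*'; an empty second field means login with no password.
"""
from typing import Dict, List

# Constructed sample: normal root and user entries, a blank-name
# passwordless entry of the kind the post describes, an extra UID 0
# account named "rgb", and a user whose password field has been emptied.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
::0:0::/:/bin/sh
rgb:x:0:0::/tmp:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd text into one dict per record, skipping blank lines.

    A line that does not have exactly seven colon-separated fields is kept
    under the key "raw" so the caller can report it instead of dropping it.
    """
    records: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        rec = dict(zip(FIELDS, parts)) if len(parts) == 7 else {"raw": line}
        rec["lineno"] = str(lineno)
        records.append(rec)
    return records


def find_indicators(text: str, expected_root: str = "root") -> List[str]:
    """Return human-readable findings for suspicious passwd entries."""
    findings: List[str] = []
    uid0_names: List[str] = []
    for rec in parse_passwd(text):
        n = rec["lineno"]
        if "raw" in rec:
            findings.append(f"line {n}: malformed entry ({rec['raw']!r})")
            continue
        if rec["name"] == "":
            findings.append(f"line {n}: empty account name")
        if rec["passwd"] == "":
            findings.append(
                f"line {n}: empty password field for {rec['name']!r} "
                "(no password required)"
            )
        if rec["uid"] == "0":
            uid0_names.append(rec["name"])
    # Any UID 0 account beyond the expected one is a privileged backdoor.
    for name in uid0_names:
        if name != expected_root:
            findings.append(f"uid 0 account other than {expected_root!r}: {name!r}")
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; swap in open("/etc/passwd").read()
    # to check a live system.
    for finding in find_indicators(SAMPLE_PASSWD):
        print(finding)
```

On a real system the same check should be run over /etc/shadow as well, since that is where the password hashes live when shadowing is in use; the logic is unchanged, only the field layout differs.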
The good news for DOE sites was that they were, for the most part, not the real target of these attacks. The bad news is that many DOE computers were successfully compromised by intruders trying to reach U.S. military computers. Shortly after the Morris Worm struck, the U.S. Department of Defense (DOD) had reacted by severing Milnet and other military networks from what had been the ARPAnet (and would soon become the Internet). This turned out to be a very good move for DOD network security, because attackers were for the most part unable to reach DOD computing systems directly. But attackers discovered that many DOE computers were directly reachable and that there were numerous gateways from DOE networks into military networks. Consequently, attackers gained unauthorized access to DOE computers and used them as stepping stones to attack DOD computers.
There was considerable cooperation among certain incident response teams such as CIAC, NAVCIRT, NASIRC, AFCIRT, and DISA, as well as with certain U.S. government agencies such as the State Department and the National Institute of Standards and Technology (NIST). Despite many well-intentioned efforts, however, the onslaught of attacks continued virtually unabated for many months after it began, and well into Operation Desert Storm. Over time, an ever increasing amount of evidence pointed to the Netherlands as the primary source of the attacks, and at that time there was no law against breaking into computing systems in that country. To the best of my knowledge, none of the attackers was ever punished, or even tried, for the many break-ins that occurred.
Would incident response teams today fare better if a scenario similar to the one I have described were to replay itself? In some ways, I think so. For one thing, I believe that better communication channels between incident response efforts have been established, and in many instances statements of understanding have been put in place concerning the actions to be taken when attacks cross government agency and department boundaries. Additionally, mandatory reporting of attacks is now widely required, something that greatly facilitates investigation by incident response and other capabilities. Furthermore, the barriers caused by having to deal with multiple response teams within the U.S. government have been reduced, at least to some extent, by the consolidation of many incident response efforts through the formation of US-CERT. Best of all, however, one of the biggest improvements over the last two decades has been the ever growing effectiveness of law enforcement. Two decades ago FBI and Secret Service agents did not know much about computers; the opposite is now very much true. In today’s incidents, law enforcement agencies often take the lead in investigating attacks, to the point that they frequently carry out takedowns of malicious Web and spam sites. They also often identify suspects and make arrests, thereby shutting off incidents before they can go too far.
At the same time, however, the incident response and law enforcement communities have struggled with the onslaught of Chinese, Russian and other attacks, with little genuine success. So although many facets of incident response have changed for the better over time, there is still much room for improvement.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.