On Mon, January 25, 2016 19:12, Benjamin Smith wrote:
> > Which I'd consider "best practices" and we do them.
>
> They are specifically asking about what to do *after* a
> breach. Despite all the best practices in
> place, there's *still* some risk.

If someone wants into your network then they will get in. There is no point in deluding yourself or your clients on that point.

The first thing that you must do after a breach is detected, or even suspected, is to notify all affected parties. There is an institutional bias against revelation of security incidents because of the fear of embarrassment. This is often couched in terms using the word 'premature'. Failure to disclose at the earliest opportunity is unethical and ultimately self-defeating. You will never regain trust thereafter.

The second thing to do, concurrently with the first, is to isolate the affected systems from the rest of your network. If that means physically pulling wires and putting the things on their own switch and LAN segment blocked from the rest of your networks then do it. If it means shutting down the affected hosts then do it. If it means disconnecting from the network at your gateway then do it. They are in and they are looking for ways to expand their foothold. Delaying containment is pointless.

The third thing to do is to involve the authorities. Unauthorised computer access is an indictable offence in Canada and the UK. It is a federal felony in the U.S.A. If you have an incident then report it. That means you should have computer emergency response contact information and reporting protocols already in place.

Now, with your clients and the authorities notified and the suspect systems isolated, you begin to map out your recovery strategy, the basic bones of which you have already written down and implemented in your backup and disaster recovery plan. A security breach is a disaster. You need to start with that point clearly in mind and proceed on that basis.
Once corporate and client services are restored on clean hosts and reconnected to the Internet then begin your investigation. Use your AIDE and syslog records to determine the point of entry, the length of compromise and the extent of penetration. If possible identify the nature of the attackers and their target. Where possible keep the compromised hosts' disk drives unaltered for further technical analysis. Where warranted bring in forensic investigators to examine them. It will likely prove impossible to positively identify them but you should be able to glean some inkling of whether this was a targeted breach or an opportunistic one. If the former then they will be back and you will need to consider how to deal with the next assault.

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
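The post above says to use AIDE and syslog records to establish the point of entry, the length of compromise and the extent of penetration, but does not show how the two sources are combined. The following is an added example, not code from the original post or from the AIDE project: it correlates an AIDE change report with sshd lines from a loghost to bound the compromise window. The report text, the host name "web1", the paths, the addresses and every timestamp are constructed; the report layout only approximates what AIDE prints and the line parsing is written for that constructed sample. Two practitioner points are built in: the first change time is taken from Ctime rather than Mtime (an attacker can reset Mtime with touch, but not Ctime without changing the clock), and a file whose hash changed while its Mtime did not is flagged as timestomped.

```python
"""Bound a compromise window from an AIDE report plus sshd syslog lines.

Added example (assumptions: AIDE report layout approximated from AIDE
0.15; all names, paths, addresses and times below are constructed).
"""
import re
from datetime import datetime

# Constructed AIDE report. Only the "File:" detail block is parsed.
AIDE_REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2016-01-25 18:05:12

added: /tmp/.x/backdoor
changed: /usr/bin/ssh
changed: /etc/ld.so.preload

File: /tmp/.x/backdoor
 Ctime    : <none>                           , 2016-01-23 02:15:09
File: /usr/bin/ssh
 Mtime    : 2015-12-01 10:02:31              , 2015-12-01 10:02:31
 Ctime    : 2015-12-01 10:02:31              , 2016-01-23 02:14:51
 SHA256   : 3f1d9c0b2a4e7c6d...              , 9ab4e2f17c3d5b08...
File: /etc/ld.so.preload
 Mtime    : 2015-11-15 09:00:00              , 2016-01-23 02:14:58
 Ctime    : 2015-11-15 09:00:00              , 2016-01-23 02:14:58
"""

# Constructed sshd lines as copied from a remote loghost (the copy on the
# compromised host itself cannot be trusted). Syslog carries no year.
SYSLOG_YEAR = 2016
SYSLOG = """\
Jan 22 23:58:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jan 22 23:58:04 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jan 23 01:30:12 web1 sshd[2260]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Jan 23 02:09:55 web1 sshd[2290]: Accepted password for root from 203.0.113.45 port 51800 ssh2
Jan 25 18:05:12 web1 cron[3020]: (root) CMD (/usr/sbin/aide --check)
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_aide(report):
    """Return (report_time, {path: {field: (before, after)}})."""
    report_time, changes, current = None, {}, None
    for line in report.splitlines():
        if line.startswith("Start timestamp: "):
            report_time = _ts(line.split(": ", 1)[1])
        elif line.startswith("File: "):
            current = line[6:].strip()
            changes[current] = {}
        elif current and line.startswith(" ") and "," in line:
            field, values = line.split(":", 1)          # first colon only
            before, after = (v.strip() for v in values.split(",", 1))
            changes[current][field.strip()] = (before, after)
    return report_time, changes


def parse_sshd(log, year=SYSLOG_YEAR):
    """Return sorted (time, result, user, ip) tuples for sshd auth lines."""
    events = []
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def first_change(changes):
    """Earliest post-change Ctime over all files; Ctime, not Mtime, because
    Mtime is trivially reset with touch(1)."""
    return min(_ts(f["Ctime"][1]) for f in changes.values() if "Ctime" in f)


def timestomped(changes):
    """Files whose content hash changed while Mtime did not: the attacker
    reset the modification time after writing."""
    return sorted(p for p, f in changes.items()
                  if "SHA256" in f and f["SHA256"][0] != f["SHA256"][1]
                  and "Mtime" in f and f["Mtime"][0] == f["Mtime"][1])


def point_of_entry(events, deadline):
    """Most plausible entry: the last successful login at or before the
    first file change, preferring a source that had failed logins first."""
    failed_from = {ip for _, result, _, ip in events if result == "Failed"}
    accepted = [e for e in events if e[1] == "Accepted" and e[0] <= deadline]
    if not accepted:
        return None
    flagged = [e for e in accepted if e[3] in failed_from]
    ts, _, user, ip = (flagged or accepted)[-1]
    return ts, user, ip


def incident_summary(report=AIDE_REPORT, log=SYSLOG):
    """Point of entry, dwell time and extent, as the post asks for."""
    report_time, changes = parse_aide(report)
    change_t = first_change(changes)
    entry = point_of_entry(parse_sshd(log), change_t)
    return {
        "entry": entry,
        "first_change": change_t,
        "dwell": report_time - entry[0] if entry else None,
        "files": sorted(changes, key=lambda p: _ts(changes[p]["Ctime"][1])),
        "timestomped": timestomped(changes),
    }


if __name__ == "__main__":
    for k, v in incident_summary().items():
        print(f"{k:13}: {v}")
```

The dwell figure is a lower bound only: it runs from the first logged login to the AIDE check that noticed the changes, and an attacker who disabled the AIDE cron job or who entered through a service that does not log to sshd would push the true entry earlier. The on-host syslog is itself evidence and should be compared against the loghost copy rather than used in its place.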