Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Preparing for Battle

Published: 2006-01-04
Last Updated: 2006-01-04 20:40:11 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)
Are you ready to battle a large virus/worm outbreak?  Please don't view
this as a prediction that there will be a large event, but let me just
say that conditions are right for a big storm (WMF issue and the return
of the Sober worm).

Regarding the WMF issue, you have probably decided to either wait for
the official Microsoft patch, or you are rolling out Ilfak's patch.  But
there is still about 6-10 days of risk here for a major worldwide event.
So here are some recommendations for preparing for the battle.  (This is
primarily written for system and network admins...)

Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propagation vectors: e-mail, instant messaging, web
surfing, etc.
4) Several different versions of the exploit are in the wild and are
being actively used by criminal groups.  All propagation methods are
being used.  As of Wednesday, Jan 4 20:15:00 UTC, our current poll
indicates that 22% of respondents (340) have seen exploit attempts
through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are
publicly available.  These tools may be used to evade anti-virus and
IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system
signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that
were infected outside of your network before allowing them to connect
to your internal network?
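Items 5 and 6 above are the case for checking a file's structure rather than its bytes. As an added example (not code from this diary or from the ISC), the following Python walks the record stream of a Windows Metafile, using the record layout from the WMF file format, and flags any META_ESCAPE record that requests the SETABORTPROC escape, the construct the January 2006 WMF exploits abused. A randomised file still trips this check when a byte-pattern AV or IDS signature misses it. The function names (scan_wmf, build_sample) are this example's own, and the sample metafiles are constructed inline as test fixtures; they carry no payload.

```python
"""Structural WMF record scanner (added example, not ISC code).

Parses the METAHEADER and record list of a Windows Metafile and reports
META_ESCAPE records carrying SETABORTPROC, plus malformed or truncated
record streams, so the verdict does not depend on any byte signature.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009        # escape id; has no legitimate use inside a file


def scan_wmf(data: bytes) -> dict:
    """Return a verdict for the given WMF bytes.

    Keys: placeable (bool), records (int), suspicious (list of str),
    truncated (bool).  Anything in 'suspicious' deserves a closer look.
    """
    result = {"placeable": False, "records": 0, "suspicious": [], "truncated": False}
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:                       # METAHEADER is 18 bytes
        result["truncated"] = True
        return result
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if hdr_words != 9 or mtype not in (1, 2) or version not in (0x0100, 0x0300):
        result["suspicious"].append("malformed METAHEADER")
    off += 18
    while off + 6 <= len(data):
        # each record: Size (words, including these 6 bytes), Function, params
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6:
            # a record shorter than its own header cannot be walked safely
            result["suspicious"].append(f"record size {size_words} words at offset {off}")
            break
        if func == META_EOF:
            result["records"] += 1
            return result
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_func, _byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                result["suspicious"].append(f"SETABORTPROC escape at offset {off}")
        result["records"] += 1
        off += rec_len
    result["truncated"] = True                     # ran out of bytes before META_EOF
    return result


def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one record; all parameter blocks built here have even length."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _placeable(width: int = 100, height: int = 100, inch: int = 96) -> bytes:
    """Placeable header: key, handle, bounding box, dpi, reserved, XOR checksum."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, width, height, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum)


def build_sample(escape_function=None) -> bytes:
    """Constructed test fixture: a minimal disk metafile, optionally with one
    empty META_ESCAPE record (zero bytes of escape data, so no payload)."""
    records = [_record(META_SETMAPMODE, struct.pack("<H", 1))]   # MM_TEXT
    if escape_function is not None:
        records.append(_record(META_ESCAPE, struct.pack("<HH", escape_function, 0)))
    records.append(_record(META_EOF))
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return _placeable() + header + body


if __name__ == "__main__":
    for label, sample in (("benign", build_sample()),
                          ("setabortproc", build_sample(SETABORTPROC))):
        print(label, scan_wmf(sample))
```

Run it over a directory of files regardless of extension, since the briefing notes that the same content arrives by mail, IM and web; the structural check cares only about the record stream, so renamed files and randomised padding do not change the verdict.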


As you provide this information, you should also provide an action plan
for mitigating damage in the worst case scenario.  You should consider
the following action items in your plan.  Also consider that your
organization may have no internal infections, but that the rest of the
Internet is having problems.  Solicit input from your management on the
circumstances that would dictate each of the actions below.

1) Disconnect from the Internet.
2) Disconnect specific services from the Internet.  Talk with your
network/firewall admins and have them be prepared to shut off specific
services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of
disconnecting internal WAN pipes to minimize damage to other parts of
your organization.
4) Disconnect internal and/or external e-mail servers to prevent further
damage.
5) If you plan to perform any of the above actions, then you should also
plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins.  How are they
going to receive virus updates and virus removal tools to clean
workstations?

You should take this time to validate that you have good backups of your
e-mail servers.  If things go really badly, you may be restoring from
backup.  You should also make sure that everyone that could be involved
in the incident response has an updated contact list (cell phones,
pagers, home phones, etc.) for all of the appropriate operational
personnel.  Remember that some of these communication methods may fail
during a virus outbreak.  Finally, you should identify secondary
Internet access (maybe dial-up) to download virus updates, IDS/IPS
updates, or get latest news about the event.

In a virus outbreak/worm event, communication between the operational
folks and management is critical.  Make sure that there is a clear
understanding of when/how to shut off services and when/how to turn them
back on.  Communication to end-users is also critical and you may want
to start informing them now that the next 6-10 days could be very
difficult times.

You can find much more information about incident response plans at the
following sites:

http://www.intrusions.org/
http://www.sans.org/rr/whitepapers/incident/
http://www.cert.org/archive/pdf/csirt-handbook.pdf
