Difference between revisions of "I've Been Hacked-What Now"

From OWASP

Revision as of 09:56, 21 November 2008

My server has been hacked...what do I do now?

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.


Identification

Basic principles:

  • Incident identification/notification may come from a number of information sources (events):
    • Staff reporting unusual activity
    • Staff, clients or the public reporting a problem
    • Technical teams/support discovering evidence of an incident on systems
    • Alerts from IDS, security monitoring systems, anti-virus software, firewalls or WAFs
  • Roles:
    • A security incident owner must be assigned.
    • A point of contact must be available to respond to incidents at all times.
    • The security incident owner must track the security incident through to remediation and resolution.


  • Examples of an incident:
    • Virus/malware infection
    • Unauthorized system changes
    • Unauthorized application/web site changes
    • Unauthorized disclosure of client information or information leakage
    • Theft or loss of company information/assets
  • Examples of an event:
    • Reports from intrusion detection system/WAF/Firewall or log scraping system
    • Reports from vulnerability scanning/traffic monitoring/performance monitoring

Assessment

Incident severity:

Risk Rating

  • Low:
    • Events that cannot be 100% identified as attacks and have no effect on operations
    • False activation of intrusion detection systems, WAF alerts, etc.
    • Non-repeated scans or probing from an external uncontrolled network
  • Medium:
    • Incidents that have no negative impact on operations: incidents identified, but unsuccessful, as an attempt to actively breach information security controls from an external or internal standpoint
    • Repeated active probing or parameter manipulation from an external or internal source
    • Malware/rogue code/virus that has been successfully contained or removed
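The Low/Medium criteria above can be applied mechanically to the alerts that feed incident identification (IDS, WAF, firewall and log-scraping reports). The script below is an added example, not part of the original page, that groups constructed sample alerts by source address and rates each source with the page's rules: a single, non-repeated probe from an external network is Low; repeated probing, any parameter manipulation, or contained malware is Medium. The page defines no rating for an attempt that actually got past a control, so such sources are returned as "Manual" for the incident owner to assess. The event format, the internal network ranges and the sample data are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed "controlled" (internal) address ranges; adjust to your own network.
# Note: ipaddress.is_private also flags the documentation ranges used below
# (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), so an explicit list is used.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample alerts (not real data). 'kind' is the normalised alert
# type from IDS/WAF/AV: probe (scan/probing), param (parameter manipulation),
# malware (AV detection). 'blocked' records whether the control held.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "kind": "probe", "blocked": True},
    {"src": "198.51.100.9", "kind": "probe", "blocked": True},
    {"src": "198.51.100.9", "kind": "probe", "blocked": True},
    {"src": "198.51.100.9", "kind": "param", "blocked": True},
    {"src": "10.0.0.5", "kind": "param", "blocked": True},
    {"src": "10.0.0.5", "kind": "param", "blocked": True},
    {"src": "10.0.0.8", "kind": "malware", "blocked": True},
    {"src": "192.0.2.4", "kind": "probe", "blocked": False},
]


def is_external(src):
    """True if the source address lies outside the controlled networks."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def rate_source(events):
    """Rate all events from one source using the page's Low/Medium criteria.

    Returns 'Low', 'Medium', or 'Manual' when no rating on the page applies.
    """
    src = events[0]["src"]
    # A control that was bypassed is outside the Low/Medium definitions.
    if any(not e["blocked"] for e in events):
        return "Manual"
    kinds = [e["kind"] for e in events]
    # Medium: malware that has been contained or removed.
    if "malware" in kinds:
        return "Medium"
    # Medium: repeated probing or parameter manipulation, internal or external.
    if "param" in kinds or kinds.count("probe") >= 2:
        return "Medium"
    # Low: a single, non-repeated probe from an external uncontrolled network.
    if kinds == ["probe"] and is_external(src):
        return "Low"
    return "Manual"


def triage(events):
    """Group alerts by source and return {source: rating}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return {src: rate_source(evs) for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, rating in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{src:15} {rating}")
```

Grouping by source before rating is what turns a list of individual alerts into the "repeated" versus "non-repeated" distinction the rating depends on; rating each alert on its own would classify every probe as Low.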

Containment

Evidence Collection

Forensic Analysis

Investigation

Incident Follow-up

Lessons Learned

Event Correlation and Aggregation (Streamlining)