Our enterprise customers depend on us to help them lower their security risk by implementing solid security policies, procedures, and technology. However, even with thorough security practices, malware infections still occur. For that reason, VARs, consultants, system integrators, and other organizations that provide security services need to consider setting up an effective malware incident response team to handle infectious outbreaks on customer network systems.
Bots and spyware, along with traditional viruses and worms, have caused tremendous harm to networks around the world. With botnet armies stretching to hundreds of thousands or millions of machines, and spyware infecting a massive number of Internet-connected computers, enterprises are rightfully concerned about their systems being compromised with malware. To minimize future damage from fast-moving malware, we need to have effective malware incident response teams ready to go. These four steps will get you started:
- Plan around-the-clock incident handling capabilities. Regardless of your organization's size, have at least one member of your IT or security staff, who is well versed in handling bots, worms, and viruses, available 24x7x365 via pager. So that one person isn't burdened all of the time, rotate the pager between individuals on a regular schedule.
- Distribute the incident-response pager number to your help desk and network management personnel. Publish a list of suspicious events that should trigger a call to the handler, such as an unexpected spike in network traffic, numerous intrusion detection (IDS) events, or a rash of virus alerts.
- Work with the enterprise network management team to create a list of routers, firewalls, and network-based Intrusion Prevention Systems distributed throughout your network that can act as choke points to arrest the spread of a self-replicating malware. In developing your list, pay special attention to Internet gateways, extranet connections and internal routers segmenting important business units. Depending on the enterprise's size, your list of choke points might include five, 10 or even 50 network gateways.
- For your various choke points, create sample filter rules that can be deployed in times of crisis to block worm-related traffic. Because we don't know which protocols tomorrow's nasty bots and worms will use, define a set of rules for blocking various individual protocols, especially ICMP, TCP and UDP. Write filter rules for each vendor product you plan to use as a choke point. By keeping these sample rules ready to roll, you'll be able to quickly tweak them to the specific characteristics of malware and deploy them early during an incident.
No security strategy can make you completely impervious to attack. Yet, by preparing your incident-response team in advance, you'll have far greater success in weathering the next major malware storm.
About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.
The original version of this tip appeared on SearchSecurityChannel.com sister site SearchSecurity.com.