Tip

Malware incident-response team creation strategies for the channel

Our enterprise customers depend on us to help them lower their security risk by implementing solid security policies, procedures, and technology. However, even with thorough security practices, malware infections still occur. For that reason, VARs, consultants, system integrators, and other organizations that provide security services need to consider setting up an effective malware incident response team to handle infectious outbreaks on customer network systems.

    Requires Free Membership to View

Bots and spyware, along with traditional viruses and worms, have caused tremendous harm to networks around the world. With botnet armies stretching to hundreds of thousands or millions of machines, and spyware infecting a massive number of Internet-connected computers, enterprises are rightfully concerned about their systems being compromised with malware. To minimize future damage from fast-moving malware, we need to have effective malware incident response teams ready to go. These four steps will get you started:

  1. Plan around-the-clock incident handling capabilities. Regardless of your organization's size, have at least one member of your IT or security staff, who is well versed in handling bots, worms, and viruses, available 24x7x365 via pager. So that one person isn't burdened all of the time, rotate the pager between individuals on a regular schedule.

  2. Distribute the incident-response pager number to your help desk and network management personnel. Publish a list of suspicious events that should trigger a call to the handler, such as an unexpected spike in network traffic, numerous intrusion detection (IDS) events, or a rash of virus alerts.

  3. Work with the enterprise network management team to create a list of routers, firewalls, and network-based Intrusion Prevention Systems distributed throughout your network that can act as choke points to arrest the spread of a self-replicating malware. In developing your list, pay special attention to Internet gateways, extranet connections and internal routers segmenting important business units. Depending on the enterprise's size, your list of choke points might include five, 10 or even 50 network gateways.

  4. For your various choke points, create sample filter rules that can be deployed in times of crisis to block worm-related traffic. Because we don't know which protocols tomorrow's nasty bots and worms will use, define a set of rules for blocking various individual protocols, especially ICMP, TCP and UDP. Write filter rules for each vendor product you plan to use as a choke point. By keeping these sample rules ready to roll, you'll be able to quickly tweak them to the specific characteristics of malware and deploy them early during an incident.

No security strategy can make you completely impervious to attack. Yet, by preparing your incident-response team in advance, you'll have far greater success in weathering the next major malware storm.

About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

The original version of this tip appeared on SearchSecurityChannel.com sister site SearchSecurity.com.


This was first published in March 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.