
Abnormal and Suspicious Activity

The key to identifying incidents is to identify any abnormal or suspicious activity. Hopefully, any suspicious activity will also be abnormal. The only way to identify abnormal behavior is to know what normal behavior looks like. Every system is different. Although you can detect many attacks by their characteristic signatures, experienced attackers know how to "fly under the radar." You must be very aware of how your system operates normally. Abnormal or suspicious activity is any system activity that does not normally occur on your system.

An attacker with a high level of skill generally has little obvious impact on your system. The impact will be there, but it might take substantial skill to detect it. It is not uncommon for experienced attackers to replace common operating system monitoring utilities with copies that do not report system activity correctly. Even though you may suspect that an incident is in progress and you investigate, you may see no unusual activity. In this case, the activity exists but has been hidden from the casual administrator. Always use multiple sources of data when investigating an incident, and verify the monitoring tools themselves against a known-good reference rather than trusting their output alone. Be suspicious of anything that does not make sense. Ensure that you can clearly explain any activity you see that is not normal for your system. If it just does not "feel" right, it could be the only clue you have to successfully intervene in an ongoing incident.

Confiscating Equipment, Software, and Data

Once you determine that an incident has occurred, the next step is to choose a course of action. Your security policy should specify steps to take for various types of incidents. Always proceed with the assumption that an incident will end up in a court of law. Treat any evidence you collect as if it must pass admissibility standards. Once you taint evidence, there is no going back. You must ensure that the chain of custody (also called the chain of evidence) is maintained.

It is common to confiscate equipment, software, or data to perform a proper investigation. The manner in which the evidence is confiscated is important. Confiscation of evidence must be carried out in a proper fashion. There are three basic alternatives.

First, the person who owns the evidence could voluntarily surrender it. This method is generally only appropriate when the attacker is not the owner. Few guilty parties willingly surrender evidence they know will incriminate them. Less-experienced attackers may believe they have successfully covered their tracks and voluntarily surrender important evidence. A good forensic investigator can extract much "covered up" information from a computer. In most cases, asking for evidence from a suspected attacker just alerts the suspect that you are close to taking legal action.

Second, you could get a court to issue a subpoena, or court order, that compels an individual or organization to surrender evidence, and have the subpoena served by law enforcement. Again, this course of action provides sufficient notice for someone to alter the evidence and render it useless in court.

The last option is a search warrant. This option should be used only when you must have access to evidence without tipping off the evidence's owner or other personnel. You must have a strong suspicion with credible reasoning to convince a judge to pursue this course of action.

The three alternatives apply to confiscating equipment both inside and outside an organization, but there is another step you can take to ensure that the confiscation of equipment that belongs to your organization is carried out properly. It is becoming more common to have all new employees sign an agreement that provides consent to search and seize any necessary evidence during an investigation. In this manner, consent is provided as a term of the employment agreement. This makes confiscation much easier and reduces the chances of a loss of evidence while waiting for legal permission to seize it. Make sure your security policy addresses this important topic.

Incident Data Integrity and Retention

No matter how persuasive evidence may be, it can be thrown out of court if you change it during the evidence collection process. Make sure you can prove that you maintained the integrity of all evidence. Chapter 17, "Law and Investigations," includes more information on evidence rules.

But what about the integrity of data before it is collected? You may not detect all incidents as they are happening. Sometimes an investigation reveals that there were previous incidents that went undetected. It is discouraging to follow a trail of evidence and find that a key log file that could point back to an attacker has been purged. Carefully consider the fate of log files or other possible evidence locations. A simple archiving policy can help ensure that key evidence is available upon demand no matter how long ago the incident occurred.

Because many log files can contain valuable evidence, attackers often attempt to sanitize them after a successful attack. Take steps to protect the integrity of log files and to deter their modification. One technique is to implement remote logging. Although not a perfect solution, it does provide some protection from post-incident log file cleansing: an attacker who has taken over a host can edit or purge the local copy, but cannot easily reach the copy already shipped to a separate log host.

Another important forensic technique is to preserve the original evidence. Remember that the very conduct of your investigation may alter the evidence you are evaluating. Therefore, it's always best to work with a copy of the actual evidence whenever possible. For example, when conducting an investigation into the contents of a hard drive, make a bit-for-bit image of that drive, record a cryptographic hash of both the original and the image so you can later prove they match, seal the original drive in an evidence bag, and then use the disk image for your investigation.

As with every aspect of security planning, there is no single solution.
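The two integrity checks these sections describe, as an added example that is not part of the original text: a known-good hash baseline for monitoring utilities (the point in "Abnormal and Suspicious Activity" about attackers replacing system tools) and a hash-chained log archive whose final hash is kept on the remote log host (the log-protection point just above). The paths, file contents and log lines are constructed sample data, and nothing is read from the real system.

```python
"""Integrity checks for incident handling (added example, not from the text).

1. A SHA-256 baseline of monitoring utilities taken from a known-good system,
   compared against the current copies, so a trojaned ps or netstat is caught
   by comparison instead of by trusting its own output.
2. A hash-chained log archive: every record commits to the previous record's
   hash, and the final ("head") hash is kept on the remote log host, so an
   edited, purged or truncated log no longer verifies.

All paths, file contents and log lines are constructed sample data; nothing
is read from the real system.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- 1. known-good baseline of monitoring utilities ----------------------
# Constructed stand-ins for binary contents on a clean reference system.
KNOWN_GOOD = {
    "/bin/ps": b"ps 3.3 genuine",
    "/bin/netstat": b"netstat 2.10 genuine",
    "/usr/bin/ls": b"ls 9.1 genuine",
}
# Constructed snapshot of a compromised host: ps replaced, a dropper added.
COMPROMISED = {
    "/bin/ps": b"ps 3.3 trojaned: hides pid 4242",
    "/bin/netstat": b"netstat 2.10 genuine",
    "/usr/bin/ls": b"ls 9.1 genuine",
    "/tmp/.x/sshd": b"dropper",
}


def build_baseline(files):
    """Map path -> SHA-256 hex digest; store this off-host, not on the system."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline, current):
    """Return (modified, missing, new) as sorted path lists."""
    modified = sorted(p for p in baseline
                      if p in current and sha256_hex(current[p]) != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return modified, missing, new


# ---- 2. hash-chained log archive -----------------------------------------
GENESIS = "0" * 64  # prev-hash of the first record

LOG_LINES = [  # constructed sample log lines
    "Mar 12 02:14:03 web1 sshd[2201]: Accepted password for svc from 10.0.5.17",
    "Mar 12 02:14:09 web1 sudo: svc : TTY=pts/0 ; COMMAND=/bin/bash",
    "Mar 12 02:15:41 web1 kernel: audit: new module loaded: netfilter_xt",
    "Mar 12 02:16:02 web1 sshd[2230]: Accepted publickey for svc from 10.0.5.17",
    "Mar 12 02:16:55 web1 cron[311]: (root) CMD (/tmp/.x/sshd)",
]


def record_hash(seq, prev, line):
    return sha256_hex(f"{seq}|{prev}|{line}".encode())


def chain_logs(lines):
    """Archive lines as records whose hash covers seq, previous hash and text."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        digest = record_hash(seq, prev, line)
        records.append({"seq": seq, "prev": prev, "line": line, "hash": digest})
        prev = digest
    return records


def verify_chain(records, expected_head):
    """Return (True, None) if intact, else (False, index of first bad record).

    expected_head is the last hash as recorded on the remote log host. An
    attacker who can also rewrite that value defeats the check, which is why
    the head must live somewhere the compromised host cannot write.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i          # reordered or purged record
        if record_hash(i, prev, rec["line"]) != rec["hash"]:
            return False, i          # edited record
        prev = rec["hash"]
    if prev != expected_head:
        return False, len(records)   # truncated or re-chained tail
    return True, None


def tamper_edit(records, seq, new_line):
    """Copy of records with one line rewritten (stored hash left as-is)."""
    return [dict(r, line=new_line) if r["seq"] == seq else dict(r) for r in records]


def tamper_purge(records, seq):
    """Copy of records with one record removed."""
    return [dict(r) for r in records if r["seq"] != seq]


if __name__ == "__main__":
    print(compare_to_baseline(build_baseline(KNOWN_GOOD), COMPROMISED))
    recs = chain_logs(LOG_LINES)
    head = recs[-1]["hash"]
    print(verify_chain(recs, head), verify_chain(tamper_purge(recs, 2), head))
```

The baseline comparison flags /bin/ps as modified and /tmp/.x/sshd as new, which is what a trojaned monitoring tool and its payload look like when you stop trusting the tool's own output. In the log chain, editing, removing or reordering a record fails at that record's index, and cutting the tail fails at the head comparison; the design only holds if the baseline hashes and the head hash are stored where the compromised host cannot overwrite them, which is the same reasoning behind remote logging.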
Get familiar with your system and take the steps that make the most sense for your organization to protect it.

Reporting Incidents

When should you report an incident? To whom should you report it? These questions are often difficult to answer. Your security policy should contain guidelines on answering both questions.

There is a fundamental problem with reporting incidents. If you report every incident, you run the very real risk of being viewed as a noisemaker. When you have a serious incident, you may be ignored. Also, reporting an unimportant incident could give the impression that your organization is more vulnerable than is the case. This can have a serious detrimental effect for organizations that must maintain strict security. For example, hearing about daily incidents from your bank would probably not instill additional confidence in their security practices.

On the other hand, escalation and legal action become more difficult if you do not report an incident soon after discovery. If you delay notifying authorities of a serious incident, you will probably have to answer questions about your motivation for delaying. Even an innocent person could look as if they were trying to hide something by not reporting an incident in a timely manner.

As with most security topics, the answer is not an easy one. In fact, you are compelled by law or regulation to report some incidents. If your organization is regulated by a government