The Solution for Security Uncertainty
Reality
The reality is that we will never know when we are going to be hacked, nor be able to eliminate all possible risks to a system, network or application. Dealing with this uncertainty can only be done by having a robust incident response strategy.
It happened, you got hacked! What now? Just like in real life, no matter how much you exercise or how healthily you eat, you will get sick. When you get sick, you have a recovery plan that gives you access to doctors and nurses to bring you back to normal. The same concept applies to the cyber world: the risk is always there, but having a good plan provides the necessary steps for a fast recovery after an attack. The plan that spells out what to do in case of an attack is called an “Incident Response Plan” in the commercial and government sectors.
Incident vs. Event
During an attack, two statuses determine whether something is out of the ordinary. You need to understand the difference to know when to activate your incident response plan.
- Event – Anything that is logged on the network, host or security appliance. Example: a new system logs in to your home network.
- Incident – Any event that has been proven to have malicious intent or has caused a negative outcome. Example: the system that logged in to your home network doesn’t belong to anyone in the house.
Incident Response (IR)
The incident response plan is not only for businesses; you can also create one for you and your family. The plan lays out the steps to identify an incident, what to do while it is happening and how to return to normal. The SANS Institute divides IR into six steps:
- Preparation – Define, analyze and identify what needs protection
- Identification – Is this an incident?
- Containment – Limit damage, stop from spreading
- Eradication – Clean it
- Recovery – Back to normal
- Lessons Learned – How to prevent it from happening again
For a home IR plan, we can condense them into three time periods:
- Before the Incident
- During the Incident
- After the Incident
Before the Incident
Before the incident comes the most crucial step in the IR plan: Preparation. In this step you Define what information is important to you and Analyze the possible flow of that data and where it is stored. The next step is to Identify: pinpoint the actual locations of the most sensitive data, list all devices in your home network, and categorize what is normal. Logically, not all the systems in the house have the same level of importance.
If you don’t take the time to identify and define each system’s level of importance, you will waste precious time during an incident, for example by attending to the internet-connected thermostat instead of removing the hard drive containing all your financial and private information from the network.
Preparation Steps
Define – Here you need to identify which data, if stolen, deleted or corrupted, would be detrimental to your privacy or financial stability. Here are some questions that can help you in this step:
- What type of information could be in my systems? What is its level of importance?
  - Bank Statements (High / Medium / Low)
  - Family Pictures (High / Medium / Low)
  - IRS Forms (High / Medium / Low)
  - School Work (High / Medium / Low)
  - Business Documents (High / Medium / Low)
  - _____________ (High / Medium / Low)
- What data or systems are important to me? Why?
After defining what is important to you, analyze where the data moves:
- Is the sensitive data required to be accessible from outside my home network?
- Can this data be stored in a removable storage device?
“To see an anomaly, you first need to understand what is normal.”
To recognize that something is wrong in your home network, you first need to identify what is normal in that network. In the next step, identify the devices on the network. Here are some questions to help you:
- How many systems do I have connecting to my home network?
- Which of those systems handle and store private data (IRS forms, bank documents, etc.) and account access (email, web pages, etc.)?
- Which of those systems are IoT devices and the kids’ systems?
Tools
There are different tools available to identify devices connected to your home network. Most Wi-Fi routers have a mobile or web-based application that lists these devices. Below are examples of tools that can be used to analyze and monitor your network:
- CUJO – Hardware
- FING – Mobile Application
Last Step
The last step is to document all this information by writing it down on paper. You might ask why on paper when we have computers? “Just think about it,” and I am sure you will answer that question yourself. You will use the gathered information to identify abnormal events, the order in which systems get attention, and what “back to normal” looks like. Lastly, the most critical piece of information to add to the plan is the contact information of a friend who works in IT.
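As an added example, not from the original post, here is a small Python check that turns the written-down inventory into a baseline and compares a device listing against it: unknown devices become events to investigate, and known systems are ordered by the importance you assigned. The MAC addresses, device names, ratings and the `arp -a` style scan output are all constructed for illustration.

```python
import re

# Constructed baseline inventory: the "what is normal" list written down
# during Preparation. MAC addresses, names and ratings are made up here.
BASELINE = {
    "aa:bb:cc:00:00:01": {"name": "family-pc", "owner": "parents",
                          "importance": "High", "data": "bank statements, IRS forms"},
    "aa:bb:cc:00:00:02": {"name": "kids-tablet", "owner": "kids",
                          "importance": "Medium", "data": "school work"},
    "aa:bb:cc:00:00:03": {"name": "thermostat", "owner": "house",
                          "importance": "Low", "data": "none (IoT)"},
}

# Constructed sample of an `arp -a` style device listing taken today.
CURRENT_SCAN = """\
? (192.168.1.10) at aa:bb:cc:00:00:01 [ether] on wlan0
? (192.168.1.11) at aa:bb:cc:00:00:02 [ether] on wlan0
? (192.168.1.12) at aa:bb:cc:00:00:03 [ether] on wlan0
? (192.168.1.77) at de:ad:be:ef:00:99 [ether] on wlan0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)
PRIORITY = {"High": 0, "Medium": 1, "Low": 2}


def parse_scan(text):
    """Return {mac: ip} for every device line in the arp-style listing."""
    return {m.group("mac").lower(): m.group("ip") for m in ARP_LINE.finditer(text)}


def find_events(scan, baseline=BASELINE):
    """Any device missing from the baseline is an event to investigate: it may
    be a system that belongs to nobody in the house (the page's incident case)."""
    return sorted((ip, mac) for mac, ip in scan.items() if mac not in baseline)


def attention_order(baseline=BASELINE):
    """Known systems ordered by importance, so High-value ones are handled first
    during an incident (the financial hard drive before the thermostat)."""
    ranked = sorted(baseline.values(), key=lambda d: PRIORITY[d["importance"]])
    return [d["name"] for d in ranked]


if __name__ == "__main__":
    scan = parse_scan(CURRENT_SCAN)
    for ip, mac in find_events(scan):
        print(f"EVENT: unknown device {mac} at {ip}; confirm who it belongs to")
    print("Attention order during an incident:", attention_order())
```

Whether an unknown device is merely an event or a real incident is still your call, as the post explains: the script only tells you something new appeared and which systems to look at first.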
Next Posting – Part 2
In the next article, we will continue with the next period of the incident response timeline, “During the Incident”. I will show you the different attacks, the steps to identify an incident, and how to contain and eradicate an attacker from your network.