Tips on responding helpfully to a cybercrime incident

Your network is suddenly slow. You suspect your system is being scanned. Now what?

Successfully responding to an incident requires that you know where to begin, are able to clearly evaluate the situation, can gather information and evidence properly and in the correct order, and know when to request outside assistance, according to Peter Hillier, senior consultant with CGI.

When an incident – an anomaly that violates an organization’s security policy – occurs, responding in a timely fashion by marshalling appropriate resources is not something to be taken lightly, Hillier stresses. “People involved in responding to incidents need to be educated in the basic procedures of incident response. It is very difficult to do 24 and 7. It is still very difficult to find trained resources to analyze network traffic from a security standpoint.”

As a member of CGI’s 65-person Information Security Centre of Excellence (COE) in Ottawa, Hillier is involved with managed security service offerings that include intrusion detection and firewall deployment and operations, anti-virus, content filtering, authentication, and technology threat and vulnerability monitoring and reporting. A Certified Information Systems Security Professional, Hillier is also the founder and current president of the Ottawa chapter of the High Technology Crime Investigation Association.

Hillier uses the words respond, react and recover as acronyms for the actions to be taken in the event of a real or suspected cybercrime incident. To respond:

Request information;

Evaluate the situation;

Stop the ‘attack’ and secure the ‘crime scene’;

Preserve evidence;

Organize forensic examination;

Note findings;

Determine cause(s).
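The “preserve evidence” step is where most of the technical discipline lives: volatile state is captured first, and every item is hashed and logged as it is taken so a later examiner can show it was not altered. The Python script below is an added example written for this page, not code from the article or from CGI. The artifact names, the volatility ranking (memory and live state before disk, disk before remote logs, following the RFC 3227 order of volatility) and the sample contents are assumptions for illustration; the hash-and-manifest routine is one common way to document a collection, not Hillier’s stated procedure.

```python
"""Preserve evidence in order of volatility with a hashed chain-of-custody manifest.

Added example for this page, not code from the article or from CGI.
The artifact names, the volatility ranking and the sample contents are
assumptions for illustration; on a live host the contents would be the
real captures (memory image, process list, connections, disk image)
written to separate media by the designated evidence handler.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed ranking: lower number is more volatile and is captured first
# (memory and live state before disk, disk before remote logs, per the
# RFC 3227 order of volatility).
VOLATILITY = {
    "memory": 0,
    "process_list": 1,
    "network_connections": 1,
    "routing_table": 2,
    "temp_files": 3,
    "disk_image": 4,
    "remote_logs": 5,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def collect_artifacts(artifacts, collector, case_id, collected_at=None):
    """Return a manifest listing each artifact in capture order with its
    size, SHA-256, time, collector and sequence number. Unknown artifact
    names sort last (least volatile) so nothing is silently dropped."""
    stamp = collected_at or datetime.now(timezone.utc).isoformat()
    ordered = sorted(artifacts.items(), key=lambda kv: (VOLATILITY.get(kv[0], 99), kv[0]))
    manifest = []
    for seq, (name, data) in enumerate(ordered, start=1):
        manifest.append({
            "case": case_id,
            "seq": seq,
            "artifact": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_at": stamp,
            "collected_by": collector,
        })
    return manifest


def manifest_digest(manifest):
    """Hash of the canonical JSON form of the manifest, to be recorded
    (and ideally signed) separately so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_artifacts(manifest, artifacts):
    """Names of artifacts that are missing or whose content no longer matches
    the recorded hash; an empty list means the evidence set is intact."""
    bad = []
    for entry in manifest:
        data = artifacts.get(entry["artifact"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(entry["artifact"])
    return bad


# Constructed sample artifacts (stand-ins, not real captures).
SAMPLE_ARTIFACTS = {
    "disk_image": b"\x00" * 64,
    "process_list": b"PID  CMD\n 412 sshd\n 977 httpd\n",
    "memory": b"\x7fELF" + b"\x00" * 60,
    "network_connections": b"tcp 10.0.0.5:22 <- 203.0.113.7:51422 ESTABLISHED\n",
}

if __name__ == "__main__":
    manifest = collect_artifacts(SAMPLE_ARTIFACTS, "evidence.handler", "IR-2003-001")
    print(json.dumps(manifest, indent=2))
    print("manifest seal:", manifest_digest(manifest))
    print("mismatched:", verify_artifacts(manifest, SAMPLE_ARTIFACTS))
```

The manifest digest is what you write down (or sign) at collection time; re-running `verify_artifacts` against the stored copies later shows whether any item changed, and the sequence numbers record that the volatile items really were taken before the machine was touched further.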

Hillier highlights how to react when you are (or think you are) being attacked:

Review policy and procedures;

Evaluate the situation;

Avoid panic;

Collect information;

Take appropriate action.

Avoiding panic includes not trashing the ‘crime scene’, he advises. Unless otherwise directed by the incident response team, don’t, for example, log in and poke around, or let other people do the same. Don’t run attack probes to determine whether your site is vulnerable to some particular attack. Don’t halt the machine via an unapproved or abnormal procedure. Don’t engage the attacker, and don’t probe the involved networks.
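“Collect information” without engaging the attacker means working from the records you already hold. The script below is an added example written for this page, not code from the article or from CGI: it parses constructed firewall DROP lines in a simplified iptables-like format (an assumed format and constructed data, not a real capture) and flags any source that hit many distinct destination ports inside a short window, which is the signature of the scan the opening paragraph describes. The port threshold and the window length are assumed tuning values, and the slow-scan case in the sample shows how a narrow window misses them.

```python
"""Triage a suspected port scan from the firewall log you already have.

Added example for this page, not code from the article or from CGI.
The log format (a simplified iptables-style DROP line), the sample
lines and the threshold/window values are all assumptions chosen for
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format:
# "<iso-timestamp> <host> kernel: DROP IN=<if> SRC=<ip> DST=<ip> PROTO=<p> SPT=<n> DPT=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*? DROP .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a DROP line, or None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]),
    }


def find_scanners(lines, min_ports=10, window_seconds=60):
    """Flag sources that touched at least min_ports distinct destination
    ports within any span of window_seconds. A sliding window runs over the
    time-sorted events of each source, so a slow scan spread over hours is
    only caught if window_seconds is widened accordingly."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        best_ports, best_span = set(), None
        for hi in range(len(evs)):
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            ports = {e["dpt"] for e in evs[lo:hi + 1]}
            if len(ports) > len(best_ports):
                best_ports, best_span = ports, (evs[lo]["ts"], evs[hi]["ts"])
        if len(best_ports) >= min_ports:
            flagged[src] = {
                "distinct_ports": len(best_ports),
                "ports": sorted(best_ports),
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
                "targets": sorted({e["dst"] for e in evs}),
            }
    return flagged


def _drop_line(ts, src, dst, dpt):
    return f"{ts.isoformat()} fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT=51422 DPT={dpt}"


def build_sample_log():
    """Constructed log lines (not a real capture): one fast scanner, one slow
    scanner, one benign web client and one unparseable line."""
    base = datetime(2003, 6, 22, 10, 15, 0)
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines = []
    # fast scan: 12 ports in 12 seconds
    lines += [_drop_line(base + timedelta(seconds=i), "203.0.113.7", "10.0.0.5", p)
              for i, p in enumerate(ports)]
    # slow scan: the same 12 ports, one every three minutes
    lines += [_drop_line(base + timedelta(minutes=3 * i), "198.51.100.23", "10.0.0.5", p)
              for i, p in enumerate(ports)]
    # benign: a client retrying 80/443 a few times
    lines += [_drop_line(base + timedelta(seconds=7 * i), "198.51.100.9", "10.0.0.5", 443 if i % 2 else 80)
              for i in range(5)]
    lines.append("Jun 22 10:15:30 fw kernel: not a drop record")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Run against the sample, the default 60-second window flags only the fast scanner; widening `window_seconds` to an hour also catches the slow one, which is the trade-off to weigh when tuning this kind of rule. The output gives the team the source, the targets and the time span to put in the incident record, without sending a single packet back toward the source.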

To recover from an attack or suspected attack:

Raise security expectations;

Evaluate current security posture;

Create implementation plan;

Order the implementation to be done;

Validate the implementation;

Expect the unexpected;

RECOVER on a regular basis.

Having such a strategy “is no longer just a line item in a project plan,” Hillier claims. “People’s whole businesses are out there on the Internet now and the total loss of your capability is at stake here.

“You would be absolutely amazed at how many (companies) actually do it,” he adds. “That’s the issue. They might be using all the right tools – firewalls, intrusion detection, both network and host-based, but rarely do they have this process in place. As a matter of fact, I haven’t seen it yet in an engagement that we’ve been involved in.

“A lot of people are treating security solutions and security operations in the same manner as an add-on to network operations,” he continues. “So if someone is doing firewall management, for example, they are reporting monthly to their client with statistics on what hit the firewall.” But they don’t reveal, for example, where it came from, what the impact was, how to stop it, or what countermeasures are in place. “This is the kind of stuff that we’re worried about for our clients – and some of those are financial institutions.”

He recommends that companies which can’t afford, or choose not to pursue, a 24/7 incident response capability have at their disposal an incident response team that includes a director, a lead investigator, forensic technician(s), response handlers, evidence handlers and a legal advisor. It may be “double hatting” sometimes, he adds, but “when there is an event of some importance, these people have to be able to get together.”

What if your company does not have incident response policies and procedures? Hillier recommends you notify senior management, form an ad hoc incident response team, follow the REACT procedures, and get external help from experts.

He cites several sources for help in responding to an incident in addition to CGI’s Computer Incident Response Team, the police and provincial or federal governments: the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP), a civilian organization operating within the Department of National Defence; the Computer Emergency Response Team Coordination Center (CERT/CC), a centre of Internet security expertise at the Software Engineering Institute, a U.S. federally funded research and development centre operated by Carnegie Mellon University in Pittsburgh, Penn.; the SANS (SysAdmin, Audit, Network, Security) Institute, based in Bethesda, MD, and established in 1989 as a cooperative research and education organization; and CanCERT, operated 24/7 since 1998 by EWA-Canada Ltd. to collect and disseminate information related to networked computer threats, vulnerabilities, incidents and incident response.

Hillier will be presenting these points in more detail at the 13th World Conference on Disaster Management, June 22-25, 2003 at the International Plaza Hotel, Toronto. 1-800-668-3656