Once a plan of action is created, it must be agreed upon and
actively implemented. Any aspect of the plan that is questioned
during an active implementation can result in poor response time
and downtime in the event of a breach. This is where practice
exercises become invaluable. Unless something is brought to
attention before the plan is actively set in production, the
implementation should be agreed upon by all directly connected
parties and executed with confidence.
If a breach is detected and the CERT team is present for quick
reaction, potential responses can vary. The team can decide to
disable the network connections, disconnect the affected systems,
patch the exploit, and then reconnect quickly without further,
potential complications. The team can also watch the perpetrators
and track their actions. The team could even redirect the
perpetrator to a honeypot — a system
or segment of a network containing intentionally false data —
used to track incursion safely and without disruption to production
resources.
Responding to an incident should also be accompanied by
information gathering whenever possible. Running processes, network
connections, files, directories, and more should be actively
audited in real-time. Having a snapshot of production resources for
comparison can be helpful in tracking rogue services or processes.
CERT members and in-house experts are great resources in tracking
such anomalies in a system. System administrators know what
processes should and should not appear when running top or ps. Network
administrators are aware of what normal network traffic should look
like when running snort or even tcpdump. These team members should know their
systems and should be able to spot an anomaly more quickly than
someone unfamiliar with the infrastructure.
