FYI...Preparing for Battle
Last Updated: 2006-01-04 20:40:11 UTC
Are you ready to battle a large virus/worm outbreak? Please don't view this as a prediction that there will be a large event, but let me just say that conditions are right for a big storm (the WMF issue and the return of the Sober worm). Regarding the WMF issue, you have probably decided either to wait for the official Microsoft patch or to roll out Ilfak's patch. But there are still about 6-10 days of risk here for a major worldwide event. So here are some recommendations for preparing for the battle. (This is primarily written for system and network admins...)
Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propagation vectors: e-mail, instant messaging, web surfing, etc.
4) Several different versions of the exploit are in the wild and are being actively used by criminal groups. All propagation methods are being used. As of Wednesday, Jan 4 20:15:00 UTC, our current poll indicates that 22% of respondents (340) have seen exploit attempts through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are publicly available. These tools may be used to evade anti-virus and IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that were infected outside of your network before allowing them to connect to your internal network?
As you provide this information, you should also provide an action plan for mitigating damage in the worst-case scenario. You should consider the following action items in your plan. Also consider that your organization may have no internal infections while the rest of the Internet is having problems. Solicit input from your management on the circumstances that would dictate each of the actions below.
1) Disconnect from the Internet.
2) Disconnect specific services from the Internet. Talk with your network/firewall admins and have them be prepared to shut off specific services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of disconnecting internal WAN pipes to minimize damage to other parts of your organization.
4) Disconnect internal and/or external e-mail servers to prevent further damage.
5) If you plan to perform any of the above actions, then you should also plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins. How are they going to receive virus updates and virus removal tools to clean workstations?
You should take this time to validate that you have good backups of your e-mail servers. If things go really badly, you may be restoring from backup. You should also make sure that everyone who could be involved in the incident response has an updated contact list (cell phones, pagers, home phones, etc.) for all of the appropriate operational personnel. Remember that some of these communication methods may fail during a virus outbreak. Finally, you should identify secondary Internet access (maybe dial-up) to download virus updates and IDS/IPS updates, or to get the latest news about the event. In a virus outbreak/worm event, communication between the operational folks and management is critical. Make sure that there is a clear understanding of when/how to shut off services and when/how to turn them back on. Communication to end-users is also critical, and you may want to start informing them now that the next 6-10 days could be very difficult times.
You can find much more information about incident response plans at the following sites:
http://www.intrusions.org/
http://www.sans.org/...apers/incident/
http://www.cert.org/...rt-handbook.pdf