Responding to Hacker Incidents

Hacker incidents require a somewhat different response than do virus incidents. Some hackers are highly skilled, employ sophisticated techniques, and will go to great lengths to avoid being detected.
To complicate matters further, a hacker can also be someone working for an organization (an insider) engaging in after-hours illegal activity, such as unauthorized access to sensitive information or perhaps password cracking. Whether they originate from the inside or outside, all hacker incidents need to be addressed as real threats to organizational computer systems.

Hacking incidents can be divided into three general categories:
✓ Those involving attempts to gain access to a system
✓ Active, or live, sessions on a system
✓ Events discovered after the fact 

Of the three, an active hacker session is the most severe and must be dealt with as soon as possible.

There are two basic methods for handling an active hacking incident. 

The first method is to quickly lock the hacker out of the system. 

• To do this, you must first identify the hacker’s point of entry into the system. 
• Here are some common entry points that hackers look for when seeking to gain a way in:
• Port access: It is common for Internet applications to be configured to listen on a predefined port for incoming connections. 
• Internet access: Hackers often write simple scripts that randomly generate and ping large groups of IP addresses, looking for computers or servers that respond.
•  Trojan horse:  they sit quietly on your Internet-connected computer system and generate open ports.

The second method is to allow the hacker to continue his or her attack while you attempt to collect potential information that could lead to identification and possible criminal conviction of the hacker. 

• One method for identifying the source of an attack(s) is by carefully examining system log files and active network connections. 
• Be sure to make copies of all audit trail information.
• Capture system process and status information in a separate file, and then store that file in a safe place. 
• Programs like Process Explorer, by Mark Russinovich are excellent for this task.