Reacting to cyber-intrusions: the technical, legal and ethical dilemmas
DOI: https://doi.org/10.1108/13590790410809095
Date: 01 April 2004
Published date: 01 April 2004
Pages: 163-167
Author: Richard E. Overill
Subject Matter: Accounting & finance
Reacting to Cyber-Intrusions: The Technical, Legal and Ethical Dimensions
Richard E. Overill
INTRODUCTION
The classical three-layer security paradigm of 'Protect, Detect, React' has traditionally been applied to the field of information assurance, with firewalls playing a major protective role while detection is handled mainly by intrusion detection systems. This somewhat simplified overview, however, leaves open two important questions: who or what should react, and how?
The potential range of options for reacting to cyber-intrusions has to date received substantially less critical attention than the protection from or the detection of cyber-intrusions. In many business situations, recovery processing, which includes recompiling code, relinking modules, reclaiming memory, restoring files, reconfiguring firewalls or network segments, and eventually resuming (a possibly reduced level of) business processing,[1] will naturally take priority over any form of reactive response.
However, in view of the introduction of automated response or 'active defence' capabilities into fielded systems during the past few years, this paper aims to address, highlight and critically evaluate the strategic issues that are associated with various types of reactive strategy. In particular, it is stressed that these issues must be viewed within the context of the portfolio of a particular organisation's mission statement, business continuity plan and information security policy.
The potential range of behaviours of these active defences raises at least three distinct kinds of issue for consideration:[2]
(1) technical possibilities: what behaviour is practically feasible;
(2) legal aspects: what behaviour falls within the appropriate legal framework;
(3) ethical considerations: what behaviour is acceptable in a particular cultural, social or business context.
This last category is especially influenced by an organisation's information security policy, business continuity plan and mission statement.
TECHNICAL POSSIBILITIES
In principle there exists a wide spectrum of potential responses that a reactive defence could make to a presumed intrusion. On a nominal graduated impact scale ranging from benign (0) to aggressive (9), these potential responses may be categorised within a schematic taxonomy as shown below:
(1) Notify the operator, system manager or network manager by means of a console alarm, pager, e-mail or text message (impact 0).
(2) Send a warning e-mail to the originator of the suspect process or connection (impact 1).
(3) Monitor and record suspect sessions or connections using system logs or raw network traffic data to provide forensic evidence or diagnostic material for any future investigation: the 'goldfish bowl' (impact 2).
(4) Lure the intruder into divulging identity information and other evidential material using a protective 'sandbox' or an enticing 'honeypot' as a decoy (impact 2).
(5) Discard a stream of suspicious inbound network packets (impact 3).
(6) Discard all outbound packets destined for the originator of the process or connection: the 'black hole' (impact 3).
(7) Terminate the suspect user process (impact 4).
(8) Disconnect the offending user connection (impact 4).
(9) Disable the affected user account (impact 5).
(10) Modify a router filter list to reject connection requests from the suspect IP source address (impact 5).
(11) Reconfigure a firewall to block requests for the particular IP service used by the suspected intruder (impact 5).
(12) Shut down the affected machine (impact 6).
(13) Disconnect the affected machine from the network (impact 6).
(14) Perform an interrogatory probe, port scan or sub-net mapping on the presumed source of the suspected intrusion (impact 7).
(15) Mount a denial-of-service (DoS) reprisal attack
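As an added illustration, not part of the paper, the taxonomy above is encoded below as a policy gate in Python: the organisation's information security policy sets the maximum impact an automated response may have, the detector's confidence that the activity really is an intrusion scales that ceiling, and responses that reach out to the presumed source are held back for human and legal review. The confidence scaling and the `external` flag are assumptions of this example, not the paper's; item 15 is omitted because its impact value is truncated in the excerpt.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    ident: int      # item number in the paper's taxonomy
    action: str
    impact: int     # nominal impact, benign (0) to aggressive (9)
    external: bool  # True when it reaches out to the presumed source's systems

# Items 1-14 of the taxonomy; item 15 is truncated in the excerpt and omitted.
TAXONOMY = (
    Response(1, "notify operator or system manager", 0, False),
    Response(2, "warning e-mail to originator", 1, True),
    Response(3, "monitor and record session (goldfish bowl)", 2, False),
    Response(4, "lure into sandbox or honeypot", 2, False),
    Response(5, "discard suspicious inbound packets", 3, False),
    Response(6, "discard outbound packets to originator (black hole)", 3, False),
    Response(7, "terminate suspect process", 4, False),
    Response(8, "disconnect offending connection", 4, False),
    Response(9, "disable affected account", 5, False),
    Response(10, "router filter rejects source IP", 5, False),
    Response(11, "firewall blocks the IP service used", 5, False),
    Response(12, "shut down affected machine", 6, False),
    Response(13, "disconnect affected machine from network", 6, False),
    Response(14, "probe, port-scan or map presumed source", 7, True),
)

def permitted(max_impact: int, confidence: float, allow_external: bool = False) -> list:
    """Responses an automated reactor may take for a presumed intrusion.
    Constructed rule (not from the paper): the policy ceiling is scaled by detector
    confidence, and responses touching external systems need explicit consent."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    ceiling = int(max_impact * confidence)
    return [r for r in TAXONOMY
            if r.impact <= ceiling and (allow_external or not r.external)]

def audit(auto_actions: list, max_impact: int) -> list:
    """Flag configured automatic responses that breach the policy ceiling."""
    by_id = {r.ident: r for r in TAXONOMY}
    findings = []
    for r in (by_id[i] for i in auto_actions):
        if r.impact > max_impact:
            findings.append(f"item {r.ident} ({r.action}): impact {r.impact} exceeds ceiling {max_impact}")
        elif r.external:
            findings.append(f"item {r.ident} ({r.action}): acts on external systems, needs legal sign-off")
    return findings
```

With a ceiling of 5 and full confidence, items 1 and 3 to 11 are permitted while the warning e-mail (item 2) is held back; at 50 per cent confidence only items 1, 3 and 4 remain.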
Journal of Financial Crime, Vol. 11, No. 2, 2003, pp. 163-167
© Henry Stewart Publications
ISSN 1359-0790