A.23 Chapter 22: Discovering a Break-In

  • Don't panic!

  • Plan ahead: have response plans designed and rehearsed.

  • Start a diary and/or script file as soon as you discover or suspect a break-in. Note and timestamp everything you discover and do. Sign these notes.

  • Run hardcopies of files showing changes and tracing activity. Initial and time-stamp these copies.

  • Prepare a forensic toolkit with trusted software on a bootable CD-ROM.

  • Run machine status-checking programs regularly to watch for unusual activity: ps, w, vmstat, etc.

  • If a break-in occurs, consider making a dump of the system to backup media before correcting anything.

  • If the break-in occurs over the network, contact the attacker's ISP by phone.

  • Carefully examine the system after a break-in. See the chapter for specifics; there is too much detail to list here. Specifically, be certain that you restore the system to a known, good state.

  • Carefully check backups and logs to determine if this is a single occurrence or is related to a set of incidents.

  • Trust nothing but hardcopy.
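The diary, the timestamped status snapshots (ps, w, vmstat) and the "initial and time-stamp every copy" advice above are easy to automate. The script below is an added example, not code from the book or its authors: it keeps an incident diary and periodic status snapshots as separate timestamped files and hash-chains them with SHA-256, which is the on-disk analogue of initialling hardcopies. The directory name, the file layout and the choice of SHA-256 are assumptions made here; the book only says to note, timestamp and sign what you find. It is POSIX sh and needs only sha256sum or shasum.

```shell
#!/bin/sh
# Added example (not from the book): an incident diary plus periodic status
# snapshots, every entry timestamped and hash-chained so that later tampering
# with the record is detectable. INCIDENT_DIR is an assumed layout.
INCIDENT_DIR="${INCIDENT_DIR:-./incident-$(date -u +%Y%m%d)}"
ZERO=0000000000000000000000000000000000000000000000000000000000000000

# Portable SHA-256 of stdin: sha256sum (GNU) or shasum (BSD/macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

timestamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Append one record to chain.txt: link = sha256(previous_link || sha256(file)).
# Editing any earlier file or line breaks every link after it.
chain_append() {   # $1 = file just written
    mkdir -p "$INCIDENT_DIR"
    chain="$INCIDENT_DIR/chain.txt"
    prev=$(tail -n 1 "$chain" 2>/dev/null | cut -d' ' -f1)
    [ -n "$prev" ] || prev=$ZERO
    cur=$(sha256 < "$1")
    link=$(printf '%s%s' "$prev" "$cur" | sha256)
    printf '%s %s %s\n' "$link" "$cur" "$1" >> "$chain"
}

# diary "what you observed or did": one timestamped, attributed note per file.
diary() {
    mkdir -p "$INCIDENT_DIR"
    entry=$(mktemp "$INCIDENT_DIR/diary-$(date -u +%Y%m%dT%H%M%SZ)-XXXXXX")
    printf '%s %s@%s: %s\n' "$(timestamp)" "$(id -un)" "$(uname -n)" "$*" > "$entry"
    chain_append "$entry"
}

# snapshot_status: capture the status-checking commands the book names.
# A missing or failing command is recorded rather than aborting the snapshot.
snapshot_status() {
    mkdir -p "$INCIDENT_DIR"
    out=$(mktemp "$INCIDENT_DIR/status-$(date -u +%Y%m%dT%H%M%SZ)-XXXXXX")
    {
        echo "# status snapshot $(timestamp) on $(uname -n)"
        for cmd in "ps -ef" "w" "vmstat"; do
            echo "## $cmd"
            if command -v "${cmd%% *}" >/dev/null 2>&1; then
                $cmd 2>&1 || echo "(exited with status $?)"
            else
                echo "(not available on this host)"
            fi
        done
    } > "$out"
    chain_append "$out"
}

# verify_chain: re-hash every file and re-derive every link; returns 1 on any
# mismatch or missing file, 0 if the whole record is intact.
verify_chain() {
    chain="$INCIDENT_DIR/chain.txt"
    prev=$ZERO
    status=0
    while read -r link cur file; do
        if [ -r "$file" ]; then actual=$(sha256 < "$file"); else actual=missing; fi
        expect=$(printf '%s%s' "$prev" "$cur" | sha256)
        if [ "$actual" != "$cur" ] || [ "$link" != "$expect" ]; then
            printf 'TAMPERED or missing: %s\n' "$file" >&2
            status=1
        fi
        prev=$link
    done < "$chain"
    return $status
}

# Usage: ./incident.sh note <text> | snapshot | verify
case "${1:-}" in
    note)     shift; diary "$@" ;;
    snapshot) snapshot_status ;;
    verify)   verify_chain ;;
esac
```

Run `snapshot` from cron or a loop while the incident is open, add a `note` for every observation and action, and keep `chain.txt` (or a printed copy of it) somewhere the compromised host cannot reach; `verify` then tells you whether the on-disk record still matches what you signed. The hash chain only detects tampering, it does not prevent it, which is why the book's advice to trust nothing but hardcopy still stands.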

    Part VI: Appendixes