Manage Learn to apply best practices and optimize your operations.

Keys to an effective virus incident-response team

How you recover from a malicious code attack depends on how quickly you respond. Learn how to coordinate a virus incident-response team to help minimize malware damage.

Over the past year, worms and viruses have caused tremendous harm to networks around the world. To minimize future damage from fast-moving malware, you need to prepare your incident-response team in advance.

  • Plan around-the-clock incident handling capabilities. Regardless of your organization's size, have at least one member of your IT or security staff, who is well versed in handling worms and viruses, available 24x7x365 via pager. So that one person isn't burdened all of the time, rotate the pager between individuals on a regular schedule.
  • Distribute the incident-response pager number to your help desk and network management personnel. Publish a list of suspicious events that should trigger a call to the handler, such as an unexpected spike in network traffic, numerous IDS events or a rash of virus alerts.
  • Work with your network management team to create a list of routers and firewalls distributed throughout your network that can act as choke points to arrest the spread of a worm. In developing your list, pay special attention to Internet gateways, extranet connections and internal routers segmenting important business units. Depending on your organization's size, your list of choke points might include five, 10 or even 50 network gateways.
  • For your various choke points, create sample filter rules that can be deployed in times of crisis to block worm-related traffic. Because we don't know which protocols tomorrow's nasty worms will use, define a set of rules for blocking various individual protocols, especially ICMP, TCP and UDP. Write filter rules for each vendor product you plan to use as a choke point. By keeping these sample rules ready to roll, you'll be able to quickly tweak them to the specific characteristics of a worm and deploy them early during an incident.

No security strategy can make you completely impervious to attack. Yet, by preparing your incident response team in advance, you'll have far greater success in weathering the next major worm and virus storm.

About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.

  • Our sister publication, Information Security magazine, has a feature titled Are you prepared? that offers a business blueprint for an effective incident management program.
  • Also take a look at this Incident Response Matrix from Information Security.
  • SearchSecurity Featured Topic: Incident response

This was last published in January 2004

Dig Deeper on Malware, virus, Trojan and spyware protection and removal