I'd like to step into the post-intrusion phase to discuss Recoverable Network Architecture (RNA, goes well with DNA, right?), a set of characteristics for an enterprise that give it the best chance to recover from an intrusion. This list is much rougher than the previous DNA list, and I appreciate feedback. The idea is that without these characteristics, you are not likely to be able to resume operations following an incident.
RNA does not mean your enterprise will be intruder-free, just as DNA didn't mean you would be intrusion-free. Rather, if you do not operate a Recoverable Network Architecture you have very little chance of returning at least the system of interest to a trustworthy state. (Please remember the difference between trusted and trustworthy!)
- The recoverable network must be defensible. Being defensible not only helps with resisting intrusions; it helps recovery too. For example, the network must already be:
- Monitored: Monitoring helps determine incident scope before recovery and remediation effectiveness after recovery.
- Inventoried: Inventories help incident responders understand the range of potential victims in an incident before recovery and help ensure no unrecognized victims are left behind after recovery.
- Controlled: Control helps implement short-term incident containment, if appropriate, before recovery, and enforces better resistance after recovery.
- Claimed: Because an asset is claimed, incident responders know which asset owners to contact.
- Minimized: Assets that retain unnecessary exposure (services, access paths) following recovery are subject to easy compromise again.
- Assessed: Assessment validates that monitoring works (can we see the assessment?), that inventories are accurate (is the system where it should be?), that controls work (did we need an exception to scan the target, or could we sail through?), and that minimization and keeping current worked (are easy holes present?).
- Current: Assets that retain unpatched security vulnerabilities following recovery are subject to easy compromise again.
- Measured: Measurement helps justify various recovery actions, e.g., showing that so-called "cleaning" is less effective and costs more than complete system rebuilds.
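To make the interplay between the monitored, inventoried, claimed, controlled and assessed items concrete, here is an added example (mine, not from the original post) of the kind of reconciliation an incident responder would run before scoping and again after recovery. It cross-checks three constructed data sources: an asset inventory with owners, the target list and findings of a vulnerability scan, and flow records from a network sensor. Every address, owner name, finding label, the internal range, the scanner address and the flow log format are invented for illustration.

```python
"""Reconcile inventory, scan and sensor data to find recovery-blocking gaps.

Added example, not code from the original post. All data below is constructed.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.0.0/16")   # assumed internal range
SCANNER = "10.1.9.9"                              # assumed scanner address

# Constructed inventory: address -> owning team, or None if nobody claims it.
INVENTORY = {
    "10.1.1.10": "finance-apps",
    "10.1.1.11": "finance-apps",
    "10.1.2.20": "hr-systems",
    "10.1.3.30": None,            # inventoried but unclaimed
    "10.1.5.50": "lab",           # scanned, but never seen by the sensor
    "10.1.6.60": "lab",           # inventoried, but never scanned
}

# Constructed scan: whether the scanner got through, and what it found.
# Findings are descriptive labels, not real advisories.
SCAN = {
    "10.1.1.10": {"reachable": True,  "findings": []},
    "10.1.1.11": {"reachable": True,  "findings": ["unpatched web server"]},
    "10.1.2.20": {"reachable": False, "findings": []},
    "10.1.3.30": {"reachable": True,  "findings": ["telnet service enabled"]},
    "10.1.5.50": {"reachable": True,  "findings": []},
}

# Constructed sensor flow records in an invented "timestamp src dst dport" format.
FLOW_LOG = """\
2009-03-01T02:00:01 10.1.9.9 10.1.1.10 443
2009-03-01T02:00:02 10.1.9.9 10.1.1.11 80
2009-03-01T02:00:03 10.1.9.9 10.1.3.30 23
2009-03-01T02:05:00 10.1.1.10 10.1.1.11 445
2009-03-01T02:06:00 10.1.4.44 10.1.1.10 22
"""


def parse_flows(text):
    """Return (src, dst, dport) tuples from the constructed log format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def reconcile(inventory, scan, flow_text):
    """Cross-check the three sources and return the gaps each RNA item exposes."""
    flows = parse_flows(flow_text)
    seen = {a for s, d, _ in flows for a in (s, d) if is_internal(a)}
    scanned_by_sensor = {d for s, d, _ in flows if s == SCANNER}

    return {
        # Monitored: the scanner reached a host but the sensor never saw the scan.
        "monitoring_gaps": {h for h, r in scan.items()
                            if r["reachable"] and h not in scanned_by_sensor},
        # Inventoried: internal hosts on the wire that nobody inventoried.
        "unrecognized_hosts": {h for h in seen if h not in inventory} - {SCANNER},
        # Inventoried, other direction: inventory entries the assessment skipped.
        "unassessed_assets": {h for h in inventory if h not in scan},
        # Claimed: inventoried assets with no owner to contact.
        "unclaimed_assets": {h for h, owner in inventory.items() if owner is None},
        # Controlled: the scan was filtered, so an exception would be needed.
        "filtered_by_controls": {h for h, r in scan.items() if not r["reachable"]},
        # Minimized / Current: easy holes that would survive into recovery.
        "open_findings": {h: r["findings"] for h, r in scan.items() if r["findings"]},
    }


if __name__ == "__main__":
    for name, value in reconcile(INVENTORY, SCAN, FLOW_LOG).items():
        print(f"{name}: {sorted(value) if isinstance(value, set) else value}")
```

Each key maps back to one list item: an empty `monitoring_gaps` set is the "can we see the assessment?" check passing, `unrecognized_hosts` is the unrecognized-victim problem the inventory is meant to prevent, and `open_findings` is what a responder should expect to see emptied by a rebuild rather than a "cleaning".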
What do you think of these requirements? I may try expanding on each of the DNA items with examples at some point. If that works well I will apply the same to RNA.
Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.