Question
Osbert Rimorr had released a potent malware attack into the wild. It was simple random bad luck that Osbert's worm took over the primary HAL mail server. From there, it quickly infected every system in the company. As the worm copied itself over and over again, the servers at HAL quickly stopped doing their assigned tasks and spent all their resources copying the worm to every computer they could reach.
It was two o'clock in the morning when Susan Carter, the third-shift help desk supervisor, was informed of the attack, first by the technicians in the network operations center and then by the application support team. Once she heard what was happening, Susan wasted no time. She directed the application support team to shut down the mail server, then she initiated the incident response plan by calling the help desk supervisor to activate the call tree.
The IR plan worked as expected and the CSIRT assembled quickly, but the worm was fast, very fast. By the time the primary mail server was disconnected, every major server had been infected. And by the time the main Internet connection was severed, nearly every desktop system was infected.
Susan called Paul Alexander, the HAL incident commander on call, to advise him of the incident.
Paul, still in bed, reached for the phone. Seeing that it was the network operations center's number lit up on the display, he took the call.
"Sorry to wake you, Paul," Susan said.
"What's up, Susan?" Paul asked, still groggy.
"We're down," Susan replied. "All systems. All networks. It looks like a worm that just bogs everything down. Nothing malicious that we can see, just lots and lots of it," Susan said, sounding worried.
"Okay," Paul replied while reaching for the laptop computer on his nightstand. "Give me a minute to get logged in. Oh, wait, all networks are down! Okay, assemble all the facts you can. I guess the containment options didn't pan out very well; it's time for recovery operations. Work the IR plan with the CSIRT."
Paul leaned over to look at the clock. "I'll be there by 3:15."
"Okay, I'll have the coffee ready," said Susan.
After a very long 12 hours, HAL's servers and client systems were fully functional and back online. Even though the CSIRT had trained for scenarios just like this, it was still overwhelmed by the sheer speed at which the worm replicated. It was able to reimage the infected systems and do a partial restoration of data. Some data was lost between the last backup and the beginning of the incident, but that was only a 30-minute window, so it was minimal. The CSIRT had even been able to get a copy of the worm, for reverse-engineering and research purposes. A brief e-mail was sent out to explain what had happened and to let everybody know that things were now back to normal.
The day after the incident ended, Paul Alexander had a meeting with Paul Bryant and George Denney, both from the legal department. They wanted a briefing on what had occurred, in order to assess potential liability issues for the company. After exchanging pleasantries as the three of them assembled in the conference room, Bryant got down to business and started questioning Alexander.
"Paul, what in the world happened? I thought we had firewalls in place to prevent stuff like this from attacking our network! How could you let this happen?"
Paul Alexander, still exhausted from the previous day's events, resisted the urge to start yelling at Paul Bryant over the unfair accusation. He took a deep breath, composed himself, and said, "Let's begin at the top, shall we?"
Discussion Questions
Was the CSIRT response appropriate, given the circumstances? On what do you base your position?
Was Paul Alexander being unjustly accused of allowing the incident to happen? On what do you base your position?
Was there anything else Paul Alexander could have done to prevent the incident? On what do you base your position?