Appendix C. Incident Response
Your router has been hacked. Now what? This chapter covers the basics of emergency response when dealing with a router compromise. Ideally, you should have an incident response plan that is tailored to your organization. If you are reading this chapter because you have just been hacked and don’t know what to do, first promise that as soon as this incident is over, you will develop a complete incident response plan. Then keep reading for help on responding to incidents involving router compromises.
The goals of incident response are to:
Determine if the incident is an attack or an accident
Discover what happened and the scope of the incident
Preserve all the evidence
Recover from the incident
Take the steps necessary to prevent this incident from happening again
If you do not have a detailed incident response plan in place and you have been hacked, it is best to do nothing yourself and to call law enforcement. They are trained to preserve the evidence and investigate the incident and can track down attackers through means you don’t have access to. Therefore, the first recommendation is to do nothing and call law enforcement.
However, many attacks may look like accidental outages (and vice versa). The following information is provided for those who are still trying to determine if an incident is due to a hacker or an accident or for those who must get the compromised router operational as soon as possible. So please read this entire chapter—especially ...