The phone rings, and the networking guys tell you that you’ve been hacked and that your customers’
sensitive information is being stolen from your network. You begin your investigation by checking
your logs to identify the hosts involved. You scan the hosts with antivirus software to find the
malicious program, and catch a lucky break when it detects a trojan horse named TROJ.snapAK. You
delete the file in an attempt to clean things up, and you use network capture to create an intrusion
detection system (IDS) signature to make sure no other machines are infected. Then you patch the hole
that you think the attackers used to break in to ensure that it doesn’t happen again.
Then, several days later, the networking guys are back, telling you that sensitive data is being stolen
from your network. It seems like the same attack, but you have no idea what to do. Clearly, your IDS
signature failed, because more machines are infected, and your antivirus software isn’t providing
enough protection to isolate the threat. Now upper management demands an explanation of what
happened, and all you can tell them about the malware is that it was TROJ.snapAK. You don’t have
the answers to the most important questions, and you’re looking kind of lame.