Part III: Tactical Response

If we do not wish to fight, we can prevent the enemy from engaging us even though the lines of our encampment be merely traced out on the ground. All we need do is to throw something odd and unaccountable in his way.

—Sun Tzu in The Art of War

As soon as you have identified an active attack against your web application, how should you respond to the threat? This is a seemingly straightforward question with often surprisingly complicated answers. Your responses should be as nuanced and varied as the attacks you’re facing, and they should differ according to the specific threat. If you are under an application-layer distributed denial-of-service attack from a botnet, you should respond differently than you would for a client that may be infected with banking trojan software, and differently again than you would for a cross-site request forgery worm infection. In some situations, you may want to redirect the user to a friendly error page; in others you may want to e-mail security personnel or passively proxy the connection to a separate honeypot web application. Response actions are not a one-size-fits-all model. Choose wisely.
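The following Python sketch is an added example, not code from the book, of the threat-specific dispatch the paragraph describes: one policy object that answers a botnet flood with cheap load shedding, a likely-infected client with a redirect to a notice page, a CSRF worm with a block plus an alert to the security team, and any other flagged request with a passive proxy to a honeypot. The threat labels, the per-client rate limit, the notice page path and the honeypot URL are all assumptions; the sliding-window counter stands in for whatever upstream detector would normally attach the threat label.

```python
"""Threat-specific response dispatch for a web application front end.

Hypothetical example: threat labels, thresholds, the notice page path and the
honeypot URL are constructed for illustration, not taken from any product.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed threat categories, mirroring the cases discussed in the text.
APP_LAYER_DDOS = "app_layer_ddos"
INFECTED_CLIENT = "infected_client"   # e.g. banking-trojan indicators in the request
CSRF_WORM = "csrf_worm"


@dataclass
class Request:
    client_ip: str
    path: str
    ts: float                          # arrival time in seconds (monotonic clock assumed)
    threat: Optional[str] = None       # label attached by an upstream detector (assumed)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    alerts: list = field(default_factory=list)   # out-of-band notifications raised
    proxied_to: Optional[str] = None             # where the connection was passively proxied


class SlidingWindowLimiter:
    """Counts requests per client over the last `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        q = self.hits[client_ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) <= self.limit


class ResponsePolicy:
    """Chooses a response action per threat class instead of one generic block."""

    def __init__(self, ddos_limit=20, ddos_window=1.0,
                 honeypot="http://honeypot.internal"):
        self.limiter = SlidingWindowLimiter(ddos_limit, ddos_window)
        self.honeypot = honeypot          # hypothetical honeypot base URL
        self.notice_page = "/security-notice"   # hypothetical friendly page

    def classify(self, req: Request) -> Optional[str]:
        """Trust an upstream label if present; otherwise use request rate alone."""
        if req.threat is not None:
            return req.threat
        if not self.limiter.allow(req.client_ip, req.ts):
            return APP_LAYER_DDOS
        return None

    def handle(self, req: Request) -> Response:
        threat = self.classify(req)
        if threat is None:
            return Response(200, body="ok")
        if threat == APP_LAYER_DDOS:
            # Flood traffic: shed load cheaply and do not alert per request,
            # since paging a human for every bot hit would amplify the attack.
            return Response(429, {"Retry-After": "5"})
        if threat == INFECTED_CLIENT:
            # Likely-compromised user: steer to a friendly notice page rather than
            # a bare error, so a real person learns their machine needs attention.
            return Response(302, {"Location": self.notice_page})
        if threat == CSRF_WORM:
            # Self-propagating forged requests: block and notify security staff.
            resp = Response(403, body="forbidden")
            resp.alerts.append(f"csrf worm activity from {req.client_ip} on {req.path}")
            return resp
        # Flagged but not one of the known classes: observe it in the honeypot.
        return Response(200, proxied_to=f"{self.honeypot}{req.path}")


if __name__ == "__main__":
    policy = ResponsePolicy(ddos_limit=3, ddos_window=1.0)
    # Constructed sample traffic: one client bursting, others individually flagged.
    for i in range(4):
        print(policy.handle(Request("10.0.0.1", "/login", ts=100.0 + i * 0.1)).status)
    print(policy.handle(Request("10.0.0.3", "/account", ts=101.0, threat=INFECTED_CLIENT)))
    print(policy.handle(Request("10.0.0.4", "/transfer", ts=101.0, threat=CSRF_WORM)))
```

Running it prints three 200s followed by a 429 for the bursting client, then the redirect and the blocked-plus-alerted responses. The point of the shape is that each branch does something operationally different, so changing the policy for one threat class never touches the others.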

Timely Response

How much time do you have to respond to active attacks before an attacker may be able to successfully bypass basic security filters? This is a critical question from an incident response perspective; unfortunately, metric data of this type is severely lacking. To obtain concrete data about the time-to-hack ...
