Friday, November 17, 2006

How do you do that voodoo that you do?

After reading through the SecuriTeam documents, and then reading this SANS ISC post, I have to admit, incident response can be extremely complex. This is particularly true if the bad guys catch you with your pants down (figuratively, or hey, even literally). From the SecuriTeam write-ups, we get an insight into how systems are targetted...via Google searches (with books such as Google Hacking from Johnny Long, there's really no big mystery to this) and even freely available vulnerability scanning tools.

In the SecuriTeam documents, the decision to conduct a live response is documented, as a "full forensic analysis" would take too long...it was evidently determined that the attackers hadn't simply defaced a web page, but were actively on the system and involved in creating mayhem. This isn't unusual...many organizations decide that affected systems cannot be taken down. However, with the Team Evil incident, there didn't seem to be any volatile data collected or analyzed. It appears that because a web page was defaced and some directories created, that the investigation and the IR team's reactions focused solely on the web application(s).

One thing I took away from the second SecuriTeam document was that there were...what? Eight attacks?

The post from the Internet Storm Center doesn't seem to make things any easier, does it? After all, not only do multiple downloaders dump a "zoo of malware" (i.e., keylogger, BHOs, even disables the Security Center) on the system, but it also reports the infected system's location so it can be tracked via Google Maps. While this is an interesting new capability, the real issue IMHO is the stuff that's dumped on the system. How do you track it all? If you really don't know a great deal about your systems (hosts and networks) and the applications that you're running, and you haven't taken any real steps to protect those systems, I'd have to say that the ISC recommendation to reinstall is the only option.

If you really think about it, though, maybe this is the intention. If you've been looking at some of the various conference presentations over the past couple of years, there have been some anti-forensics and "how to use the analyst's training against them" presentations. One way to look at these attacks is that the attacker is just being greedy. Another is to think that the intention of dumping multiple programs (keyloggers, BHOs, etc.) on the system is that IF the sysadmin detects any one of them, they'll reinstall the system...and it's likely that the system can be easily reinfected.

So, on the face of things, we've got a denial of service attack...compromise and infect a critical-use system, and it's so important that the sysadmin takes it offline for a reinstall. This also lends itself to persistence...the reinstalled system may have the same or additional vulnerabilities, so the attacker can reinfect the system once it's back up.

Of course, I can't help but think that this could also be a distraction, a little bit of misdirection...get the IT staff looking one direction while the attacker is siphoning data off of another system.

So I guess I have to concede the point that reinstallation is the thing to do. If you (a) don't really know your infrastructure (hosts or network) that well, (b) have no idea where critical (processing or storing sensitive personal information) applications are, (c) haven't really taken any defense-in-depth measures, (d) have no clue what to do, and (e) don't have an IR plan that is supported and endorsed by senior management, I guess there really isn't any other option.

Thoughts?

4 comments:

Kfir D. said...

I do agree. In every investigation one must assume there are pieces of the passel that you don't know exists.
So one must clean the whole system.
But, as you said: "the reinstalled system may have the same or additional vulnerabilities, so the attacker can reinfect the system once it's back up."

So before each system reinstalling, one must find at least one security hole, and to make sure he close it after the installation is over.
This way, hopefully, in the end he will close them all.

Leaving theory a side, it should be mentioned that most Sysadmins (at least those I met) are not really happy of shutting down their servers. Even more, they really don't like to reinstall their system.
So you can suggest them to reinstall every time they are hacked, but unfortunately not all will listen.
;)

Keydet89 said...

kfir d...

Twice in one night...many thanks!

So before each system reinstalling, one must find at least one security hole, and to make sure he close it after the installation is over.
This way, hopefully, in the end he will close them all.


Just one? What if it's the wrong one? Or what if the vulnerability that is found only permits denial of service attacks, and not remote code execution...and the vulnerability the attacker used allowed remote code execution.

I would agree with your statement if we were to keep all admins and responders at their current skill level. However, I'm advocating an increase in skill levels, so that the admins and responders can do more in less time.

Anonymous said...

Subject matter expertise determines procedures! If you don know what you have you don't know where to look.

Keydet89 said...

Exactly!