If you know that you have a deeply compromised network, but you can’t practically shut it down and rebuild it from scratch, how do you go about cleaning it up and restoring trust in its use? This is a very difficult problem, and I would say that in most cases, it’s pretty much impossible to ever be completely sure that an intrusion has been removed. However, since reformatting every machine and starting over is usually not a viable option for an operating business, it’s important to know how to get as close as practical to restoring trust in a compromised network.
This post on the SANS ISC Handler’s Diary is a great resource to get you started on the process of pinpointing which hosts on a network are still compromised and need to be carefully reviewed. Since a large network with many servers is assumed, the easiest way to begin is at the network level, working your way down to host-based solutions.
You can read the post for all the details, but the basic tools and techniques mentioned are:
- log all DNS queries
- store netflow data
- log accepted firewall connections
- deploy IDS with relevant EmergingThreats rule sets
- use BotHunter
- carefully monitor DNS traffic for anomalies
- monitor web traffic for unusual activity
- virus scan as many hosts as possible using good heuristic software
- check for root kits on critical systems, using something like RootkitRevealer
- scan for suspicious executables, using something like Red Curtain
Yes, this is a long list of actions, and it can take quite a while to implement. Unfortunately, the longer it takes, the more time your adversary has to reinfect your network, especially if you haven’t figured out and closed the hole he used in the first place.
This is why being prepared ahead of time is always a huge advantage. If IDS is already deployed and working, and if you know what your network traffic looks like normally, it becomes a lot easier to detect anomalies when something goes wrong. Hey, if all else fails, you could always unplug the company from the Internet for a few days, right…?
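To make the “log all DNS queries” and “monitor DNS traffic for anomalies” items from the list above concrete, and to show why a baseline of normal traffic matters, here is an added example (my own, not from the ISC diary) that runs two simple checks over a constructed DNS query log: a per-host burst of distinct names compared against a hypothetical baseline, and random-looking leftmost labels scored by Shannon entropy. The log format, the baseline numbers and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name); not real traffic.
SAMPLE_LOG = """\
2010-03-01T10:00:01 10.1.1.5 www.example.com
2010-03-01T10:00:02 10.1.1.5 mail.example.com
2010-03-01T10:00:03 10.1.1.7 www.example.com
2010-03-01T10:00:04 10.1.1.9 www.example.com
2010-03-01T10:00:05 10.1.1.9 x7q2v8ztk3j9.example.net
2010-03-01T10:00:06 10.1.1.9 p0m4w1r6y5bd.example.net
2010-03-01T10:00:07 10.1.1.9 h2c8n5t1l9ks.example.net
2010-03-01T10:00:08 10.1.1.9 z4f7g3b6q1vm.example.net
"""

# Hypothetical baseline: distinct names each host normally resolves in this window.
BASELINE_DISTINCT_NAMES = {"10.1.1.5": 4, "10.1.1.7": 4, "10.1.1.9": 2}


def parse_log(text):
    """Yield (client, name) pairs from the constructed three-column log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")


def label_entropy(name):
    """Shannon entropy in bits per character of the leftmost DNS label."""
    label = name.split(".")[0]
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)


def find_dns_anomalies(text, baseline, burst_factor=2.0, entropy_threshold=3.5, min_len=10):
    """Return (kind, client, detail) findings for bursts and random-looking labels."""
    distinct = defaultdict(set)
    findings = []
    for client, name in parse_log(text):
        distinct[client].add(name)
        if len(name.split(".")[0]) >= min_len and label_entropy(name) >= entropy_threshold:
            findings.append(("high-entropy-name", client, name))
    for client, names in distinct.items():
        # A host absent from the baseline has a limit of 0, so any query flags it for review.
        if len(names) > baseline.get(client, 0) * burst_factor:
            findings.append(("query-burst", client, len(names)))
    return findings
```

The entropy threshold will need tuning against your own naming conventions, since long legitimate hostnames can score fairly high; the burst check is only as good as the baseline you collected while the network was behaving normally.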