Restoring trust in a compromised network

If you know that you have a deeply compromised network, but you can’t practically shut it down and rebuild it from scratch, how do you go about cleaning it up and restoring trust in its use? This is a very difficult problem, and I would say that in most cases, it’s pretty much impossible to ever be completely sure that an intrusion has been removed. However, since reformatting every machine and starting over is usually not a viable option for an operating business, it’s important to know how to get as close as practical to restoring trust in a compromised network.

This post on the SANS ISC Handler’s Diary is a great resource to get you started on the process of pinpointing which hosts on a network are still compromised and need to be carefully reviewed. Since a large network with many servers is assumed, the easiest way to begin is at the network level, working your way down to host-based solutions.

You can read the post for all the details, but the basic tools and techniques mentioned are:

  • log all DNS queries
  • store netflow data
  • log accepted firewall connections
  • deploy IDS with relevant EmergingThreats rule sets
  • use BotHunter
  • carefully monitor DNS traffic for anomalies
  • monitor web traffic for unusual activity
  • virus scan as many hosts as possible using good heuristic software
  • check for root kits on critical systems, using something like RootkitRevealer
  • scan for suspicious executables, using something like Red Curtain
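
As an added example (not from the ISC post or this blog), here is a small Python script that combines two of the items above, "log all DNS queries" and "monitor DNS traffic for anomalies", on a constructed log: it flags clients with a high NXDOMAIN rate or a run of long, random-looking hostnames, both common signs of infected hosts hunting for their command-and-control domains. The log format, field order and thresholds are assumptions; adapt the parser to your own resolver's log.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed "timestamp client qname rcode" format;
# real resolver logs (BIND querylog, dnsmasq, etc.) need their own parser.
SAMPLE_LOG = """\
2009-03-12T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-12T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-12T10:00:03 10.0.0.9 kq3x9zv7pl2m.info NXDOMAIN
2009-03-12T10:00:04 10.0.0.9 8ahd72nsl1qz.info NXDOMAIN
2009-03-12T10:00:05 10.0.0.9 www.example.com NOERROR
2009-03-12T10:00:06 10.0.0.9 zz91kq0pxm4r.biz NXDOMAIN
2009-03-12T10:00:07 10.0.0.9 p0o9i8u7y6t5.org NXDOMAIN
2009-03-12T10:00:08 10.0.0.7 updates.example.net NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_lines(text):
    """Parse the assumed log format, silently skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append({"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode})
    return records

def suspicious_clients(records, min_queries=4, nx_ratio=0.5, min_label_len=10, entropy_threshold=3.0):
    """Return {client: stats} for clients whose queries look like C2 domain hunting (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "high_entropy": 0})
    for r in records:
        s = stats[r["client"]]
        s["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        label = r["qname"].split(".")[0]  # leftmost label is where generated names show up
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            s["high_entropy"] += 1
    # Flag only clients with enough queries to judge, to avoid noise from single lookups.
    return {c: s for c, s in stats.items()
            if s["total"] >= min_queries
            and (s["nxdomain"] / s["total"] >= nx_ratio or s["high_entropy"] >= min_queries)}
```

Establish the normal NXDOMAIN rate and label-length distribution for your own network first, then set the thresholds just above that baseline so that hosts stand out without burying you in false positives.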

Yes, this is a long list of actions, and it can take quite a while to implement. Unfortunately, the longer it takes, the more time your adversary has to reinfect your network, especially if you haven’t figured out and closed the hole he used in the first place.

This is why being prepared ahead of time is always a huge advantage. If IDS is already deployed and working, and if you know what your network traffic looks like normally, it becomes a lot easier to detect anomalies when something goes wrong. Hey, if all else fails, you could always unplug the company from the Internet for a few days, right…?


DojoSec miniconference

I attended the first ever DojoSec minicon tonight, put on free of charge by Sun Tzu Data. The idea behind DojoSec is to have top-notch information security presentations come to our local area for one night each month. It’s kind of like bringing a small part of a security conference to your backyard.

Both of tonight’s talks were very good. The first one was a technical discussion about how skilled intruders expand their accesses into corporate (or government) networks, and how they maintain access even after being discovered. A lot of information was presented on how to use a more effective incident response procedure, especially focusing on how to accurately gauge the scope of an intrusion. The speakers (Chris Daywalt and Eoghan Casey) were knowledgeable and engaging.

The second presenter was Johnny Long, and he was as entertaining as always – even at 9:30 pm. Of course, I’ve already seen his No-Tech Hacking talk a couple of times, so it wasn’t exactly full of surprises for me. I would say he should update the slides and the examples he uses, but I think all his spare time goes to Hackers for Charity, which he runs.

Overall, it was a great event, especially considering it was the first one ever. I hope it will continue to attract high quality speakers and grow in attendance.


iPhones have Eyes

Here’s an interesting story of unintended consequences. iPhone users, you know how when you press the Home button, the screen you’re looking at shrinks away as the main menu comes up? Well, that’s a pretty simple graphics trick to do, but it does require treating the current screen as an image. So, each time the iPhone needs to perform that user interface magic, it takes a screen shot of whatever you happen to be doing.

That basically means that there is a pretty good record of all your activity throughout the iPhone, including stuff you do in Safari, Mail, or any other apps. In theory, the screen shots are only temporary and get deleted automatically. But just like on any other computer storage device, deleting data usually does not really mean it’s gone.

The article below talks about how computer forensics investigators have been using this unintended consequence to their advantage. It’s actually helped them discover critical evidence in some pretty serious cases.

But from a personal privacy standpoint, this kinda sucks. Assuming Apple wants to keep this pretty feature around, one solution would be to securely wipe the screen shot as soon as it’s done being used. Another possibility is to make sure that the image is always written to the same file and location on disk, so that you can only easily recover the most recent one. Anyway, I have a feeling this issue will stick around for a while, so just be aware of the consequence.

IPhone Takes Screenshots of Everything You Do | Gadget Lab from Wired.com.


Software Reverse Engineering Tool Library

This is pretty cool. It’s the new Collaborative RCE Tool Library, a nearly comprehensive directory of reverse engineering tools. Not only does it list the tools and provide links to download them, the directory also has pretty good descriptions and resources to learn more about each topic. The tools are conveniently sorted by target type (e.g., Java, Flash, Linux) as well as tool type (e.g., debuggers, PE editors, unpackers) and the whole thing is searchable, which makes it pretty easy to find what you need. (Although, right now the search seems to be broken.)

Perhaps the best feature of the RCE Tool Library is that it’s collaborative, meaning users can improve upon entries, add new ones as new tools are created, and generally keep everything up to date. That will definitely help keep the directory from becoming stale.


Investigating a Linux zombie

This blog post details a guy’s ad hoc investigation of a Linux server that was compromised and turned into a zombie. Basically, the “hacker” came in, installed a root kit, an SSH back door, and an IRC bot for command and control. The post gives all the steps that the “investigator” goes through, and provides a lot of detail and screen captures.

I find it somewhat entertaining, since it’s almost exactly what I went through investigating a very similar situation several (probably nine) years ago, on my friend’s server. I actually ended up talking to the attacker in his IRC channel, and he was nice enough to tell me how he broke in. Those were the good old days…
