Restoring trust in a compromised network

On November 16, 2008, In forensics, security, By eugenekogan

If you know that you have a deeply compromised network, but you can’t practically shut it down and rebuild it from scratch, how do you go about cleaning it up and restoring trust in its use? This is a very difficult problem, and I would say that in most cases, it’s pretty much impossible to ever be completely sure that an intrusion has been removed. However, since reformatting every machine and starting over is usually not a viable option for an operating business, it’s important to know how to get as close as practical to restoring trust in a compromised network.

This post on the SANS ISC Hander’s Diary is a great resource to get you started on the process of pinpointing which hosts on a network are still compromised, and need to be carefully reviewed. Since a large network with many servers is assumed, the easiest way to begin is from the network level, working your way down to host-based solutions.

You can read the post for all the details, but the basic tools and techniques mentioned are:

  • log all DNS queries
  • store netflow data
  • log accepted firewall connections
  • deploy IDS with relevant EmergingThreats rule sets
  • use BotHunter
  • carefully monitor DNS traffic for anomalies
  • monitor web traffic for unusual activity
  • virus scan as many hosts as possible using good heuristic software
  • check for root kits on critical systems, using something like RootkitRevealer
  • scan for suspicious executables, using something like Red Curtain

Yes, this is a long list of actions, and it can take quite a while to implement. Unfortunately, the longer it takes, the more time your adversary has to reinfect your network, especially if you haven’t figured out and closed the hole he used in the first place.

This is why being prepared ahead of time is always a huge advantage. If IDS is already deployed and working, and if you know what your network traffic looks like normally, it becomes a lot easier to detect anamolies when something goes wrong. Hey, if all else fails, you could always unplug the company from the Internet for a few days, right…?

  • email
  • Digg
  • Facebook
  • LinkedIn
  • Google Bookmarks
  • StumbleUpon
 
0 Comments
Leave A Response

Automated Web-Based Malware Behavior Analysis

On October 21, 2008, In reversing, security, virtualization, By eugenekogan

I just watched a video presentation from September’s OWASP conference. The presenter, Tyler Hudak, talked about the Truman-based hybrid sandnet he created to automate the analysis of web-based malware. He references Google’s The Ghost in the Browser paper, as well as the Honeynet Project. One tool he used to help automate things in Windows is AutoIt, something I had not heard of before, but it sounds handy. The demo also shows a tool called InCtrl5, a utility for Windows that monitors changes to your system, primarily for use when installing some new program. I guess it’s used to compliment the usual Sysinternals tools, so maybe it has some extra features that Tyler finds useful.

Some of the problems this approach is trying to solve are browser-dependent obfuscated JavaScript, plug-in dependencies (like Flash), multiple redirects, etc. All of these issues make malware analysis more complex and time consuming, so any automation you can get away with is a big help. The demo at the end is pretty cool, but he glossed over how the information from the automated analysis is presented to the user. I’m guessing it’s not (yet) in a pretty report format. Either way, you still need someone with the right knowledge to analyze the output and decide what to do with it to help defend your network.

  • email
  • Digg
  • Facebook
  • LinkedIn
  • Google Bookmarks
  • StumbleUpon
 
1 Comments
Leave A Response

CloudAV prototypes anti-virus scanning via cloud computing

On August 11, 2008, In networking, security, tech, By eugenekogan

This is interesting research, but is it something you would use?

The researchers’ new approach, called CloudAV, moves antivirus functionality into the “network cloud” and off personal computers. CloudAV analyzes suspicious files using multiple antivirus and behavioral detection programs simultaneously.

In general, that’s not a bad idea. It might save a few CPU cycles on your local workstation by not having to directly virus scan files. Then again, you have to use network resources uploading each file to the cloud, where it is scanned for you.

Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis.

The privacy concerns here are obvious. Would you trust CloudAV to receive a copy of every file you want to virus scan? How sure can you be that they don’t use the contents for something else, or accidentally leak private information?

I think this idea has more merit as an internal virus scanning system for a large organization. That way sensitive data doesn’t have to leave the corporate boundary, or be sent to a third party. The benefit is that you have a more thorough and updated virus scanning engine, possibly using several different products at once.

Researchers develop next-generation antivirus system.

  • email
  • Digg
  • Facebook
  • LinkedIn
  • Google Bookmarks
  • StumbleUpon
 
0 Comments
Leave A Response

Ruby vulnerabilities

On June 25, 2008, In development, security, By eugenekogan

There are already plenty of people talking/screaming/crying about the recent bugs found in the Ruby programming language:

The list of CVEs created to track these bugs:

The funny thing is, these vulnerabilities were created in the run-time implementation of Ruby, which is itself written in C. So it’s really not all that surprising, considering how hard it is to write secure, large, bug-free C programs.

  • email
  • Digg
  • Facebook
  • LinkedIn
  • Google Bookmarks
  • StumbleUpon
 
0 Comments
Leave A Response

Classic insider threat example

On June 25, 2008, In security, By eugenekogan

IT director gets fired. IT director still has remote access to company network. IT director deletes a bunch of stuff and causes some damage.

This is a cut and dry example of why the insider threat is such a major issue. I guess some companies need to learn the hard way: Disable all accounts belonging to terminated employees; if it’s an admin (or the IT director), change all the root passwords as well. Of course, this implies that a company has to keep track of all the accounts an employee might have, which is not easy. The important thing to remember is that this is more of a people/policy challenge than a technical one.

  • email
  • Digg
  • Facebook
  • LinkedIn
  • Google Bookmarks
  • StumbleUpon
 
0 Comments
Leave A Response
« Previous Entries Next Entries »
Go To Top »