RE: [incidents] Re: backdoor

From: Dial Joe (Joe.Dialat_private)
Date: Tue Jun 25 2002 - 10:54:06 PDT


    |-----Original Message-----
    |From: Jonas M Luster [mailto:jluster@d-fensive.com]
    
    <snipped the fascinating analogy>
    
    |
    |I've seen quite a number of intrusions in my life. Most of the systems
    |were reinstalled between four and six hours after detection - that is
    |after someone with sufficient clue took the 'live' snapshot, did the
    |on-analysis and removed the media to do the deeper forensic work. A
    |new harddisk in, reinstall, good. And by that time, one knows HOW the
    |bad guy got in and what he did.
    
    In the current world, given the cost of hard drives vs. people's time and
    downtime for "critical" sites, I would do (and have done) the following:
    1) Get the infected machine off the net.
    2) Remove and replace the HD with a new/clean one.
    3) Get somebody rebuilding/restoring the system (still isolated from the
    untrusted net).
    4) Take the HD to a forensic machine and make a bit copy onto an analysis
    disk.
    5) Turn the HD over to a custodian, pref. someone like Legal or HR
    (preserve chain of custody) -- this is just in case.
    6) Do forensics on the analysis disk, and (hopefully) figure out what
    possible/likely holes were used/available. Feed this info back to the
    step 3 person to ensure that (at least) those holes are closed somehow.
    7) Don't return the machine to the untrusted net until either a) you are
    pretty sure how it got hacked, -or- b) if you can't find a hole, at least
    add detection resources (tripwire, HIDS, NIDS, remote logging) to catch it
    when it happens again. It will happen again.
    
    |
    |The 'security through reinstallation' myth seems to have been coined by all
    |those Certified Internet Snakeoil Sales People (CISSPs) and their
    
    I have that cert and I haven't seen that among most of the CISSPs that I
    know.
    
    |likes to conceal the fact that all their fancy certs don't help them
    |much when it comes to true forensic work.
    
    No fancy cert actually helps when it comes to "doing the work". They should
    give you an idea of what level of expertise you can expect from the cert
    holder. Have you never met an MCSE or even a CCIE (gasp!) that didn't seem
    up to the level of excellence that you expected from that cert?
    I would be happy to further discuss your thoughts about the CISSP offline,
    if you wish.
    
    |
    |See, I believe that a networked system brings with itself
    |responsibilities. Just like buying a car or a gun. It's a liability,
    |one should only accept if s/he knows how to resolve these problems in
    |a manner that keeps neighbors and other participants in the
    |'community', knows someone who's competent to do it, or can pay for
    |someone to do it.
    
    I agree fully with this. Any thoughts on how we can further this sense of
    responsibility and acceptance of liability in the "community"?
    
    |An initial 'live' assessment takes 3-4 hours, reinstalling a system
    |from the latest backup between 1 and 3 hours, and applying the patches
    |to prevent the intrusion from happening again, based on the knowledge
    |gathered during the initial 3-4 hours, takes another 2 hours. So, I
    |guess, it's fair to say that it _will_ indeed take longer to do proper
    |forensics, but not 2 hours compared to 3 days but more like three
    |hours compared to six.
    |
    Absolutely. ...and it's even faster if those steps can be done in parallel.
    |
    |And if it's just to find out if they did it to other systems from
    |yours, it's always worth the effort - at least in my book.
    
    Yes. For a variety of reasons, not the least of which is liability.
    
    
    Thanks for listening.
    
    Joe Dial
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
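Steps 4 and 5 of the procedure in the message above (bit copy onto an analysis disk, then hand the original to a custodian with the chain of custody preserved) are the part a responder actually types at a prompt, so here is an added example of that step as a POSIX shell script. It is not code from the original post or from anyone on the list; the function names, the tab-separated custody log layout, and the sample paths are assumptions made for illustration, and the "device" it images is a constructed file standing in for a seized disk.

```shell
#!/bin/sh
# Added example (not from the original post): bit-copy a seized disk to an
# analysis image and record hashes for the chain of custody. Function names,
# the log layout and the sample paths are assumptions for illustration.
set -eu

# hash_file PATH -> hex SHA-256 (sha256sum on Linux, shasum on BSD/macOS)
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# image_disk SOURCE IMAGE LOGFILE [BLOCKSIZE]
# SOURCE is the seized device (e.g. /dev/sdb) or a file standing in for one.
# Writes a bit-for-bit copy to IMAGE, makes it read-only, hashes both ends and
# appends one tab-separated custody record to LOGFILE:
#   utc_time  source  source_sha256  image  image_sha256  operator
# dd's own messages (read errors, block counts) are kept in LOGFILE.dd.
# Returns 0 only when the image hash equals the source hash.
image_disk() {
  src="$1"; image="$2"; log="$3"; bs="${4:-4096}"
  # Hash the original before anything else touches it.
  src_hash=$(hash_file "$src")
  # noerror: keep reading past bad sectors instead of aborting;
  # sync: pad a short read with zeros so sector offsets in the image still
  # line up with the device (a bad-sector gap becomes zeros, not a shift).
  dd if="$src" of="$image" bs="$bs" conv=noerror,sync 2>>"$log.dd"
  chmod 0444 "$image"
  image_hash=$(hash_file "$image")
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$src_hash" \
    "$image" "$image_hash" "$(id -un)" >> "$log"
  [ "$src_hash" = "$image_hash" ]
}

# verify_image IMAGE LOGFILE
# Re-hash IMAGE (before starting analysis, or when the original disk goes to
# Legal/HR) and compare with the hash recorded at imaging time.
# Returns 1 if there is no record for IMAGE or the image has changed since.
verify_image() {
  image="$1"; log="$2"
  recorded=$(awk -F'\t' -v img="$image" '$4 == img { h = $5 } END { print h }' "$log")
  [ -n "$recorded" ] || { echo "no custody record for $image" >&2; return 1; }
  current=$(hash_file "$image")
  [ "$recorded" = "$current" ]
}

# Stand-alone demo on a constructed 16 KiB "device" (a multiple of the block
# size, like a real disk, so conv=sync adds no padding).
demo() {
  work=$(mktemp -d)
  head -c 16384 /dev/urandom > "$work/sdb"   # constructed stand-in for /dev/sdb
  image_disk "$work/sdb" "$work/sdb.img" "$work/custody.log"
  verify_image "$work/sdb.img" "$work/custody.log" && echo "image verified"
  cat "$work/custody.log"
  rm -rf "$work"
}

demo
```

On a real seizure, SOURCE is the raw block device and IMAGE lives on the separate analysis disk, run as root; the hash of the original recorded at imaging time is what lets the custodian later show that the disk handed to Legal or HR is the same one that was read. Reading with dd is not a write blocker: mount nothing from the source, and put a hardware write blocker in front of it where one is available.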
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:06:44 PDT