Restoring trust in a compromised network

16-Nov-08

If you know that you have a deeply compromised network, but you can’t practically shut it down and rebuild it from scratch, how do you go about cleaning it up and restoring trust in its use? This is a very difficult problem, and I would say that in most cases, it’s pretty much impossible to ever be completely sure that an intrusion has been removed. However, since reformatting every machine and starting over is usually not a viable option for an operating business, it’s important to know how to get as close as practical to restoring trust in a compromised network.

This post on the SANS ISC Handler’s Diary is a great resource to get you started on the process of pinpointing which hosts on a network are still compromised and need to be carefully reviewed. Since a large network with many servers is assumed, the easiest way to begin is at the network level, working your way down to host-based solutions.

You can read the post for all the details, but the basic tools and techniques mentioned are:

  • log all DNS queries
  • store netflow data
  • log accepted firewall connections
  • deploy IDS with relevant EmergingThreats rule sets
  • use BotHunter
  • carefully monitor DNS traffic for anomalies
  • monitor web traffic for unusual activity
  • virus scan as many hosts as possible using good heuristic software
  • check for root kits on critical systems, using something like RootkitRevealer
  • scan for suspicious executables, using something like Red Curtain
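
As an added illustration of the “log all DNS queries” and “monitor DNS traffic for anomalies” items (my own example, not from the ISC diary), this script reads constructed BIND-style query-log lines and flags hosts that repeatedly look up long, high-entropy labels, which is how tunneling and domain-generation traffic often shows up in logs. The log format, thresholds and sample data are assumptions; tune the thresholds against what your own network looks like normally.

```python
import math
import re
from collections import Counter

# Constructed sample lines in BIND-style query-log format; none of this is real traffic.
SAMPLE_LOG = """\
16-Nov-2008 09:00:01.101 client 10.1.1.20#51234: query: www.example.com IN A +
16-Nov-2008 09:00:02.210 client 10.1.1.20#51235: query: mail.example.com IN MX +
16-Nov-2008 09:00:03.330 client 10.1.1.77#40001: query: a9f3k2mzq8w1x7b4.example.net IN A +
16-Nov-2008 09:00:04.440 client 10.1.1.77#40002: query: zr4pq0dlm7vxc8hb.example.net IN A +
16-Nov-2008 09:00:05.550 client 10.1.1.77#40003: query: ylt6w9enk1zsd3uo.example.net IN A +
16-Nov-2008 09:00:06.660 client 10.1.1.77#40004: query: ns.example.net IN A +
"""

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(text):
    """Bits per character; a label with all-distinct characters scores log2(len)."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Return (client, qname, qtype) for one query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def suspicious_label(qname, min_len=12, min_entropy=3.5):
    """Return the first label that is both long and random-looking, else None."""
    for label in qname.split("."):
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            return label
    return None

def analyze(log_text, min_hits=3):
    """Collect random-looking queries and the clients that issue at least min_hits of them."""
    hits = []
    per_client = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line (startup message, zone transfer, etc.)
        client, qname, _ = parsed
        label = suspicious_label(qname)
        if label:
            hits.append((client, qname))
            per_client[client] += 1
    flagged = sorted(c for c, n in per_client.items() if n >= min_hits)
    return {"hits": hits, "flagged_clients": flagged}
```

Hosts in `flagged_clients` are candidates for the host-level checks further down the list (virus scan, rootkit check, executable review), not proof of compromise on their own.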

Yes, this is a long list of actions, and it can take quite a while to implement. Unfortunately, the longer it takes, the more time your adversary has to reinfect your network, especially if you haven’t figured out and closed the hole he used in the first place.

This is why being prepared ahead of time is always a huge advantage. If IDS is already deployed and working, and if you know what your network traffic looks like normally, it becomes a lot easier to detect anomalies when something goes wrong. Hey, if all else fails, you could always unplug the company from the Internet for a few days, right…?

Actually making money with open source

03-Nov-08

No, I’m not talking about how to earn money by working for Canonical. This is a post about actually designing a new piece of currency using open source software, especially Python. A quick summary: The Netherlands wanted to commemorate its rich history in the field of architecture, so they held a contest for the creation of a new coin. Using a bunch of open source software and many hours of hard work, both on the artistic and engineering side of things, Stani Michiels was able to come up with a truly inspiring design. Please read his blog post for some great, large pictures and a detailed overview of the process he used.

Automated Web-Based Malware Behavior Analysis

21-Oct-08

I just watched a video presentation from September’s OWASP conference. The presenter, Tyler Hudak, talked about the Truman-based hybrid sandnet he created to automate the analysis of web-based malware. He references Google’s The Ghost in the Browser paper, as well as the Honeynet Project. One tool he used to help automate things in Windows is AutoIt, something I had not heard of before, but it sounds handy. The demo also shows a tool called InCtrl5, a utility for Windows that monitors changes to your system, primarily for use when installing some new program. I guess it’s used to complement the usual Sysinternals tools, so maybe it has some extra features that Tyler finds useful.

Some of the problems this approach is trying to solve are browser-dependent obfuscated JavaScript, plug-in dependencies (like Flash), multiple redirects, etc. All of these issues make malware analysis more complex and time consuming, so any automation you can get away with is a big help. The demo at the end is pretty cool, but he glossed over how the information from the automated analysis is presented to the user. I’m guessing it’s not (yet) in a pretty report format. Either way, you still need someone with the right knowledge to analyze the output and decide what to do with it to help defend your network.

Python 2.6

06-Oct-08

If you’re a Python developer, you should really read about what’s new in Python 2.6, which was just released a few days ago. There are a number of significant changes and additions, so this is a long document, but it’s worth going through. Most importantly, 2.6 is a stepping stone to the upcoming 3.0 release, so it’s a great way to get used to the future of Python while still having the choice to use older syntax.

DojoSec miniconference

02-Oct-08

I attended the first ever DojoSec minicon tonight, put on free of charge by Sun Tzu Data. The idea behind DojoSec is to have top-notch information security presentations come to our local area for one night each month. It’s kind of like bringing a small part of a security conference to your backyard.

Both of tonight’s talks were very good. The first one was a technical discussion about how skilled intruders expand their access into corporate (or government) networks, and how they maintain access even after being discovered. A lot of information was presented on how to use a more effective incident response procedure, especially focusing on how to accurately gauge the scope of an intrusion. The speakers (Chris Daywalt and Eoghan Casey) were knowledgeable and engaging.

The second presenter was Johnny Long, and he was as entertaining as always - even at 9:30 pm. Of course, I’ve already seen his No-Tech Hacking talk a couple of times, so it wasn’t exactly full of surprises for me. I would say he should update the slides and the examples he uses, but I think all his spare time goes to Hackers for Charity, which he runs.

Overall, it was a great event, especially considering it was the first one ever. I hope it will continue to attract high quality speakers and grow in attendance.