Cleaning Up the Mess After a Major Hack Attack

Hugh Pickens writes "Kevin Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor, where Anonymous defaced Stratfor's Web site, published over 50,000 of its customers' credit card numbers online and has threatened to release a trove of 3.3 million e-mails, putting Stratfor in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over. Mandia, who has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years and has told Congress that if an advanced attacker targets your company then a breach is inevitable (PDF), calls the first hour he spends with companies 'upchuck hour' as he asks for firewall logs, web logs, and emails to quickly determine the 'fingerprint' of the intrusion and its scope. The first thing a forensics team will do is try to get the hackers off the company's network, which entails simultaneously plugging any security holes, removing any back doors into the company's network that the intruders might have installed, and changing all the company's passwords. 'This is something most people fail at. It's like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.' In the case of Stratfor, hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days, offering a ray of hope: experts say the most dangerous breaches are the quiet ones that leave no trace."
  • by Anonymous Coward on Wednesday January 04, 2012 @09:33AM (#38584116)

    I'm curious though. In the PDF Kevin Mandia states that 90% of private enterprises don't know their networks have been compromised until the government (DoD, etc.) tells them. So, how does the government know that these companies are compromised?
    I mean, apart from seeing spammy emails coming out, or in the case of the spooks, them seeing information on another system somewhere that's obviously been "stolen" from a US bank or something, how would they know?
    What sort of things would have to happen for a company to get a "Hey, you have bad guys all over your network" visit from the government guys ?

  • by Anonymous Coward on Wednesday January 04, 2012 @09:51AM (#38584198)
    I did work for a Fortune 100 company. We had Disaster Recovery Plans which involve that exact sort of thing. We rehearsed it once for an entire market we operated in; it took about 11 staff and 12 hours to do. We did it during the night during a weekend to reduce impact. Many of the systems were still operating during the rehearsal. We did phones, servers, workstations, restoration of images/backups, network infrastructure, most HSMs (excluding CAs) etc. As for viruses coming back from at-rest data backups, well, we virus scan them before they're used and nearly all of them are digitally signed (so tampering after the fact is harder), but I can't think of what else you can do. We can load our own heuristics and signatures onto our distributed IDSs though, so if we did find any type of malware on our system, we can identify it and add it to the IDS and it would be picked up when/if it was on offline backups and when/if it's restored. The biggest weaknesses we identified were network bottlenecks, outdated documentation and outdated client software to handle the procedures.
  • by Arrogant-Bastard ( 141720 ) on Wednesday January 04, 2012 @09:55AM (#38584240)
    This also includes clean installs on employee portable systems (laptops, PDAs, tablets, phones) as well as anything they have at home that can connect to the corporate network.

    Of course, this will never happen.

    Then it's time to go through all backup media and sanitize it, since of course a potential future restore could re-initiate the breach.

    Of course, this will never happen.

    Meanwhile, forensic work needs to be done to figure out what the vector(s) was/were for this incident. It's not enough to just identify and deal with those, however; they need to be studied in context in order to achieve an understanding of what additional, latent vectors exist that could be used.

    Of course, this will never happen.

    And then it's time for a very pointed session with a copy of Marcus Ranum's "Six Dumbest Ideas in Computer Security", because chances are pretty high that this organization used all six.

    Of course, this -- especially this -- will never happen.
  • by JRHelgeson ( 576325 ) on Wednesday January 04, 2012 @10:52AM (#38584714) Homepage Journal

    Like Kevin Mandia, I too clean up these messes professionally. Cleaning these things up starts with the data gathering and analysis, virus scans, offline analysis - and more that are not mentioned.

    The MOST important thing that ANY admin should know is that the true professional hackers do not use rootkits. They will use exploits to gain their foothold, but rather than install a rootkit, they will install remote network admin utilities, such as Dameware NT utilities (old), or more recently I've seen LabTech Software.

    From www.labtechsoftware.com
    IT Systems Management Software providing a leading remote monitoring and management (RMM) solution for Managed Service Providers (MSP) and IT...

    This software is great for Managed Service Providers - it also is a dream come true for cyber-criminals as it provides a backdoor into networks using signed code that will not appear on any antivirus, anti-malware or anti-rootkit scan. It can sit dormant for years, get backed up, and restored. Even if you do run anti-virus scans on your backups prior to restoring them - as one commenter stated above - it would be of no use.

    So, when I am gathering the data dump, what I do is look for ALL network management tools, and I have created scripts that search for these.
            *****
            Google this: C:\WINDOWS\LTSVC\LTSVC.exe Hijackthis
            You will find examples of people who have run Hijackthis on their computer and posted the log online - the common complaint is that they keep getting reinfected and cannot figure out how. They've run {insert virus tools here} a number of times and cannot figure it out. They usually resort to reinstalling the OS.
            *****
    Anyhow - gathering up all the logs from every device on the network, linking how they went from machine-to-machine, enumerating lists of installed software on each machine, and also performing offline analysis of drives, searching for any file/directory modifications based upon time stamp. It is FAR more involved, but it is the only way to enumerate the intrusion.

    Removal must be done all at once. Either cut the network access of all the devices, then remove, or write a custom removal script and schedule it as a task to have everything be done at precisely the same moment.

    I then have custom IDS signatures that look for any unauthorized Remote Management & Monitoring software.
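A worked example of the inventory sweep JRHelgeson describes above, added for this page and not his own scripts: it runs indicator regexes over a constructed per-host inventory (installed programs with install dates, services with image paths, running process images), separates hits on hosts where that RMM product is authorized from everything else, and clusters unauthorized installs of the same product that landed within a day of each other across machines, the kind of machine-to-machine fingerprint the comment talks about linking together. The C:\WINDOWS\LTSVC\LTSVC.exe path is from the comment; the LTService name, the DameWare patterns, the host names, the dates and the allowlist are assumptions. How the inventory is pulled from each host (registry Uninstall keys, service control manager, process list) is outside the block.

```python
import re
from datetime import datetime, timedelta

# Indicator regexes keyed by product. The LabTech service path is the one named
# in the comment above; the LTService name and the DameWare patterns are assumed
# for illustration, not a vetted signature set.
RMM_INDICATORS = {
    "LabTech": re.compile(r"labtech|\\ltsvc\\ltsvc\.exe$|^ltservice$", re.I),
    "DameWare": re.compile(r"dameware|\\dwrcs\.exe$", re.I),
}

# Hosts where a given RMM product is expected under change control (assumed).
AUTHORIZED = {"msp-mgmt-01": {"LabTech"}}

# Constructed per-host inventory, not real data: installed programs with install
# date, services with their image path, and running process image paths.
INVENTORY = {
    "ws-042": {
        "programs": [("Microsoft Office", "2011-03-02"), ("LabTech Agent", "2011-11-18")],
        "services": [("LTService", r"C:\WINDOWS\LTSVC\LTSVC.exe")],
        "processes": [r"C:\WINDOWS\LTSVC\LTSVC.exe", r"C:\Windows\explorer.exe"],
    },
    "ws-077": {
        "programs": [("Adobe Reader", "2011-05-20"), ("LabTech Agent", "2011-11-18")],
        "services": [("LTService", r"C:\WINDOWS\LTSVC\LTSVC.exe")],
        "processes": [r"C:\WINDOWS\LTSVC\LTSVC.exe"],
    },
    "ws-101": {
        "programs": [("DameWare Mini Remote Control", "2011-11-19")],
        "services": [],
        "processes": [r"C:\Program Files\DameWare\DWRCS.exe"],
    },
    "msp-mgmt-01": {
        "programs": [("LabTech Agent", "2010-06-01")],
        "services": [("LTService", r"C:\Program Files\LabTech\LTSVC.exe")],
        "processes": [r"C:\Program Files\LabTech\LTSVC.exe"],
    },
    "srv-db-03": {
        "programs": [("SQL Server", "2010-01-10")],
        "services": [("MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\sqlservr.exe")],
        "processes": [r"C:\Program Files\Microsoft SQL Server\sqlservr.exe"],
    },
}


def find_rmm(host, inv):
    """One finding per RMM product per artefact (program, service, process)."""
    findings = []

    def hit(kind, evidence, texts, installed=None):
        for product, rx in RMM_INDICATORS.items():
            if any(rx.search(t) for t in texts):
                findings.append({"host": host, "product": product, "kind": kind,
                                 "evidence": evidence, "installed": installed})

    for name, installed in inv["programs"]:
        hit("program", name, [name], installed)
    for svc, image in inv["services"]:
        hit("service", f"{svc} -> {image}", [svc, image])
    for image in inv["processes"]:
        hit("process", image, [image])
    return findings


def hunt(inventory, authorized):
    """Sweep the fleet; split findings into unauthorized and change-controlled."""
    unauthorized, expected = [], []
    for host, inv in inventory.items():
        for f in find_rmm(host, inv):
            ok = f["product"] in authorized.get(host, set())
            (expected if ok else unauthorized).append(f)
    return unauthorized, expected


def install_clusters(findings, window=timedelta(days=1)):
    """Group installs of the same product whose dates fall within `window` of
    the previous one. A burst of the same RMM agent appearing on several hosts
    within a day is a lateral-movement fingerprint, not an MSP rollout."""
    dated = sorted(
        (f["product"], datetime.strptime(f["installed"], "%Y-%m-%d"), f["host"])
        for f in findings if f["installed"]
    )
    clusters, current = [], []
    for product, when, host in dated:
        if current and (product != current[-1][0] or when - current[-1][1] > window):
            clusters.append(current)
            current = []
        current.append((product, when, host))
    if current:
        clusters.append(current)
    return [
        {"product": c[0][0], "first": c[0][1].date().isoformat(),
         "hosts": sorted(h for _, _, h in c)}
        for c in clusters if len(c) > 1
    ]


if __name__ == "__main__":
    unauth, ok = hunt(INVENTORY, AUTHORIZED)
    for f in unauth:
        print(f"UNAUTHORIZED {f['host']}: {f['product']} via {f['kind']} {f['evidence']}")
    for c in install_clusters(unauth):
        print(f"INSTALL BURST {c['product']} from {c['first']} on {', '.join(c['hosts'])}")
    print(f"{len(ok)} expected RMM artefact(s) on change-controlled hosts")
```

The allowlist is the part that matters: an RMM agent is not evidence of compromise by itself, so the hunt is only useful once someone has written down where such agents are supposed to be. Anything the sweep flags on a host with no change record goes straight into the removal list, and the install cluster tells you which hosts to pull at the same moment.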

  • Re: First Post (Score:4, Interesting)
    by Tsingi ( 870990 ) on Wednesday January 04, 2012 @11:10AM (#38584936)
    But were it an expert hack:

    experts say the most dangerous breaches are the quiet ones that leave no trace.

    You would not have known.

    In fact, security experts would like that to be your last thought before you go to sleep at night, and your first thought when you wake up, and uppermost in your mind when they pad your bill with zeroes.
