|
-
May 30th, 2005, 03:08 PM
#11
I suppose by default if gathering evidence for prosecution is not top of your list then it really isn't on the list at all.
Absolutely......
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
May 31st, 2005, 04:13 PM
#12
Originally posted here by Aspman
Had a discussion with the boss late on Friday.
Unofficially the org has a policy of not aiming to prosecute intruders into the system.
The process of gathering forensics (of a quality suitable for court) is too disruptive and expensive considering the likelyhood of any prosecution is negligable.
The aim of incedent response (for us anyway) is to confirm if an intrusion has occurred, how that intrusion occurred, what the intruder did while in the system and identifying what steps are needed to restore the system to a secure working state.
A lot of the info you've given is still applicable for the process of identifying the weakness in the system but for us gathering evidence for prosecution is way down the list of priorities. I suppose by default if gathering evidence for prosecution is not top of your list then it really isn't on the list at all.
I think you guys are thinking the imaging process is actually more complicated than it really is and are thinking taking an image may not be helpful...
If you have all your stuff together and the disk isn't that big, you can image a drive in a few minutes...assuming a fast external drive (they are dirt cheap now...150 $US for a 120GB external HDD?) or a good network connection to another sytem (using netcat). Even if the disk is enormous, imaging still doesn't take all that long... If you are not shooting for a prosecution (bad idea IMHO, but to each organization its own) this really only effects what you do with the compromised system afterwards ... my best recommendation in that respect is to rebuild/restore it from backups to a date prior to the incident and then any data that was missed since, to review it carefully before adding it back (for evidence of trojaned files or altered data). Unless you rebuild it you can't be garunteed to have complete control of the system back.
But back to the original point, the image of the compromised system is INVALUABLE for evaluating what really happened...you can tell what files changed recenty, view DELETED files, see what files were altered and in what order and generally tell EXACTLY what happened to the system...without this you are merely guessing and hoping you see it all. In a UNIX environment this can be especially interesting since everything in UNIX is essentially a file...and it is quite useful in a Windows environment as well.
Can't stress it enough...taking an image does not require removing the HDD (please note you must make sure you have good binaries that haven't been altered (ie, rootkit, which is why an incident response kit is suggested) and in some cases it may be necessary to boot off of a CD to make sure the rootkit isn't interfering (which is where Helix shines) ) and it is very useful in determining exactly what happened...rootkit or no...deleted files or no.
EDIT: Forgot to add, about the only time I would consider NOT imaging the system was if it was a massive file server or SAN/RAID and then the requirements for storage of the image are alot higher...still very useful though and would image if at all possible.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
May 31st, 2005, 06:21 PM
#13
Senior Member
Hello -
Had a discussion with the boss late on Friday.
Unofficially the org has a policy of not aiming to prosecute intruders into the system.
The process of gathering forensics (of a quality suitable for court) is too disruptive and expensive considering the likelyhood of any prosecution is negligable.
The aim of incedent response (for us anyway) is to confirm if an intrusion has occurred, how that intrusion occurred, what the intruder did while in the system and identifying what steps are needed to restore the system to a secure working state.
A lot of the info you've given is still applicable for the process of identifying the weakness in the system but for us gathering evidence for prosecution is way down the list of priorities. I suppose by default if gathering evidence for prosecution is not top of your list then it really isn't on the list at all.
Just curious - but was the incident confirmed as being an internal or external?
Also, as far as procedures go - does your organization have a process/procedure to handle these types of incidents? Or would that fall under DRP/BCP?
-
June 1st, 2005, 10:37 AM
#14
Don't know yet. There should be a follow up meeting today or tomorrow when I should get some more details.
The procedures that are in place are a bit general. They are for any incident that covers the CIA rather than specifically for intrusions.
These incidents are very rare here, 1 intrusion and 1 virus outbreak in the last 3 years , that I've been told about (I've been here 6 months).
-
June 6th, 2005, 12:08 PM
#15
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote