Network Security Focus-Microsoft

RE: Compromised WinXP box prob

Subject: RE: Compromised WinXP box prob
Date: Wed, 19 Mar 2008 18:36:12 -0400
Exactly right on the mark, Laura.  THAT is security 101.  If a box has been
compromised, it is no longer yours and should not be trusted.

Modern malware is now dollar-driven and extremely motivated.  The initial
infection vector is rarely the entire compromise, and the secondary
infections are built to last.  Notice that it is infections, and not
infection.  The attacker seeks out a crack in your defenses and places as
many ways back in as possible, assuming that you will eventually find them
out and patch what you can detect.  They have the same intel or better than
most of us do.  We all know that one detective program will find most
malware, but not all.

I perform incident response daily, and the first rule of thumb is to "get
'em back in business".  Re-imaging takes 20-30 minutes.  First rule of
security is understand your attacker, so before I get 'em back in business,
I take a forensic image of the system whenever possible.  That generally
takes an hour.  My SLA is to have them back in business same or next day,
depending on the criticality of the system and availability of a temp
system.

The trouble ticket closes when the system is restored to functional, but the
investigation is open until I am satisfied that I have learned all that I
can learn from the compromised box(es).

Cheers,
Mark

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Geekwench
Sent: Wednesday, March 19, 2008 4:36 PM
To: Mike Moratz-Coppins; focus-ms@securityfocus.com
Subject: Re: Compromised WinXP box prob

[Quote:]
Of course it is a case of picking the right time to close the 
investigation and to correct the overall problem the quick way, but I am 
sure that everyone on this list used to use an OS reinstall as the answer 
to their problems more often than they do now.
[/Quote:]

Actually, I think you'll find that a significant portion of the people on 
this list use an OS reinstall *more* often than they did in the past, not 
less. If a forensic analysis is needed, that's one thing, but most of the 
people on this list would sooner reinstall than try to repair a compromised 
system. That's Security 101- if your system is compromised, it cannot be 
trusted and you cannot be absolutely certain that you've completely 
remediated whatever was done to it; therefore, a reinstall is pretty much a 
given.

Laura 

