So, You Have Been Cracked. What Next?


As much as we would all like to say that our systems are impenetrable, the truth of the matter is that they aren’t. No matter how much we patch, upgrade, and tune our systems, there are still vulnerabilities that have yet to be discovered. There is always the chance that some recently discovered exploit will be used against your system(s) before a patch is even available from your vendors. That being said, let’s take a look at what your first responses to a break in should be.

The very first thing you will need to do is isolate the system. By this I mean detach it from the network. Do *not* shut the machine down: a shutdown will change the timestamps on several files, some of which you may need to see unaltered during your evaluation.

Before doing anything else (do *not* touch the keyboard yet), take a deep breath and carefully consider what your next move will be. Do you want to do an exhaustive evaluation of the machine that could last for days or even weeks or months? Do you have the time and resources to do such an evaluation? How much damage was done (i.e. do you need to contact the authorities or your company security team)? Do you need to get this system (or systems) back online as soon as possible (I know, that is a dumb question!)? What is the state of your backups? I think you get the point.

Usually, if you have no intrusion detection system (IDS) of any kind, you are in a tight spot at this point. You can read through your logs and hope that your attacker was sloppy and left a trail behind. On the other hand, your attacker may be very talented and, in an effort to distract you, he/she may have left a bunch of false leads in your logs (or elsewhere on your system). Once an intruder has gained access to your system, they can change the timestamps on files, remove and/or make entries in your logs, or do any number of other things in an effort to distract you. Keep this in mind as you inspect your system.
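Two checks of the kind described above, run over a copy of an auth log taken from the isolated machine, as an added example that is not part of the original article. It looks for a trail (a burst of failed logins from one source followed by a successful one) and for one sign of log editing (a line whose timestamp runs backwards relative to the line before it). The log lines, the host name, the user names and the addresses are all constructed for the demonstration; the syslog-style timestamp has no year, so `parse` takes one as a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data). Line 5 is "out of order":
# its timestamp is earlier than line 4's, which is what an inserted or
# edited entry often looks like after the fact.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[2311]: Failed password for root from 10.9.8.7 port 51022 ssh2
Mar  3 02:14:04 web1 sshd[2311]: Failed password for root from 10.9.8.7 port 51022 ssh2
Mar  3 02:14:09 web1 sshd[2314]: Failed password for admin from 10.9.8.7 port 51030 ssh2
Mar  3 02:14:15 web1 sshd[2316]: Accepted password for admin from 10.9.8.7 port 51031 ssh2
Mar  3 01:58:40 web1 sshd[2290]: Accepted publickey for jay from 192.0.2.10 port 40122 ssh2
Mar  3 02:20:33 web1 sshd[2316]: pam_unix(sshd:session): session closed for user admin
"""

# Traditional syslog line: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)
# sshd authentication result messages
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(text, year=2000):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"lineno": lineno, "ts": ts, "host": m["host"],
                       "proc": m["proc"], "msg": m["msg"]})
    return events


def time_regressions(events):
    """Line numbers whose timestamp is earlier than the preceding line's.

    syslog appends in arrival order, so a backwards jump is worth a second
    look: either the clock moved, or someone edited the file.
    """
    return [cur["lineno"] for prev, cur in zip(events, events[1:])
            if cur["ts"] < prev["ts"]]


def login_summary(events):
    """Per source address: number of failed logins and list of accepted users."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": []})
    for e in events:
        m = AUTH_RE.match(e["msg"])
        if not m:
            continue
        entry = summary[m["src"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append(m["user"])
    return dict(summary)


def suspect_sources(summary, threshold=3):
    """Sources that failed at least `threshold` times and then got in."""
    return sorted(src for src, e in summary.items()
                  if e["failed"] >= threshold and e["accepted"])


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("out-of-order lines:", time_regressions(ev))
    print("suspect sources:", suspect_sources(login_summary(ev)))
```

Run it against a copy of the log, not the live file on the compromised host, so that the inspection itself does not alter access times on the evidence.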

The quickest, safest, and probably easiest thing to do is reinstall the operating system and rebuild the machine from backups. You can probably rebuild, restore and repatch a machine in a day or less, depending on the state of your backup and the number of services running on that machine. The problem with this is that you still don’t know anything about how the attacker got in, and you run the risk of being cracked again. If you did have an IDS installed on the machine, you can perform an audit. This should give you a good idea of which files were altered, by whom and at what time. At a minimum, you could simply replace the corrupted files and apply any new patches from your vendor.
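The audit the paragraph above describes (which files were altered, and when) depends on having a trusted baseline recorded before the break-in. The following is an added example, not code from the article or from any particular IDS product, of the minimum such a baseline needs: a content hash plus ownership and mtime/ctime for every regular file, and a comparison that reports added, removed and modified files. It also shows why the hash matters more than the timestamp: the demo replaces a file and then puts its original mtime back, as the earlier paragraph warns an intruder can do, and the hash comparison still catches it. Directory layout and file contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Record SHA-256, size, owner uid and mtime/ctime (ns) for each regular file.

    Only reads are performed, so taking a snapshot on the isolated machine
    does not change mtime or ctime on the files being recorded.
    """
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, etc.
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            records[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "uid": st.st_uid,
                "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return records


def audit(baseline, current):
    """Compare two snapshots; report added, removed and modified files.

    A file whose content changed while its mtime stayed identical is listed
    again under "mtime_reset": that pattern is what is left behind when a
    replaced file has its timestamp put back. ctime cannot be reset the same
    way (it is set by the kernel on every inode change), so a changed ctime
    next to an unchanged mtime corroborates the finding.
    """
    report = {"added": [], "removed": [], "modified": [], "mtime_reset": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
            if baseline[rel]["mtime_ns"] == current[rel]["mtime_ns"]:
                report["mtime_reset"].append(rel)
    return report


def demo():
    """Build a constructed tree, baseline it, simulate tampering, and audit."""
    root = tempfile.mkdtemp(prefix="ir-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0\n")
        baseline = snapshot(root)

        # Simulated tampering (constructed): replace bin/ls, restore its old
        # mtime so a timestamp-only check sees nothing, and drop in a new
        # hidden file.
        ls_path = os.path.join(root, "bin", "ls")
        with open(ls_path, "wb") as fh:
            fh.write(b"trojaned ls binary\n")
        old_ns = baseline["bin/ls"]["mtime_ns"]
        os.utime(ls_path, ns=(old_ns, old_ns))
        with open(os.path.join(root, ".sniffer"), "wb") as fh:
            fh.write(b"x")

        return audit(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:12s} {files}")
```

Keep the baseline off the machine it describes (on read-only media or another host); a baseline stored next to the files it covers can be edited along with them, which is the "corrupted IDS" case the next paragraph raises.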

I don’t recommend simply replacing the corrupted files, for several reasons. First of all, your IDS could have been corrupted by the attacker. Yes, this is very unlikely, especially if you have taken the time to properly tune your database, but it is possible. Secondly, how sure are you that your IDS will detect everything that may have been altered? There is simply too much risk that a Trojan, sniffer or other cracking tool could have been slipped in under your nose. Save yourself the aggravation of being cracked again and reinstall the operating system.

If you do decide to evaluate the damage done, you will probably need some forensic tools. For the *nixes, there is The Coroner’s Toolkit, which is free (open source) to download and use. It can be found here (see below).

If you are interested in forensics tools, do a search on Google.com for “computer forensic software” without the quotes. This yielded about 82,000 results for me, so if you want to be more specific simply add additional search terms.

There are also many free and commercial file recovery programs available for most common operating systems and/or file systems. Again, do a search on Google, and be prepared to do some reading. In fact, included with The Coroner’s Toolkit are some file recovery utilities.

Jay Fougere is the IT manager for the iEntry network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@ientry.com.
