What do you do for Incident Response

Discussion in 'other security issues & news' started by lunarlander, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi,

    What do you guys do for incident response? I see everyone is interested in hardening procedures. But what do you do when you suspect some hacker is attacking?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If a hacker's attacking me I'm shutting my computer down... that's my incident response.

    EDIT: Actually I'd probably just shut Wifi off and then turn my router off. Maybe contact my ISP. Depends.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Could you be more specific regarding what you call an "incident?" Some security packages regard a port scan as an incident and will interrupt whatever you're doing to tell you about it. IMO, that's about as useful as a vehicle alarm that sounds whenever something touches your car in a busy parking lot. For the most part, I don't want to be alerted to my system being probed. It's too commonplace.

    I do log all unpermitted application activity and outbound internet access attempts and periodically check them, albeit a lot less often than I used to. Can't remember the last time I saw anything out of the ordinary there. With default-deny, there isn't much to see. Beyond that, it's hard to be more specific without knowing exactly what the incident is.
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Ok I will be more specific. One time, several months ago, I ran sfc /scannow during a regular system check and found a shimgvw.dll with deny permissions set for everything. That is the photo gallery viewer, and belongs to the OS. That, to me, seems like to me that someone has edited the permissions, which would require admin rights to do. The file is owned by TrustedInstaller, but an admin can run SecEdit to modify the perms. Since this is a production machine ( wife's machine is a production machine :) , nothing is allowed to go wrong ), I assumed it was 0wned and proceded to to reimage the machine. I now regret that I missed to opportunity to fully investigate the system. What would you do to investigate this?

    The machine has an outdated version of QuickTime and ITunes. So in hindsight, I attributed that as point of entry.
     
    Last edited: Oct 8, 2011
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I wouldn't bother investigating. I'd either take it to my IT Admin if it was corporate or reformat if it was personal.

    I'd probably check my router to see if it's been hacked, again probably call my ISP, and then harden my computer further.
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    There must be something to do for investigating. How else would we know how to prevent a similar attack in the future?
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Normally, I'd start with system activity and HIPS event logs (if you use one) and look for events whose times and dates match up to the dates on the altered file(s).

    By itself, I can't see where that change would benefit an attacker in any way. IMO, I'd suspect a bad disk write, possibly from a bad shutdown or a power fluctuation is the more likely cause. This is assuming that this file is the only one altered.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If I think I have malware, again, the first thing I do is shut off my internet (there's a hardware switch.)

    That's the most important thing to do as a first step in my opinion. I don't care what's on my machine if it can't connect to a network and leak my information/ bring over more crap.

    I would try to identify the malware, which I think is the most important thing when removing malware.

    Then it's cleanup time.

    After cleaning up I'd probably backup and reformat. Depends on what malware I've gotten. I have Win8 now so I could easily just "Reset" my computer.
     
  9. x942

    x942 Guest

    I haven't been infected in years. but when I am I just wipe the MBR with a Zero wipe to ensure now rootkits or bootkits are present and then reinstall an image taken with clonezilla.

    For friends/family all I do is a fresh install as all they use their PC's for is music and web browsing.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    noone particular,

    I think maybe the attacker wants to disrupt normal operation: stop the user from viewer photos.

    ----------------
    MrBrian,

    Thanks for the link. I'll look into what log2timeline can do.

    ----------------
    X942

    Didn't even think about wiping the MBR. Thanks, I'll add that to my procedure.

    ----------------
    Hungry Man

    Did you go to some online education site to learn about malware removal? I've once joined one, but they kicked me out because I didn't log in for 2 weeks.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That would be a rather strange attack, especially when it wouldn't stop a 3rd party image viewer from working. Was there any other changes to the system that you know of?
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    More free programs to investigate what happened on the suspect computer:
    Windows Journal Parser
    RegRipper
    RegExtract
    OSForensics
     
  14. wat0114

    wat0114 Guest

    No wasting time here trying to find out what went wrong because it's usually so obvious. An "incident" for me is (most of the time) one or more software installs I don't like, so I just go ahead and restore an earlier image of my choice. As for suspected malware, this hasn't happened to me in many years.
     
  15. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Noone particular,

    No, I stopped looking for more after seeing the deny permissions on that file. I concluded that the attacker gained admin privileges and decided to reimage.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Theoretically, if I found unexpected changes to my system, I'd disconnect the affected system from the network or internet, try to determine the extent of the compromise, and if possible, try to determine how it was accomplished. In the end, I'd most likely use a backup image, but I'd first try to figure out how I was compromised and try to close that weakness. Otherwise, I'd be restoring a system with the same vulnerability.

    If that permission change was the extent of the change, I'd be inclined to chalk it up to a bad disk write. If you're certain it was more than that, you might want to add a regular integrity checking of your system files. There's several that can do that on a schedule and on demand.
     
  17. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    I want to determnie this too. But I don't know how.
     
Loading...
Thread Status:
Not open for further replies.