What do you do for Incident Response

Discussion in 'other security issues & news' started by lunarlander, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    What do you guys do for incident response? I see everyone is interested in hardening procedures. But what do you do when you suspect some hacker is attacking?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If a hacker's attacking me I'm shutting my computer down... that's my incident response.

    EDIT: Actually I'd probably just shut Wifi off and then turn my router off. Maybe contact my ISP. Depends.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Could you be more specific regarding what you call an "incident?" Some security packages regard a port scan as an incident and will interrupt whatever you're doing to tell you about it. IMO, that's about as useful as a vehicle alarm that sounds whenever something touches your car in a busy parking lot. For the most part, I don't want to be alerted to my system being probed. It's too commonplace.

    I do log all unpermitted application activity and outbound internet access attempts and periodically check them, albeit a lot less often than I used to. Can't remember the last time I saw anything out of the ordinary there. With default-deny, there isn't much to see. Beyond that, it's hard to be more specific without knowing exactly what the incident is.
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Ok I will be more specific. One time, several months ago, I ran sfc /scannow during a regular system check and found a shimgvw.dll with deny permissions set for everything. That is the photo gallery viewer, and belongs to the OS. That, to me, seems like someone has edited the permissions, which would require admin rights to do. The file is owned by TrustedInstaller, but an admin can run SecEdit to modify the perms. Since this is a production machine ( wife's machine is a production machine :) , nothing is allowed to go wrong ), I assumed it was 0wned and proceeded to reimage the machine. I now regret that I missed the opportunity to fully investigate the system. What would you do to investigate this?

    The machine has an outdated version of QuickTime and iTunes. So in hindsight, I attributed that as the point of entry.
     
    Last edited: Oct 8, 2011
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wouldn't bother investigating. I'd either take it to my IT Admin if it was corporate or reformat if it was personal.

    I'd probably check my router to see if it's been hacked, again probably call my ISP, and then harden my computer further.
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    There must be something to do for investigating. How else would we know how to prevent a similar attack in the future?
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Normally, I'd start with system activity and HIPS event logs (if you use one) and look for events whose times and dates match up to the dates on the altered file(s).

    By itself, I can't see where that change would benefit an attacker in any way. IMO, a bad disk write, possibly from a bad shutdown or a power fluctuation, is the more likely cause. This is assuming that this file is the only one altered.
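The log-to-file-time correlation described in the post above, as an added example (not noone_particular's own tooling). The log lines, their `<ISO timestamp> <source> <message>` layout and the file change time are all constructed; real HIPS and Windows event logs need their own parsers or a tool such as log2timeline, and the pivot time for a permission-only change should come from the NTFS MFT-modified timestamp (content mtime does not move when only the ACL changes).

```python
from datetime import datetime, timedelta

# Added example, not from the original post. Log lines are constructed in an
# assumed "<ISO timestamp> <source> <message>" format.
SAMPLE_LOG = """\
2011-09-14T20:58:03 HIPS allowed C:\\Program Files\\QuickTime\\QuickTimePlayer.exe -> outbound TCP 80
2011-09-14T21:02:41 HIPS blocked C:\\Users\\wife\\AppData\\Local\\Temp\\qtupdate.tmp -> create process
2011-09-14T21:03:10 SYSTEM service Windows Modules Installer (TrustedInstaller) started
2011-09-14T21:03:12 HIPS allowed C:\\Windows\\System32\\secedit.exe -> modify permissions C:\\Windows\\System32\\shimgvw.dll
2011-09-15T07:30:00 SYSTEM boot system started
"""

# Constructed: the timestamp an analyst took from the altered file's metadata.
FILE_CHANGE_TIME = datetime(2011, 9, 14, 21, 3, 12)


def parse_log(text):
    """Return (timestamp, source, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def events_near(text, pivot, window_minutes=10):
    """Events within +/- window_minutes of the file change time, oldest first.
    Start with a tight window and widen it; the closest events are read first."""
    window = timedelta(minutes=window_minutes)
    return sorted(e for e in parse_log(text) if abs(e[0] - pivot) <= window)


def print_timeline(text, pivot, window_minutes=10):
    """Print each nearby event with its offset (seconds) from the pivot time."""
    for ts, source, msg in events_near(text, pivot, window_minutes):
        delta = (ts - pivot).total_seconds()
        print(f"{ts.isoformat()}  {delta:+7.0f}s  {source:6}  {msg}")


if __name__ == "__main__":
    print_timeline(SAMPLE_LOG, FILE_CHANGE_TIME, window_minutes=10)
```

Note that a Windows Security event log only records who changed an object's permissions if object-access auditing (a SACL on the file) was configured before the change, so on a default home install the HIPS log is usually the only record of the process involved.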
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If I think I have malware, again, the first thing I do is shut off my internet (there's a hardware switch.)

    That's the most important thing to do as a first step in my opinion. I don't care what's on my machine if it can't connect to a network and leak my information/ bring over more crap.

    I would try to identify the malware, which I think is the most important thing when removing malware.

    Then it's cleanup time.

    After cleaning up I'd probably backup and reformat. Depends on what malware I've gotten. I have Win8 now so I could easily just "Reset" my computer.
     
  9. x942

    x942 Guest

    I haven't been infected in years, but when I am I just wipe the MBR with a zero wipe to ensure no rootkits or bootkits are present and then reinstall an image taken with Clonezilla.

    For friends/family all I do is a fresh install as all they use their PCs for is music and web browsing.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    noone particular,

    I think maybe the attacker wants to disrupt normal operation: stop the user from viewing photos.

    ----------------
    MrBrian,

    Thanks for the link. I'll look into what log2timeline can do.

    ----------------
    X942

    Didn't even think about wiping the MBR. Thanks, I'll add that to my procedure.

    ----------------
    Hungry Man

    Did you go to some online education site to learn about malware removal? I've once joined one, but they kicked me out because I didn't log in for 2 weeks.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That would be a rather strange attack, especially when it wouldn't stop a 3rd party image viewer from working. Were there any other changes to the system that you know of?
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    More free programs to investigate what happened on the suspect computer:
    Windows Journal Parser
    RegRipper
    RegExtract
    OSForensics
     
  14. wat0114

    wat0114 Guest

    No wasting time here trying to find out what went wrong because it's usually so obvious. An "incident" for me is (most of the time) one or more software installs I don't like, so I just go ahead and restore an earlier image of my choice. As for suspected malware, this hasn't happened to me in many years.
     
  15. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Noone particular,

    No, I stopped looking for more after seeing the deny permissions on that file. I concluded that the attacker gained admin privileges and decided to reimage.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Theoretically, if I found unexpected changes to my system, I'd disconnect the affected system from the network or internet, try to determine the extent of the compromise, and if possible, try to determine how it was accomplished. In the end, I'd most likely use a backup image, but I'd first try to figure out how I was compromised and try to close that weakness. Otherwise, I'd be restoring a system with the same vulnerability.

    If that permission change was the extent of the change, I'd be inclined to chalk it up to a bad disk write. If you're certain it was more than that, you might want to add a regular integrity checking of your system files. There's several that can do that on a schedule and on demand.
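The scheduled integrity check suggested above, as an added example rather than any of the packages the post alludes to. It records a SHA-256 hash, size and a permission descriptor for system files under a root, and reports what differs between two runs. A hash-only checker would have missed the shimgvw.dll case (the contents were untouched), which is why the permission field is part of the baseline. All paths, file names and contents in the demo are constructed; `icacls` is the real Windows command, used only when the script runs on Windows, and the demo's simulated permission change is POSIX-style chmod.

```python
import hashlib
import json
import os
import shutil
import stat
import subprocess
import sys
import tempfile
from fnmatch import fnmatch

# Added example, not the original post's or any named product's code.


def sha256_of(path, chunk=1 << 20):
    """Hash contents in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def posix_perms(path):
    """Permission descriptor on POSIX: the ls-style mode string."""
    return stat.filemode(os.stat(path).st_mode)


def windows_perms(path):
    """Permission descriptor on Windows: the ACL as printed by icacls,
    joined into one whitespace-normalised string so it compares as a value."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    aces = [" ".join(ln.split()) for ln in out.splitlines()
            if ln.strip() and not ln.startswith("Successfully processed")]
    return " | ".join(aces)


def perm_reader():
    return windows_perms if sys.platform == "win32" else posix_perms


def build_baseline(root, patterns=("*.dll", "*.exe", "*.sys")):
    """Map relative path -> {sha256, size, perms} for each matching file under root."""
    read_perms = perm_reader()
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch(name.lower(), p) for p in patterns):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_of(full),
                             "size": os.path.getsize(full),
                             "perms": read_perms(full)}
    return baseline


def compare(old, new):
    """Report files added, removed, and for those in both runs which fields differ
    (a 'perms'-only change is exactly the shimgvw.dll symptom from the thread)."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": {}}
    for rel in sorted(set(old) & set(new)):
        fields = [k for k in ("sha256", "size", "perms") if old[rel][k] != new[rel][k]]
        if fields:
            report["changed"][rel] = fields
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def run_demo():
    """Baseline a constructed tree, simulate the changes a second scheduled run
    might find, and return the comparison report."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        sysdir = os.path.join(root, "System32")
        os.makedirs(sysdir)
        for name in ("shimgvw.dll", "other.dll", "helper.exe"):
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(b"constructed contents of " + name.encode())
        with open(os.path.join(sysdir, "readme.txt"), "w") as f:
            f.write("not tracked: does not match the patterns\n")
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        os.chmod(os.path.join(sysdir, "shimgvw.dll"), 0o400)   # permissions only
        with open(os.path.join(sysdir, "other.dll"), "ab") as f:
            f.write(b"\x90")                                    # content changed
        os.remove(os.path.join(sysdir, "helper.exe"))           # file removed
        with open(os.path.join(sysdir, "dropped.dll"), "wb") as f:
            f.write(b"new file")                                # file added
        return compare(load_baseline(baseline_file), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For scheduled use, run `build_baseline` once on a known-good system (ideally right after imaging), keep the JSON somewhere the checked system cannot rewrite, and have the scheduled job compare a fresh baseline against it; the report is what you then correlate with HIPS and event logs.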
     
  17. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    I want to determine this too. But I don't know how.
     