Incident Response Misconceptions

By Harlan Carvey


There are two fairly popular and commonly held misconceptions within the IT community when it comes to performing incident response on Windows systems: that the best and quickest response is to wipe the hard drive clean and reinstall the system from clean media, and that the best approach to analyzing a potentially compromised system is to use a Linux-based bootable CD such as Knoppix.  These may be short-term fixes, but in the long run, the security posture of your organization will only suffer.

Let’s take a look at each of these misconceptions in turn.  If a Windows system is suspected of being compromised, one of the most popular suggested responses in the online forums and lists is to disconnect the system from the network, wipe the hard drive, and reinstall the system from clean media and backups.  This is the only way that the Windows administrator can ensure that she’s removed all traces of…whatever it was that was on the system.

While this may be a fairly straightforward task to perform, and will generally take a set and planned-for amount of time, it also shows a serious hole in the security posture of the organization in question.  If no root cause analysis has been performed to determine what actually happened to the system, how can the administrator protect against it happening again?

Suppose, for example, that the issue at hand is spyware.  If the system administrator doesn’t perform some sort of root cause analysis, how does he determine how the spyware got on the system, and how to prevent it from happening in the future?  What if the spyware infection is indicative of a much more significant issue, such as the installation of network sniffing software, or of a keylogger that is capturing personal and corporate data alike?

Remote compromises generally take one of two flavors…they are either the result of a poorly configured system, or of poorly written software.  The most prevalent example of a poorly configured system is one in which there is no Administrator password, or the password is easily guessed.  Buffer overflows are generally the result of poorly written software.  That being the case, reloading the operating system from the installation media (or from a ghosted image) and updating it with all available service packs and hotfixes will not prevent the issue from occurring again in the future, if no strong password policy is being enforced.  In essence, the newly reloaded system will be placed back on the network and recompromised.
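One way to make the point above testable before a rebuilt host goes back on the network, as an added PowerShell example that is not part of Carvey’s article: it checks the configuration weaknesses the article names (an enabled local account with no password required, a password policy the host does not actually enforce, no account lockout, and a patch level that is not current). It assumes PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016 or later), an elevated prompt on the rebuilt host, and thresholds (`$MinPasswordLength`, `$MaxPatchAgeDays`) that are placeholders to be aligned with the organization’s own policy.

```powershell
# Added example (not from the article): pre-reconnection checks for a reloaded
# Windows host. Assumes PowerShell 5.1+, the LocalAccounts module, and an
# elevated prompt. The two thresholds below are assumptions, not policy.
$MinPasswordLength = 14     # assumed organisational minimum
$MaxPatchAgeDays   = 30     # assumed: newest hotfix older than this is a finding
$fail = @()                 # blocking findings; host stays off the network
$info = @()                 # items to record in the rebuild documentation

# 1. Enabled local accounts that do not require a password, or whose password
#    has never been set: the "no Administrator password" configuration.
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
    if (-not $u.PasswordRequired) {
        $fail += "Account '$($u.Name)' is enabled and does not require a password"
    } elseif ($null -eq $u.PasswordLastSet) {
        $fail += "Account '$($u.Name)' is enabled but its password has never been set"
    }
}

# 2. Local Administrators membership. Every member should be explained in the
#    root cause write-up, so it is recorded here rather than judged.
$admins = Get-LocalGroupMember -Group "Administrators" | ForEach-Object { $_.Name }
$info += "Local Administrators: $($admins -join ', ')"

# 3. The password and lockout policy the host actually enforces. secedit exports
#    an INI-style (UTF-16) file whose [System Access] keys are locale-independent.
$cfg = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $cfg /quiet | Out-Null
$sec = @{}
foreach ($line in (Get-Content $cfg -Encoding Unicode)) {
    if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $sec[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ([int]$sec["MinimumPasswordLength"] -lt $MinPasswordLength) {
    $fail += "MinimumPasswordLength is $($sec['MinimumPasswordLength']); policy requires $MinPasswordLength"
}
if ([int]$sec["PasswordComplexity"] -ne 1) { $fail += "Password complexity is not enforced" }
if ([int]$sec["LockoutBadCount"] -eq 0)   { $fail += "No account lockout threshold; password guessing is unlimited" }

# 4. Patch state: the newest installed hotfix is a rough "is it current" signal.
$newest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $newest) {
    $fail += "No hotfixes are recorded as installed"
} elseif ($newest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $fail += "Newest hotfix $($newest.HotFixID) was installed $($newest.InstalledOn.ToShortDateString())"
} else {
    $info += "Newest hotfix: $($newest.HotFixID) on $($newest.InstalledOn.ToShortDateString())"
}

# Report. The rebuild is not finished until the FAIL list is empty and the INFO
# lines sit in the incident record next to the documented root cause.
$info | ForEach-Object { "INFO  $_" }
$fail | ForEach-Object { "FAIL  $_" }
if ($fail.Count -gt 0) { exit 1 } else { "OK    host passes pre-reconnection checks"; exit 0 }
```

The script deliberately reports rather than fixes: a non-zero exit is the signal that the root cause the article asks for has not been addressed, and the INFO lines are the material that belongs in the written resolution of the incident.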

Another issue to consider when reloading archived data from backups is that if no root cause analysis has been performed, how does the administrator know whether or not the backups themselves are infected or similarly compromised?  What if the issue is a backdoor or IRCbot that has been installed for some time?  If the backups themselves contain that malware, then reloading data from backup will simply reload the malware, as well.  Once all data has been reloaded, the Windows administrator is right back where they started.

Rather than reinstalling the system from clean media and reloading archived data from backup, Windows administrators should be performing root cause analyses to first verify the nature of the issue, and second to document the resolution of the issue.  But why aren’t more system administrators performing root cause analyses?  Is it because they take too long?  The solution to that is simple…training.  Properly trained administrators have no trouble drawing on their tools and skills to diagnose a system and determine where the issue lies in a timely manner.  Any task for which someone is trained goes much faster and is completed accurately, due to familiarity.

With regard to using Linux-based distributions during incident response activities on Windows systems, let me begin by asking the question, “why?”  When using such a CD, the system has to be booted to the Linux operating system, thereby destroying all volatile data on the system.  Everything that is in physical memory (RAM) disappears and is irretrievable.  What sort of information am I referring to?  Running processes, network connections, the contents of routing tables and the clipboard…information that is invaluable in determining the root cause of any suspected issues on a system.
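The volatile data listed above can be preserved from the running system before it is shut down or booted from other media. The following PowerShell script is an added example and not part of Carvey’s article: it collects the items the paragraph names (processes, network connections, routing table, clipboard) plus a few closely related ones (logged-on users, ARP cache, services), in roughly decreasing order of volatility, and hashes every output file so the copies can later be shown to be unaltered. It assumes PowerShell 5.1 or later with the NetTCPIP module (Windows 8 / Server 2012 or later), an elevated prompt on the suspect host, and an output root (`E:\IR`) that is a placeholder for removable or network storage.

```powershell
# Added example (not from the article): capture volatile state from a live
# Windows host BEFORE it is powered off or booted from other media.
# Assumes PowerShell 5.1+ and the NetTCPIP module, run elevated on the suspect
# machine. $OutRoot is a placeholder; point it at removable or network storage,
# never at the suspect host's own disk if that can be avoided.
param(
    [string]$OutRoot = "E:\IR"
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# A collection log records what was run and when, so the responder's own
# actions can be told apart from the attacker's when the data is reviewed.
$log = Join-Path $outDir "collection.log"
function Write-Log([string]$msg) {
    $line = "$(Get-Date -Format o) $msg"
    Add-Content -Path $log -Value $line
    Write-Host $line
}

# Each collector writes one file. Most volatile first: memory-resident state
# such as connections and the clipboard changes or disappears fastest.
$collectors = [ordered]@{
    "system-time.txt"     = { Get-Date -Format o; (Get-TimeZone).Id }
    "logged-on-users.txt" = { query user 2>&1 }
    "processes.csv"       = { Get-Process -IncludeUserName |
                              Select-Object Id, ProcessName, Path, UserName, StartTime, Company |
                              ConvertTo-Csv -NoTypeInformation }
    "tcp-connections.csv" = { Get-NetTCPConnection |
                              Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
                              ConvertTo-Csv -NoTypeInformation }
    "udp-endpoints.csv"   = { Get-NetUDPEndpoint |
                              Select-Object LocalAddress, LocalPort, OwningProcess |
                              ConvertTo-Csv -NoTypeInformation }
    "routing-table.csv"   = { Get-NetRoute |
                              Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
                              ConvertTo-Csv -NoTypeInformation }
    "arp-cache.csv"       = { Get-NetNeighbor |
                              Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
                              ConvertTo-Csv -NoTypeInformation }
    "clipboard.txt"       = { Get-Clipboard -Raw }
    "services.csv"        = { Get-CimInstance Win32_Service |
                              Select-Object Name, State, StartMode, PathName |
                              ConvertTo-Csv -NoTypeInformation }
}

foreach ($name in $collectors.Keys) {
    $file = Join-Path $outDir $name
    Write-Log "BEGIN $name"
    try {
        & $collectors[$name] | Out-File -FilePath $file -Encoding utf8
    } catch {
        # A failed collector is logged, not fatal: the remaining data is still worth having.
        Write-Log "ERROR $name : $($_.Exception.Message)"
    }
    Write-Log "END   $name"
}

# Hash every artifact so later analysis can show the copies were not altered.
Get-ChildItem $outDir -File |
    Where-Object { $_.Name -ne "hashes.sha256" } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir "hashes.sha256") -NoTypeInformation
Write-Log "Collection complete; artifacts in $outDir"
```

Running anything on a live system changes it; the log and the hash list exist so that those changes are documented and the collected files can be tied to the moment of collection, which is what allows them to feed a root cause analysis rather than just a hunch.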

As with the “wipe and reload” mentality, the solution to using Linux-based distributions in performing incident response activities is training.  However, for the training to be valuable, the system administrator who attends or receives this training must return to an environment in which that training has value.  IT managers should make professional development, in general, a requirement of retention and promotion, and the same requirements must apply for security-specific training.

There are many training resources available, in the form of books, web sites, and public and private instruction.  IT managers must consider their business goals when deciding which resources (or combination thereof) are best suited for their staff and their

Comments (1)

  1. Anonymous says:

    Harlan Carvey has written an interesting article examining misconceptions around incident response -…