Incident Response Misconceptions

By Harlan Carvey

There are two fairly popular and commonly held misconceptions within the IT community when it comes to performing incident response on Windows systems: that the best and quickest response is to wipe the hard drive clean and reinstall the system from clean media, and that the best approach to analyzing a potentially compromised system is to use a Linux-based bootable CD such as Knoppix. These may be short-term fixes, but in the long run, the security posture of your organization will only suffer.

Let’s take a look at each of these misconceptions in turn. If a Windows system is suspected of being compromised, one of the most popular suggested responses in the online forums and lists is to disconnect the system from the network, wipe the hard drive, and reinstall the system from clean media and backups. This is the only way that the Windows administrator can ensure that she’s removed all traces of…whatever it was that was on the system.

While this may be a fairly straightforward task to perform, and will generally take a set and planned-for amount of time, it also shows a serious hole in the security posture of the organization in question. If no root cause analysis has been performed to determine what had actually happened to the system, how can the administrator protect against it happening again?

Suppose, for example, that the issue at hand is spyware. If the system administrator doesn’t perform some sort of root cause analysis, how does he determine how the spyware got on the system, and how to prevent it from happening in the future? What if the spyware infection is indicative of a much more significant issue, such as the installation of network sniffing software, or of a keylogger that is capturing personal and corporate data alike?

Remote compromises generally come in one of two flavors…they are either the result of a poorly configured system, or of poorly written software. The most prevalent example of a poorly configured system is one in which there is no Administrator password, or in which it is easily guessed. Buffer overflows are generally the result of poorly written software. This being the case, reloading the operating system from the installation media (or from a ghosted image) and updating it with all available service packs and hotfixes will not prevent the issue from occurring again in the future if no strong password policy is being enforced. In essence, the newly reloaded system will be placed back on the network and recompromised.

Another issue to consider when reloading archived data from backups is that if no root cause analysis has been performed, how does the administrator know whether or not the backups themselves are infected or similarly compromised? What if the issue is a backdoor or IRCbot that has been installed for some time? If the backups themselves contain that malware, then reloading data from backup will simply reload the malware as well. Once all data has been reloaded, the Windows administrator is right back where they started.

Rather than reinstalling the system from clean media and reloading archived data from backup, Windows administrators should be performing root cause analyses, first to verify the nature of the issue, and second to document the resolution of the issue. But why aren’t more system administrators performing root cause analyses? Is it because they take too long? The solution to that is simple…training. Properly trained administrators have no trouble drawing on their tools and skills to diagnose a system and determine where the issue lies in a timely manner. Any task for which someone is trained goes much faster and is completed more accurately, due to familiarity.

With regards to using Linux-based distributions during incident response activities on Windows systems, let me begin by asking the question, “why?” When using such a CD, the system has to be booted to the Linux operating system, thereby destroying all volatile data on the system. Everything that is in physical memory (RAM) disappears and is irretrievable. What sort of information am I referring to? Running processes, network connections, the contents of routing tables and the clipboard…information that is invaluable in determining the root cause of any suspected issues on a system.
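
As an added illustration (not code from the article or from the author’s own toolkit), the following PowerShell script preserves exactly the volatile data named above, from the live Windows system, before anyone reboots it to a live CD or reimages it. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for the Get-Net* cmdlets), an elevated session, and a collection folder under C:\IR, which is an assumed path.

```powershell
# Added example, not from the article: capture volatile state from a live
# Windows host before it is powered off, rebooted or reimaged.
# Assumptions: Windows PowerShell 5.1+, elevated session, C:\IR exists or
# can be created. Run from a known-good copy of PowerShell where possible.
param(
    [string]$OutDir = "C:\IR\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record when and on which host the collection ran; this is the first
# line of the root cause timeline the article argues for.
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collector = $env:USERNAME
    StartUtc  = (Get-Date).ToUniversalTime().ToString('o')
} | Export-Csv (Join-Path $OutDir 'collection_info.csv') -NoTypeInformation

# Most volatile first: what is running, who it is talking to, how the
# host routes traffic, and what sits in the clipboard. Each entry is a
# scriptblock so one failing cmdlet does not stop the rest.
$collections = [ordered]@{
    processes = { Get-Process -IncludeUserName |
                  Select-Object Id, ProcessName, Path, UserName, StartTime }
    tcp       = { Get-NetTCPConnection |
                  Select-Object LocalAddress, LocalPort, RemoteAddress,
                                RemotePort, State, OwningProcess }
    udp       = { Get-NetUDPEndpoint |
                  Select-Object LocalAddress, LocalPort, OwningProcess }
    routes    = { Get-NetRoute |
                  Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric }
    clipboard = { [pscustomobject]@{ Text = (Get-Clipboard -Raw) } }
}

foreach ($name in $collections.Keys) {
    $file = Join-Path $OutDir "$name.csv"
    try {
        & $collections[$name] | Export-Csv -Path $file -NoTypeInformation
    } catch {
        # Keep going; note the failure so the gap is documented, not hidden.
        "$name failed: $($_.Exception.Message)" |
            Out-File (Join-Path $OutDir 'errors.txt') -Append
    }
}

# Hash every artifact so the collection can later be shown to be unaltered.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

The OwningProcess column in the tcp and udp output joins against the Id column in processes.csv, which is what ties a suspicious connection back to the program that opened it.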
As with the “wipe and reload” mentality, the solution to using Linux-based distributions in performing incident response activities is training. However, for the training to be valuable, the system administrator who attends or receives this training must return to an environment in which that training has value. IT managers should make professional development, in general, a requirement of retention and promotion, and the same requirements must apply to security-specific training.

There are many training resources available, in the form of books, web sites, and public and private instruction. IT managers must consider their business goals when deciding which resources (or combination thereof) are best suited for their staff and their environment.

Comments (1)

  1. Anonymous says:

    Harlan Carvey has written an interesting article examining misconceptions around incident response -…