Incident Response Misconceptions
There are two fairly popular and commonly-held
misconceptions within the IT community when it comes
to performing incident response on Windows systems;
that the best and quickest response is to wipe the
hard drive clean and reinstall the system from clean
media, and that the best approach to analyzing a
potentially compromised system is to use a Linux-based
bootable CD such as Knoppix. These may be short term
fixes, but in the long run, the security posture of
your organization will only suffer.
Let's take a look at each of these misconceptions in
turn. If a Windows system is suspected of being
compromised, one of the most popular suggested
responses in the online forums and lists is to
disconnect the system from the network, wipe the hard
drive, and reinstall the system from clean media and
backups. This is the only way that the Windows
administrator can ensure that she's removed all traces
of...whatever it was that was on the system.
While this may be a fairly straight-forward task to
perform, and will generally take a set and planned-for
amount of time, it also shows a serious hole in the
security posture of the organization in question. If
no root cause analysis has been performed to determine
what had actually happened to the system, how can the
administrator protect against it happening again?
Suppose, for example, that the issue at hand is
spyware. If the system administrator doesn't perform
some sort of root cause analysis, how does he
determine how the spyware got on the system, and now
to prevent it from happening in the future? What if
the spyware infection is indicative of a much more
significant issue, such as the installation of network
sniffing software, or of a keylogger that is capturing
personal and corporate data alike?
Remote compromises generally take one of two
flavors...they are either the result of a poorly
configured system, or of poorly written software. The
most prevalent example of a poorly configured system
is one in which there is no Administrator password, or
if it's easily guessed. Buffer overflows are
generally the result of poorly written software.
These being the case, reloading the operating system
from the installation media (or from a ghosted image)
and updating it with all available service packs and
hotfixes will not prevent the issue from occuring
again in the future, if no strong password policy is
being enforced. In essence, the newly-reloaded system
will be placed back on the network and recompromised.
Another issue to consider when reloading archived data
from backups is that if no root cause analysis has
been performed, how does the administrator know
whether or the backups themselves are infected or
similarly compromised? What if the issue is a
backdoor or IRCbot that has been installed for
sometime? If the backups themselves contain that
malware, then reloading data from backup will simply
reload the malware, as well. Once all data has been
reloaded, the Windows administrator is write back
where they started.
Rather than reinstalling the system from clean media
and reloading archived data from backup, Windows
administrators should be performing root cause
analyses to first verify the nature of the issue, and
second to document the resolution of the issue. But
why aren't more system administrators performing root
cause analyses? Is it because they take too long?
The solution to that is simple...training. Properly
trained administrators have no trouble drawing on
their tools and skills to diagnose a system and
determining where the issue lies in a timely manner.
Any task for which someone is trained goes much faster
and is completely accurately, due to familiarity.
With regards to using Linux-based distributions during
incident response activities on Windows systems, let
me begin by asking the question, "why?" When using
such a CD, the system has to be booted to the Linux
operating system, thereby destroying all volatile data
on the system. Everything that is in physical memory
(RAM) disappears and is irretrievable. What sort of
information am I referring to? Running processes,
network connections, the contents of routing tables
and the clipboard...information that is invaluable in
determining the root cause of any suspected issues on
a system.
As with the "wipe and reload" mentality, the solution
to using Linux-based distributions in performing
incident response activities is training. However,
for the training to be valuable, the system
administrator who attends or receives this training
must return to an environment in which that training
has value. IT managers should make professional
development, in general, a requirement of retention
and promotion, and the same requirements must apply
for security-specific training.
There are many training resources available, in the
form of books, web sites, and public and private
instruction. IT managers must consider their business
goals when deciding which resources (or combination
thereof) are best suited for their staff and their
environment.