Since the man responsible for that phrase is likely dead enough not to sue us for slander, we are going to blame him for the recent Chinese hacking of MP workstations in the Canadian government.
On a serious note consider the following:
- Renting servers “in the cloud” is really handy for spinning up a quick platform for launching pentesting tools at a target and hosting malicious content.
- The attacker can reside in any country, but launch from a newsworthy location like China or Russia and create an excellent smoke screen.
- Normal tools like IP reputation and signature matching are very ineffective because this hacking platform will disappear as fast as it appeared, and it shares the same IP space with many legitimate businesses. Like a coyote wearing a sheep costume, it’s pretty hard to tell good from bad through binoculars.
A quick blog search and RSS review proved once again that Canadian security incidents do not make a lot of news outside of Canada. The articles I did find were mostly recycled CBC news reports, nothing deeply technical like the Aurora analysis. Consequently there is no analysis to debate, but we have learned from the field over the years, and there are some possible lessons from this that can translate to the businesses paying the taxes that will fund this clean up.
All that has been officially reported so far is that a couple of MP machines were owned and that internet access for those departments was disabled during the investigation. Most stories indicate it started with spear phishing.
This is an old story:
“receive credible email or return a targeted search result, click a few links, computer now talking to some anonymous server…”
Since this is exactly how legitimate information is also shared, is it reasonable to expect any security software, or an end user, to correctly tell the sheep from the masquerading coyotes 100% of the time?
Probably not, so what do you do?
Disconnecting won’t work!
There is too little friction in the new information flow model for us to ever go back to paper files, Canada Post and telephone queues to data entry workers in front of green screens.
Temporary disconnection to assess the damage may have been the right call; again, no details, so no point second-guessing the responders. It’s almost certain that while the internet was down, department business was still done, and it is possible data was now travelling out via USB sticks and smart phones. One company I know lost their internet for a week and those without BlackBerrys just took the data home and sent email from their home PCs. It’s like Jurassic Park after the sterile dinosaurs learned how to breed again: the data will get out.
I agree with the premise that we need to accept that systems are going to get owned, so the question becomes: what is worth taking? The sad news is most companies don’t really stop to think about it and advise their IT staff or IT provider, so the security professional secures according to an arbitrary standard instead of a custom fit.
For some SMBs, the prize is nothing more than yet another free computer resource, others have customer records that are valuable, and the odd company has some intellectual property worth taking.
No sense calling in the RCMP when a bare metal restore will solve the botnet problem in about 4 hours, but what about IP or customer information breaches? If the test is “what would a reasonable person do?”, then some insight into the targets, or at least the capabilities of the exploit(s), is in order.
All too often the IT incident response model is to rebuild the machine rather than look for a root cause. Putting on the business hat, the fastest/cheapest way back to a known good state is sound. Put the gray hat back on and there is a big “ya but” that comes up.
A stolen physical article is easy to identify; a stolen digital copy is very difficult to detect.
While the compromised machine may be back to its former trustable self in 15 minutes through an image restore, a lingering doubt should remain:
- How did it get owned in the first place?
- What other machines may have been touched, or certainly were not touched?
- What other credentials were on that machine?
- What data was visible from that machine and from all accounts on that machine?
- How many of those accounts are still valid with the credentials stored on that machine?
- How long was it compromised for?
- ___ ___ ____, (fill in the gaps that match your nightmares)
A good incident response plan gets the business back up and running as fast as possible. A great incident response plan has provision for true root cause analysis that can answer these questions. Ideally this includes the ability to take some of the compromised machines offline for forensic analysis, giving the user a replacement to get back to work. This is more difficult with company-wide servers, but snapshots, logging and audit trails may really help out here.
Thanks to terabyte storage arrays and local drives, the old school “image the disk, send it to the lab, wait forever” approach is probably not going to return much value for most SMB IT; it’s just too slow and costly. The SANS forensics curriculum includes behaviour analysis and timeline analysis in its methodology for getting to the facts. For this to work well, knowledge of the high value targets within the company, as well as of common exploits and techniques in the wild, will help determine what the intruders may have been up to, and what they were not capable of.
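As an added illustration of the timeline analysis described above (example code, not from the original post or from SANS), the script below merges constructed proxy and logon audit lines for one workstation, bounds the compromise window by its first and last contact with a destination outside the organisation's own baseline of normal destinations (a static allow-list stands in for that baseline here), and then lists the hosts and credentials used from the machine inside that window, answering the "how long", "what other machines" and "what credentials" questions from the list above. All hostnames, addresses, account names and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts host kind detail")

# Constructed sample logs: proxy lines (ts host method url status) and
# Windows-style network logon audit lines (ts host LOGON type user target).
PROXY_LOG = """\
2011-02-14T09:02:11 ws-mp-07 GET http://news-example.invalid/budget.html 200
2011-02-14T09:02:40 ws-mp-07 GET http://198.51.100.23/update.php 200
2011-02-14T09:05:03 ws-mp-07 POST http://198.51.100.23/c 200
2011-02-15T17:45:30 ws-mp-07 POST http://198.51.100.23/c 200
"""
AUTH_LOG = """\
2011-02-14T09:40:12 ws-mp-07 LOGON type=3 user=jdoe target=fs-finance-01
2011-02-14T10:12:55 ws-mp-07 LOGON type=3 user=svc_backup target=dc-01
2011-02-14T11:00:00 ws-mp-12 LOGON type=2 user=asmith target=ws-mp-12
"""

# Constructed baseline of destinations the organisation normally talks to.
# IP reputation will not flag a short-lived cloud host, so the signal used is
# "destination we have never seen before", not "destination on a blocklist".
KNOWN_GOOD = {"news-example.invalid"}


def parse(proxy: str, auth: str) -> list:
    """Normalise both log sources into one chronologically sorted timeline."""
    events = []
    for line in proxy.splitlines():
        ts, host, _method, url, _status = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, "web", url.split("/")[2]))
    for line in auth.splitlines():
        ts, host, _, _typ, user, target = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, "logon",
                            (user.split("=")[1], target.split("=")[1])))
    return sorted(events, key=lambda e: e.ts)


def analyse(events: list, victim: str = "ws-mp-07"):
    """Bound the compromise window by first/last contact with an unknown
    destination, then list hosts and accounts the victim used inside it."""
    c2 = [e for e in events if e.host == victim and e.kind == "web"
          and e.detail not in KNOWN_GOOD]
    if not c2:
        return None  # nothing outside the baseline: no window to report
    first, last = c2[0].ts, c2[-1].ts
    moves = [e.detail for e in events
             if e.host == victim and e.kind == "logon" and first <= e.ts <= last]
    return {"first_contact": first, "last_contact": last,
            "duration_hours": round((last - first).total_seconds() / 3600, 1),
            "touched_hosts": sorted({t for _, t in moves}),
            "exposed_accounts": sorted({u for u, _ in moves})}


if __name__ == "__main__":
    print(analyse(parse(PROXY_LOG, AUTH_LOG)))
```

The window and the touched-host list are only as good as the retention of the proxy and logon audit logs, which is the practical argument for the snapshots, logging and audit trails mentioned above.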
You may never know what the malicious party wanted or did, but ruling out what the attack didn’t do, or didn’t get, is just as important when the big boss says:
“the media is downstairs, do we know if they accessed ___ ____ ____?” (fill in the blanks with your nightmare)