“Oh, a worm just took down all of our servers. We’ve got a problem!”
“Oh, a virus has infected all of our PCs. Let’s quickly delete it!”
“Oh, Chinese hackers have pwns0red several companies. But we are fine because we’ve got IDS, IPS, Antivirus, Anti-Spam, DLP and ‘til now we haven’t got a single alert from any of these silver-bullet-magic-unicorn-elvish-devices. We are perfectly safe, aren’t we?”
But what if you go to your boss with the following message:
“Sir, we’ve detected strange connections from one computer to some malware-related site. It could be industrial spies who compromised the system, but we don’t know yet. However, to be sure we’ve conducted a full AV scan with a dedicated boot CD and we’ve found some viruses.”
Boss: “Hell then why don’t you just delete the virus?”
You: “We don’t want to destroy evidence. We need you to decide whether or not a full-blown investigation shall be initiated. We may need to check other systems, too.”
Boss: “So you’re telling me you want to do a full-blown investigation, potentially crippling our business operations, just because of one frickin’ virus? Get the hell outta here and fix that one box, will you?”
Well, maybe it’s not always that heated, but in essence that’s pretty much what most organizations do when they find one box infected with something.
But is that really such a good idea in a time of highly organized electronic espionage and computer crime? Can we really ignore the possibility that some other organization might have intruded into our networks and is continually exfiltrating data?
Think about the Aurora and Stuxnet stories and the latest “Advanced Persistent Threat” story, “Night Dragon”. The perpetrators are professionally organized, hence the “advanced” and “persistent”. The means need not be very advanced all the time, since AV and Intrusion Detection Systems can be circumvented quite simply, and people still fail to configure their systems properly and to use good passwords.
But regardless of which means the perpetrators use, most organizations, especially smaller ones, don’t have the IT brains and manpower to properly acquire and preserve forensic data and/or to perform a professional IT forensic analysis.
We have only just realized that in many recent cases the intruders managed to stay undetected for several months!
So what will you do the next time someone detects a virus or “strange” connections? Will you investigate? How much effort will you put into your investigation?
Will your superiors allow you to trigger a full-blown internal investigation just because of your “paranoia”?
Small details often indicate some big security breach. Remember Cliff Stoll?
He went all the way from investigating a discrepancy of a few cents in the computer-usage accounting to a full-blown case of international cyber espionage targeting classified data on military systems.
So maybe next time, when you detect a compromised machine and you do not have the means to preserve conclusive forensic data without risking damage to the evidence, and you don’t have a contract with a forensics company, it could be time to call in the feds?
Afterthought: even if you have an incident response plan, you may not have the intel to decide whether a computer security incident needs further investigation or not. A twenty-person outfit will have neither the budget nor the personnel for CSIRT/CERT services, maybe not even for a "security guy". And maybe after investigating a "security breach" (a detected virus) you come out with nothing substantial, and it's just another generic virus with no organized crime or special purpose behind it. You'd most probably have a hard time explaining to your boss why you needed to take them literally out of business for several hours or even days, just to check all the hard drives in read-only mode with an AV boot CD.