Why do organizations rush to pull the power plug?
In my experiences it's due to a number of reasons - this is not exhaustive.
1) The environment is so dirty(lots of compromises) that pulling the plug is the safest move.
2) It's the traditional method, and it's been proven - so people are comforted by that fact.
3) Organizations haven't taken the time or effort to TRAIN their first responders or they just don't trust them enough.
4) Response time is so slow that the unfounded fear is that the volatile data will be lost before a trained responder can get to the system.
5) The environment is very sensitive and pulling the plug removes the possibility to lose sensitive data(more than they had already).
So then I started considering a few other points of interest. Suppose your network is monitored as in using netflow to collect "call records" or something more elaborate. Do you have enough information from a network log to remove the risk of losing data by pulling the network cable from the back of the affected system? Let's take a look at this shall we?
1) We can deduce which ports were open and those that were active until the network cable was pulled by evaluating network flow logs and system configuration after the fact.
If I have net flow logs that show traffic flowing to or from the system on say...port 445 I can say that port 445 was open, and listening and it had a connection to a remote host with IP a.b.c.d.
We can also reason that based on the system and the environment that certain ports are expected to be open. For instance, we know that a windows XP box will have a specific number of ports open and listening by default - unless there has been a configuration change to limit this or if software has been installed that changes this. In the case of the latter, we can obtain this information post mortem from the system or during an interview with a sysadmin.
2) If I pull the network cable I will lose data. This is true, but what am I losing? I will lose data from the output of maybe one tool that may or may not even return accurate information depending on the tool and if there is malware that prevents the accurate display of information. I may lose the specific point in time data related to the specific process that is running that is responsible for having an open socket and port. Have I lost the ability to analyze the executable? Have I lost the ability to analyze the system at a different point in time? If I have a Windows XP box on a domain can I expect the system behavior to be the same from day to day? Certainly there are variations that will occur (which domain controller authenticates the user for instance) but generally speaking the behavior of the system will be largely the same from day to day. Add some malware to the mix and what do you get? dynamic or static variance? By this I mean does the malware have a static footprint (it opens port 6669 and attempts to connect to ircX.foo.bar) that is the same between reboots, meaning that we have added a degree of variance but that variance will not itself change, or is it introduce a dynamic variance to the system (it chooses a different port each time and a different dns host between reboots), which is to say that it changes system behavior in a different way each time. This is tool marks all over again (opening a port and connecting to a dns host would be class characteristics, the specific ones would be individual characteristics). So to answer my own question have I lost the ability to analyze the system at a different point in time? No. Will system behavior be the same from day to day? Yes, this is due to the deterministic nature of computers.
Will the process stop running as a result of losing the network connection? Maybe, maybe not. But even if it does stop running can I determine this behavior of the malware after the fact? Yes I can.
What else do I lose? The one thing we lose without argument is the ability at that point in time to determine if sensitive data is leaving the network. Not if it has left or will leave, but if it is at that very moment in transit.
If we compare this to pulling the power cable, it seems like pulling the network cable is much more preferable and less damaging. So, let me codify this a bit.
Pull the network cable but not the power cable if:
- Your environment has network logging at least at the session level.
- The system can sustain the loss of the network cable being pulled.
- Your environment demands this action.
- You've collected live response data.
So to clarify..what am I saying? Pull the network cable instead of the power cable unless your environment demands otherwise.
What are people's thoughts on this?