Sunday, August 24, 2008

When users attack

This is one of those things that make my head hurt. Just last week an IDS alert fired and ended up in my inbox. This was one of those alerts that require validation, so after consulting network logs, a conclusion was reached that this was an incident and not just an event. Phone calls were made, emails were sent, and the local system admin called to let me know they were on their way to the machine. Great news. I instructed the sysadmin not to touch the system, not to let the user touch the system, and just to unplug the network cable. "Sure thing," said the sysadmin. I was already offsite on another engagement, so it took a short while for me to get to the site. Upon arrival I checked in with the receptionist and spoke to the manager. The sysadmin was no longer around. I was directed to the computer user and together we headed to the office where the computer was located. As instructed, the user was not operating the computer that had been compromised. This seemed promising...

We get to the office and the user says...

"I just got done running an antivirus scan, and it didn't find anything".

I'm literally at a loss for words at this point. "Err, uhm, what?!" I think to myself.

Friendly user offers up lots of other information about their actions and the nature of the system, including that they had no idea the vulnerable piece of software that got exploited was even installed on the system. This is bad(TM). Could be worse, I suppose, but to think that the sysadmin echoed back my request and agreed to pull the network cable, remove the user from the system and not touch the system themselves, and then the user scanned the system... yikes. But wait! It gets better. The user has the risk history window open in Symantec Antivirus. Well well, looky what we have here: a scan that precedes the one just run by the user, and it's an administrative scan that identified lots of badness. 5 pieces of badness, to be exact. I suppose it's a good thing that antivirus found the malware, but did it find it all? How can we be sure?

When next I speak to my sysadmin friend I think we'll need to talk. Ever feel like Chris Tucker and Jackie Chan in Rush Hour? "Do you understand the words that are coming out of my mouth?" The ever elusive Juntao snuck in, did damage and disappeared, all before I could get there. Common, isn't it?

My sysadmin stick is being sharpened....


H. Carvey said...

I can't tell you the number of times I've started assessing an incident and spoken to the sysadmins...

"What actions did you take on the system?"

"Nothing. We didn't touch it."

"AV logs and file last access times indicate that an AV scan was run 3 hrs after the triage call (where we asked you not to touch the system). "

"Oh, yeah...we ran a scan, but nothing else."

"No spyware scans??"

"Yeah...we ran one of those, too...but nothing else."

"The INFO2 file in the Administrator's Recycle Bin indicates that several files were 'deleted' after the scans, although the scan logs show that nothing was found."

"Oh, yeah. Sorry. We all use the same Administrator account on all of the systems, and someone else went in and deleted some files."

"Do you know which ones and why they did it?"


From my perspective as a responder, admins and admin staffs are exposing organizations to as much or more risk than the intruders or malware at this point.
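The exchange in the comment above hinges on one artifact: the INFO2 file in the Administrator's Recycle Bin carries a deletion timestamp for every file sent to the bin, so deletions made after the triage call show up even when the admin says nothing was touched. The following is an added example, not code from the post's author or from the commenter, that parses an INFO2 file and lists the records whose deletion time falls after a triage cutoff. It assumes the documented Windows 2000/XP INFO2 layout (20-byte header, 800-byte records: 260-byte ASCII path, record index, drive number, 64-bit FILETIME, file size, 520-byte UTF-16LE path; 280-byte records without the Unicode path on Windows 9x). The sample INFO2 bytes, the paths in them and the triage time are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed INFO2 layout (Windows 2000/XP, as commonly documented in forensic
# literature): header of five DWORDs, then fixed-size records.
HEADER_FMT = "<5I"                         # version, unknown, unknown, record size, unknown
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 20 bytes
RECORD_SIZE_XP = 800                       # ASCII path + metadata + UTF-16LE path
RECORD_SIZE_9X = 280                       # ASCII path + metadata only
META_FMT = "<IIQI"                         # index, drive number, FILETIME, physical size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_record(name, index, drive, deleted_at, size, in_bin=True):
    """Assemble one XP-style record. Used only to construct the sample file below."""
    ascii_name = name.encode("ascii", "replace").ljust(260, b"\x00")
    if not in_bin:
        # When a file is restored or the bin is emptied, the shell zeroes the first
        # byte of the ASCII path; the rest of the record, timestamp included, stays.
        ascii_name = b"\x00" + ascii_name[1:]
    meta = struct.pack(META_FMT, index, drive, datetime_to_filetime(deleted_at), size)
    unicode_name = name.encode("utf-16-le").ljust(520, b"\x00")
    return ascii_name + meta + unicode_name


def parse_info2(data):
    """Return a list of record dicts from raw INFO2 bytes."""
    version, _, _, record_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if record_size not in (RECORD_SIZE_XP, RECORD_SIZE_9X):
        raise ValueError(f"unexpected INFO2 record size {record_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        ascii_name = rec[:260]
        index, drive, ft, size = struct.unpack_from(META_FMT, rec, 260)
        if record_size == RECORD_SIZE_XP:
            # Prefer the Unicode path: it survives the zeroed ASCII first byte.
            name = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        else:
            name = ascii_name.split(b"\x00", 1)[0].decode("latin-1")
        records.append({
            "index": index,                      # the N in Dc<N> inside the bin
            "drive": chr(ord("A") + drive),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "name": name,
            "in_bin": ascii_name[0] != 0,        # False once restored or emptied
        })
    return records


def deletions_after(records, cutoff):
    """Records deleted after the cutoff, whether or not the file is still in the bin."""
    return sorted((r for r in records if r["deleted_at"] > cutoff),
                  key=lambda r: r["deleted_at"])


# Constructed sample: the triage call and three deletions, two of them made
# about four hours after the admin was told not to touch the system.
TRIAGE_CALL = datetime(2008, 8, 18, 9, 0, tzinfo=timezone.utc)
SAMPLE_INFO2 = (
    struct.pack(HEADER_FMT, 5, 0, 0, RECORD_SIZE_XP, 0)
    + build_record(r"C:\Documents and Settings\Administrator\Desktop\notes.txt",
                   1, 2, TRIAGE_CALL - timedelta(days=2), 1024)
    + build_record(r"C:\WINDOWS\Temp\tmp4F2.tmp",
                   2, 2, TRIAGE_CALL + timedelta(hours=4, minutes=10), 65536)
    + build_record(r"C:\WINDOWS\system32\drivers\unknown.sys",
                   3, 2, TRIAGE_CALL + timedelta(hours=4, minutes=12), 20480,
                   in_bin=False)
)

if __name__ == "__main__":
    for r in deletions_after(parse_info2(SAMPLE_INFO2), TRIAGE_CALL):
        state = "in bin" if r["in_bin"] else "restored/emptied"
        print(f"{r['deleted_at']:%Y-%m-%d %H:%M:%S}  Dc{r['index']}  {r['name']}  ({state})")
```

On a real system the bytes come from `C:\RECYCLER\<SID>\INFO2` (XP) read from an image, and the cutoff is the time of the triage call; the `in_bin` flag is what distinguishes "sent to the bin" from "sent to the bin and then emptied", which is the difference between a file you can recover from Dc3 and one you have to carve for.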