When a server gets rooted (e.g. a situation like this), one of the first things that you may decide to do is containment. Some security specialists advise not to enter remediation immediately and to keep the server online until forensics are completed. That advice is usually for APTs. It's different if you have occasional script kiddie breaches, so you may decide to remediate (fix things) early. One of the steps in remediation is containment of the server. Quoting from Robert Moir's Answer - "disconnect the victim from its muggers".
A server can be contained by pulling the network cable or the power cable.
Which method is better?
Taking into consideration the need for:
- Protecting victims from further damage
- Executing successful forensics
- (Possibly) Protecting valuable data on the server
Edit: 5 assumptions
Assuming:
- You detected early: 24 hours.
- You want to recover early: 3 days of one systems admin on the job (forensics and recovery).
- The server is not a Virtual Machine or a Container able to take a snapshot capturing the contents of the server's memory.
- You decide not to attempt prosecuting.
- You suspect that the attacker may be using some form of software (possibly sophisticated) and this software is still running on the server.
Answer
If you're facing an APT, then your best option is to set up a honeypot and thoroughly investigate all traffic that flows into and out of it, in addition to monitoring the server.
The measure of going through memory is so expensive in terms of time and effort that it's usually not worthwhile unless you've tried every other method, and if you determine that it's worthwhile, it's generally best setting up a honeypot that allows you to easily dump the memory and system state to another machine on the fly so you can do analysis with less threat of being detected while the machine is up and running.
I had one situation where the attacker kept everything in memory to the degree that, except for logs, the machine looked exactly like its image once powered off and back on. They would then hack back in and start using it again because the vulnerability was still there - they didn't need to leave any backdoors for themselves. A memory evaluation could have helped here, but watching the traffic was enough in this case to identify the vulnerability quickly.
Therefore:
The only reason to avoid pulling the power and doing offline disk evaluation is if you're going to go through the pain of doing a thorough memory analysis of the threat while it's in place and operating. If you've gotten to the point where this is necessary, then there is no reason to pull either plug.
If you're not doing a memory analysis, then pulling the power plug is your best bet - pulling the Ethernet (or using a shutdown command) is only going to give the attacker's software advance notice - which does matter occasionally.
So:
Pull them both, unless you're doing a memory analysis, in which case, don't pull either.