Anatomy of a hack attack

• Tags:
• Passwords,
• Hacker,
• Credit Card,
• Chief Executive

Sally Whittle ZDNet.co.uk

Published: 07 Jan 2008 16:39 GMT

• 
• 
• 
• 
• 

...the system has been compromised, and no alerts have yet been triggered. "When you go in as an attacker during a penetration test, it's relatively easy to be undetected, providing you don't start changing or deleting data," said Ravid Zavlinsky, of web-security specialist Applicure. "Many clients we speak to think their sites are impenetrable, [while] we find that they're being accessed every one or two minutes in fact."

Monday, 4pm
The hacker's next step is to create a new administrator account on the server — he knows the likelihood of this account being deleted in future is slim, even if staff don't recognise the name associated with the account. With this account, he copies some data from a database table and deletes a series of security profiles — eventually triggering the government agency's IT security systems.

When the IT manager on duty sees the alert from both the firewall and intrusion-detection system, he realises an attack may be in progress. He immediately asks for copies of any logs that are available, including the web server, database, firewall and intrusion-detection system. These logs should reveal what requests were made to the database and web server, and help to locate any attack scripts. This job should be overseen by a security specialist, as it can be hard to locate scripts created by an experienced hacker.

Completing this audit before disconnecting any machine from the network is absolutely vital, according to the experts. "If you panic and simply pull the plug out of the wall, you will lose a good deal of evidence because of volatile memory footprints," said Jose Nazario, senior security researcher with Arbor Networks. "You also lose any track a hacker may have left of what they have accessed or changed, and it makes it much harder to see what they are doing if there are no active processes running."

Moreover, if you don't know what's happened, there is no guarantee the hacker isn't still hiding on the network, observed Brian Chess, chief scientist with security company Fortify Software.

Back at the government agency, the logs reveal that the agency's web server has been compromised and, more seriously, the database server holding web-payment records and user IDs for thousands of citizens has been accessed and some records deleted. The user IDs and passwords of the database administrators have been accessed, and running an anti-rootkit application reveals that a number of rootkits have been installed on the database server.

Monday, 4.30pm
Now that he has a clearer idea of what has been compromised, the head of IT calls the chief information officer, who immediately informs the chief executive of the security breach. The chief information officer also informs the police, who contact the Serious Organised Crime Agency (SOCA), and government security agencies of the attack. "Informing the authorities is often a regulatory requirement, but it's also important to give them the chance to help identify and track down the culprits," said Chess. The chief information officer and the chief executive decide to delay issuing a public statement until there is more information about the security breach itself.

It is important to inform the authorities early on in an attack situation, before all evidence that might trap the hacker...

Go to section: You've been compromised! The hacker's next steps The clean-up begins How to deal with the aftermath

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit