Anatomy of a hack attack
Published: 07 Jan 2008 16:39 GMT
...is lost, said Chess. "Although it's often a very slight chance that a hacker could be identified and caught, it's important to warn the police before you do anything that tips off the hacker you know about him. It's also important they can come in before the audit trail is lost."
Monday, 5pm
The head of IT meets the chief information officer and IT security specialists to devise a plan of action. The agency has a well-established policy for dealing with security breaches, which means staff are less likely to panic and make poor decisions in a crisis. To keep your own IT team from panicking in the immediate aftermath of an attack, make sure there are written policies detailing the procedure to be followed. "There should be clear rules to guide the team, and rule number one is never unplug the server until you know what you are dealing with," Chess said.
While the action plan is being formulated, the agency uses an automated tool to block the IP address of the hacker. An automated tool is often the best option in this situation, since a hacker whose IP address is blocked will often switch to another within seconds.
Monday, 5.30pm
One team of IT staff is dispatched to examine the web server; the server is temporarily taken offline and a "closed for essential maintenance" page is posted on the website. The clean-up team runs a full antivirus and anti-rootkit check on the web server and uses the previous day's backup disk to verify that nothing on the server has been deleted or amended.
The head of IT realises that simply rebooting the system isn't an option, since it would not only compromise evidence but could also prevent the clean-up team from easily seeing what was done while the machine was running.
Auditing the logs and examining the requests made to the server reveals that the hacker exploited a known vulnerability in the server operating system to gain access to the system, and this weakness is immediately patched.
The clean-up team also ensures that all other patches to the server have been applied, and that there are no other known vulnerabilities that could result in the server being attacked again. It's important not to apply patches or make any system changes until this investigation is complete, said Zavlinsky. "Making untested or ad-hoc changes to an application could just add further vulnerabilities."
This is a real danger if a hacker is determined to target your organisation. "The ultimate goal for many hackers is to take a server offline within minutes of it going back online," added Zavlinsky. "So it is vital not to reboot a server unless you are absolutely confident you know what the problem was and that it has been fixed. Otherwise, you'll be up and down for three days trying to sort it all out."
At the same time, a second team is examining the compromised database server. The database is relatively complex and has links into multiple other agencies and systems. After examining the logs and audits, the investigation team realises the hacker has leveraged a SQL injection and created a false administrator login to the machine. From here, the hacker accessed a number of user IDs and passwords, then moved on to look at financial records and security documents, and deleted some records altogether.
"This isn't a great situation to be in," said Chess. "They've opened the back door but now they've also got a key to the front door as well." The priority is to discover which records have been accessed and to compare the database with the most recent backup to look for changes or deletions. Since it is possible that credit-card and direct-debit details may have been accessed, the chief information officer immediately informs the relevant banks of the potential breach.
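One way to carry out that comparison, as an added example that is not part of the original article or the agency's own tooling: a Python script that diffs a restored backup snapshot against the current database by primary key, reporting deleted, added and modified rows, and lists accounts that hold an admin role now but did not in the backup. The table layout and sample rows are constructed for illustration; the table and key names come from the investigator's own configuration, never from untrusted input.

```python
import sqlite3

# Constructed sample data: a "backup" snapshot and the "current" post-incident state.
# Hypothetical schema; a real investigation would point at the restored backup file
# and the live (read-only copy of the) database instead of in-memory tables.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
BACKUP_ROWS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]
# carol deleted, bob elevated to admin, a new "support" admin created
CURRENT_ROWS = [(1, "alice", "admin"), (2, "bob", "admin"), (4, "support", "admin")]


def load_snapshot(rows):
    """Build an in-memory SQLite database from sample rows (stands in for a restored backup)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def snapshot_rows(conn, table="users", key="id"):
    """Return {primary_key: {column: value}} so two snapshots can be compared row by row."""
    cols = [c[1] for c in conn.execute(f"PRAGMA table_info({table})")]
    key_idx = cols.index(key)
    return {row[key_idx]: dict(zip(cols, row)) for row in conn.execute(f"SELECT * FROM {table}")}


def diff_snapshots(backup, current, table="users", key="id"):
    """Compare the backup snapshot with the current one: which rows vanished, appeared or changed."""
    before = snapshot_rows(backup, table, key)
    after = snapshot_rows(current, table, key)
    return {
        "deleted": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def unexpected_admins(backup, current, table="users"):
    """Names holding an admin role now that did not hold it in the backup: candidate false logins."""
    before = snapshot_rows(backup, table)
    after = snapshot_rows(current, table)
    return sorted(r["name"] for k, r in after.items()
                  if r["role"] == "admin" and before.get(k, {}).get("role") != "admin")


if __name__ == "__main__":
    b, c = load_snapshot(BACKUP_ROWS), load_snapshot(CURRENT_ROWS)
    print(diff_snapshots(b, c))    # {'deleted': [3], 'added': [4], 'modified': [2]}
    print(unexpected_admins(b, c)) # ['bob', 'support']
```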
Monday, 8pm
A subsequent scan of the server for malware or other scripts shows a number of scripts and programs have been added, including rootkits that could be used to further compromise the network. At this point, the head of IT makes the decision that cleaning up the machine will be too time-consuming, and...