Wednesday, July 19, 2006

Israeli Incident Response Report

Incident responders from Beyond Security published an interesting report (.pdf) explaining their involvement in a recent defacement of an Israeli Web site. I read the report but was surprised to not see any mention of shutting down access to the Web site upon discovering the intrusion. There was no question of compromise -- the image above shows what happened to the Web site. Consider the following excerpt from the report.

[T]he web site in question was defaced by Team Evil and action had to be taken immediately. There was no time to perform a full forensic investigation. What the attacked organization required was a real-time forensic analysis of the attack in order to contain damage and respond accordingly, with the following operational goals in mind:

1. Stop the continuing damage being inflicted as soon as possible by kicking out the attackers who were damaging the site while analysis was done.

2. Prevent further access from the attackers.

3. Determine what hole the attackers used to get in, and seal it.

While these goals are sequential, they had to be done simultaneously to be successful as the attackers were at the same time performing counter-measures and attacking back.

It was a fight between the attackers who were already in the system, and the incident response personnel on the ground with the help of the local system administrator.


"No time" for a forensic investigation? Try shutting down the Web server's switch port. It sounds like the intruders were active while the IR team worked:

While examining the second web GUI tool we noticed that there was currently a user trying to use the exploit. At this stage we no longer had a system administrator present, nor access to the attacked machine. (emphasis in original)

Again, shut down the switch port. Is this the "uptime argument?" Who needs uptime when the public is visiting a defaced Web server?

No wonder the intruders were active -- the defenders were visiting a potentially hostile Web site:

We soon located the tool on the web page... Looking at their site provided another clue.

If the victims were visiting an intruder's Web site during the incident response, that's an easy way to tip off the attackers that defense is taking place.

Finally, observe how the IR team finally tried to take control of the victim:

Left with no other alternative and the organization's approval, we used the intruders' web GUI tool to retrieve the MySQL password and used it to get into the forum database and escalate the permission of a user under our control to an administrator status (probably like the intruders themselves have done...).

Use an intruder's tool to remove the intruder? Wow.

IR is certainly a fluid experience, but I think some basic rules were violated during this scenario. Still, I'm very happy to see Beyond Security share its story. The report itself contains a ton of technical details and I highly recommend everyone read it. It's been a while since I've read anything like it.

6 comments:

Anonymous said...

As far as I undestood report, the IR team was working online - remotely. So this is an "uptime argument", to not shut down the switch port.

greets

Richard Bejtlich said...

In that case, the victim sys admin should have implemented a firewall block for all activity except from that of a trusted IP used by the incident response team.

Joe said...

I agree with you Richard. I'm not a forensics expert, but I would disconnect the server right away since I have all of the session data and full packet captures prior to and during the attack.

It's apparent to me that a lot of forensics training involves some basic common sense and understanding of evidence preservation. It's not as hard as people make it out to be.

Bastian Schwittay said...

Although it appears clever to use the very tools of an attacker to defeat him, I agree this would most definitely cause a lot of problems later, talk about evidence preservation. Not to mention that they seem to have worked in parallel with the intruders. If this went to court, I guess an opposite lawyer would tear the whole case to shreds, considering what even Keith Jones, who did a remarkable job on the UBS case and worked very diligently, did have to face from the defense. The UBS case is an excellent example of how high the standards in courtrooms really are, and how one should approach forensic investigations.

John V. Weaver said...

I talked to them and ask the questions raised here. They said:
"You are right, but in this case we did not have the option of shutting anything down or, off".
Also:
"Friend, sorry, but we were under instructions to stop it. No future legal case was to be considred".

Lastly, from Gadi Evron:
"The comments you mention are still correct, but you should note that a lot of conflicting concepts in security are also correct. Non are the "absolute truth". Implementation largely depends on necessity vs. demand".

JW.

Richard Bejtlich said...

Hi John,

Thanks for getting feedback from the parties involved!